
I want to simulate a DMZ-like scenario where server1 (inside the DMZ, 10.1.1.0) should be able to respond to any incoming connection and can't make a new outgoing connection on its own.

I would appreciate if someone provides a working example.

Example:

I am doing a simple test: I am accessing the webpage hosted at 10.1.1.10 from 10.2.2.10. So if this rule were to allow all incoming and only related/established outgoing, I should be able to open the webpage and do all my stuff on it. But with this rule I am not able to access the webpage. If I do nc -v 80 from 10.2.2.10 (server2), I get success and can also see the incoming packets in tshark.

I tried an iptables rule, but it does not work the way I expect:

*filter
-A INPUT  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW -j DROP
-A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
COMMIT

iptables -L -nv output:

iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1375  142K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    8   480 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW reject-with icmp-port-unreachable 
 1185 1346K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 

PS:

I am running CentOS 6.4.

chandank
  • Your INPUT rules are a bit redundant at the moment, since everything is accepted on the first rule. I assume you're planning to change this eventually? – Paul Gear May 21 '13 at 20:32
  • You've also got a stray -m in your OUTPUT rule - where did that come from? Was this really created by system-config-firewall, or have you manually edited? – Paul Gear May 21 '13 at 20:34
  • Please provide the output of `iptables -L -nv`. Your rules look good to me. I guess there are more and those cause problems. Furthermore, quoting the man page: The "state" module is an obsolete version of "conntrack". – Hauke Laging May 21 '13 at 21:29
  • I have updated the question – chandank May 21 '13 at 22:01
  • I would definitely follow @HaukeLaging's suggestion and use conntrack rather than state. – Paul Gear May 21 '13 at 22:06
  • Could you be more precise about "but it does not work the way I expect"? If a connection can (not) be established though it should not, then provide the output of `tcpdump -i eth0 -n host 10.2.2.10` (if testing the connection with 10.2.2.10). – Hauke Laging May 21 '13 at 22:19
  • I am doing a simple test: I am accessing the webpage hosted at 10.1.1.10 from 10.2.2.10. So if this rule were to allow all incoming and only related/established outgoing, I should be able to open the webpage and do all my stuff on it. But with this rule I am not able to access the webpage. If I do nc -v 80, I get success and can also see the incoming packets in tshark. – chandank May 21 '13 at 22:57
  • Could you be getting into this situation? http://www.frozentux.net/iptables-tutorial/chunkyhtml/x6249.html "State NEW packets but no SYN bit set" – Mark Wagner May 22 '13 at 00:12
  • I don't think so, because I have no Windows machine in my network; all are CentOS/Fedora. – chandank May 22 '13 at 16:06
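
The question's ruleset, rewritten as the DMZ host's complete filter table with the two things it lacks: a loopback exception and the conntrack match that both commenters point to. This is an added example, not code from the question, the comments or the answer. It assumes iptables 1.4.x with the conntrack match (CentOS 6 ships it), that server1 is an end host with nothing to FORWARD, and that the script runs as root only for "apply". The function names dmz_ruleset and check_ruleset are this example's own. One thing worth ruling out with the posted rules: they have no rule for lo, so any connection the web application opens to 127.0.0.1 (a local database, a local resolver) is a NEW outbound connection too and lands on the OUTPUT REJECT rule just like a real outbound attempt would.

```shell
#!/bin/sh
# Added example (not from the question or the answer): a complete filter table for
# the DMZ host in iptables-restore format, plus a sanity check for the ruleset.
# Assumptions: iptables 1.4.x with the conntrack match (CentOS 6 has it), server1 is
# an end host (nothing to FORWARD), and "apply" is run as root.

# dmz_ruleset: print the ruleset. Policy is DROP in every chain so that anything
# not listed shows up as a policy-counter increment instead of being accepted.
dmz_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback first: a web app talking to a local database or resolver is a NEW
# outbound connection too, and the posted ruleset rejects it
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# TCP that conntrack classes as NEW without a SYN is a stale or asymmetric flow,
# not a client (the "NEW but no SYN" case from the comments)
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# "respond to any incoming connection"; narrow to -p tcp --dport 80 once it works
-A INPUT -m conntrack --ctstate NEW -j ACCEPT
# replies to connections accepted above (RELATED covers ICMP errors, FTP data)
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# anything server1 itself tries to originate: log who it was, then reject
-A OUTPUT -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix "DMZ-OUT-NEW: "
-A OUTPUT -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# check_ruleset: read a ruleset on stdin, print one line per problem, exit 1 if any.
# It flags the obsolete state match, a missing or too-late loopback accept in
# OUTPUT, and a missing ESTABLISHED,RELATED accept in either chain.
check_ruleset() {
  awk '
    BEGIN { rc = 0 }
    /^-A / { n++ }                                   # rule number within the file
    /-m state / { bad["uses obsolete -m state: " $0] = 1 }
    /^-A OUTPUT .*-o lo .*-j ACCEPT/ { lo_out = n }
    /^-A OUTPUT .*-j (DROP|REJECT)/ && !first_out_deny { first_out_deny = n }
    /^-A INPUT .*--ctstate (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT/ { est_in = 1 }
    /^-A OUTPUT .*--ctstate (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT/ { est_out = 1 }
    END {
      if (!lo_out) bad["no OUTPUT accept for -o lo"] = 1
      else if (first_out_deny && first_out_deny < lo_out) bad["OUTPUT denies before the lo accept"] = 1
      if (!est_in)  bad["INPUT lacks an ESTABLISHED,RELATED accept"] = 1
      if (!est_out) bad["OUTPUT lacks an ESTABLISHED,RELATED accept"] = 1
      for (b in bad) { print b; rc = 1 }
      exit rc
    }'
}

case "${1:-print}" in
  apply) dmz_ruleset | check_ruleset && dmz_ruleset | iptables-restore ;;
  check) dmz_ruleset | check_ruleset && echo "ruleset ok" ;;
  *)     dmz_ruleset ;;
esac
```

Run it with no argument to review the table, with check to lint it, and with apply (as root) to load it; an SSH session that is already open survives the load because its packets are ESTABLISHED. On CentOS 6, service iptables save writes the loaded table to /etc/sysconfig/iptables. Then repeat the test from server2 while watching the kernel log for DMZ-OUT-NEW lines: each one names the destination server1 tried to reach, which is what the bare REJECT counter in the question cannot tell you.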

1 Answer

-1

A fairly generic answer (I'm sure there are better ones elsewhere on serverfault if you search) is: if iptables isn't working as you expect, you should:

  • add logging rules at appropriate points and watch the log as you generate the traffic
  • watch the counters on your rules with iptables -L -n -v as you generate the traffic
  • and (my favourite) use an iptables preprocessor like Shorewall to do the heavy lifting of creating the rules for you
Paul Gear
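
The answer's second bullet, watching the counters, done as a diff rather than by eye: this is an added example, not the answer's code. It assumes two files captured with iptables -L -nvx before and after a single test request (-x so that packet and byte counts are not abbreviated the way the 142K in the question is). The sample snapshots are constructed from the question's own iptables -L -nv output, with the counters bumped the way one more request to port 80 would move them; the function names counter_deltas, sample_before, sample_after and demo are this example's own.

```shell
#!/bin/sh
# Added example, not code from the answer or the question: take `iptables -L -nvx`
# before and after one test request (nc -v 10.1.1.10 80 from server2, say) and
# print only the rules whose packet counters moved, so the rule that matched is
# named instead of guessed. Assumes the two snapshots are in the -L -nv[x] layout.

# counter_deltas BEFORE AFTER
# Output: "<+/-delta> <chain> <rule#> <target> <match text>"; rule# 0 is the chain policy.
counter_deltas() {
  awk '
    FNR == 1 { file++ }                      # 1 = before, 2 = after
    /^Chain / { chain = $2; idx = 0
                if ($3 == "(policy") {       # built-in chain: record the policy counter
                  key = chain " 0 policy " $4; cnt[file, key] = $5
                  if (!(key in order)) order[key] = ++seq }
                next }
    /^ *pkts +bytes/ || NF == 0 { next }     # column header and blank lines
    { idx++                                  # rules numbered per chain, as --line-numbers does
      rest = ""; for (i = 10; i <= NF; i++) rest = rest " " $i   # match/extension text
      key = chain " " idx " " $3 rest
      cnt[file, key] = $1
      if (!(key in order)) order[key] = ++seq }
    END {
      for (key in order) { d = cnt[2, key] - cnt[1, key]
                           if (d != 0) out[order[key]] = sprintf("%+d %s", d, key) }
      for (i = 1; i <= seq; i++) if (i in out) print out[i] }' "$1" "$2"
}

# Constructed sample: the counters shown in the question as "before" ...
sample_before() {
  cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1375  142K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   480 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW reject-with icmp-port-unreachable
 1185 1346K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
EOF
}

# ... and the same chains after one more request to port 80 (constructed values).
sample_after() {
  cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1381  143K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   11   660 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW reject-with icmp-port-unreachable
 1190 1351K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
EOF
}

# demo: write the two samples to temp files and diff them.
demo() {
  b=$(mktemp) && a=$(mktemp) || return 1
  sample_before > "$b"; sample_after > "$a"
  counter_deltas "$b" "$a"
  rm -f "$b" "$a"
}

demo
```

In real use: iptables -L -nvx > before, make the one request from server2, iptables -L -nvx > after, then counter_deltas before after. A REJECT line that moves during a request that was supposed to be pure reply traffic is the rule to put a LOG rule in front of, per the answer's first bullet.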