
Network topology:

ISP1                 |                               | Alternative ISP 4G   |
                     |                               | Huawei 4G  with DMZ  |
                     |                               | to 192.168.2.1       |
                     |                               | LAN IP: 192.168.2.254|
                     |                               | Public IP: 2.2.2.2   |
---------------------+                               +----------------------+
          |                  +----Main server---+                |
          +------------eth0--| WWW, MAIL, SSH   |-eth1-----------+
            Public IP:1.1.1.1| DNS, etc...      | 
                             +------------------+ Local IP: 192.168.2.1
                                  eth2|           GW: 192.168.2.254
                           10.10.10.10|
                                      |
                         [local 1] ---+--- [local 2] .... [local n]

I have completely hit a dead end while trying to figure out how to route traffic from/to the Alternative ISP on the Main server with iptables.

Services on the Main server must be accessible from outside as well as from the local network accessing the public IP.

Everything is fine with ISP1. I have set up NAT and MASQUERADING but I can not seem to get Alternative ISP to work.

At the alternative ISP the DMZ toggle is active and points to 192.168.2.1 which is configured on the Main server as eth1 IP.

Do I need to MASQUERADE everything going out through eth1 so it would look like coming from 2.2.2.2 or the 4G router will do that for me?

I understand that I do not understand many things here so sorry for dumb questions in advance...

Didzis
  • You will need to NAT and Masquerade both connections. DMZ or local network, the internal IPs still need to be translated. – NickW May 21 '14 at 11:27
  • The real/public IP address is specified for Alternate router only. The router then forwards everything (theoretically) to 192.168.2.1 which is the IP of main server. Could you please give an example of rules for iptables to achieve a successful two way connection? Thanks! – Didzis May 21 '14 at 11:46
  • If the Huawei is doing your NAT, it will do the Masquerading for you, I think your problems may be to do with default routes for the services. What network are the WWW, SSH, etc actually using? – NickW May 21 '14 at 11:57
  • Services are using both networks depending on server load; the default server route is to ISP1 and the nexthop to ISP2 (192.162.2.254 GW). – Didzis May 21 '14 at 11:59
  • Hmm, I think you may actually need to set up policy routing to ensure that traffic from one interface is replied to on that same interface.. – NickW May 21 '14 at 12:03
  • That was my initial thought before we had a secondary ISP change. The same setup was good enough. The difference now is that the router has the static, public IP (instead of the server's eth1) and the router only forwards data. – Didzis May 21 '14 at 12:18
  • @DidzisLuka-lndans You should not apologize for asking this question, it is a great question. It is not your fault, that you got such a convoluted setup. You'll have me trying to come up with a great solution, but it'll take a while for me to think it all over. – kasperd May 21 '14 at 12:20
  • I'm not enough of an iptables user to tell you exactly how you could set up policy routing with it, but I can tell you how to set up policy routing with `ip route`, which would use the interface traffic came in on to make routing decisions, if you're interested. – NickW May 21 '14 at 12:23
  • @kasperd thank you very much, that would be extra-great! – Didzis May 21 '14 at 12:25
  • @NickW I suppose I would have to set up two routing tables that include all three interface routes and mark each table, right? What happens when one of the ISP connections goes down? – Didzis May 21 '14 at 12:29
  • Well, I think you only need to set up 1 table (though 2 might make it easier to understand), which will make sure any traffic through 192.168.2.1 goes back out through 192.168.2.1. The default route would then forward any other traffic back out through eth0. – NickW May 21 '14 at 12:40

1 Answer


It looks like the problem indeed was because of the packets coming in through one and leaving through another interface.

Thanks to @NickW for the hint!

What I did was create two routing tables (one for each ISP):

# ip route show table isp1
default via 1.1.1.254 dev eth0
10.10.10.0/24 dev eth2  scope link  src 10.10.10.10
127.0.0.0/8 dev lo  scope link
1.1.1.0/24 dev eth0  scope link  src 1.1.1.1


# ip route show table isp2 
default via 192.168.2.254 dev eth1
10.10.10.0/24 dev eth2  scope link  src 10.10.10.10
127.0.0.0/8 dev lo  scope link
192.168.2.0/24 dev eth1  scope link  src 192.168.2.1

Created two rules so the incoming packets would know what to do next:

# ip rule
0:      from all lookup local
32764:  from 192.168.2.1 lookup isp2
32765:  from 1.1.1.1 lookup isp1
32766:  from all lookup main
32767:  from all lookup default

And set up the default route maneuver between the two ISP routers:

# ip route
default
        nexthop via 1.1.1.254  dev eth0 weight 1
        nexthop via 192.168.2.254  dev eth1 weight 1
10.10.10.0/24 dev eth2  proto kernel  scope link  src 10.10.10.10
127.0.0.0/8 dev lo  scope link
192.168.2.0/24 dev eth1  proto kernel  scope link  src 192.168.2.1
1.1.1.32/27 dev eth0  proto kernel  scope link  src 1.1.1.1

Firewall iptables-save output:

# Generated by iptables-save v1.4.12.1 on Thu May 22 11:27:18 2014
*nat
:PREROUTING ACCEPT [3549:255693]
:INPUT ACCEPT [1284:97835]
:OUTPUT ACCEPT [2116:146271]
:POSTROUTING ACCEPT [168:12371]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Thu May 22 11:27:18 2014
# Generated by iptables-save v1.4.12.1 on Thu May 22 11:27:18 2014
*mangle
:PREROUTING ACCEPT [105533:57605385]
:INPUT ACCEPT [21841:6013942]
:FORWARD ACCEPT [82551:51514621]
:OUTPUT ACCEPT [24003:30467247]
:POSTROUTING ACCEPT [106672:81997112]
COMMIT
# Completed on Thu May 22 11:27:18 2014
# Generated by iptables-save v1.4.12.1 on Thu May 22 11:27:18 2014
*filter
:INPUT DROP [135:8424]
:FORWARD DROP [20:1360]
:OUTPUT DROP [0:0]
:LOCAL_DROP - [0:0]
:LOGGING - [0:0]
:LOG_DROP - [0:0]
:SMTP_LOG - [0:0]
-A INPUT -d 10.10.10.10/32 -i eth2 -p tcp -j ACCEPT
-A INPUT -s 192.168.2.0/24 -d 10.10.10.10/32 -i eth2 -p tcp -j ACCEPT
-A INPUT -d 1.1.1.1/32 -i eth2 -p tcp -j ACCEPT

-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT

-A INPUT -s 1.1.1.1/32 -d 192.168.2.1/32 -i eth0 -p tcp -j ACCEPT
-A INPUT -s 192.168.2.1/32 -d 1.1.1.1/32 -i eth1 -p tcp -j ACCEPT

-A INPUT -s 10.10.10.11/32 -i eth2 -j ACCEPT
-A INPUT -s 192.168.2.1/32 -i eth1 -j ACCEPT


-A INPUT -s 1.1.1.1/32 -p tcp -j ACCEPT
-A INPUT -s 1.1.1.1/32 -p udp -j ACCEPT

-A INPUT -s 192.168.2.1/32 -p tcp -j ACCEPT
-A INPUT -s 192.168.2.1/32 -p udp -j ACCEPT

-A INPUT -s 10.10.10.0/24 -i eth0 -j DROP
-A INPUT -s 127.0.0.0/8 -i eth0 -j DROP
-A INPUT -s 10.10.10.0/24 -i eth1 -j DROP
-A INPUT -s 127.0.0.0/8 -i eth1 -j DROP

-A INPUT -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT

-A INPUT -i eth2 -p tcp -m tcp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --sport 68 --dport 67 -j ACCEPT

-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT

-A INPUT -s 10.10.10.0/24 -j LOCAL_DROP
-A INPUT -p udp -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP

-A FORWARD -i eth2 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

-A FORWARD -s 10.10.10.0/24 -d 10.10.10.0/24 -i eth2 -p tcp -j ACCEPT
-A FORWARD -s 10.10.10.0/24 -d 10.10.10.0/24 -i eth2 -p udp -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -d 192.168.2.0/24 -i eth1 -j ACCEPT

-A FORWARD -s 10.10.10.0/24 -i eth2 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.10.10.0/24 -i eth2 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 10.10.10.0/24 -i eth2 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.10.10.0/24 -i eth2 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -s 10.10.10.0/24 -i eth2 -p tcp -m tcp --dport 993 -j ACCEPT
-A FORWARD -s 10.10.10.0/24 -i eth2 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.10.10.0/24 -i eth2 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 10.10.10.0/24 -i eth2 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -s 10.10.10.0/24 -i eth2 -p udp -m udp --sport 137 --dport 137 -j ACCEPT
-A FORWARD -s 10.10.10.0/24 -i eth2 -p tcp -m tcp --dport 143 -j ACCEPT


-A FORWARD -s 10.10.10.11/32 -i eth2 -p tcp -j ACCEPT
-A FORWARD -s 10.10.10.11/32 -i eth2 -p udp -j ACCEPT
-A FORWARD -s 10.10.10.18/32 -i eth2 -p tcp -j ACCEPT
-A FORWARD -s 10.10.10.18/32 -i eth2 -p udp -j ACCEPT
-A FORWARD -s 10.10.10.1/32 -i eth2 -p tcp -j ACCEPT
-A FORWARD -s 10.10.10.1/32 -i eth2 -p udp -j ACCEPT

-A OUTPUT -s 1.1.1.1/32 -o eth0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 10.10.10.0/24 -d 10.10.10.0/24 -o eth2 -j ACCEPT
-A OUTPUT -s 1.1.1.1/32 -o eth2 -j ACCEPT
-A OUTPUT -s 192.168.2.0/24 -d 192.168.2.0/24 -o eth1 -j ACCEPT
-A OUTPUT -s 1.1.1.1/32 -o eth1 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -s 192.168.2.1/32 -o eth2 -j ACCEPT
-A OUTPUT -s 1.1.1.1/32 -o eth2 -j ACCEPT
-A OUTPUT -s 10.10.10.0/24 -d 1.1.1.1/32 -o eth2 -j ACCEPT

-A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

-A LOCAL_DROP -p tcp -j ULOG --ulog-prefix "[---LOCAL DROP---]: "
-A LOCAL_DROP -p udp -j ULOG --ulog-prefix "[---LOCAL DROP---]: "
-A LOCAL_DROP -j DROP

-A LOGGING -j ULOG --ulog-prefix "LOGGING: "
-A LOGGING -j ACCEPT
-A LOG_DROP -p tcp -j ULOG --ulog-prefix "[---TCP LOGDROP---]: "
-A LOG_DROP -p udp -j ULOG --ulog-prefix "[---UDP LOGDROP---]: "
-A LOG_DROP -j DROP
-A SMTP_LOG -j ACCEPT
COMMIT
# Completed on Thu May 22 11:27:18 2014

The firewall configuration is most likely far from perfect, but it works, and now I am afraid to touch it :D

Didzis
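The answer shows the resulting routing state but not the commands that produce it. The script below is an added example (not the answerer's own script) that builds the same two tables, the two source-based rules and the multipath default route, and then asks the kernel which uplink a reply from each address would take. Assumed, not on the page: the table numbers 100/200, the rt_tables path, and 203.0.113.1 as a documentation-range remote address; interfaces, addresses and gateways are the answer's.

```shell
#!/bin/sh
# Added example: reproduce the policy-routing state from the answer.
# Assumptions (not on the page): table ids 100/200 for isp1/isp2 and the
# /etc/iproute2/rt_tables path. Run as root with "apply"; DRY_RUN=1 only prints.
set -eu

DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

register_tables() {
  # Name the numeric tables so `ip route show table isp1` works
  f=/etc/iproute2/rt_tables
  grep -qs '^100 isp1$' "$f" || run sh -c "echo '100 isp1' >> $f"
  grep -qs '^200 isp2$' "$f" || run sh -c "echo '200 isp2' >> $f"
}

apply_policy_routing() {
  # Table isp1: anything sourced from the ISP1 address leaves via ISP1's gateway
  run ip route replace 1.1.1.0/24 dev eth0 src 1.1.1.1 table isp1
  run ip route replace 10.10.10.0/24 dev eth2 src 10.10.10.10 table isp1
  run ip route replace default via 1.1.1.254 dev eth0 table isp1
  # Table isp2: anything sourced from the DMZ target address leaves via the 4G router
  run ip route replace 192.168.2.0/24 dev eth1 src 192.168.2.1 table isp2
  run ip route replace 10.10.10.0/24 dev eth2 src 10.10.10.10 table isp2
  run ip route replace default via 192.168.2.254 dev eth1 table isp2
  # Rules: the reply's source address selects the table, so it returns on the
  # uplink the request arrived on. `ip rule add` is not idempotent: check
  # `ip rule` (or `ip rule del` first) before re-running on a live box.
  run ip rule add from 192.168.2.1 lookup isp2 priority 32764
  run ip rule add from 1.1.1.1 lookup isp1 priority 32765
  # Main table: locally originated traffic with no bound source is spread over both uplinks
  run ip route replace default nexthop via 1.1.1.254 dev eth0 weight 1 \
                                 nexthop via 192.168.2.254 dev eth1 weight 1
  run ip route flush cache
}

verify_paths() {
  # Ask the kernel which interface a reply from each uplink address would use
  # (203.0.113.1 is a documentation-range address standing in for any remote host)
  run ip route get 203.0.113.1 from 192.168.2.1 iif eth1
  run ip route get 203.0.113.1 from 1.1.1.1 iif eth0
}

if [ "${1:-}" = apply ]; then
  register_tables; apply_policy_routing; verify_paths
fi
```

The two `ip route get` lines should report `dev eth1` and `dev eth0` respectively; if either reports the other interface, the rule for that source address is missing or shadowed by a lower-numbered rule.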