[Firewall] Port forwarding natted DMZ to natted LAN

Kenneth Henderick khenderick at plesetsk.be
Sun Oct 11 18:53:22 CEST 2015


Hi Lonnie,

Thanks for helping me out. I'm going to enable some more logging and check
whether I can find something with tcpdump.

br0 is stitching the 192.168.41.0/24 network together with a tap-device for
my site-to-site VPN (slightly over-engineered home network here). Slightly
redacted output from "ip a" and "ip r":
http://paste.roguecoders.com/p/d8818f0009b716830d0be18bbb95f363.txt

Kenneth


On Sun, Oct 11, 2015 at 6:05 PM, Lonnie Abelbeck <lists at lonnie.abelbeck.com>
wrote:

> Hi Kenneth,
>
> You were correct in using:
> --
> DMZ_LAN_HOST_OPEN_TCP="192.168.17.50>192.168.35.52~8086"
> --
>
> I'm like you and put my "don't trust" devices in my DMZ, and I just tested
> DMZ_LAN_HOST_OPEN_TCP and it works as expected for me.
>
> 1) Try enabling more logging to see where your TCP 192.168.35.52~8086
> packet is being dropped (if it is) with DMZ_LAN_HOST_OPEN_TCP defined.
>
> 2) I see you have multiple subnets on a single bridge (br0) interface,
> possibly you have a routing issue for the return 192.168.17.50 packet?
>
> I see you are using VLANs off a single interface (router-on-a-stick);
> could the br0 be separated out as a few more separate VLANs, or is that
> wireless or such?
>
> Lonnie
>
>
> On Oct 11, 2015, at 10:11 AM, Kenneth Henderick <khenderick at plesetsk.be>
> wrote:
>
> > Hi,
> >
> > I have issues getting devices in my DMZ to reach a certain service on a
> device inside my LAN.
> >
> > Network setup:
> > * DMZ: 192.168.17.0/24
> > ** For devices I don't trust (TV, guest wifi, ...)
> > * LANs: 192.168.(25,33,34,35,41).0/24
> >
> > Routing:
> > * My firewall/router is configured to NAT between public internet and
> DMZ and the 192.168.25.0/24 LAN. Between the LANs themselves, routing is
> provided by my layer 3 switch
> > * Until now, devices in the DMZ and LANs cannot access each other (which
> generally speaking is good)
> >
> > What I want to achieve: I want one device on the DMZ to reach a service
> running on a server inside one of the LANs. That is, DMZ device
> 192.168.17.50 should be able to access 192.168.35.52 port 8086.
> >
> > My guess was DMZ_LAN_HOST_OPEN_TCP="192.168.17.50>192.168.35.52~8086"
> but that doesn't seem to work.
> >
> > Below is some debug information, please note that current port forwards
> from internet to LAN have been redacted to e.g. 111, 222, 333, ...
> > * My full configuration file:
> http://paste.roguecoders.com/p/f20c537d2c0bd569ec92f21bef9da7e9.txt
> > * Output of arno-iptables-firewall status:
> http://paste.roguecoders.com/p/5cdfb8eda6b974d51ec3be50fb7b4d59.txt
> >
> > Can somebody help me out?
> >
> > Best regards,
> >
> > Kenneth
> > _______________________________________________
> > Firewall mailing list
> > Firewall at rocky.eld.leidenuniv.nl
> > http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> > Arno's (Linux IPTABLES Firewall) Homepage:
> > http://rocky.eld.leidenuniv.nl
>
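As an added example, not code from this thread and not part of Arno's iptables firewall: the helpers below take a DMZ_LAN_HOST_OPEN_TCP entry of the form discussed above ("DMZ_HOST>LAN_HOST~PORT"), print the plain-iptables equivalent and a tcpdump filter covering both directions of the flow, and count from netfilter LOG lines whether the firewall saw the DMZ host's SYN and the LAN host's reply. That last check is what the two suggestions in the thread (more logging, and a possible return-path problem for the packet back to 192.168.17.50) amount to in practice. Assumed, and not taken from the page: a plain FORWARD chain with conntrack rather than Arno's own chain layout, the standard LOG-target line format, and a constructed log prefix and sample log lines.

```shell
#!/bin/sh
# Added example, not code from this thread and not part of Arno's iptables
# firewall. Parses a DMZ_LAN_HOST_OPEN_TCP entry ("DMZ_HOST>LAN_HOST~PORT"),
# shows the plain-iptables equivalent and a tcpdump filter for the flow, and
# counts, from netfilter LOG lines, whether the firewall saw both directions.
# Assumptions: plain FORWARD chain with conntrack (Arno's chain layout is not
# reproduced), standard LOG-target format, constructed sample log lines.

# Split "src>dst~port" into three whitespace-separated fields.
# Returns 1 on anything that does not have exactly that shape.
parse_dmz_lan_rule() {
    rule=$1
    case $rule in
        *">"*"~"*) ;;
        *) return 1 ;;
    esac
    src=${rule%%>*}
    rest=${rule#*>}
    dst=${rest%%~*}
    port=${rest#*~}
    case $port in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ -n "$src" ] && [ -n "$dst" ] || return 1
    printf '%s %s %s\n' "$src" "$dst" "$port"
}

# Two plain iptables rules with the same intent: pass replies of known
# connections, then allow the new connection from DMZ host to LAN host:port.
emit_iptables_rules() {
    fields=$(parse_dmz_lan_rule "$1") || return 1
    set -- $fields
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A FORWARD -p tcp -s %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$1" "$2" "$3"
}

# tcpdump filter matching both directions of the flow, for use on the
# firewall's DMZ and LAN interfaces: tcpdump -ni br0 "$(tcpdump_filter "$RULE")"
tcpdump_filter() {
    fields=$(parse_dmz_lan_rule "$1") || return 1
    set -- $fields
    printf 'tcp and ((src host %s and dst host %s and dst port %s) or (src host %s and dst host %s and src port %s))\n' \
        "$1" "$2" "$3" "$2" "$1" "$3"
}

# Read LOG-target lines on stdin and count packets of the flow per direction.
# forward>0 with reply=0 means the firewall logged the SYN but never saw the
# LAN host's answer: either it was dropped before the logging rule, or the
# reply took another route and never passed through the firewall at all
# (the return-path question raised in the thread).
flow_directions() {
    fields=$(parse_dmz_lan_rule "$1") || return 1
    set -- $fields
    fwd=0
    rev=0
    while IFS= read -r line; do
        case $line in
            *"SRC=$1 DST=$2 "*"PROTO=TCP "*"DPT=$3 "*) fwd=$((fwd + 1)) ;;
            *"SRC=$2 DST=$1 "*"PROTO=TCP "*"SPT=$3 "*) rev=$((rev + 1)) ;;
        esac
    done
    printf 'forward=%d reply=%d\n' "$fwd" "$rev"
}

# Constructed sample: two logged SYNs from the DMZ host and no reply seen.
# "DMZ2LAN:" is an arbitrary --log-prefix chosen here, not Arno's.
SAMPLE_LOG='Oct 11 18:40:01 fw kernel: DMZ2LAN: IN=eth0.17 OUT=br0 SRC=192.168.17.50 DST=192.168.35.52 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=40101 DF PROTO=TCP SPT=43210 DPT=8086 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 11 18:40:02 fw kernel: DMZ2LAN: IN=eth0.17 OUT=br0 SRC=192.168.17.50 DST=192.168.35.52 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=40102 DF PROTO=TCP SPT=43210 DPT=8086 WINDOW=29200 RES=0x00 SYN URGP=0'

RULE='192.168.17.50>192.168.35.52~8086'
emit_iptables_rules "$RULE"
tcpdump_filter "$RULE"
printf '%s\n' "$SAMPLE_LOG" | flow_directions "$RULE"
```

On a live box, feed the kernel log instead of the sample (for example `journalctl -k | flow_directions "$RULE"` or `flow_directions "$RULE" < /var/log/kern.log`) after enabling logging for the relevant rules; a result of forward>0 and reply=0 says to look at the return route from the 192.168.35.0/24 side before touching the firewall rules again.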