[Firewall] Port forwarding natted DMZ to natted LAN

Kenneth Henderick khenderick at plesetsk.be
Sun Oct 11 19:46:21 CEST 2015


Hi Lonnie,

Your comment about the routing issue got me thinking; as stated, my L3
switch does almost all routing between the LANs. By default it routes
between all VLANs where it has an interface and various ACLs are applied to
prevent routing between LANs that, well, should not have routing between
them (e.g. 17 and 35, or the management VLAN and all other VLANs). However,
the switch also had an interface in VLAN 17, so the ACLs prevented any
routing between the DMZ (17) and all other VLANs. It does that by
inspecting all packaging traveling across the network, so it basically
dropped all the packages between the two devices stated in the previous
mails.

I removed the VLAN interface in the DMZ (there's no need for that anyway),
and removed all ACLs that interfered with 17. Suddenly, everything starts
working. All requests that are redirected outside the network (e.g. pinging
a server on the LAN, or connecting to a LAN server's http server) are
logged as DROP, and the one port is allowed.

Thanks for helping me out :)

Regards,

Kenneth

On Sun, Oct 11, 2015 at 6:53 PM, Kenneth Henderick <khenderick at plesetsk.be>
wrote:

> Hi Lonnie,
>
> Thanks for helping me out. I'm going to enable some more logging and check
> whether I can find something with tcpdump.
>
> br0 is stitching the 192.168.41.0/24 network together with a tap-device
> for my site-to-site VPN (slighly over-engineered home network here).
> Slightly redacted output from "ip a" and "ip r":
> http://paste.roguecoders.com/p/d8818f0009b716830d0be18bbb95f363.txt
>
> Kenneth
>
>
> On Sun, Oct 11, 2015 at 6:05 PM, Lonnie Abelbeck <
> lists at lonnie.abelbeck.com> wrote:
>
>> Hi Kenneth,
>>
>> You were correct in using:
>> --
>> DMZ_LAN_HOST_OPEN_TCP="192.168.17.50>192.168.35.52~8086"
>> --
>>
>> I'm like you and put my "don't trust" devices in my DMZ, and I just
>> tested DMZ_LAN_HOST_OPEN_TCP and it works as expected for me.
>>
>> 1) Try enabling more logging to see where your TCP 192.168.35.52~8086
>> packet is being dropped (if it is) with DMZ_LAN_HOST_OPEN_TCP defined.
>>
>> 2) I see you have multiple subnets on a single bridge (br0) interface,
>> possibly you have a routing issue for the return 192.168.17.50 packet ?
>>
>> I see you are using VLAN's off a single interface, (router-on-a-stick),
>> could the br0 be separated out as a few more separate VLAN's or is that
>> wireless or such.
>>
>> Lonnie
>>
>>
>> On Oct 11, 2015, at 10:11 AM, Kenneth Henderick <khenderick at plesetsk.be>
>> wrote:
>>
>> > Hi,
>> >
>> > I have issues getting devices in my DMZ to reach a certain service on a
>> device insite my LAN.
>> >
>> > Network setup:
>> > * DMZ: 192.168.17.0/24
>> > ** For devices I don't trust (TV, guest wifi, ...)
>> > * LANs: 192.168.(25,33,34,35,41).0/24
>> >
>> > Routing:
>> > * My firewall/router is configured to NAT between public internet and
>> DMZ and the 192.168.25.0/24 LAN. Between the LANs themself, routing is
>> provided by my layer 3 switch
>> > * Until now, devices in the DMZ and LANs cannot access eachother (which
>> generally speaking is good)
>> >
>> > What I want to achieve: I want one devices on the DMZ to reach a
>> service running on a server inside one of the LANs. That is, DMZ device
>> 192.168.17.50 should be able to access 192.168.35.52 port 8086.
>> >
>> > My guess was DMZ_LAN_HOST_OPEN_TCP="192.168.17.50>192.168.35.52~8086"
>> but that doesn't seem to work.
>> >
>> > Below is some debug information, please note that current port forwards
>> from internet to LAN have been redacted to e.g. 111, 222, 333, ...
>> > * My full configuration file:
>> http://paste.roguecoders.com/p/f20c537d2c0bd569ec92f21bef9da7e9.txt
>> > * Output of arno-iptables-firewall status:
>> http://paste.roguecoders.com/p/5cdfb8eda6b974d51ec3be50fb7b4d59.txt
>> >
>> > Can somebody help me out?
>> >
>> > Best regards,
>> >
>> > Kenneth
>> > _______________________________________________
>> > Firewall mailing list
>> > Firewall at rocky.eld.leidenuniv.nl
>> > http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>> > Arno's (Linux IPTABLES Firewall) Homepage:
>> > http://rocky.eld.leidenuniv.nl
>>
>> _______________________________________________
>> Firewall mailing list
>> Firewall at rocky.eld.leidenuniv.nl
>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>> Arno's (Linux IPTABLES Firewall) Homepage:
>> http://rocky.eld.leidenuniv.nl
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://rocky.eld.leidenuniv.nl/pipermail/firewall/attachments/20151011/35222b6d/attachment-0001.html>


More information about the Firewall mailing list