IPCop DMZ DNS HOWTO

About

This HOWTO is for IPCop V0.1.1 users who wish to run DNS servers in the DMZ. These servers will be used by the IPCop firewall itself, by users on the GREEN network, and by other servers in the DMZ. All DNS traffic goes through the DNS servers, and it is these servers that query the Internet. A RED + ORANGE + GREEN configuration is assumed.

The Rules

I had to add two rules to the rc.firewall.up script.

Rule 1: Allow ORANGE udp domain input to the ORANGE nic

This rule allows the IPCop firewall itself to use your DNS servers in the DMZ. To do this we must allow UDP domain (port 53) traffic into the ORANGE nic. For this rule I wanted tighter security, so unlike the next rule I only allow UDP port 53 input.

    ipchains -A input -i $ORANGE_DEV -p udp --source-port domain \
        -s $ORANGE_NETADDRESS/$ORANGE_NETMASK \
        -d $ORANGE_NETADDRESS/$ORANGE_NETMASK -j ACCEPT

Rule 2: Allow ORANGE to GREEN forwarding of high port udp traffic

This rule allows UDP traffic from ORANGE to be forwarded into GREEN, i.e., it lets the replies to DNS queries from GREEN come back. In this case I chose to open up the firewall for ports 1024:65535. For tighter security you may wish to only forward udp domain (port 53) traffic, but in my case I use several UDP protocols, so it is just easier to open all the safe ports.

    ipchains -A forward -i $GREEN_DEV -p udp \
        -s $ORANGE_NETADDRESS/$ORANGE_NETMASK \
        -d $GREEN_NETADDRESS/$GREEN_NETMASK 1024:65535 -j ACCEPT

Adding the rules to rc.firewall.up

Now it is important to insert the above rules into the firewall script at the right place. Before you do this, make a backup copy of rc.firewall.up so that you can restore it if you get into trouble.

Adding Rule 1

Look for the following rule set in rc.firewall.up:

    # Allow ORANGE to GREEN. Let it get in as far as the forward chain.
    if [ "$ORANGE_DEV" != "" ]; then
        ipchains -A input -i $ORANGE_DEV -s $ORANGE_NETADDRESS/$ORANGE_NETMASK \
            -d $GREEN_NETADDRESS/$GREEN_NETMASK -j ACCEPT
    fi

Then modify it to look something like this:

    # Allow ORANGE to GREEN. Let it get in as far as the forward chain.
    if [ "$ORANGE_DEV" != "" ]; then
        ipchains -A input -i $ORANGE_DEV -s $ORANGE_NETADDRESS/$ORANGE_NETMASK \
            -d $GREEN_NETADDRESS/$GREEN_NETMASK -j ACCEPT
        # Insert Rule 1 here
    fi

Adding Rule 2

Look for the following rule set in rc.firewall.up:

    # Allow GREEN to talk to ORANGE.
    if [ "$ORANGE_DEV" != "" ]; then
        # Anything from GREEN to ORANGE is ok.
        ipchains -A forward -i $ORANGE_DEV -s $GREEN_NETADDRESS/$GREEN_NETMASK \
            -d $ORANGE_NETADDRESS/$ORANGE_NETMASK -j ACCEPT
        # TCP: From ORANGE to GREEN is ok; no SYNs allowed, and it must be to a
        # high port on GREEN.
        ipchains -A forward -i $GREEN_DEV -p tcp ! -y \
            -s $ORANGE_NETADDRESS/$ORANGE_NETMASK \
            -d $GREEN_NETADDRESS/$GREEN_NETMASK 1024:65535 -j ACCEPT
        # ICMP: from ORANGE to GREEN is ok, if its a echo-reply
        ipchains -A forward -i $GREEN_DEV -p icmp --icmp-type echo-reply \
            -s $ORANGE_NETADDRESS/$ORANGE_NETMASK \
            -d $GREEN_NETADDRESS/$GREEN_NETMASK -j ACCEPT
    fi

Then modify it to look something like this:

    # Allow GREEN to talk to ORANGE.
    if [ "$ORANGE_DEV" != "" ]; then
        # Anything from GREEN to ORANGE is ok.
        ipchains -A forward -i $ORANGE_DEV -s $GREEN_NETADDRESS/$GREEN_NETMASK \
            -d $ORANGE_NETADDRESS/$ORANGE_NETMASK -j ACCEPT
        # TCP: From ORANGE to GREEN is ok; no SYNs allowed, and it must be to a
        # high port on GREEN.
        ipchains -A forward -i $GREEN_DEV -p tcp ! -y \
            -s $ORANGE_NETADDRESS/$ORANGE_NETMASK \
            -d $GREEN_NETADDRESS/$GREEN_NETMASK 1024:65535 -j ACCEPT
        # Insert Rule 2 here
        # ICMP: from ORANGE to GREEN is ok, if its a echo-reply
        ipchains -A forward -i $GREEN_DEV -p icmp --icmp-type echo-reply \
            -s $ORANGE_NETADDRESS/$ORANGE_NETMASK \
            -d $GREEN_NETADDRESS/$GREEN_NETMASK -j ACCEPT
    fi

Disclaimer

I am not a professional security expert, so use this HOWTO at your own risk.

About The Author

Walt Davis

Credits
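The editing procedure from the "Adding the rules to rc.firewall.up" section, done by a script rather than by hand: it keeps the backup the HOWTO asks for, splices Rule 1 in before the `fi` of the "Allow ORANGE to GREEN" block and Rule 2 in before the ICMP comment of the "Allow GREEN to talk to ORANGE" block, and refuses to add either rule a second time. This is an added example, not part of Walt Davis's HOWTO or of IPCop itself. It assumes the two comment lines quoted in the HOWTO appear verbatim in your rc.firewall.up; the rc.firewall.up fragment written by write_sample is constructed sample data so the script can be tried without touching a real firewall.

```shell
#!/bin/sh
# Added example (not from the HOWTO or IPCop): insert the two DNS rules into
# rc.firewall.up at the places the HOWTO describes, after taking a backup.
# Assumes the section comments quoted in the HOWTO are present verbatim.

# The two rules exactly as given in the HOWTO, each on a single line.
RULE1='ipchains -A input -i $ORANGE_DEV -p udp --source-port domain -s $ORANGE_NETADDRESS/$ORANGE_NETMASK -d $ORANGE_NETADDRESS/$ORANGE_NETMASK -j ACCEPT'
RULE2='ipchains -A forward -i $GREEN_DEV -p udp -s $ORANGE_NETADDRESS/$ORANGE_NETMASK -d $GREEN_NETADDRESS/$GREEN_NETMASK 1024:65535 -j ACCEPT'

# insert_rule FILE SECTION STOP TAG RULE
# After a line containing SECTION has been seen, put "# TAG" and RULE just
# before the first line matching the regex STOP. Skips if TAG is already there.
insert_rule() {
    file=$1 section=$2 stop=$3 tag=$4 rule=$5
    if grep -q -F "# $tag" "$file"; then
        echo "$tag already present in $file, skipping" >&2
        return 0
    fi
    grep -q -F "$section" "$file" || { echo "section '$section' not found in $file" >&2; return 1; }
    tmp="$file.tmp.$$"
    awk -v sec="$section" -v stop="$stop" -v tag="$tag" -v rule="$rule" '
        index($0, sec)              { insec = 1 }
        insec && !done && $0 ~ stop { print "    # " tag; print "    " rule; done = 1 }
                                    { print }
        END { if (!done) exit 1 }
    ' "$file" > "$tmp" || { rm -f "$tmp"; echo "no line matching '$stop' after section" >&2; return 1; }
    mv "$tmp" "$file"
}

# add_dns_rules FILE: back FILE up once (FILE.bak), then add both rules.
add_dns_rules() {
    file=$1
    [ -f "$file.bak" ] || cp "$file" "$file.bak"
    insert_rule "$file" '# Allow ORANGE to GREEN.' '^[[:space:]]*fi[[:space:]]*$' \
        'Rule 1: firewall may receive udp domain replies from the DMZ' "$RULE1" || return 1
    insert_rule "$file" '# Allow GREEN to talk to ORANGE.' '^[[:space:]]*# ICMP' \
        'Rule 2: forward high-port udp (DNS replies) from ORANGE to GREEN' "$RULE2" || return 1
}

# rules_present FILE: succeed only if each rule appears exactly once.
rules_present() {
    [ "$(grep -c -F "$RULE1" "$1")" -eq 1 ] && [ "$(grep -c -F "$RULE2" "$1")" -eq 1 ]
}

# write_sample FILE: constructed fragment of rc.firewall.up containing only the
# two blocks the HOWTO tells you to look for (sample data, not the real script).
write_sample() {
    cat > "$1" <<'EOF'
# Allow ORANGE to GREEN. Let it get in as far as the forward chain.
if [ "$ORANGE_DEV" != "" ]; then
    ipchains -A input -i $ORANGE_DEV -s $ORANGE_NETADDRESS/$ORANGE_NETMASK \
        -d $GREEN_NETADDRESS/$GREEN_NETMASK -j ACCEPT
fi

# Allow GREEN to talk to ORANGE.
if [ "$ORANGE_DEV" != "" ]; then
    ipchains -A forward -i $ORANGE_DEV -s $GREEN_NETADDRESS/$GREEN_NETMASK \
        -d $ORANGE_NETADDRESS/$ORANGE_NETMASK -j ACCEPT
    ipchains -A forward -i $GREEN_DEV -p tcp ! -y \
        -s $ORANGE_NETADDRESS/$ORANGE_NETMASK \
        -d $GREEN_NETADDRESS/$GREEN_NETMASK 1024:65535 -j ACCEPT
    # ICMP: from ORANGE to GREEN is ok, if its a echo-reply
    ipchains -A forward -i $GREEN_DEV -p icmp --icmp-type echo-reply \
        -s $ORANGE_NETADDRESS/$ORANGE_NETMASK \
        -d $GREEN_NETADDRESS/$GREEN_NETMASK -j ACCEPT
fi
EOF
}
```

To try it on the constructed fragment: `write_sample ./rc.firewall.up.sample; add_dns_rules ./rc.firewall.up.sample; rules_present ./rc.firewall.up.sample && echo ok`. On a real firewall you would source the functions and run `add_dns_rules /path/to/rc.firewall.up` (path is yours to fill in), then diff the result against the `.bak` copy before restarting the firewall script. The rules are anchored on the section comments rather than on line numbers, so the insertion still lands in the right block if the script has been edited elsewhere, and the tag comment makes a second run a no-op instead of a duplicate rule.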