From colin at colina.demon.co.uk Wed Jul 2 23:43:31 2003
From: colin at colina.demon.co.uk (Colin Paul Adams)
Date: 03 Jul 2003 07:43:31 +0100
Subject: [NARC] Forwarding http to LAN ???
Message-ID: 

Hello,

I have apache running on port 80 on both my DMZ and my LAN.

I can use narc-forward.conf (0.6.3) to forward traffic to the DMZ, and it
works OK. If I change the forwarding IP address to that of my LAN instead
(for testing purposes) I cannot connect from the outside world (I can
connect from my firewall machine, but that's no use!).

Any tips?
-- 
Colin Paul Adams
Preston Lancashire

From colin at colina.demon.co.uk Wed Jul 2 23:57:28 2003
From: colin at colina.demon.co.uk (Colin Paul Adams)
Date: 03 Jul 2003 07:57:28 +0100
Subject: [NARC] Forwarding http to LAN ???
In-Reply-To: 
References: 
Message-ID: 

>>>>> "Colin" == Colin Paul Adams writes:

    Colin> Hello, I have apache running on port 80 on both my DMZ and
    Colin> my LAN.

    Colin> I can use narc-forward.conf (0.6.3) to forward traffic to
    Colin> the DMZ, and it works OK. If I change the forwarding IP
    Colin> address to that of my LAN instead (for testing purposes) I
    Colin> cannot connect from the outside world (I can connect from
    Colin> my firewall machine, but that's no use!).

Further experimentation shows that if I swap the definitions of the LAN
and DMZ then it will work.

In other words, it appears that narc prohibits forwarding to the LAN,
only to the DMZ is allowed, irrespective of what IP addresses you
specify in narc-forward.conf.

Why???

How can I change this?
-- 
Colin Paul Adams
Preston Lancashire

From shane at knowplace.org Thu Jul 3 10:25:09 2003
From: shane at knowplace.org (Shane Chen)
Date: Thu, 3 Jul 2003 10:25:09 -0700
Subject: [NARC] Forwarding http to LAN ???
References: 
Message-ID: <003501c34188$0e2db4e0$22c1a8c0@ict.usc.edu>

----- Original Message -----
From: "Colin Paul Adams"

> Colin> Hello, I have apache running on port 80 on both my DMZ and
> Colin> my LAN.

This is probably your problem.

Unless you have rules distinguishing which packets with dport 80 are going
to be forwarded, the first forwarding rule will match. So, the second
forwarding rule will never see any packets. Set up two forwarding rules,
one with an ORIG_PORT of 80, another with an ORIG_PORT of 8080 and see if
your problem goes away.

> In other words, it appears that narc prohibits forwarding to the LAN,
> only to the DMZ is allowed, irrespective of what IP addresses you
> specify in narc-forward.conf.

Although it might be a good idea, NARC doesn't implement any specific
measures to prevent you from forwarding packets into the LAN.

Shane

From shane at knowplace.org Thu Jul 3 17:50:41 2003
From: shane at knowplace.org (Shane Chen)
Date: Thu, 3 Jul 2003 17:50:41 -0700
Subject: [NARC] Forwarding http to LAN ???
References: <003501c34188$0e2db4e0$22c1a8c0@ict.usc.edu>
Message-ID: <003901c341c6$4adea0a0$4264a8c0@TRANSMUTE>

----- Original Message -----
From: "Colin Paul Adams"

> Well, it may not implement it, but that's what's happening.

As stated before, NARC has no limitations when it comes to forwarding
packets into your LAN. In fact, I've personally used this for some things.

> So how can I debug? (although I'm quite prepared to edit the

Turn on the logging or insert logging rules of your own and see where and
why NARC is dropping the packet. If NARC isn't dropping the packet, then
it's likely that it's a network configuration issue.
Shane

From colin at colina.demon.co.uk Fri Jul 4 02:53:38 2003
From: colin at colina.demon.co.uk (Colin Paul Adams)
Date: 04 Jul 2003 10:53:38 +0100
Subject: [NARC] Forwarding http to LAN - a fix
In-Reply-To: <000f01c34202$7cf22e40$4264a8c0@TRANSMUTE>
References: <003501c34188$0e2db4e0$22c1a8c0@ict.usc.edu>
	<003901c341c6$4adea0a0$4264a8c0@TRANSMUTE>
	<000f01c34202$7cf22e40$4264a8c0@TRANSMUTE>
Message-ID: 

>>>>> "S" == Shane Chen writes:

    >> OK - narc isn't dropping packets (I tried using another port,
    >> and those ARE dropped, as there is no forwarding statement for
    >> them).
    >>
    >> In fact it's certainly a network configuration issue, as whilst
    >> investigating it I discovered that my firewall syslog logging
    >> copies everything via syslog remote logging to the machine on
    >> my DMZ - it is only recently that I bought another machine, and
    >> so now have two ethernet cards - I had forgotten to switch the
    >> remote logging to the new machine.
    >>
    >> So I changed the syslog configuration, and sure enough, the
    >> syslog messages fail to get through.
    >>
    >> eth0 is the DMZ - no problems there
    >> eth1 is the LAN.
    >>
    >> narc forwarding is from 80.177.30.27 to either 10.0.0.5 (works)
    >> and 10.0.1.5 (only works if I tell narc that my DMZ (as well as
    >> my LAN) is on eth1.
    >>
    >> That last bit puzzles me. I can understand that I may well have
    >> configured my network wrongly, but I can't see why it should
    >> work if I lie about my DMZ to narc.
    >>
    >> I also don't understand why forwarding the syslog to susannah
    >> worked, as I don't have anything in narc.conf to allow messages
    >> through.
    >>
    >> OK - seeing if anyone on the list can help me.

But I tried some more investigating myself - If I do an iptables status,
to get a list of the firewall rules in place, I see why the forwarding
isn't working:

First, my lines from narc-forward.conf

PROTOCOL="tcp";ORIG_IP="80.177.30.27";ORIG_PORT="80";NEW_IP="10.0.0.5";NEW_PORT="80"
PROTOCOL="tcp";ORIG_IP="80.177.30.27";ORIG_PORT="8080";NEW_IP="10.0.1.5";NEW_PORT="80"

With LAN defined to narc on eth1, and DMZ on eth0 (i.e. the true
configuration), then the (abbreviated) forwarding chain looks like this:

Chain number  target  prot  in    out   source     destination
4             ACCEPT  all   eth1  ppp0  0.0.0.0/0  0.0.0.0/0   state NEW
5             ACCEPT  all   eth0  ppp0  0.0.0.0/0  0.0.0.0/0   state NEW
6             ACCEPT  all   eth1  eth0  0.0.0.0/0  0.0.0.0/0   state NEW
7             ACCEPT  tcp   ppp0  eth0  0.0.0.0/0  10.0.0.5/0  state NEW tcp dpt:80 flags:0x16/0x02
8             ACCEPT  tcp   ppp0  eth0  0.0.0.0/0  10.0.1.5/0  state NEW tcp dpt:80 flags:0x16/0x02

which explains why forwarding to port 80 on eth1 from 8080 isn't working -
it's going to eth0 rather than eth1.

Now if I tell narc that both the LAN and DMZ are on eth1, then the chain
looks like:

Chain number  target  prot  in    out   source     destination
4             ACCEPT  all   eth1  ppp0  0.0.0.0/0  0.0.0.0/0   state NEW
5             ACCEPT  all   eth1  ppp0  0.0.0.0/0  0.0.0.0/0   state NEW
6             ACCEPT  all   eth1  eth1  0.0.0.0/0  0.0.0.0/0   state NEW
7             ACCEPT  tcp   ppp0  eth1  0.0.0.0/0  10.0.0.5/0  state NEW tcp dpt:80 flags:0x16/0x02
8             ACCEPT  tcp   ppp0  eth1  0.0.0.0/0  10.0.1.5/0  state NEW tcp dpt:80 flags:0x16/0x02

so now forwarding to port 80 on eth1 from 8080 works, but forwarding to
port 80 on eth0 from port 80 doesn't.

Looks like a bug in narc to me. To confirm it, I look in the narc script,
and indeed I see lines looking like:

$IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -o $DMZ_INTERFACE ...

so narc only forwards to the DMZ, and not the LAN.

As a fix, I changed the $DMZ_INTERFACE to $DEST_INTERFACE (defining the
latter like the other variables, using -f12) and added a DEST_INTERFACE
parameter to narc-forward.conf. This does the trick.
-- 
Colin Paul Adams
Preston Lancashire

From narc.Andy at spiegl.de Fri Jul 4 14:31:35 2003
From: narc.Andy at spiegl.de (Andy Spiegl)
Date: Fri, 4 Jul 2003 23:31:35 +0200
Subject: [NARC] no access from the firewall to the firewall
Message-ID: <20030704213134.GA28950@radiomaranon.org.pe>

Hi there.

Just found this great tool. Thanks guys!

Maybe it's just too late already and I have spent too much time on this,
but I don't understand two things:

I've set up everything just fine so that my local network has access to
the firewall and internet while at the same time the internet only sees
ssh and https. BUT the firewall itself doesn't have access to its own
services. I just can't figure out why.

An example: (condor is the firewall, owie is behind the firewall)

condor:~>telnet condor 53
Trying 192.168.1.11...
Ctrl-C

but:

owie:~>telnet condor 53
Trying 192.168.1.11...
Connected to condor.int.spiegl.de.
Escape character is '^]'.

And even:

condor:~>telnet localhost 53
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

And the other thing is that I don't get _any_ info in /var/log/firewall.log
although I configured syslog.conf as suggested. (actually, _before_
configuring it I saw the logs in /var/log/syslog. E.g.:

Jul  4 22:02:23 condor kernel: ALL_ELSE IN=ppp0 OUT= MAC= SRC=81.98.246.46 DST=80.184.29.87 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=11484 DF
Jul  4 22:02:23 condor kernel: ALL_ELSE IN=ppp0 OUT= MAC= SRC=81.98.246.46 DST=80.184.29.87 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=11485 DF

But now nothing :-(

I'd really appreciate your help,
 Andy.

PS: I'll attach my narc.conf to the mail.

-- 
 http://peru.spiegl.de         Our project
 http://radiomaranon.org.pe    Radio Marañón, Jaén, Perú
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Windows is not an operating system; it's a GUI on a program loader.
                                                (Tom Christiansen, LUG)
-------------- next part --------------
#
# NARC - Netfilter Automatic Rules Configurator v0.6.3
# Copyright (c) 2001, Shane Chen (shane at knowplace.org). See the LICENSE file for the (BSD) license.
#
CONF_VERSION=0.6.3	# DO NOT edit this line.
EDITED="yes"		# Edit the options below and change this option to 'yes' once you're satisfied with the changes

#
# Config options
#

# Start Iptables at boot up?
START_IPTABLES="yes"
USE_COLOR="yes"		# When possible

# Path to the executables
NARC="/usr/sbin/narc"		# Location of the narc bash script - edit this if the path is incorrect
IPTABLES="/sbin/iptables"	# Make sure the path is correct!
ECHO="/bin/echo"		# Make sure the path is correct!

# Load Netfilter modules - only necessary if you compiled netfilter as modules
LOAD_MODULES="yes"

# Network parameters
EXTERNAL_INTERFACE="ppp0"	# Example: "eth0"
DYNAMIC_EXTERNAL_IP="yes"	# If this is set to "no", you'll need to enter an IP address below
EXTERNAL_INTERFACE_IP=""	# If DYNAMIC_EXTERNAL_IP is "yes", NARC will attempt to auto-obtain this

# The options immediately below control server services that you're offering to the outside world - it does not limit
# the services available to your localhost.
# Use comma separated name or numeric value from /etc/services - if port is > 1024, use numeric value instead of name
#
# Note: limited to 15 services - you shouldn't need more than 15 ports open, especially on a firewall.
ALLOW_TCP_EXT="ssh,https"	# Example "ssh,smtp,http" - note the lack of spaces
ALLOW_UDP_EXT=""		# Example "domain,ntp" - note the lack of spaces
CHECK_SYN_PACKET_LENGTH="yes"	# Do not disable unless you must use a stock kernel that does not support length checking
#
# The options immediately below here are similar to above, except that they allow you to enter port ranges (and single ports)
# using space separated numeric values. Enter as many as necessary (i.e. not limited to 15 entries).
# Unless needed, use the above instead.
ALLOW_TCP_EXT_RANGE=""		# Example "6000:6010 6660:6669 3128"
ALLOW_UDP_EXT_RANGE=""		# Example "6000:6010 6660:6669 3128"

# Note: If you simply wanted to firewall a single host, you can ~safely skip the rest of the config options below

# MASQuerading section - This is the Linux equivalent of "Internet Connection Sharing"
# Don't turn on ALWAYS_FORWARD unless you know what you're doing.
# ALWAYS_FORWARD will keep forwarding (and masq'ing) traffic even when there are no firewall rules loaded.
MASQUERADE="yes"		# Turning this on will enable IP forwarding automatically
LAN_INTERFACE="eth0"		# Example: "eth1"
ALWAYS_FORWARD="yes"		# Don't turn this on unless you want to forward traffic even when not firewalling.
PROTECT_FROM_LAN="no"		# "yes" or "no" - Protect firewall from internal network

# The options immediately below control server services that you're offering to your internal LAN - it does not limit
# the services available to your localhost.
# Use comma separated name or numeric value from /etc/services - if port is > 1024, use numeric value instead of name
#
# Note: limited to 15 services - you shouldn't need more than 15 ports open, especially on a firewall.
#ALLOW_TCP_LAN="ssh,smtp,http,https,3128,ntp,domain"	# Example "ssh,smtp,http" - note the lack of spaces
#ALLOW_UDP_LAN="domain,ntp"				# Example "domain,ntp" - note the lack of spaces
#
# The options immediately below here are similar to above, except that they allow you to enter port ranges (and single ports)
# using space separated numeric values. Enter as many as necessary (i.e. not limited to 15 entries).
# Unless needed, use the above instead.
ALLOW_TCP_LAN_RANGE=""		# Example "6000:6010 6660:6669 3128"
ALLOW_UDP_LAN_RANGE=""		# Example "6000:6010 6660:6669 3128"

# PortForwarding section - Requires masquerading and forwarding.
PORT_FORWARD="no"		# This will not have any effect unless MASQUERADE is enabled
DMZ_INTERFACE=""		# DMZ interface (technically, you can use your LAN interface as well - bad security practice)
PROTECT_FROM_DMZ=""		# "yes" or "no" - Protect firewall from DMZ network
FORWARD_LAN_TO_DMZ="no"		# Forward traffic from LAN to DMZ
FORWARD_CONF="/etc/narc/narc-forward.conf"	# Edit this file if you need to do port forwarding

# The options immediately below control server services that you're offering to your DMZ network - it does not limit
# the services available to your localhost.
# Use comma separated name or numeric value from /etc/services - if port is > 1024, use numeric value instead of name
#
# Note: limited to 15 services - you shouldn't need more than 15 ports open, especially on a firewall.
ALLOW_TCP_DMZ=""		# Example "ssh,smtp,http" - note the lack of spaces
ALLOW_UDP_DMZ=""		# Example "domain,ntp" - note the lack of spaces
#
# The options immediately below here are similar to above, except that they allow you to enter port ranges (and single ports)
# using space separated numeric values. Enter as many as necessary (i.e. not limited to 15 entries).
# Unless needed, use the above instead.
ALLOW_TCP_DMZ_RANGE=""		# Example "6000:6010 6660:6669 3128"
ALLOW_UDP_DMZ_RANGE=""		# Example "6000:6010 6660:6669 3128"

# To enable traceroute from MS Windows to your firewall, enable ANSWER_PING.
# To enable traceroute from UNIX hosts, enable ANSWER_TRACEROUTE. Use of either option is discouraged.
ANSWER_PING="yes"
PING_RATE="1/s"			# Leave this alone unless you happen to like flood pings
ANSWER_TRACEROUTE="yes"

# Auth port responds with reject instead of drop
AUTH_REJECT="yes"		# Disable this if you're running identd or using IRC

# Drop broadcasts
DROP_BROADCASTS="yes"
BROADCAST_NETWORKS="0.0.0.0/8 255.255.255.255 224.0.0.0/4"

# Logging options
LOG_DROPS="yes"			# If this is turned off, the rest of the log options have no effect.
NORM_LOG_LEVEL="debug"		# Log everything to /var/log/firewall.log ONLY if you add 'kern.=debug -/var/log/firewall.log' to /etc/syslog.conf
WARN_LOG_LEVEL="debug"		# Change to "warning" if you want more urgent logging to show up in /var/log/warn
LOG_PROBES="yes"		# Uses the TCP/UDP_PROBE# below to monitor certain ports
LOG_ILLEGAL="yes"		# Logs packets defined by ILLEGAL_TCP_FLAGS in the advanced section below.
LOG_INVALID="yes"		# Logs packets that do not belong to a valid connection
LOG_SPOOF="no"			# Logs packets defined by the anti-spoof options in the advanced section below.
LOG_ICMP="no"			# Logs packets not accepted by ALLOW_ICMP_MESSAGE (below)
LOG_PACKET_LENGTH="yes"		# Logs TCP SYN packets that have bad header length (PACKET_LENGTH)
LOG_LIMIT_EXCEED="yes"		# Logs TCP connections that exceed LIMIT_RATE
LOG_IPLIMIT_EXCEED="yes"	# Logs TCP connections that exceed IPLIMIT_MAX_ACCEPT
LOG_ALL_ELSE="yes"		# This logs everything that we didn't explicitly match (recommended)
BURST_MAX="5"			# default is 5
LOG_RATE="1/s"			# not implemented - may not be a good idea

# Probable probes - Note: Add or remove entries as necessary but do not exceed 15 ports per line!
# Use comma separated values with no spaces
# (common trojans) - see http://www.simovits.com/sve/nyhetsarkiv/1999/nyheter9902.html
TCP_PROBE="23,81,111,123,161,445,515,555,1234,1241,1243,1433,1494,2049,3306"
TCP_PROBE2="3128,3389,5631,5632,6635,8080,9055,12345,24452,27374,27573,31337,42484"
UDP_PROBE="22,161,1025,3283,5634,5882,28431,31337,31789"
UDP_PROBE2=""

#
# Advanced options below - DO NOT edit unless you know what you are doing
#

# Executes a custom script
EXECUTE_CUSTOM_SCRIPT="no"
CUSTOM_SCRIPT="/etc/narc/narc-custom.conf"

PRELOAD_IP_MODULES="ip_tables ip_conntrack ip_conntrack_ftp"
NAT_MODULES="iptable_nat ip_nat_ftp"

# Illegal TCP flag combinations
ILLEGAL_TCP_FLAGS="SYN,FIN PSH,FIN SYN,ACK,FIN SYN,FIN,PSH SYN,FIN,RST SYN,FIN,RST,PSH SYN,FIN,ACK,RST SYN,ACK,FIN,RST,PSH ALL"
FINSCAN="FIN"
XMASSCAN="URG,PSH,FIN"
NULLSCAN="NONE"

# SYN packet length (range in bytes)
PACKET_LENGTH="40:68"

# General rate limit
ENABLE_LIMIT_RATE="no"
LIMIT_RATE="30/s"
LIMIT_BURST="50"

# IP based TCP rate limit (requires the CONFIG_IP_NF_MATCH_IPLIMIT / iplimit patch)
ENABLE_IPLIMIT="no"		# You better know what you're doing - change the values below.
IPLIMIT_MAX_ACCEPT="16"		# accept only UP TO this many connections per the netmask below.
IPLIMIT_NETMASK="24"		# netmask value

# Drop "unclean" packets - packet sanity checking (EXPERIMENTAL - don't use this)
DROP_UNCLEAN_PACKETS="no"

# Allowable ICMP messages - see http://www.iana.org/assignments/icmp-parameters
# Note: will accept numeric or name value - 'iptables -p icmp -h' to list
ALLOW_ICMP_MESSAGE="echo-reply network-unreachable host-unreachable port-unreachable fragmentation-needed time-exceeded"

# Anti-spoofing options
# see http://www.sans.org/dosstep/cisco_spoof.htm and http://www.isi.edu/in-notes/rfc1918.txt
# 0.0.0.0/8		- Broadcast (old)
# 255.255.255.255(/32)	- Broadcast (all)
# 127.0.0.0/8		- Loopback
# 224.0.0.0/4		- Multicast
# 240.0.0.0/5		- Class E reserved
# 248.0.0.0/5		- Unallocated
# 192.0.2.0/24		- NET-TEST (reserved)
# 169.254.0.0/16	- LinkLocal (reserved)
# 10.0.0.0/8		- Class A (private use)
# 172.16.0.0/12		- Class B (private use)
# 192.168.0.0/16	- Class C (private use)
RESERVED_NETWORKS="127.0.0.0/8 240.0.0.0/5 248.0.0.0/5"
PRIVATE_NETWORKS=" 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Accept traffic to loopback
LOOPBACK_ACCEPT="yes"
LOOPBACK_MODE="normal"		# values are paranoid, normal, or loose.

# Self-referenced firewall DNS workaround - leave this alone; if you're having DNS problems on the firewall itself,
# but not from behind it, this should probably make sense to you. Otherwise, leave this blank.
# Use space separated dotted quad IP addresses if you need more than one.
BIND_IP=""

# Kernel options - do not change unless you're sure what you're doing
SYNCOOKIES="no"
ANTI_SMURF="yes"
ACCEPT_SOURCE_ROUTE="no"
# Ingress filtering: 1 for simple, 2 to comply with RFC1812 section 5.3.8 - see http://andrew2.andrew.cmu.edu/rfc/rfc1812.html
INGRESS_FILTER="2"
LOG_MARTIANS="yes"
# TCP congestion notification - deprecated
ENABLE_TCP_ECN="no"
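The root cause in Colin's "a fix" message above is that NARC's generated FORWARD rule always used `-o $DMZ_INTERFACE`, so a port-forward entry pointing at a LAN host produced a rule whose outbound interface could never match (his listing shows `-o eth0` for 10.0.1.5, which lives on eth1). The POSIX sh script below is an added example, not NARC's own code and not Colin's patch: it parses narc-forward.conf entries that carry the per-entry DEST_INTERFACE field he added, emits a DNAT rule plus a FORWARD rule that uses that interface, and refuses any entry whose NEW_IP is not inside the network configured on DEST_INTERFACE, which is exactly the mismatch his `iptables` listing exposed. The interface-to-network table, the sed-based field parser (NARC itself used `cut`), and the exact DNAT/FORWARD rule forms are assumptions; the sample entries are his two lines with the new field appended, plus one constructed entry that reproduces the original bug.

```shell
#!/bin/sh
# Added example (not NARC's own code): build iptables port-forwarding rules
# from narc-forward.conf entries carrying a DEST_INTERFACE field, and check
# that NEW_IP really lives on that interface's network before emitting them.

EXTERNAL_INTERFACE="ppp0"

# Constructed interface -> network table ("iface cidr" per line). On a real
# firewall this would be derived from the routing table, not hard-coded.
IFACE_NETS="eth0 10.0.0.0/24
eth1 10.0.1.0/24"

# field NAME LINE: print the value of NAME="value" from a ;-separated entry
field() {
    printf '%s\n' "$2" | tr ';' '\n' | sed -n "s/^$1=\"\([^\"]*\)\"$/\1/p"
}

# ip_to_int A.B.C.D: print the dotted quad as a 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP CIDR: succeed when IP lies inside CIDR (mask built from the prefix length)
in_net() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# iface_net IFACE: print the network configured on IFACE (empty if unknown)
iface_net() {
    printf '%s\n' "$IFACE_NETS" | awk -v i="$1" '$1 == i { print $2 }'
}

# forward_rules LINE: print the DNAT and FORWARD rules for one entry, or
# print an error and fail when NEW_IP is not reachable via DEST_INTERFACE
# (the case that produced Colin's unreachable "-o eth0" rule for a LAN host).
forward_rules() {
    proto=$(field PROTOCOL "$1")
    oip=$(field ORIG_IP "$1");  oport=$(field ORIG_PORT "$1")
    nip=$(field NEW_IP "$1");   nport=$(field NEW_PORT "$1")
    dif=$(field DEST_INTERFACE "$1")
    net=$(iface_net "$dif")
    if [ -z "$net" ] || ! in_net "$nip" "$net"; then
        echo "error: NEW_IP $nip is not on $dif (${net:-unknown network})" >&2
        return 1
    fi
    echo "iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p $proto -d $oip --dport $oport -j DNAT --to-destination $nip:$nport"
    echo "iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $dif -p $proto -d $nip --dport $nport -m state --state NEW -j ACCEPT"
}

# Constructed sample entries: Colin's two lines with DEST_INTERFACE added, and
# a third that sends a LAN host out of the DMZ interface (the original bug).
for line in \
  'PROTOCOL="tcp";ORIG_IP="80.177.30.27";ORIG_PORT="80";NEW_IP="10.0.0.5";NEW_PORT="80";DEST_INTERFACE="eth0"' \
  'PROTOCOL="tcp";ORIG_IP="80.177.30.27";ORIG_PORT="8080";NEW_IP="10.0.1.5";NEW_PORT="80";DEST_INTERFACE="eth1"' \
  'PROTOCOL="tcp";ORIG_IP="80.177.30.27";ORIG_PORT="8080";NEW_IP="10.0.1.5";NEW_PORT="80";DEST_INTERFACE="eth0"'
do
    forward_rules "$line" || echo "rejected entry: $line"
done
```

The script only prints the `iptables` commands rather than running them, so it can be used as a dry-run check against a narc-forward.conf before the rules are loaded. The consistency check is the part worth keeping: a FORWARD rule whose `-o` interface does not carry the destination network silently never matches, and the symptom (connections from outside time out while the firewall itself can reach the service) looks exactly like a routing or daemon problem until the chain is listed.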