I want to setup a mail server in a DMZ.

Gaétan Martineau
      05-16-2004, 06:04 PM
Hi people,

Our network is configured as a) below and:

- has been connected non-stop to the net for a full year now
- tripwire is installed, runs daily, results are sent to my mail daily
- chkrootkit: same
- we did not yet encounter any strange behavior or any intrusion. But
again, I offer little access. Only port 80 has been opened for the last
5 months as a test (rest is stealth) and I did not see any intrusion
yet. I plan to offer web pages on the gw soon. I think the system is
pretty secure.

But my main plan (in the next few months, after some study... no hurry) is
plan b), as below, in which a DMZ is set up (old cheap Pentium box not
bought yet, with RH9) on which would run:

1) - postfix
2) - squirrel mail
3) - an anti-spam
4) - an anti-virus

2 questions:--------------------------------------------------------

A) One would need a third NIC card on the default gw, right? (as eth2,
since eth0 is ADSL, eth1 is internal) If so, is an IP as 192.168.1.1 ok
for that card? I would need to set up a routing table on the gw. What
should it look like?

B) How can I redirect data from the net (mails, webmail requests) from
the gw to the mail server? I have to change the iptables script, correct?
Anything else?

Thanks for any ideas, suggestions.

Gaetan



Plan a)-----------------------------------------------------------
                   Internet
                      /
                     /-/
              +------/------+
              | default gw  |
              | 192.168.0.3 |
              +------+------+
                     |
        -------+-----+---------+------
               |               |
        +------+------+ +------+------+
        |   node 1    | |   node 2    |
        | 192.168.0.5 | | 192.168.0.6 |
        +-------------+ +-------------+



Plan b)------------------------------------------------------------
                   Internet
                      /
                     /-/                DMZ ???
              +------/------+       +-------------+
              | default gw  |       | mail server |
              | 192.168.0.3 |-------| 192.168.1.2 |
              +------+------+       +-------------+
                     |
        -------+-----+---------+------
               |               |
        +------+------+ +------+------+
        |   node 1    | |   node 2    |
        | 192.168.0.5 | | 192.168.0.6 |
        +-------------+ +-------------+


Iptables script: (as of now, on the gw in plan a)-------------
#!/bin/sh
INSMOD=/sbin/insmod
IPTABLES=/sbin/iptables
dev_extern="ppp0"          # ADSL link to the Internet
dev_intern="eth1"          # LAN side
addr_int=192.168.0.3
net_int=192.168.0.0/24
# Load the netfilter modules (connection tracking + NAT)
$INSMOD ip_tables
$INSMOD ip_conntrack
$INSMOD ip_conntrack_ftp
$INSMOD ipt_state
$INSMOD iptable_nat
$INSMOD ipt_MASQUERADE
# Empty the filter and nat tables and drop user chains, so the script
# can be re-run (otherwise "-N BLOCK" fails the second time)
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
# BLOCK: accept replies to existing connections, any new connection not
# arriving on the ADSL link, and TCP port 80 from anywhere; drop the rest
# (the "-i !" form is the old negation syntax; newer iptables writes "! -i")
$IPTABLES -N BLOCK
$IPTABLES -A BLOCK -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A BLOCK -m state --state NEW -i ! $dev_extern -j ACCEPT
$IPTABLES -A BLOCK -p tcp --dport 80 -j ACCEPT
$IPTABLES -A BLOCK -j DROP
# Both packets for the gw itself and forwarded packets go through BLOCK
$IPTABLES -A INPUT -j BLOCK
$IPTABLES -A FORWARD -j BLOCK
# Masquerade LAN traffic leaving on the ADSL link
$IPTABLES -A POSTROUTING -t nat -o $dev_extern -j MASQUERADE -s $net_int
echo 1 > /proc/sys/net/ipv4/ip_forward

Ken
      05-16-2004, 10:29 PM
Hi Gaétan -

On Sun, 16 May 2004 14:04:53 -0400, Gaétan Martineau
<(E-Mail Removed)> wrote:

>A) One would need a third NIC card on the default gw, right? (as eth2,
>since eth0 is ADSL, eth1 is internal) If so, is an IP as 192.168.1.1 ok
>for that card? I would need to set up a routing table on the gw. What
>should it look like?


Yes, you will need a third NIC for the DMZ on the gateway. You need
to make sure your LAN and DMZ are different subnets. If your LAN is
192.168.0.0/24 (GW IP probably 192.168.0.1), then 192.168.1.0/24 with
the GW IP of 192.168.1.1 is fine.

Starting the interface should create the route needed for that card,
since it will only be handling DMZ traffic.

>B) How can I redirect data from the net (mails, webmail requests, from
>the gw to the mail server) I have to change the iptable script, correct?
>Anything else?


You will need PREROUTING rules in the nat table to DNAT to the DMZ
address of the server(s).

You will need FORWARD rules in the filter table to ACCEPT that
traffic. Two rules per forwarded port, one with that port as the
destination port to ACCEPT the packets going into the DMZ, one with
that port as the source port to ACCEPT the packets coming out of the
DMZ.

>I plan to offer web pages on the gw soon. I think the system is
>pretty secure.


Once your DMZ is in place, I recommend that you move the webserver in
there. IMO a gateway firewall/router should do only that. The only
time my firewall/router box has a webserver running is when I have the
webserver in the DMZ down for more than just a few minutes (which is
about never). In that case the firewall/router just serves up a page
saying that the website is down, try again later.

--
Ken
http://www.ke9nr.net/
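A concrete version of the PREROUTING/FORWARD rules Ken describes, as an added example that is not code from Ken or Gaétan. Assumed, not stated in the thread: the DMZ NIC on the gateway is eth2, the mail server is 192.168.1.2, and the external link is ppp0 as in the posted script; the rules match the link by interface rather than by address, which is the single-IP case Ken mentions in his later reply.

```shell
#!/bin/sh
# Added example for this thread, not any poster's code. Assumed (not in the
# thread): DMZ NIC eth2 on the gateway, mail server 192.168.1.2, external
# link ppp0 as in Gaetan's script. Run as-is it only prints the rules;
# run with APPLY=1 as root to load them.
IPTABLES=/sbin/iptables
dev_extern="ppp0"
dev_dmz="eth2"
dmz_host="192.168.1.2"
net_dmz="192.168.1.0/24"
net_int="192.168.0.0/24"

# Print the rule in dry-run mode, otherwise hand it to iptables.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then "$IPTABLES" "$@"; else printf 'iptables %s\n' "$*"; fi
}

# Forward one TCP port from the Internet to the DMZ host: DNAT in nat/PREROUTING,
# then Ken's two FORWARD rules (inbound matched by destination port, replies by
# source port). The link is matched by interface, not address, because the
# ADSL/PPP address can change; this is the single-IP case of Ken's later reply.
forward_port() {
    ipt -t nat -A PREROUTING -i "$dev_extern" -p tcp --dport "$1" -j DNAT --to-destination "$dmz_host"
    ipt -A FORWARD -i "$dev_extern" -o "$dev_dmz" -p tcp -d "$dmz_host" --dport "$1" -j ACCEPT
    ipt -A FORWARD -i "$dev_dmz" -o "$dev_extern" -p tcp -s "$dmz_host" --sport "$1" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# What makes it a DMZ: the mail server may send mail out (masqueraded like the
# LAN) but may not open new connections into the LAN. These must sit before the
# existing "-A FORWARD -j BLOCK", since BLOCK accepts NEW from any non-ppp0
# interface, eth2 included.
dmz_isolation() {
    ipt -A FORWARD -i "$dev_dmz" -d "$net_int" -m state --state NEW -j DROP
    ipt -A FORWARD -i "$dev_dmz" -o "$dev_extern" -s "$net_dmz" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$dev_extern" -s "$net_dmz" -j MASQUERADE
}

apply_dmz_rules() {
    forward_port 25    # SMTP into postfix
    forward_port 80    # webmail (squirrelmail)
    dmz_isolation
}

apply_dmz_rules
```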
Gaétan Martineau
      05-17-2004, 11:34 AM
Hi Ken,

Many thanks. I filed your message for more study, also did some research
and found:

http://www.linuxguruz.com/iptables/s...Z.firewall.txt

where one can read: (which baffles me a bit)

INET_IP="194.236.50.152"
INET_IFACE="eth0"

HTTP_IP="194.236.50.153"
DNS_IP="194.236.50.154"

1) So I assume the writer has "194.236.50.152" assigned to him by his
ISP. Fine so far, as for me the case is similar. What I am not sure about
are 194.236.50.153 and 194.236.50.154 as HTTP and DNS (port 80 and 53).
(Used further in the script for PREROUTING, FORWARDING, I think.) Do
these IPs have to do with the ISP (you pay for it) or can one just decide
for himself? (???) I would have thought that one has ONE entry/exit
point to the net, being (in this case) 194.236.50.152. (I admit I must
further RTFM on iptables and experiment, as I did with the gw.)

2) I agree about moving the webserver to the DMZ. Setting up this DMZ
seems promising and maybe easier than what I thought at first, thanks,
partly, to your help. So I may set up this DMZ even before serving the
pages on the gw.

Gaétan
Patrick Cohan
      05-17-2004, 09:50 PM
Leave the DMZ closed, save the grief and just buy a NAT router that allows
specific port forwarding (UPnP) to be directed to specific machines...
Linksys being one that I recommend. Linksys has also gone open GPL with the
source... see http://www.linksys.com for details. The NAT router becomes the
gateway device etc.

Ken
      05-18-2004, 02:38 AM
Hi Gaétan -

On Mon, 17 May 2004 07:34:55 -0400, Gaétan Martineau
<gmarti@mediomPAS_DE_SPAM.qc.ca> wrote:

>INET_IP="194.236.50.152"
>INET_IFACE="eth0"
>
>HTTP_IP="194.236.50.153"
>DNS_IP="194.236.50.154"
>
>1) So I assume the writer has "194.236.50.152" assigned to him by his
>ISP. Fine so far as for me the case is similar. What I am not sure are
>194.236.50.153 and 194.236.50.154 as HTTP and DNS (port 80 and 53).
>(Used further in the script for PREROUTING, FORWARDING, I think) Does
>these IP have to do with the ISP (you pay for it) or one can just decide
>for himself? (???) I would have thought that one has ONE entry/exit
>point to the net being (in this case) 194.236.50.152. (I admit I must
>further RTFM on iptables and experiment, as I did with the gw).


It sure looks to me like the example is based on three separate IP
addresses from the ISP. You can plug the same value into all three
variables.

Personally I didn't work from a template like that; I put together my
own script, so it is fine-tuned for the way I do things and I know
exactly why each part is there and what it is doing.

--
Ken
http://www.ke9nr.net/
Gaétan Martineau
      05-18-2004, 10:33 AM
Patrick Cohan wrote:
> Leave the DMZ closed, save the grief and just buy a NAT router that allows
> specific port forwarding (UPnP) to be directed to specific machines...
> Linksys being one that I recommend. Linksys has also gone open GPL with the
> source... see http://www.linksys.com for details. The NAT router becomes the
> gateway device etc.


Interesting option, since what is the firewall/router now would become
the "specific machine", set up with postfix and squirrelmail.

But I am used to receiving a daily mail about activity on my router now
(tripwire report, chkrootkit report, log..) so that I can check activity
(maybe I should review my way of doing things). With a router as you suggest,
you can't, right? You must "trust" the router and check the machines
behind it?

Thanks for any answer.
Gaetan
