Define IPTABLES rule

1

I am working with a Linux-based UTM appliance and have some disagreement with the client on the operation. There is a standard GUI to configure port forwards in the firewall, but for some reason he thinks the following rules are required.

-s 10.91.186.0/23 -d 10.10.10.0/23 -j ACCEPT
-s 10.11.10.0/23 -d 10.10.10.0/23 -j ACCEPT
-s 192.168.10.0/23 -d 10.10.10.0/23 -j ACCEPT

Very dirty network topology, and yes, I know it's awful.

---------------------------------------------------------------------
Hosted cloud VM's
123.231.254.125 [public IP example]
192.168.10.10 [Microsoft TMG]/23
192.168.10.2  [cloud gateway]/23
10.91.186.161 [cloud edge?]/30
----------------------------------------------------------------------
10.91.186.162 [site cisco 2921 external]/30
10.91.186.1   [site cisco 2921 internal]/30
----------------------------------------------------------------------
10.91.186.2   [UTM gateway]/30 (secondary IP 10.11.10.1/23)
10.10.10.82   [UTM gateway internal]/23 (secondary IP 10.11.10.10/23)

It is the most awful, convoluted configuration, but it is what I have to work with. Hopefully that gives some more perspective. I just need to define what the IPTABLES rules above are doing.

I believe it is just opening all incoming traffic, but the subnets are wrong, as you can see from the CIDR notation at the end of the network topology. The other thing is the destination setting: traffic comes from the public IP or the TMG, not the Cisco?

My networking abilities are not as good as I would like, but I am learning, and if someone could let me know what those entries are allowing and whether they actually work, that would be so appreciated.

Here is a diagram to help; it will give a better idea of the network. Network Diagram

Robert Wilde

Posted 2013-10-11T22:42:01.497

Reputation: 11

The first 3 contain non-routable IP addresses that won't work on the internet, only internally. http://en.wikipedia.org/wiki/Private_network

– cybernard – 2013-10-12T04:48:35.317

The -s is source and the -d is destination. – cybernard – 2013-10-12T04:48:55.193

So all traffic between the specified subnets is ACCEPTed. Any drop rules for these addresses/subnets that come after these lines will never do anything. Other IP addresses can still be blocked normally. – cybernard – 2013-10-12T04:54:54.900

The rules are position sensitive, so these rules out of context may or may not function as desired. Something in line 1 could block the traffic and these rules could do nothing. Accepting the internal traffic is not a bad thing as long as they are not likely to get viruses, etc. Security experts recommend only allowing the ports necessary for the computers to function and blocking the rest. The public IP is the one that should be the most blocked. Place rules to allow the few ports you need and drop the rest of the incoming traffic. – cybernard – 2013-10-12T05:06:06.467

Added a link to a diagram so it may be a little clearer. With the network the way it is, it's hard to do. My question is, with this network layout, are these rules doing anything at all? -s or source is going to be the TMG server 192.168.10.10, as it has to port forward from the external, but the rule in there is too generic and will not forward anything, just allow it through. – Robert Wilde – 2013-10-12T06:45:41.113

The diagram link is not working. What table/chain do they want these on? – Zoredache – 2013-10-12T09:37:02.823

@RobertWilde The rules listed ONLY permit the specific IP addresses to talk to one another. Since no chain is listed, they globally allow access across ALL chains: INPUT, OUTPUT, FORWARD, etc. The actual port forwarding will require an additional iptables entry. – cybernard – 2013-10-13T03:18:40.993

No answers
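As an added worked example, not part of the original question or comments: a small Python simulation of how iptables walks a chain. It parses the -A/-s/-d/-p/--dport/-j options of rule lines, evaluates a chain first-match (the first rule that matches decides and later rules are never reached, which is the ordering point raised in the comments), and checks which addresses from the topology above fall inside each rule's source prefix. The FORWARD chain, the DROP policy, the narrow TCP/443 rule and the shadowing DROP rule are assumptions added for illustration; the post gives no chain for its three rules. This is not iptables and models only those matches; an actual port forward would additionally need a DNAT rule in the nat table's PREROUTING chain, which is not simulated here.

```python
"""Tiny first-match simulator for iptables filter rules (constructed example, not iptables).

Supports only -A CHAIN, -s NET, -d NET, -p PROTO, --dport PORT and -j TARGET.
A chain is walked top to bottom and the first matching rule decides; if nothing
matches, the chain policy applies, exactly as iptables does.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    chain: str
    src: Optional[ipaddress.IPv4Network]
    dst: Optional[ipaddress.IPv4Network]
    proto: Optional[str]
    dport: Optional[int]
    target: str


def parse_rule(line: str) -> Rule:
    """Parse e.g. '-A FORWARD -s 10.0.0.0/24 -d 10.1.0.0/24 -p tcp --dport 443 -j ACCEPT'."""
    toks = line.split()
    opts = {}
    i = 0
    while i < len(toks):
        if toks[i] in ("-A", "-s", "-d", "-p", "-j", "--dport") and i + 1 < len(toks):
            opts[toks[i]] = toks[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported or incomplete token {toks[i]!r}")
    if "-A" not in opts or "-j" not in opts:
        # A bare '-s ... -d ... -j ACCEPT' is not a complete rule: iptables needs a chain.
        raise ValueError("rule needs an explicit chain (-A) and target (-j)")

    def net(key: str) -> Optional[ipaddress.IPv4Network]:
        return ipaddress.ip_network(opts[key], strict=False) if key in opts else None

    dport = int(opts["--dport"]) if "--dport" in opts else None
    return Rule(opts["-A"], net("-s"), net("-d"), opts.get("-p"), dport, opts["-j"])


def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    """Every option present on the rule must match; absent options match anything."""
    if rule.src is not None and ipaddress.ip_address(src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(dst) not in rule.dst:
        return False
    if rule.proto is not None and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def evaluate(rules: List[Rule], chain: str, src: str, dst: str,
             proto: str = "tcp", dport: int = 0, policy: str = "DROP") -> str:
    """Walk one chain first-match; return the winning target or the chain policy."""
    for rule in rules:
        if rule.chain == chain and matches(rule, src, dst, proto, dport):
            return rule.target
    return policy


def covered_hosts(rule: Rule, hosts: List[str]) -> List[str]:
    """Which of the given addresses fall inside the rule's source prefix."""
    return [h for h in hosts if rule.src is not None and ipaddress.ip_address(h) in rule.src]


# Constructed: the three rules from the question, placed on the FORWARD chain (assumed;
# the post names no chain), which is where transit traffic through a gateway is filtered.
BROAD_RULES = [parse_rule(l) for l in [
    "-A FORWARD -s 10.91.186.0/23 -d 10.10.10.0/23 -j ACCEPT",
    "-A FORWARD -s 10.11.10.0/23 -d 10.10.10.0/23 -j ACCEPT",
    "-A FORWARD -s 192.168.10.0/23 -d 10.10.10.0/23 -j ACCEPT",
]]

# Constructed: a DROP inserted in front shadows the first ACCEPT for that /24.
SHADOWED_RULES = [parse_rule("-A FORWARD -s 10.91.186.0/24 -j DROP")] + BROAD_RULES

# Constructed: a narrow alternative, one host to one host on one port; all else hits the policy.
NARROW_RULES = [parse_rule(
    "-A FORWARD -s 192.168.10.10/32 -d 10.10.10.82/32 -p tcp --dport 443 -j ACCEPT")]

# Addresses taken from the topology in the question.
TOPOLOGY = ["123.231.254.125", "192.168.10.10", "192.168.10.2", "10.91.186.161",
            "10.91.186.162", "10.91.186.1", "10.91.186.2", "10.10.10.82",
            "10.11.10.1", "10.11.10.10"]

if __name__ == "__main__":
    for r in BROAD_RULES:
        print(f"{r.src} covers: {covered_hosts(r, TOPOLOGY)}")
    print("Cisco external -> UTM internal:", evaluate(BROAD_RULES, "FORWARD", "10.91.186.162", "10.10.10.82"))
    print("Public IP -> UTM internal:     ", evaluate(BROAD_RULES, "FORWARD", "123.231.254.125", "10.10.10.82"))
    print("Reverse direction:             ", evaluate(BROAD_RULES, "FORWARD", "10.10.10.82", "192.168.10.10"))
    print("Same packet, DROP in front:    ", evaluate(SHADOWED_RULES, "FORWARD", "10.91.186.162", "10.10.10.82"))
```

Two things the run makes visible that the bare rule lines do not: the rules are one-directional (the reverse direction falls through to the policy), so a real FORWARD chain needs a conntrack ESTABLISHED,RELATED rule for replies; and the /23 source prefixes contain every 10.91.186.x and 192.168.10.x address in the topology, so the rules are broad rather than mismatched, which is the opposite of the tight per-host, per-port rule the comments recommend.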