iptables, forwards, arps, and other chaos

From: thotpoizn (jason_at_NOSPAMTHANX.killerinterviews.com)
Date: 03/29/05


Date: Tue, 29 Mar 2005 00:16:47 GMT


   OK, I'm pulling my hair out, which I have very little of so I hope
someone here can help... :)

   Basically, I have a setup like this:

[LAN]---e0-[Cisco PIX]-e1----[DMZ]
                 \e2
                  \_ [Internet]

   OK, so surprises so far... In the DMZ is a switch, with a bunch of
servers attached to it. All is well, until the day a recently
firewalled vendor decided they wanted to play too. So in the case of
this one particular server, what USED to plug right into the DMZ switch
now has an iptables firewall in its place (and on its old address) doing
forwards to the server connected via a crossover cable:

[PIX eth1: 192.168.1.1]=>[IPTABLES:192.168.1.13]x>[Server:192.168.2.13]

   Still doable, right? Let's say PIX eth0 is the LAN, on - oh,
172.16.18.1 for example.

   Now, it just so happens there is a *special* address on the LAN -
172.16.18.66 - for which we allow certain traffic from the vendor
machine, back into the LAN.

   In this brave new firewalled world, that machine and that machine
only - can still access the server in the DMZ. Other machines time out
trying to connect. We did a trace, and it turns out the connection is
making it all the way through the iptables machine, to the server, and
back - but then it stalls with the iptables machine trying to ARP for
the final destination.

   In fact, the ARP requests occur for all attempted connections to the
host on 192.168.1.13. However, for that one special host, the PIX
answers the requests - and the return connection is made.

   My reading of RFC 1180 suggests to me that this is inappropriate.
Assuming a SYN packet from the LAN is forwarded through the iptables
machine to the DMZ server, the return traffic should be passed right
back to the PIX. Shouldn't be trying to ARP at all until the packet
reaches the network the destination is on, right?

   Any insight would be appreciated...
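The routing rule the post appeals to (RFC 1180: a host ARPs for the destination only when the destination is on a directly attached subnet, otherwise it ARPs for the next-hop router) can be checked with a small longest-prefix-match simulator. The following is an added example, not code from the post or from any of the systems named in it; the addresses are the poster's, while the three routing tables are constructed to show the correct case, the missing-default-route case, and one table shape (an on-link route covering the LAN prefix) that reproduces the "ARPing for the final destination" symptom on the DMZ wire. Whether that is the cause on the poster's box is not established here.

```python
"""Longest-prefix-match routing decision for a dual-homed Linux box.

Added example for the iptables-in-the-DMZ thread. Topology from the post:
  eth0 192.168.1.13/24  (DMZ side, default gateway = PIX eth1 192.168.1.1)
  eth1 192.168.2.13/24  (crossover to the vendor server)
Routing tables below are constructed; the LAN prefix 172.16.0.0/12 is an
assumed aggregate, not something stated in the post.
"""
from ipaddress import ip_address, ip_network

# Each entry: (destination prefix, next-hop gateway or None if on-link, interface)
GOOD_ROUTES = [
    ("192.168.1.0/24", None, "eth0"),
    ("192.168.2.0/24", None, "eth1"),
    ("0.0.0.0/0", "192.168.1.1", "eth0"),   # default via the PIX DMZ interface
]

# Same table without a default route: LAN destinations are simply unreachable.
NO_DEFAULT = GOOD_ROUTES[:2]

# Constructed: an on-link (no gateway) route that covers the LAN. With such an
# entry the host believes 172.16.x.x is directly reachable on eth0 and ARPs for
# the final destination instead of for the gateway.
BAD_ROUTES = GOOD_ROUTES + [("172.16.0.0/12", None, "eth0")]


def next_hop(dst, routes):
    """Return (interface, address the host will ARP for), or None if no route.

    Longest prefix wins, as in the kernel FIB. For an on-link route the host
    ARPs for the destination itself; for a gateway route it ARPs for the gateway.
    """
    dst = ip_address(dst)
    best = None
    for prefix, gateway, iface in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gateway, iface)
    if best is None:
        return None
    _, gateway, iface = best
    arp_for = dst if gateway is None else ip_address(gateway)
    return iface, str(arp_for)


def explain(dst, routes):
    """Human-readable version of the decision, for the three constructed cases."""
    hop = next_hop(dst, routes)
    if hop is None:
        return f"{dst}: no route; kernel reports 'network unreachable', no ARP sent"
    iface, arp_for = hop
    if arp_for == dst:
        return f"{dst}: treated as on-link via {iface}; ARP request for {dst} itself"
    return f"{dst}: forwarded via {iface}; ARP request for gateway {arp_for}"


if __name__ == "__main__":
    lan_host = "172.16.18.66"   # the 'special' LAN address from the post
    for name, table in (("GOOD_ROUTES", GOOD_ROUTES),
                        ("NO_DEFAULT", NO_DEFAULT),
                        ("BAD_ROUTES", BAD_ROUTES)):
        print(f"{name:12} {explain(lan_host, table)}")
    print(f"{'GOOD_ROUTES':12} {explain('192.168.2.13', GOOD_ROUTES)}")
```

On the real box the equivalent check is `ip route get 172.16.18.66`: the output should name `via 192.168.1.1` on the DMZ interface. If it shows the address as directly reachable on that interface with no `via`, the routing table (or an interface netmask that is too wide) is what causes the ARP for the LAN host, and a reply from the PIX for one particular address would then be the only way such a packet ever gets delivered.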


