Centos – iptables: Allowing only established outgoing connections like DMZ

Tags: centos, dmz, freeipa, iptables, routing

I want to simulate a DMZ-like scenario where server1 (inside the DMZ, 10.1.1.0) should be able to respond to any incoming connection but can't make a new outgoing connection on its own.

I would appreciate it if someone could provide a working example.

Example:

I am doing a simple test. I am accessing the webpage hosted at 10.1.1.10 from 10.2.2.10. So if this rule were to allow all incoming and only related/established outgoing, I should be able to open the webpage and do all my stuff on it. But with this rule I am not able to access the webpage. If I do nc -v 80 from 10.2.2.10 (server2), I get a success and can also see the incoming packets in tshark.

I tried an iptables rule, but it does not work the way I expect:

*filter
-A INPUT  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW -j DROP
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT

iptables -L -nv output:

iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1375  142K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    8   480 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW reject-with icmp-port-unreachable 
 1185 1346K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 

PS:

I am running CentOS 6.4.

Best Answer

A fairly generic answer (I'm sure there are better ones elsewhere on serverfault if you search) is: if iptables isn't working as you expect, you should:

  • add logging rules at appropriate points and watch the log as you generate the traffic
  • watch the counters on your rules with iptables -L -n -v as you generate the traffic
  • and (my favourite) use an iptables preprocessor like Shorewall to do the heavy lifting of creating the rules for you
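Putting the first two bullets together, here is an added example (not the answer author's code) of a DMZ-host ruleset in iptables-restore format with a rate-limited LOG rule placed directly in front of the NEW-outbound DROP, plus a small awk helper that reads `iptables -L -nv` output and lists only the rules whose packet counters actually moved. The explicit loopback rules, the DROP policies and the "DMZ-OUT-NEW: " log prefix are my assumptions, not something the question or answer specifies; the counter sample at the bottom is constructed from the output posted in the question.

```shell
#!/bin/sh
# Added example: emit a DMZ-host ruleset with a LOG rule before the NEW-outbound
# DROP, and summarise `iptables -L -nv` counters to see which rules fired.
# Nothing here touches a live firewall; the rules are only printed.

# Print the rules in iptables-restore format. The LOG rule sits right before
# the DROP so every new outbound attempt the host makes is recorded in the
# kernel log with the (assumed) prefix "DMZ-OUT-NEW: ", rate-limited to 5/min.
dmz_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "DMZ-OUT-NEW: "
-A OUTPUT -m state --state NEW -j DROP
COMMIT
EOF
}

# Read `iptables -L -nv` output on stdin and print "chain target pkts" for
# every rule whose packet counter is non-zero (counts like "12K" are accepted),
# so a rule that fired when you did not expect it to stands out immediately.
fired_rules() {
  awk '
    /^Chain/ { chain = $2; next }
    $1 ~ /^[0-9]+[KMG]?$/ && $1 + 0 > 0 { print chain, $3, $1 }
  '
}

# Constructed sample: an excerpt of the counter output posted in the question.
sample_counters() {
cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1375  142K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   480 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW reject-with icmp-port-unreachable
 1185 1346K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
EOF
}

sample_counters | fired_rules   # prints: OUTPUT REJECT 8 (among others)
```

On a live host you would run `iptables -L -nv | fired_rules` while generating the test traffic, and `dmz_rules | iptables-restore` to load the ruleset; the `REJECT` counter in the sample is exactly what the second bullet tells you to watch for.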