I'm using iptables v1.2.6a (RPM from Red Hat) in a firewall that has 5 external IPs and lots of machines in the internal network. iptables should port forward services based on external IP/port to some internal machines and port. Everything is working fine, but I've seen entries in my internal servers' logs to 192.168.1.254, and my internal network is 192.168.0.254. Ping shows that 192.168.1.254 does not exist. So I'm thinking that maybe my firewall script has a hole, and someone discovered it. My external interface is eth0 (200.200.200.111~115 on eth0:1~eth0:5) and the internal one is eth1 (192.168.0.254). Can someone point me to where I'm doing something very wrong here?

Thanks a lot,
Thiago Lima.

Here goes my fw script.

-- fw.sh
#!/bin/sh
echo -n "Starting firewall .."

# enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
echo -n .

# clear all tables
/sbin/iptables -t nat -F
/sbin/iptables -F
echo -n .

# eth0 is the external interface: block packets addressed to the internal net
/sbin/iptables -A INPUT -d 192.168.0.0/24 -i eth0 -j DROP
echo -n .

# install SNAT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 200.200.200.110
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to 200.200.200.110
echo -n .

# port forwarding
# http goes to server #1
/sbin/iptables -A PREROUTING -t nat -p tcp -d 200.200.200.111 --dport 80 -j DNAT --to 192.168.0.1:80
/sbin/iptables -A PREROUTING -t nat -p tcp -d 200.200.200.111 --dport 443 -j DNAT --to 192.168.0.1:443
echo -n .

## pop goes to server #2
/sbin/iptables -A PREROUTING -t nat -p tcp -d 200.200.200.112 --dport 110 -j DNAT --to 192.168.0.4:110
echo -n .

# DNS goes to server #3
/sbin/iptables -A PREROUTING -t nat -p tcp -d 200.200.200.114 --dport 53 -j DNAT --to 192.168.0.6
/sbin/iptables -A PREROUTING -t nat -p udp -d 200.200.200.114 --dport 53 -j DNAT --to 192.168.0.6
echo -n .

# enables access from the internal net to the external virtual servers
/sbin/iptables -A POSTROUTING -t nat -d 192.168.0.0/24 -s 192.168.0.0/24 -j SNAT --to 192.168.1.254
--cut
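A sanity check a reader of this thread could run over the NAT rules in the script above. It is added here and is not part of the original post: it parses each iptables command, flags SNAT or DNAT addresses that the firewall does not own (using the addresses the post lists, plus the assumption that 200.200.200.110 is eth0's primary address), and flags hairpin rules that rewrite LAN-to-LAN traffic, since the servers behind such a rule log the rewritten source as the client.

```python
import ipaddress
import shlex

# Addresses the firewall holds, taken from the post. Assumption: the eth0
# primary address is 200.200.200.110 (the SNAT source); the post lists .111-.115.
FIREWALL_ADDRS = {ipaddress.ip_address(a) for a in [
    "200.200.200.110", "200.200.200.111", "200.200.200.112", "200.200.200.113",
    "200.200.200.114", "200.200.200.115", "192.168.0.254"]}
LAN = ipaddress.ip_network("192.168.0.0/24")
VALUE_FLAGS = {"-t", "-A", "-p", "-s", "-d", "-i", "-o", "-j", "--dport",
               "--to", "--to-source", "--to-destination"}

# Constructed sample: the NAT rules from the post, without the echo/flush lines.
FW_SCRIPT = """
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 200.200.200.110
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to 200.200.200.110
/sbin/iptables -A PREROUTING -t nat -p tcp -d 200.200.200.111 --dport 80 -j DNAT --to 192.168.0.1:80
/sbin/iptables -A PREROUTING -t nat -p tcp -d 200.200.200.112 --dport 110 -j DNAT --to 192.168.0.4:110
/sbin/iptables -A PREROUTING -t nat -p udp -d 200.200.200.114 --dport 53 -j DNAT --to 192.168.0.6
/sbin/iptables -A POSTROUTING -t nat -d 192.168.0.0/24 -s 192.168.0.0/24 -j SNAT --to 192.168.1.254
"""

def parse_rule(line):
    """Return the value-taking options of one iptables command, or None for other lines."""
    toks = shlex.split(line)
    if not toks or not toks[0].endswith("iptables"):
        return None
    return {t: toks[i + 1] for i, t in enumerate(toks) if t in VALUE_FLAGS and i + 1 < len(toks)}

def lint(script):
    """List NAT rules whose addresses do not fit the firewall described in the post."""
    findings = []
    for line in script.splitlines():
        r = parse_rule(line)
        if not r or r.get("-j") not in ("SNAT", "DNAT"):
            continue
        target = r.get("--to") or r.get("--to-source") or r.get("--to-destination") or ""
        addr = ipaddress.ip_address(target.split(":")[0])  # drop an optional :port
        src = ipaddress.ip_network(r["-s"], strict=False) if "-s" in r else None
        dst = ipaddress.ip_network(r["-d"], strict=False) if "-d" in r else None
        if r["-j"] == "SNAT" and addr not in FIREWALL_ADDRS:
            # Hosts receiving this traffic log the rewritten address as the client.
            findings.append(f"SNAT to {addr} is not an address this firewall owns")
        if r["-j"] == "DNAT" and dst and not any(a in dst for a in FIREWALL_ADDRS):
            findings.append(f"DNAT matches on {dst}, which this firewall does not own")
        if src == LAN and dst == LAN:
            findings.append(f"hairpin {r['-j']} to {addr}: LAN servers see {addr} as the client")
    return findings
```

Against the post's rules it reports only the last POSTROUTING rule, twice: once for the unowned SNAT address and once as a hairpin rule.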