Hi Robert,

A strategy that might work is to get the NAT and routing working first, then lock everything down.

Assuming:

Your external IP range is: 1.2.3.*
Your internal IP range is: 10.*.*.*
Your DMZ IP range is: 192.168.1.*

And your interface addresses are:

eth0: 1.2.3.1
eth1: 10.1.1.1
eth2: 192.168.1.1

I would try the following.

--- Begin ---
#!/bin/sh

# Disable the filter till we get things working
iptables -t filter -F
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t filter -P OUTPUT ACCEPT

# NAT Policy - do nothing
iptables -t nat -F
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

# Bi-directional nat (in then out) for one host in DMZ
# Inbound: anything arriving on eth0 for the public address is rewritten
# to the DMZ host before routing, so it gets forwarded out eth2.
iptables -t nat -A PREROUTING -i eth0 -d 1.2.3.4 -j DNAT --to-destination 192.168.1.4
# Outbound: replies and connections from that host leave with its public address.
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.4 -j SNAT --to-source 1.2.3.4

# All remaining outbound traffic will be nat'ed to the firewall address.
# This is a catch all rule hence it must come after the host specific nats.
# It only matches packets leaving via eth0, so LAN-to-DMZ traffic (which
# leaves via eth2) is not translated.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.1

# Make sure forwarding is on
echo 1 > /proc/sys/net/ipv4/ip_forward
--- End ---

Assuming that works, all you have to do is change the INPUT and FORWARD filter policies to DROP (at your option you can also change the OUTPUT filter). Then add the rules for the services you want to allow.

If you want to use a GUI to create your rules, you may want to take out any NAT information from the GUI and just use it to build your filter rules. iptables has a very clean design, so you should be able to lock down your system without having to touch any of your NAT rules.
If this doesn't work, either I have made a mistake or there is a problem with your routing:

All of your internal hosts should have their default gateway set to 10.1.1.1
All of your DMZ hosts should have their default gateway set to 192.168.1.1

Hence if things aren't working it's probably a problem with your upstream router not sending the packets to your firewall correctly.

I hope this gets you started,
David

From Robert Cole <robert.cole@xxxxxxxxxxxxxxxxx> on 20 May 2003:
> Like David T I'm a bit frustrated myself. :)
>
> The flexibility of iptables has got me pulling my hair out. Here's what I
> would like to do:
>
> I have a server that has 3 real interfaces (no aliases). eth0 is the
> public, eth1 is the private and eth2 is the DMZ interface. All the books
> and docs I've seen so far work with only two interfaces and trying to
> adapt those scripts is giving me a headache.
>
> I want to allow all private traffic out to the internet through PAT (port
> address translation). But when going from the LAN to the DMZ I want no
> nat or pat going on, only when leaving to the internet.
>
> Next I would like a strict rule that allows another public IP to be 1 to
> 1 nat'd from the public interface to a server out the DMZ interface.
>
> I've got the New Riders second edition of the Linux Firewalls book and
> tons of howtos and yet I'm having trouble putting together this simple
> firewall.
>
> I'm currently using narc to setup the firewall and it appears to work to
> get basic internet bound traffic from the LAN and I can get to the DMZ
> from the LAN without translation so I'm close here but getting the 1 to 1
> NAT working is causing me grief.
>
> Any ideas?
>
> Thanks,
> Robert
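Added example, not part of David's or Robert's messages: the "lock down" step David describes (flip INPUT and FORWARD to DROP, then add rules for the allowed services) written out for the same eth0/eth1/eth2 layout, so the NAT script above can stay untouched. Interface names and the 1.2.3.1 / 192.168.1.4 addresses follow David's assumptions; the LAN network 10.0.0.0/8, the DMZ network 192.168.1.0/24, TCP/80 as the only published DMZ service and SSH-from-LAN as the only service on the firewall itself are my assumptions. Setting IPT=echo prints the rules instead of loading them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not code from the original post). Stateful default-deny filter
# for a three-legged firewall: eth0 public, eth1 LAN, eth2 DMZ.
# Assumed values: LAN_NET, DMZ_NET, DMZ_HOST/port 80, SSH from the LAN.
# Run as "./lockdown.sh apply" to load, or "./lockdown.sh dry-run" to print.
IPT="${IPT:-iptables}"          # set IPT=echo for a dry run

EXT_IF=eth0
LAN_IF=eth1;  LAN_NET=10.0.0.0/8          # assumption: whole 10/8 is the LAN
DMZ_IF=eth2;  DMZ_NET=192.168.1.0/24      # assumption: whole /24 is the DMZ
DMZ_HOST=192.168.1.4                      # the 1:1 NAT'ed host from David's script

filter_reset() {
    # Clean filter table; deny traffic to and through the firewall by default,
    # leave the firewall's own outbound traffic open (David's "at your option").
    $IPT -t filter -F
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT
}

antispoof() {
    # Packets arriving on the public interface must never carry LAN or DMZ
    # source addresses; drop them before any ACCEPT rule can match.
    for chain in INPUT FORWARD; do
        $IPT -t filter -A "$chain" -i "$EXT_IF" -s "$LAN_NET" -j DROP
        $IPT -t filter -A "$chain" -i "$EXT_IF" -s "$DMZ_NET" -j DROP
    done
}

input_rules() {
    # Traffic to the firewall itself: loopback, replies to its own connections,
    # and SSH administration from the LAN only.
    $IPT -t filter -A INPUT -i lo -j ACCEPT
    $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A INPUT -m state --state INVALID -j DROP
    $IPT -t filter -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
}

forward_rules() {
    # Traffic through the firewall. Replies to accepted connections first.
    $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A FORWARD -m state --state INVALID -j DROP
    # LAN may open connections anywhere: to the internet (SNAT'ed by the
    # catch-all nat rule) and to the DMZ (untranslated, it leaves via eth2).
    $IPT -t filter -A FORWARD -i "$LAN_IF" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT
    # DMZ may open connections to the internet only; DMZ -> LAN stays at the
    # DROP policy, which is the point of having a DMZ.
    $IPT -t filter -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$DMZ_NET" \
        -m state --state NEW -j ACCEPT
    # Published service on the 1:1 host. FORWARD runs after PREROUTING DNAT,
    # so match the DMZ address here, not the public 1.2.3.4.
    $IPT -t filter -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_HOST" \
        -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

lockdown() {
    filter_reset
    antispoof
    input_rules
    forward_rules
}

case "${1:-}" in
    apply)   lockdown ;;
    dry-run) IPT=echo; lockdown ;;
esac
```

Two points worth checking before flipping the policies: the FORWARD rule for the published service must use the post-DNAT address (192.168.1.4), because the nat PREROUTING chain has already rewritten the destination by the time the filter FORWARD chain sees the packet; and the firewall must actually receive packets for 1.2.3.4 on eth0, which means either it answers ARP for that address (an alias on eth0) or the upstream router has a route for it pointing at 1.2.3.1, which is the "upstream router" problem David mentions.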