On Wed, 2003-05-21 at 08:42, Robert Cole wrote:
> Like David T I'm a bit frustrated myself. :)

Ok, let's see.

> The flexibility of iptables has got me pulling my hair out. Here's what I would
> like to do:
>
> I have a server that has 3 real interfaces (no aliases). eth0 is the public,
> eth1 is the private and eth2 is the DMZ interface. All the books and docs
> I've seen so far work with only two interfaces and trying to adapt those
> scripts is giving me a headache.
>
> I want to allow all private traffic out to the internet through PAT (port
> address translation). But when going from the LAN to the DMZ I want no nat or
> pat going on, only when leaving to the internet.

Ok.

DMZ_DEV=eth2
PRV_DEV=eth1
PUB_DEV=eth0
# making up the network, replace as needed.
PRV_NET=192.168.0.0/24
DMZ_NET=192.168.1.0/24

# NAT rules
# Masquerade only what leaves on the public interface; LAN -> DMZ is untouched
iptables -t nat -A POSTROUTING -s $PRV_NET -o $PUB_DEV -j MASQUERADE

> Next I would like a strict rule that allows another public IP to be 1 to 1
> nat'd from the public interface to a server out the DMZ interface.

PUB_IP=128.176.0.12
DMZ_IP=192.168.1.15
# Inbound half: rewrite the destination before routing. DNAT belongs in
# PREROUTING (POSTROUTING cannot match -i and does not accept DNAT).
iptables -t nat -A PREROUTING -i $PUB_DEV -d $PUB_IP -j DNAT --to-destination $DMZ_IP
# Outbound half of the 1:1 mapping: the DMZ host leaves with its public address
iptables -t nat -A POSTROUTING -s $DMZ_IP -o $PUB_DEV -j SNAT --to-source $PUB_IP

So far we have set up the NAT rules, now the filtering.

# Allow all established connections
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow traffic from the private network to the DMZ
iptables -A FORWARD -i $PRV_DEV -o $DMZ_DEV -s $PRV_NET -d $DMZ_NET -m state --state NEW -j ACCEPT
# Allow traffic from the private network to the internet
iptables -A FORWARD -i $PRV_DEV -o $PUB_DEV -s $PRV_NET -d 0/0 -m state --state NEW -j ACCEPT
# Allow traffic from the outside to the one machine on the DMZ
# (the packet was already DNATed in PREROUTING, so the filter sees $DMZ_IP as destination)
iptables -A FORWARD -i $PUB_DEV -o $DMZ_DEV -s 0/0 -d $DMZ_IP -m state --state NEW -j ACCEPT
# Close everything else (you might want to move these rules to the beginning)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Be aware that you cannot access the firewall anymore and the firewall cannot access any other machine.

# Turn on forwarding
sysctl -w net.ipv4.ip_forward=1

> Any ideas?

This should get you going. Email again if you've got problems.

Cheers,

Ralf

-- 
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server
http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
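The same three-interface design written as one iptables-restore file, added here as an example; it is not Ralf's script or anything from the original thread. It assumes the interface names from the question, made-up addresses for the networks and the public/DMZ host pair, an ADMIN_NET (assumed equal to the private network) from which SSH to the firewall itself is allowed, and an iptables-restore that supports the -t/--test option for a syntax check without touching the live tables. Loading the whole set in one go avoids the window the piecemeal script has where the DROP policies are in place before the ACCEPT rules, and the INPUT/OUTPUT rules keep the firewall reachable instead of locking you out of it.

```shell
#!/bin/sh
# Added example (not part of the original mail): emit a complete ruleset
# for a public/private/DMZ firewall in iptables-restore format.
# All names and addresses are constructed placeholders; replace as needed.

PUB_DEV=eth0
PRV_DEV=eth1
DMZ_DEV=eth2
PRV_NET=192.168.0.0/24
DMZ_NET=192.168.1.0/24
PUB_IP=128.176.0.12      # second public address, mapped 1:1 to the DMZ host
DMZ_IP=192.168.1.15
ADMIN_NET=$PRV_NET       # assumption: SSH to the firewall only from the LAN

# nat table: masquerade only on the way out to the internet, plus both
# halves of the 1:1 mapping. LAN -> DMZ never hits a NAT rule because
# every rule is tied to -o $PUB_DEV.
gen_nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# inbound half of the 1:1 mapping: DNAT belongs in PREROUTING
-A PREROUTING -i $PUB_DEV -d $PUB_IP -j DNAT --to-destination $DMZ_IP
# outbound half: connections from the DMZ host leave as $PUB_IP
-A POSTROUTING -o $PUB_DEV -s $DMZ_IP -j SNAT --to-source $PUB_IP
# everything else from the LAN is masqueraded, only when leaving on $PUB_DEV
-A POSTROUTING -o $PUB_DEV -s $PRV_NET -j MASQUERADE
COMMIT
EOF
}

# filter table: default DROP everywhere, but keep the firewall itself
# administrable (loopback, replies, SSH from ADMIN_NET) so the policies
# do not lock you out.
gen_filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# traffic to/from the firewall host itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $PRV_DEV -s $ADMIN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# forwarded traffic
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $PRV_DEV -o $DMZ_DEV -s $PRV_NET -d $DMZ_NET -m state --state NEW -j ACCEPT
-A FORWARD -i $PRV_DEV -o $PUB_DEV -s $PRV_NET -m state --state NEW -j ACCEPT
# inbound to the DMZ host: already DNATed in PREROUTING, so match on $DMZ_IP
-A FORWARD -i $PUB_DEV -o $DMZ_DEV -d $DMZ_IP -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Whole ruleset, both tables, in load order.
gen_ruleset() {
    gen_nat_rules
    gen_filter_rules
}

# Typical use on the firewall (left commented so the script is safe to run
# anywhere): check the syntax first, then load atomically, then forward.
#   gen_ruleset > /etc/firewall.rules
#   iptables-restore --test < /etc/firewall.rules && iptables-restore < /etc/firewall.rules
#   sysctl -w net.ipv4.ip_forward=1
gen_ruleset
```

Because the file is applied as a unit, a typo anywhere in it rejects the whole load and the previous tables stay in force, which is the behaviour you want when changing rules over the network.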