Hello all,

I am running iptables on my fedora box to do ip masquerading for my internal network as well as 1 to 1 NAT for two windows terminal servers. Here is a general layout of my network:

    INTERNET
       |
    (serial interface)
    Cisco router (real ip 1.2.3.4 on fast ethernet interface)
       |
    (eth0 with real ip 1.2.3.5)
    Linux Box w/ IP Tables -- also runs squid, httpd, etc.
    (eth1 with internal ip 192.168.0.1)
       |
    Private Network (192.168.0.0/27)
    (included in this network are two Windows terminal server boxes. They are
    192.168.0.2 and 192.168.0.100. Both of these have 1:1 NATs)

Here is my iptables-config file:

    # Generated by iptables-save v1.2.9 on Wed May 12 08:19:27 2004
    *nat
    :PREROUTING ACCEPT [924:149516]
    :POSTROUTING ACCEPT [434:32409]
    :OUTPUT ACCEPT [236:14561]
    -A PREROUTING -p tcp -m tcp --dport 139 -j DROP
    -A PREROUTING -p icmp -j DROP
    -A PREROUTING -d 1.2.3.6 -i eth0 -j DNAT --to-destination 192.168.0.100
    -A PREROUTING -d 1.2.3.7 -i eth0 -j DNAT --to-destination 192.168.0.2
    -A PREROUTING -i eth1 -p tcp -m tcp -d ! 1.2.3.5 --dport 80 -j REDIRECT --to-ports 3128
    -A POSTROUTING -s 192.168.0.100 -o eth0 -j SNAT --to-source 1.2.3.6
    -A POSTROUTING -s 192.168.0.2 -o eth0 -j SNAT --to-source 1.2.3.7
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Wed May 12 08:19:27 2004
    # Generated by iptables-save v1.2.9 on Wed May 12 08:19:27 2004
    *filter
    :INPUT DROP [67:5874]
    :FORWARD ACCEPT [34716:47614943]
    :OUTPUT ACCEPT [5645:2441647]
    -A INPUT -p udp -m udp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
    -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
    -A FORWARD -i eth1 -j ACCEPT
    COMMIT
    # Completed on Wed May 12 08:19:27 2004

I have a few questions that I hope somebody might be able to help me out with.
#1, I am using a Checkpoint SecureClient to log into my VPN at my office (not on one of the two terminal servers). Since I switched to iptables to handle my ip masquerading, it has periodically booted me out of my network, forcing me to re-authenticate. I had heard that there was more than one way to do IP sharing/masquerading. Is the -A POSTROUTING -o eth0 -j MASQUERADE the preferred method to do this?

#2, I hope this is feasible -- it is kind of a tricky one. I have a third interface on my iptables box (not indicated on my diagram) that is connected to a cable modem (as a backup). Since it is just sitting there all day long not doing anything, I would love to use it from a few of my boxes to handle my bittorrent/ftp traffic. Is it possible to do a similar thing to what I am doing with my squid proxy to automatically route bittorrent or ftp traffic through eth2 instead of the default eth0? Could somebody shed some light on that one for me?

Props to everybody on the netfilter team. This firewall is awesome! I have done quite a bit with Cisco PIX firewalls, but as I get more and more familiar with iptables I realize that in many places where PIXes have been implemented, an iptables firewall could do the job just fine. Keep up the good work!

Thanks in advance for whatever help anybody can give!

Ryan Hatch

PS. Any other tips/advice/suggestions on no-no's or things I could do to improve what I have would be greatly appreciated! Thanks!

------------------------------------------
Information wants to be anthropomorphized.
------------------------------------------
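Since the post quotes its whole ruleset, here is an added audit script (mine, not from the post or from the netfilter project) that parses the iptables-save format shown above and reports the things a reviewer would check before answering the PS: INPUT rules that trust a source network without pinning an ingress interface, a trusted source mask wider than the real internal network, DNAT targets reachable on every port while the FORWARD policy is ACCEPT, and MASQUERADE on an interface that has a static address (the iptables man page notes MASQUERADE forgets its connections when the interface goes down, which SNAT does not). The embedded ruleset is a constructed copy of the config in the post; the internal network (192.168.0.0/27) and the static-interface set ({"eth0"}) are assumptions taken from the post's description.

```python
import ipaddress
import shlex

# Constructed sample: the nat and filter tables quoted in the post, in iptables-save format.
IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [924:149516]
:POSTROUTING ACCEPT [434:32409]
:OUTPUT ACCEPT [236:14561]
-A PREROUTING -p tcp -m tcp --dport 139 -j DROP
-A PREROUTING -p icmp -j DROP
-A PREROUTING -d 1.2.3.6 -i eth0 -j DNAT --to-destination 192.168.0.100
-A PREROUTING -d 1.2.3.7 -i eth0 -j DNAT --to-destination 192.168.0.2
-A PREROUTING -i eth1 -p tcp -m tcp -d ! 1.2.3.5 --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.0.100 -o eth0 -j SNAT --to-source 1.2.3.6
-A POSTROUTING -s 192.168.0.2 -o eth0 -j SNAT --to-source 1.2.3.7
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [67:5874]
:FORWARD ACCEPT [34716:47614943]
:OUTPUT ACCEPT [5645:2441647]
-A INPUT -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
COMMIT
"""


def parse_iptables_save(text):
    """Parse iptables-save output into {table: {"policy": {chain: policy}, "rules": [rule]}}.
    A rule is a dict of option -> value plus "chain" and "neg" (options negated with '!')."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                      # table header, e.g. *nat
            table = line[1:]
            tables[table] = {"policy": {}, "rules": []}
        elif line.startswith(":"):                    # chain header with policy and counters
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule, i = {"chain": toks[1], "neg": set()}, 2
            while i < len(toks):
                key, i = toks[i], i + 1
                if i < len(toks) and toks[i] == "!":  # old-style negation: -d ! 1.2.3.5
                    rule["neg"].add(key)
                    i += 1
                if i < len(toks) and not toks[i].startswith("-"):
                    rule[key], i = toks[i], i + 1
                else:
                    rule[key] = True                  # flag-style option with no argument
            tables[table]["rules"].append(rule)
    return tables


def audit(tables, internal_net, static_ifaces=()):
    """Return a list of findings about the parsed ruleset."""
    findings = []
    internal = ipaddress.ip_network(internal_net)
    nat = tables.get("nat", {"policy": {}, "rules": []})
    filt = tables.get("filter", {"policy": {}, "rules": []})

    # Trust by source address alone is spoofable from any interface; a mask wider than the
    # real internal network also trusts addresses that never appear there legitimately.
    for r in filt["rules"]:
        if r["chain"] == "INPUT" and r.get("-j") == "ACCEPT" and "-s" in r and "-i" not in r:
            src = ipaddress.ip_network(r["-s"], strict=False)
            findings.append(f"INPUT accepts from {src} by source alone (no -i): spoofable on other interfaces")
            if src != internal and src.supernet_of(internal):
                findings.append(f"INPUT trusts {src}, wider than the internal network {internal}")

    # With FORWARD policy ACCEPT and no FORWARD rule naming the DNAT target, the whole host is exposed.
    if filt["policy"].get("FORWARD") == "ACCEPT":
        for r in nat["rules"]:
            if r.get("-j") != "DNAT":
                continue
            target = r["--to-destination"]
            guarded = any(fr["chain"] == "FORWARD" and str(fr.get("-d", "")).split("/")[0] == target
                          for fr in filt["rules"])
            if not guarded:
                findings.append(f"DNAT {r['-d']} -> {target}: FORWARD policy ACCEPT and no FORWARD rule "
                                f"for {target}, so every port on it is reachable from outside")

    # MASQUERADE is meant for dynamic addresses; on a static one SNAT keeps state across link flaps.
    for r in nat["rules"]:
        if r["chain"] == "POSTROUTING" and r.get("-j") == "MASQUERADE" and r.get("-o") in static_ifaces:
            findings.append(f"MASQUERADE on {r['-o']} (static address): SNAT --to-source would keep "
                            f"conntrack entries when the link goes down, MASQUERADE drops them")
    return findings


if __name__ == "__main__":
    for f in audit(parse_iptables_save(IPTABLES_SAVE), "192.168.0.0/27", static_ifaces={"eth0"}):
        print("-", f)
```

Running it against the post's ruleset prints five findings: one for the source-only INPUT accept, one for the /24 mask being wider than the /27, one per DNAT'd terminal server, and one for the MASQUERADE rule. The parser keeps the old `-d ! addr` negation syntax the post uses in the rule's `neg` set so a later check can reason about it.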