Hi, I did some work but I still can't get my new set up to work. I'm going describe my problem again to avoid confusions. Some background info: Firewall: linux kernel 2.6.9-1.667 & iptables v1.2.11 Zinfandel and Cabernet (not the actual names) are web servers with real domain names and public IP addresses. Zinfandel's public IP address x.x.174.104 Cabernet's public IP address x.x.174.106 I don't have access to the DNS server and the IT dept doesn't want to make any changes to the DNS server. Problem: I need to put two web servers behind a firewall without making changes to the DNS server. My new set up: Zinfandel Cabernet 192.168.0.2 192.168.0.3 | | `---------- ------------' | switch | | eth1 192.168.01 FIREWALL | eth0 x.x.174.103 (Primary address) | eth0:0 x.x.174.104 | eth0:1 x.x.174.106 | Internet I added the two IP addresses to eth0 using iproute2 as previously suggested and I can ping the new addresses without a problem. I can even connect to the firewall with SSH using those addresses. This tells me that anti-arp spoofing is not an issue on the network and that I can have multiple IP addresses binded to one NIC. However, the forward rules don't work. I will appreciate any help that you can provide. The following is my ruleset file: # Firewall configuration written by system-config-securitylevel # Manual customization of this file is not recommended. *filter :INPUT DROP :FORWARD DROP :OUTPUT ACCEPT # allow local loopback connections -A INPUT -i lo -j ACCEPT # allow pings -A INPUT -i eth0 -p icmp -j ACCEPT # drop INVALID connections -A INPUT -m state --state INVALID -j DROP -A OUTPUT -m state --state INVALID -j DROP -A FORWARD -m state --state INVALID -j DROP # allow all established and related -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # allow connections to DNS servers -A OUTPUT -d x.x.100.129 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT #allow computers behind the firewall to access the DNS servers. -A FORWARD -d x.x.100.129 -m state --state NEW -p udp --dport 53 -i eth1 -o eth0 -j ACCEPT # allow incoming SSH connections #Only my desktop can ssh to the firewall -A INPUT -i eth0 -s x.x.174.12 -p tcp --dport ssh -j ACCEPT # allow outgoing connections from web servers. # added these lines so I can browse the web from the web servers -A OUTPUT -d 0/0 -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -j ACCEPT -A FORWARD -s 192.168.0.3 -d 0/0 -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -i eth1 -j ACCEPT -A FORWARD -s 192.168.0.2 -d 0/0 -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -i eth1 -j ACCEPT COMMIT *nat #set up IP forwarding and nat #This is the primary IP address for eth0 -A POSTROUTING -o eth0 -j SNAT --to x.x.174.103 # forward ports to the proper servers -A PREROUTING -i eth0 -p tcp -d 130.17.174.104 --dport 80 -j DNAT --to 192.168.0.2:80 -A PREROUTING -i eth0 -p tcp -d 130.17.174.106 --dport 80 -j DNAT --to 192.168.0.3:80 COMMIT Thanks.
