> I don't quite get the answer, my setup is
>
> +-----------+           +-----------+           +-----------+
> |           |   eth0    |           |eth1       |           |
> |Internet   |-----------|firewall   |-----+-----|web server |
> |           |           |           |     |     |  +ssh     |
> +-----------+           +-----------+     |     +-----------+
> any valid internet ip       NAT           |      192.168.0.2
>                                           |
>                                     +-----+-----------+
>                                     |rest of          |
>                                     |internal         |
>                                     |network          |
>                                     +-----------------+
>                                      192.168.0.3-254
>
> eth0 has a public IP address
> eth1 has a private IP address

ok, so you have 2 nics. eth0 attached to the Internet and eth1 attached to
the internal network. Your SSH server and web server are internal (not on
the firewall). In DNS, the IP addresses for the SSH and web server both resolve
to the firewall public address. So packets will be arriving with a
destination address of your firewall.  The firewall needs to change the
destination address to the actual internal destination address
(192.168.0.2?).  You do this with the PREROUTING rule. As the name implies,
the firewall still then needs to forward/route the packets onto their final
destination. This is what the second FORWARD rule does. My rules assume you
already have a rule in the forward chain that allows ESTABLISHED,RELATED. I
have a copy of my rules if you'd like them.  The firewall has 3 nics so it's
slightly more complicated, but the process is exactly the same. I'll also
add the caveat that I'm not sure how SSH will react to your mangling the IP
headers. Perhaps someone else can comment on this.

> Anyone on the internet needs to be able to access www and ssh on the
> 192.168.0.2 box via the public IP and the whole internal network needs to
> be able to access www & ssh out (but masq behind the public ip)

To accomplish the "masq" or NAT you use a POSTROUTING rule similar to this:
/sbin/iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

As packets leave the firewall, you're changing the source address to that of
the firewall. Now as far as the allowing SSH and WWW out, I'll leave you to
your own devices. The key to all this is understanding what "chain"
(input/output/forward) the packets will traverse.
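For the two-NIC layout in the thread, here is the complete rule set with the three pieces (PREROUTING DNAT, FORWARD, POSTROUTING SNAT) in one script. This is an added example, not the rules of either poster; the public address 203.0.113.10, the variable names and the dry-run generator function are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the full rule set for the layout
# above, emitted as text so it can be reviewed (or piped to sh as root).
EXTIF=eth0                 # public interface
INTIF=eth1                 # internal interface
EXTIP=203.0.113.10         # assumed public address (documentation range)
INTNET=192.168.0.0/24      # internal network behind eth1
SERVER=192.168.0.2         # the www + ssh host from the diagram
IPT=/sbin/iptables

gen_rules() {
  # default policies: nothing passes unless a rule below allows it
  echo "$IPT -P INPUT DROP"
  echo "$IPT -P FORWARD DROP"
  echo "$IPT -P OUTPUT ACCEPT"
  echo "$IPT -A INPUT -i lo -j ACCEPT"
  # replies to connections the state table already knows about
  echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  for port in 80 22; do
    # 1. PREROUTING: rewrite the destination of inbound www/ssh to the server
    echo "$IPT -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP --dport $port -j DNAT --to-destination $SERVER"
    # 2. FORWARD: let only those NEW, already-DNATed connections through
    echo "$IPT -A FORWARD -m state --state NEW -i $EXTIF -o $INTIF -p tcp -d $SERVER --dport $port -j ACCEPT"
    # 3. outbound www/ssh from the LAN (the ESTABLISHED rule handles replies)
    echo "$IPT -A FORWARD -m state --state NEW -i $INTIF -o $EXTIF -s $INTNET -p tcp --dport $port -j ACCEPT"
  done
  # 4. POSTROUTING: masquerade everything leaving eth0 behind the public IP
  echo "$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j SNAT --to-source $EXTIP"
}

# Number of rules appended to a given chain (handy for a quick sanity check).
count_chain() { gen_rules | grep -c -- "-A $1 "; }

gen_rules
```

Run it as `sh script.sh | sh` once the output looks right; the FORWARD rule matches on the already-rewritten destination because DNAT in PREROUTING happens before the routing decision.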

> I hope this makes it a bit clearer
>
> Thanks
>
> Mark
>
> -----Original Message-----
> From: Matthew Hellman [mailto:[EMAIL PROTECTED]]
> Sent: 21 March 2002 02:08
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: ssh & www access from the internet to the lan
>
>
> You generally need two rules to accomplish this. One prerouting rule to
> change the destination address and one forward rule to allow for the
> routing of the packets.  Here is a setup which forwards HTTP to a particular
> host on a different interface. It uses a few variables but hopefully you'll
> get the idea.
>
> /sbin/iptables -t nat -A PREROUTING -i $EXTIF -p tcp -d $HTTP1 --dport 80 -j DNAT --to $HTTPDMZ1
> /sbin/iptables -A FORWARD -m state --state NEW -i $EXTIF -p tcp -d $HTTPDMZ1 --dport 80 -j ACCEPT
>
> ----- Original Message -----
> From: "Mark Olliver" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, March 20, 2002 10:44 AM
> Subject: ssh & www access from the internet to the lan
>
>
> >
> > Hi
> >
> > I am having trouble writing some rules to allow ssh and www through the
> > firewall from the internet to a specific machine on the lan, whilst
> blocking
> > virtually everything else,
> >
> > At the moment my scripts seam to be blocking everything.
> >
> > Thanks
> >
> > Mark
> >
> > http://www.carsplus.co.uk/e-Card/mpo.shtml