> >> iptables -t nat -A PREROUTING -p tcp -s $EXT_host04 -j DNAT --to-destination $LAN_host04
> >
> > This is the major problem. If you're connecting from a host on the Internet
> > the source address is not going to be your firewall. Change this line to:
> >
> > iptables -t nat -A PREROUTING -p tcp -j DNAT --to-destination $LAN_host04
>
> How's this? ($EXT_host04 is just an alias, and there will be more)
>
> iptables -t nat -A PREROUTING -p tcp -d $EXT_host04 -j DNAT --to-destination $LAN_host04
>
Good catch....I left an important piece out. You'll definitely want the "-d xxx" in the rule.

<snip>

> This seems to be doing the job :-} I added another nat rule, does it
> look okay?
>
> LANIF=eth0
> EXTIF=eth1
> TCP_OPEN="22,25,53,80"
> UDP_OPEN="53"
> LAN_host04=192.168.xx.xx
> EXT_host04=xx.xx.xx.xx
>
> iptables -P INPUT DROP
<snip>
> iptables -P OUTPUT ACCEPT

Looks good. The only other thing I'd do is change your default OUTPUT policy to DROP and add this:

iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

There was a recent bug in the iptables code that had some security implications (information disclosure), but I don't recall the details at the moment. The suggestion was to drop INVALID output, which this does.

Good luck,
Matt
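The corrected rules from this thread gathered into one loadable script, as an added illustration that is not part of the original exchange. The host addresses are constructed placeholders, and the multiport use of TCP_OPEN/UDP_OPEN plus the FORWARD rules for the DNAT'd traffic are assumptions not shown in the thread; set IPT=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the thread. IPT=echo gives a dry run that only
# prints the rules; the default loads them with iptables (needs root).
IPT=${IPT:-iptables}

LANIF=eth0
EXTIF=eth1
TCP_OPEN="22,25,53,80"
UDP_OPEN="53"
LAN_host04=192.168.0.4      # constructed placeholder for the real LAN host
EXT_host04=203.0.113.4      # constructed placeholder for the public alias

# The DNAT rule as corrected in the thread: -d matches packets sent *to* the
# public alias. The original -s would only have matched packets *from* it.
dnat_rule() {
    echo "-t nat -A PREROUTING -p tcp -d $EXT_host04 -j DNAT --to-destination $LAN_host04"
}

apply_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP      # Matt's suggestion: DROP by default, then allow stateful output

    # Traffic to the firewall itself (assumed: multiport is how the comma lists are used)
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i $EXTIF -p tcp -m multiport --dports $TCP_OPEN -j ACCEPT
    $IPT -A INPUT -i $EXTIF -p udp -m multiport --dports $UDP_OPEN -j ACCEPT
    # Only NEW/ESTABLISHED/RELATED leave the box, so INVALID output is dropped
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Port forwarding to the LAN host
    $IPT $(dnat_rule)
    # Assumed: DNAT'd packets then traverse FORWARD, so they must be allowed there,
    # with the LAN host's replies allowed back out by connection state.
    $IPT -A FORWARD -i $EXTIF -o $LANIF -d $LAN_host04 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i $LANIF -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
}
```

Run `IPT=echo sh firewall.sh` style dry runs first and compare the printed rules against the thread before loading them for real.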
