Have you been doing your homework? Check out http://netfilter.samba.org
> I'm trying to set up my network as follows:
>
> +----------------+
> |    Internet    |
> +-------+--------+
>         |
> +-------+--------+        +----------------+
> |                |   DMZ  |                |
> |    Firewall    +--------+ 192.168.1.0/24 |
> |                |        |                |
> +-------+--------+        +----------------+
>         |
> +-------+--------+
> |  10.0.0.0/24   | <- Internal network
> +-------+--------+
>         |
> +-------+--------+
> |   LAN Users    |
> +----------------+
> Here's the situation:
>
> In the DMZ there are web servers that need to be browsed from the internet for ftp, http, tomcat (21,80,8080)
You need to configure destination NAT to do that. See http://netfilter.samba.org/unreliable-guides/NAT-HOWTO/NAT-HOWTO.linuxdoc-6.html. For the FTP control channel, HTTP and TCP 8080 you need:

iptables -t nat -A PREROUTING -p tcp --dport 21 -i <outside interface> -j DNAT --to 192.168.1.<FTP>
iptables -t nat -A PREROUTING -p tcp --dport 80 -i <outside interface> -j DNAT --to 192.168.1.<HTTP>
iptables -t nat -A PREROUTING -p tcp --dport 8080 -i <outside interface> -j DNAT --to 192.168.1.<Tomcat>

You need to load the ip_nat_ftp.o module, which should automagically take care of the FTP data channels. Furthermore, you need to set up forwarding and perhaps postrouting rules to allow (at least) the above (and block anything you don't allow). Note that you'll need to allow for some other traffic as well, such as DNS and some ICMP, unless you want to take your network down. Don't open up the filter too much, though. Hey, who ever said that firewalling was easy?
> In the Internal Network there is a mail server with a private ip of 10.0.0.3 that needs to accept pop3 and smtp from the internet and send smtp to the internet.
Ugh.. Why not put a mail-relay host into the DMZ, if you've got one already?
> The internal network must be able to browse, ftp via a transparent proxy on the firewall.
Ugh, why make the proxy transparent? I have a definite dislike for any attempts at transparent proxying, they're bound to fail, since only 95% of the web sites out there listen on port 80. That's no problem with an explicit proxy, but muchos problemas with a transparent one.
> The internal network must be able to browse, ftp to the DMZ. The DMZ needs to send smtp to the mail server on the internal network.
See the links above to learn how to write iptables rules.
> Can someone tell me what rules I should define to set all this up. I have tried several things and I haven't ironed out all the crinkles yet. I haven't managed to get the mail part working.
Well, what's the specific problem?

Cheers,
Tobias
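The thread stops short of the forwarding rules that have to accompany the DNAT lines. The script below is an added example written for this reply, not Tobias's or the original poster's code: it emits a complete 2.4-era iptables ruleset for the topology in the diagram, covering the published DMZ services, the internal mail server, DMZ-to-mail-server SMTP, LAN-to-DMZ browsing, plus the DNS and ICMP that Tobias warns you must not forget, with everything else dropped by the FORWARD policy. Interface names (eth0/eth1/eth2) and the DMZ host addresses are assumed placeholders; 10.0.0.3 and the two subnets are the ones from the post. It prints the commands rather than running them, so you can review the set and then pipe it into sh as root.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables ruleset for the
# layout in the diagram. Interface names and the DMZ host addresses are
# assumed placeholders; 10.0.0.3 and the two subnets come from the post.
OUTSIDE="${OUTSIDE:-eth0}"   # assumed: internet-facing interface
DMZ_IF="${DMZ_IF:-eth1}"     # assumed: DMZ interface
LAN_IF="${LAN_IF:-eth2}"     # assumed: internal-network interface
FTP_HOST="${FTP_HOST:-192.168.1.21}"       # assumed DMZ FTP server
HTTP_HOST="${HTTP_HOST:-192.168.1.80}"     # assumed DMZ web server
TOMCAT_HOST="${TOMCAT_HOST:-192.168.1.88}" # assumed DMZ Tomcat server
MAIL_HOST="10.0.0.3"
LAN_NET="10.0.0.0/24"
DMZ_NET="192.168.1.0/24"

# Print one iptables command; pipe the whole output into sh as root to apply it.
rule() { printf 'iptables %s\n' "$*"; }

nat_rules() {
    # Published DMZ services: rewrite the destination on the outside interface only.
    rule -t nat -A PREROUTING -i "$OUTSIDE" -p tcp --dport 21   -j DNAT --to-destination "$FTP_HOST"
    rule -t nat -A PREROUTING -i "$OUTSIDE" -p tcp --dport 80   -j DNAT --to-destination "$HTTP_HOST"
    rule -t nat -A PREROUTING -i "$OUTSIDE" -p tcp --dport 8080 -j DNAT --to-destination "$TOMCAT_HOST"
    # Internal mail server: SMTP and POP3 from the internet.
    rule -t nat -A PREROUTING -i "$OUTSIDE" -p tcp --dport 25   -j DNAT --to-destination "$MAIL_HOST"
    rule -t nat -A PREROUTING -i "$OUTSIDE" -p tcp --dport 110  -j DNAT --to-destination "$MAIL_HOST"
    # Outbound traffic from both private networks leaves with the firewall's address.
    rule -t nat -A POSTROUTING -o "$OUTSIDE" -j MASQUERADE
}

forward_rules() {
    # DNAT only rewrites addresses; the FORWARD chain still has to accept the packet.
    rule -P FORWARD DROP
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Internet -> DMZ, matched on the post-DNAT destination addresses.
    rule -A FORWARD -i "$OUTSIDE" -o "$DMZ_IF" -p tcp -d "$FTP_HOST"    --dport 21   -m state --state NEW -j ACCEPT
    rule -A FORWARD -i "$OUTSIDE" -o "$DMZ_IF" -p tcp -d "$HTTP_HOST"   --dport 80   -m state --state NEW -j ACCEPT
    rule -A FORWARD -i "$OUTSIDE" -o "$DMZ_IF" -p tcp -d "$TOMCAT_HOST" --dport 8080 -m state --state NEW -j ACCEPT
    # Internet -> internal mail server (SMTP, POP3), and the mail server's own outbound SMTP.
    rule -A FORWARD -i "$OUTSIDE" -o "$LAN_IF" -p tcp -d "$MAIL_HOST" -m multiport --dports 25,110 -m state --state NEW -j ACCEPT
    rule -A FORWARD -i "$LAN_IF" -o "$OUTSIDE" -p tcp -s "$MAIL_HOST" --dport 25 -m state --state NEW -j ACCEPT
    # DMZ -> mail server, SMTP only; nothing else from the DMZ reaches the LAN.
    rule -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -p tcp -s "$DMZ_NET" -d "$MAIL_HOST" --dport 25 -m state --state NEW -j ACCEPT
    # LAN -> DMZ web and FTP control channel; ip_conntrack_ftp/ip_nat_ftp make the data channel RELATED.
    rule -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -p tcp -s "$LAN_NET" -d "$DMZ_NET" -m multiport --dports 21,80 -m state --state NEW -j ACCEPT
    # DNS and ping, so name resolution and basic diagnostics keep working.
    rule -A FORWARD -p udp --dport 53 -m state --state NEW -j ACCEPT
    rule -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
    # With an explicit proxy on the firewall (Tobias's suggestion) LAN web traffic
    # terminates on the firewall itself (INPUT chain), so no general
    # LAN -> internet FORWARD rule is added here; anything unlisted hits the DROP policy.
}

ruleset() { nat_rules; forward_rules; }

ruleset
```

Review the output before applying it: the one thing to check against your own setup is that every DNAT target also has a matching FORWARD accept for the rewritten destination, since a missing forward rule is the usual reason a "published" service silently times out.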