Hi Peter,

thank you a lot for your kindness ...
the actual firewall configuration is the standard one (DMZ with true IPs)
I was curious about doing an IP forwarding ... :-)
I'll take a look on the net ... and then I'll try again ..

take care,
Mario

----- Original Message -----
From: Peter van den Heuvel <peter@asylum.xs4all.nl>
To: <suse-security@suse.com>
Sent: Thursday, April 05, 2001 1:23 PM
Subject: Re: [suse-security] newbie question

Yo,
in my little LAN I must configure a Linux firewall with 3 eth cards:

eth0 ( xxx.xxx.xxx.yyy ) <---> to internet router ( xxx.xxx.xxx.xxx )
eth1 ( 192.168.1.1 ) <---> to my internal lan ( 192.168.1.0 )
eth2 ( 192.168.2.1 ) <---> to my dmz lan ( 192.168.2.0 )

How can I set the iptables firewall for natting my DMZ HTTP ( xxx.xxx.xxx.hhh ) and SMTP ( xxx.xxx.xxx.sss )???

Your DMZ has a private range address. If you do source NAT the machines will not be visible from the outside. What you need is port forwarding in the firewall machine. People would browse to xxx.xxx.xxx.yyy:80 and the firewall would forward those packets to 192.168.2.1:80. Likewise for port 25.

Personally I prefer official addresses in my DMZ so that I can use ordinary filtering rules without any translation involved. The sheer simplicity of the setup has kept us safe from most Linux firewalling security issues.

So, I don't have the port forwarding rules handy, but examples are on the web. Google can easily direct you to them. Hope this helps...

CIAO, Peter van den Heuvel

I've tried with ..

.....................
iptables -t nat -A POSTROUTING -s 192.168.2.hhh -o eth0 -j SNAT --to-source xxx.xxx.xxx.hhh
iptables -t nat -A PREROUTING -i eth0 -d xxx.xxx.xxx.hhh -j DNAT --to 192.168.2.hhh
.....................

with no results ...

I apologize for my bad English and my poor "linux know-how"
Thank you in advance, Mario