--------
Win2003---LAN---eth1---|RHEL5.1|---eth0---Public
--------

eth0 = 192.168.99.100/24 ,GW=192.168.99.1
eth1 = 192.168.100.200 /24 , GW=??
windows ip = 192.168.100.201 /24, GW=??

Hi,
I recently trying to use iptables in my RHEL 5.1 as firewall for packet filtering and traffic routing.My RHEL5.1 is embeded with 2 nic cards.eth0 is connecting to our public network , eth1 is connecting to my private network.Within my private network I have setup a windows share folder.The reason I want to use RHEL5.1 as a firewall is I understand the iptables give lots of control of traffic flow. Here are the intention what I want to do:
1. Only allow certain MAC address from public network to access my private network share.
example : I have create a windows share folder name "winshare", when certain user want to access the share folder from public, only certain MAC address which is match in iptables are allow to connect to my windows share.

Is this possible done in iptables ? I have do many reseach but still not very understand the nature of the iptables.I study lots of DNAT,PREROUTING however I don't know how to start it.I hope the expert can provide me step by step guide to allow me to learn the lesson.Any comment is appreciated.

hi,

1. cant do that - since you will probably have 1 MAC address connected to your public interface which is your ISP routers MAC. the solution is probably using IP/subnet rule to allow access via the firewall.

2. yes - you can DNAT your SMB server (windows shares) or any DMZ servers - but still you have to access them by using ip address like \\a.b.c.d (i think this is not a good idea), or you can directly using VPN.

example :

iptables -t nat -A PREROUTING -i <public_intf> -p tcp --dport 445 -j DNAT --to <smb_server_ip>

and so on with the rest of the SMB ports.

HTH.

Hi,
thanks for the respose.my public is basically another LAN network from different subnet.would it possible to do that ? how ? a step by step guide is much appreciated.thank you.

hi,

assuming your :
samba server is at 10.10.10.10/24
your internet connection is dial-up dsl using ppp0 1.2.3.4
your remote laptop is 5.6.7.8

with the scenario :

remote --- internet --- 1.2.3.4 modem/router --- 10.10.10.1/24 --- samba 10.10.10.10/24

iptables -t nat -I PREROUTING -i ppp0 -s 5.6.7.8 -d 1.2.3.4 -p tcp --dport 445 -j DNAT --to 10.10.10.10
iptables -t nat -I PREROUTING -i ppp0 -s 5.6.7.8 -d 1.2.3.4 -p udp --dport 445 -j DNAT --to 10.10.10.10

and so on with rest of the SMB ports : tcp/udp 135,137,138,139.
and dont forget to configure your samba server to allow connection from the internet (that is not a good idea btw).

HTH.