Quote:
Originally Posted by dales79
Hi
I have two firewalls, f1 and f2. The two firewalls are connected to each other via eth1. Each firewall has a web server/client machine attached to it via eth0: c1 (connected to f1 eth0) and c2 (connected to f2 eth0).
I am having trouble configuring each firewall so that client1 can read web pages stored on client2 and vice versa.
I have the following ip addresses:
f1 eth1 = 193.63.1.1
f1 eth0 = 192.168.1.10
f2 eth1 = 193.63.1.2
f2 eth0 = 192.168.2.10
c1 eth0 = 192.168.1.1
c1 Default Gateway = 192.168.1.10
c2 eth0 = 192.168.2.1
c2 Default Gateway = 192.168.2.10
I have enabled IP forwarding and am hoping that the following scripts will work - can someone just take a look and let me know if the IP addresses are in the right places, or if something is wrong, what is wrong?:
F1:
iptables -t nat -A POSTROUTING -s 192.168.1.0/16 -j SNAT -o eth1 --to-source 193.63.1.1
and
iptables -t nat -A PREROUTING -d 193.63.1.1 -i eth1 -p TCP --dport 80 -j DNAT --to-destination 192.168.1.1
F2:
iptables -t nat -A POSTROUTING -s 192.168.2.0/16 -j SNAT -o eth1 --to-source 193.63.1.2
and
iptables -t nat -A PREROUTING -d 193.63.1.2 -i eth1 -p TCP --dport 80 -j DNAT --to-destination 192.168.2.1
I am not really too sure if the IP addresses are correct - for example, should the source IP address of f1 be that of the f2 machine instead?
Please help
Thanks in advance - I really appreciate it.
Sam
IMHO it should look like this instead:
FIREWALL 1:
Code:
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o eth1 -j SNAT \
--to-source 193.63.1.1
iptables -t nat -A PREROUTING -p TCP -i eth1 -d 193.63.1.1 \
--dport 80 -j DNAT --to-destination 192.168.1.1
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p TCP -d 192.168.1.1 \
--dport 80 -m state --state NEW -j ACCEPT
FIREWALL 2:
Code:
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o eth1 -j SNAT \
--to-source 193.63.1.2
iptables -t nat -A PREROUTING -p TCP -i eth1 -d 193.63.1.2 \
--dport 80 -j DNAT --to-destination 192.168.2.1
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p TCP -d 192.168.2.1 \
--dport 80 -m state --state NEW -j ACCEPT
remember to flush your chains before you set your rules...
also, it's a good idea to set the "rp_filter" kernel option:
Code:
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
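To see why the rule set above works (and why the FORWARD rule on the eth1 side matches the post-DNAT address 192.168.x.1, not the public address), here is an added model of the two-firewall path; it is constructed for this thread, not code from the thread itself. Connection tracking is simplified to one table per firewall with no timeouts and no INPUT chain, and routing between the boxes is assumed to work.

```python
def reverse(t):
    """Swap the endpoints of a (src, sport, dst, dport) tuple."""
    return (t[2], t[3], t[0], t[1])


class Firewall:
    def __init__(self, public_ip, web_server):
        self.public_ip, self.web_server = public_ip, web_server
        self.conntrack = {}  # tuple as received -> tuple as forwarded

    def handle(self, pkt, in_if):
        """Return (forwarded tuple, out_if), or None when FORWARD drops it."""
        if pkt in self.conntrack:  # ESTABLISHED: reuse the stored NAT mapping
            out = self.conntrack[pkt]
            return out, ("eth0" if out[2] == self.web_server else "eth1")
        src, sport, dst, dport = pkt  # NEW connection from here on
        if in_if == "eth1" and dst == self.public_ip and dport == 80:
            dst = self.web_server  # PREROUTING DNAT runs before FORWARD
        out_if = "eth1" if in_if == "eth0" else "eth0"
        lan_to_link = in_if == "eth0" and out_if == "eth1"
        web_from_link = in_if == "eth1" and dst == self.web_server and dport == 80
        if not (lan_to_link or web_from_link):
            return None  # -P FORWARD DROP
        if out_if == "eth1":
            src = self.public_ip  # POSTROUTING SNAT on the link interface
        out = (src, sport, dst, dport)
        self.conntrack[pkt] = out
        self.conntrack[reverse(out)] = reverse(pkt)  # reply direction
        return out, out_if


def trace(pkt, path):
    """Push pkt through [(firewall, in_if), ...]; return the tuple at each hop."""
    hops = [pkt]
    for fw, in_if in path:
        result = fw.handle(pkt, in_if)
        if result is None:
            return None
        pkt = result[0]
        hops.append(pkt)
    return hops


def run():
    """c1 fetches a page from c2 via 193.63.1.2:80; a port-22 attempt is dropped."""
    f1, f2 = Firewall("193.63.1.1", "192.168.1.1"), Firewall("193.63.1.2", "192.168.2.1")
    request = trace(("192.168.1.1", 40000, "193.63.1.2", 80), [(f1, "eth0"), (f2, "eth1")])
    reply = trace(reverse(request[-1]), [(f2, "eth0"), (f1, "eth1")])
    blocked = trace(("192.168.1.1", 40001, "192.168.2.1", 22), [(f1, "eth0"), (f2, "eth1")])
    return request, reply, blocked


if __name__ == "__main__":
    print(run())
```

c1 must browse to 193.63.1.2 (f2's eth1 address), never to 192.168.2.1 directly; the trace shows the request leaving f1 with source 193.63.1.1 and arriving at c2 with destination 192.168.2.1, and the reply being un-NATed back to c1 purely from the conntrack entries.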