LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-22-2002, 01:35 PM   #16
jiles912
LQ Newbie
 
Registered: Jan 2002
Posts: 3

Rep: Reputation: 0

Can you please send me your script?
 
Old 01-22-2002, 02:10 PM   #17
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
Absolutely.......no problem. But FYI, I'm only using 1 ethernet card now. The way I have my firewall set up, it's more of a security risk to have another card because that card would be for my inside network, hence I would not be using my firewall for what it was designed to do. When I talk about firewall I'm talking about hardware.

I don't have access to it right now, but I will post my iptables script here about 5:30pm.
Thanks
 
Old 01-22-2002, 02:39 PM   #18
Zychior
Member
 
Registered: Jan 2002
Location: Northern Virginia
Distribution: Mandrake 8.1
Posts: 41

Rep: Reputation: 15
NAT Info

I don't have the script on hand at this moment. It is running at a clients site. However I can give you some instructions on how to do this. It took some searching to figure out how to run NAT the way I wanted.

The first step is to bind the addresses needed to your public connection. Let's say that you have three addresses like this:
xxx.xxx.xxx.196
xxx.xxx.xxx.197
xxx.xxx.xxx.198

When you set up Linux you would most likely have used the first address as the address of the Linux system. Let's say that it is eth0 for this example. Therefore when you ping xxx.xxx.xxx.196, eth0 responds back. To bind the other two addresses to eth0 you would use these commands:

ifconfig eth0:0 xxx.xxx.xxx.197 netmask 255.255.255.0 up
ifconfig eth0:1 xxx.xxx.xxx.198 netmask 255.255.255.0 up

Now you need to let the addresses through to the correct system on the private side. Let's say you wanted to assign the following addresses this way:

Your SMTP server needs to be attached to xxx.xxx.xxx.197
The private address of the SMTP server is 10.123.1.206
Your WWW server needs to be attached to xxx.xxx.xxx.198
The private address of the WWW server is 10.123.1.209

Let's also say that your private interface is eth0 and has the address of 10.123.1.1

First you would want to assign the NAT rules:

# DNAT: rewrite the public destination address to the private server address
iptables -t nat -A PREROUTING -i eth0 -p tcp \
--sport 1024:65535 -d xxx.xxx.xxx.197 --dport 25 \
-j DNAT --to-destination 10.123.1.206

iptables -t nat -A PREROUTING -i eth0 -p tcp \
--sport 1024:65535 -d xxx.xxx.xxx.198 --dport 80 \
-j DNAT --to-destination 10.123.1.209

This is telling the system that when information is destined to xxx.xxx.xxx.197, the SMTP server (port 25), to send it to its private address, in this case 10.123.1.206. I hope you get the idea.

Since destination NAT is applied before the packet reaches the FORWARD chain, you need to put rules in your firewall to let them through:

# The FORWARD rules match the already-translated (private) destination
iptables -A FORWARD -i eth0 -o eth1 -p tcp \
--sport 1024:65535 -d 10.123.1.206 --dport 25 \
-j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -p tcp \
--sport 1024:65535 -d 10.123.1.209 --dport 80 \
-j ACCEPT

That is all you need. The second part regarding forwarding is used when you have set your policies to DROP, which you should be doing if you are running a firewall. You may also want to look at the -m state option. It may help you speed things up.


I am still learning. I am actually a reseller and have started to OEM Mandrake with some of my systems. I am still a newbie but find this site to be very valuable. If you have any other questions you can contact me via my e-mail at mostcs@DigitalBoxExpress.com
 
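The procedure in the post above, assembled into one script as an added example (this is not the poster's script and not code from the original thread). It assumes the post's xxx.xxx.xxx.196-198 placeholders stand for the documentation range 192.0.2.196-198, that eth0 is the public interface with .196 as its primary address, that eth1 is the private interface on 10.123.1.0/24, and that the two servers are 10.123.1.206 (SMTP) and 10.123.1.209 (WWW) as in the post. It adds what the post leaves implicit: DROP policies, ip_forward, a conntrack rule so only NEW connections need explicit rules, and outbound masquerading for the LAN. Without "apply" as the first argument it only prints the commands for review.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a complete iptables
# ruleset for the DNAT scenario above: two extra public addresses bound to
# eth0, each published to one server on the 10.123.1.0/24 LAN behind eth1.
# Assumptions: xxx.xxx.xxx.196-198 from the post are taken as 192.0.2.196-198
# (documentation range); interface names and server addresses follow the post.
# Run as "sh script.sh apply" (root) to execute; otherwise commands are printed.

PUB_IF=eth0                 # public interface; 192.0.2.196 is its primary address
PRIV_IF=eth1                # private interface, 10.123.1.1
PRIV_NET=10.123.1.0/24

# Extra public addresses to bind to the public interface.
EXTRA_PUBLIC="192.0.2.197 192.0.2.198"

# One "public_ip:private_ip:port" entry per published service.
SERVICES="192.0.2.197:10.123.1.206:25 192.0.2.198:10.123.1.209:80"

gen_rules() {
    # Base policy: deny everything, then allow only what is listed below.
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF

    # Bind the extra public addresses (replacement for "ifconfig eth0:N ...").
    for addr in $EXTRA_PUBLIC; do
        echo "ip addr add $addr/24 dev $PUB_IF"
    done

    # Per service: DNAT in PREROUTING, then accept only NEW connections to the
    # translated private address in FORWARD. DNAT runs before FORWARD, so the
    # FORWARD rule must match the private destination, not the public one.
    for svc in $SERVICES; do
        pub=${svc%%:*}
        rest=${svc#*:}
        priv=${rest%%:*}
        port=${rest##*:}
        echo "iptables -t nat -A PREROUTING -i $PUB_IF -p tcp -d $pub --dport $port -j DNAT --to-destination $priv"
        echo "iptables -A FORWARD -i $PUB_IF -o $PRIV_IF -p tcp -d $priv --dport $port -m state --state NEW -j ACCEPT"
    done

    # Let the LAN reach the Internet via the primary public address. Replies to
    # the DNATed connections are un-translated by conntrack automatically, so
    # no SNAT rule is needed for them.
    echo "iptables -A FORWARD -i $PRIV_IF -o $PUB_IF -s $PRIV_NET -m state --state NEW -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $PRIV_NET -o $PUB_IF -j MASQUERADE"
}

if [ "${1:-}" = "apply" ]; then
    gen_rules | sh -e
else
    gen_rules
fi
```

The source-port restriction from the post (--sport 1024:65535) is deliberately dropped: clients are free to use any source port and the restriction buys no security. The ESTABLISHED,RELATED rule does the work the post hints at with -m state: once a connection is accepted, its later packets match that single rule; on current kernels -m conntrack --ctstate is the same match under its newer name.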
Old 01-22-2002, 02:49 PM   #19
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
Well there you go..
 
Old 02-03-2002, 10:11 AM   #20
Security_Mind
LQ Newbie
 
Registered: Feb 2002
Posts: 1

Rep: Reputation: 0
Just a suggestion

It can really freak out many systems and apps to have the internal and the external NICs in the same subnet. You said both were in the 192.168.2.x subnet.... besides a host of security issues, that can also make the systems and apps act strange.... I would suggest changing one of the addresses to a different subnet.

Hope this helps.

I still can't get SSH working myself...
 