Help!!! Setting up a firewall using IPTables
I have been trying to set up a firewall using IPTables but have found no success so far. Here is the layout of the network I am trying to make.

There are two networks. The first one has IP addresses 10.45.2.1-255 (External LAN). The second one has IP addresses 10.1.0.1-255 (Internal LAN). A machine on the Internal LAN is the mail server (10.1.0.1). I have a computer with 2 ethernet cards.

Currently all the computers access the mail server directly with the IP address 10.1.0.1. What I want to do is to restrict the computers in the External LAN from using the mail server directly. They will access the mail server with a fake IP address 10.45.2.100. For this I have set up the firewall/router computer with the 2 ethernet cards like this:

eth0 - IP address = 10.45.2.1 (Facing External LAN)
eth1 - IP address = 10.1.0.240 (Facing Internal LAN)

and I have set up rules so that incoming packets to the eth0 side with a destination address of the fake mail server (10.45.2.100) will be redirected to the actual destination (10.1.0.1) like this:

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 10.45.2.100 -j DNAT --to-destination 10.1.0.1

Also I have set up rules so that replies from the mail server to the external LAN will have their source address changed from 10.1.0.1 to 10.45.2.100:

iptables -t nat -A POSTROUTING -p tcp -i eth0 -s 10.1.0.1 -j SNAT --to-source 10.45.2.100

I also want to block the external LAN from accessing the internal LAN, so I have done this:

iptables -A INPUT -p tcp -i eth0 -d 10.1.0.0 -j REJECT

This setup didn't work. So I took off the last rule (the rejecting one) and tried again. When I pinged from one of the external LAN machines (10.45.2.2), I was able to ping 10.1.0.1 but not 10.45.2.100. When I did a traceroute from the external machine, for 10.1.0.1 I got only two IPs: one was 10.45.2.1 and the other was 10.1.0.1. I was expecting 10.1.0.240 in between the two.

I really don't know what is happening here. And I need your help. PLEASE!!! If you need further clarification please let me know. I'll try my best to be clear.
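A complete ruleset for the layout described in the question, added here as an example; it is not the poster's own script. It uses the addresses from the post (eth0 10.45.2.1 facing the external LAN, eth1 10.1.0.240 facing the internal LAN, mail server 10.1.0.1, published address 10.45.2.100) and assumes, since the post does not say, that the mail service is SMTP/POP3/IMAP on TCP 25, 110 and 143. It departs from the posted rules in the three places that account for the symptoms: the router has to own 10.45.2.100 on eth0, because 10.45.2.0/24 hosts ARP for that address directly and nothing on the segment answers, so the fake address is unreachable; the POSTROUTING chain only accepts -o, never -i, and no SNAT rule is needed anyway because conntrack reverses the DNAT on the reply packets; and traffic crossing from eth0 to eth1 traverses FORWARD, not INPUT, so the block must live there and match the whole 10.1.0.0/24 network rather than the single address 10.1.0.0. The two-hop traceroute is expected behaviour: a router reports the address of the interface the probe arrived on, so 10.1.0.240 never shows up. By default the script only prints the commands; run it as root with APPLY=1 to apply them.

```shell
#!/bin/sh
# Added example: publish an internal mail server on a two-NIC Linux router with DNAT.
# Addressing follows the forum post; the port list is an assumption (SMTP/POP3/IMAP).
# Prints the commands by default; APPLY=1 executes them (needs root).
set -eu

EXT_IF=eth0; EXT_NET=10.45.2.0/24
INT_IF=eth1; INT_NET=10.1.0.0/24
MAIL_REAL=10.1.0.1
MAIL_FAKE=10.45.2.100
MAIL_PORTS=25,110,143   # assumption: adjust to the services the server really offers

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

fw_rules() {
    # The router must answer ARP for the published address on the external segment,
    # otherwise external hosts can never reach 10.45.2.100 at all.
    run ip addr add "$MAIL_FAKE/24" dev "$EXT_IF"
    run sysctl -w net.ipv4.ip_forward=1

    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Traffic addressed to the router itself: manage it from the inside only,
    # but let external hosts ping the published address so the setup can be tested.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    run iptables -A INPUT -i "$EXT_IF" -s "$EXT_NET" -p icmp --icmp-type echo-request -j ACCEPT

    # 1. Rewrite the published address to the real server before the routing decision.
    #    Replies are un-NATed by conntrack; no SNAT/POSTROUTING rule is required
    #    (and POSTROUTING only accepts -o, which is why the posted -i rule fails).
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$MAIL_FAKE" -p tcp \
        -m multiport --dports "$MAIL_PORTS" -j DNAT --to-destination "$MAIL_REAL"

    # 2. Forwarding policy: only the DNAT'd mail flows may cross from external to internal.
    #    FORWARD sees the packet after DNAT, so match the real address here.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$MAIL_REAL" -p tcp \
        -m multiport --dports "$MAIL_PORTS" -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT

    # 3. Everything else from the external LAN toward the whole internal network,
    #    including direct use of 10.1.0.1, is rejected here in FORWARD (INPUT never sees it).
    run iptables -A FORWARD -i "$EXT_IF" -d "$INT_NET" -j REJECT --reject-with icmp-net-prohibited
}

fw_rules
```

Review the printed rules first, then re-run with APPLY=1. After applying, a TCP connection from 10.45.2.2 to 10.45.2.100:25 should reach the server while a connection to 10.1.0.1:25 is rejected; `iptables -t nat -L -n -v` and `conntrack -L` (or /proc/net/nf_conntrack) show the translated flow.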
You'd be better off using a firewall config tool, such as Shorewall. That makes it very simple to do things like that.
See if a firewall script from http://easyfwgen.morizot.net/ will do the trick. Usually works for me.