Hi,
Brian1 put the machine that can be accessed from the internet behind your DMZ, and he's got a point.
I don't know if you defined the architecture or if it is imposed... but the DMZ should include every single machine accessible from the internet, whereas the LAN should have upstream Internet access only.
I'll assume the architecture MUST be as you showed it in your second picture... even though (I know it's the second time I say so) every remotely accessible machine should be in the DMZ... If you can change the architecture, then you SHOULD use something similar to what Brian1 proposed. Anyway, the commands I give can be adapted to whatever config you want.
So, to fit what you asked for, I propose this:
Code:
                        Router
                      A.B.C.161
                          |
        --------------------------------------------
        |                                          |
    Firewall                                      DMZ
    A.B.C.162, 178-190                      A.B.C.163-174
    192.168.1.1
    192.168.2.1
        |
        ----------------------------------
        |                                |
    NAT LAN                              |
    192.168.1.2-254                      |
                                         |
                   -------------------------------------------
                   |                 |                   |
               Web Server       Mail Server       Other Computers
             192.168.2.178     192.168.2.179     192.168.2.180-190
I'll assume as well that you have 3 interfaces to plug into your firewall. If you don't, then you can use aliases.
The first one, that I will call the WAN interface, has A.B.C.162 as an IP address. Let's say it's eth0.
The second one, that I will call the LAN interface, has 192.168.1.1 as an IP address. Let's say it's eth1.
The third one, that I will call the LAN2 interface, has 192.168.2.1 as an IP address. Let's say it's eth2.
1/
Let's begin with the NAT stuff, since that's pretty much straightforward.
A classical NAT rule will do the job:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source A.B.C.162
This means that any packet entering eth1 and outgoing through eth0 (so, the traffic to the internet and to A.B.C) will be NATed to the A.B.C.162 IP.
On their way in, the responses to these packets are de-NATed (magic).
2/
Now, the servers and Other computers...
Same thing as above, when packets are on their way out you must use:
iptables -t nat -A POSTROUTING -s 192.168.2.178 -o eth0 -j SNAT --to-source A.B.C.178
iptables -t nat -A POSTROUTING -s 192.168.2.179 -o eth0 -j SNAT --to-source A.B.C.179
...
The main difference with the above command is that this time you specify the source IP, so that every single machine uses its own public IP (whereas in the LAN, everybody uses the same).
On the way in, you can use:
iptables -t nat -A PREROUTING -i eth0 -d A.B.C.178 -j DNAT --to-destination 192.168.2.178
iptables -t nat -A PREROUTING -i eth0 -d A.B.C.179 -j DNAT --to-destination 192.168.2.179
...
This time you NAT the other way: packets coming from the WAN interface using a specific public IP will be translated to the corresponding private IP.
3/ IP aliasing
But the above config still doesn't work... because eth0 won't accept packets for A.B.C.178-190, since its IP is A.B.C.162.
So, you have to configure aliases on eth0 so that it is configured with every single IP:
ip addr add A.B.C.178/32 dev eth0
ip addr add A.B.C.179/32 dev eth0
...
4/ Routing
You must make sure the default gateways are correctly set on each subnet.
On the firewall, you shouldn't have to define any route but the default gateway.
Make sure that "echo 1 > /proc/sys/net/ipv4/ip_forward" has been done; if not, packets won't be forwarded from one interface to the other.
Hope this helps
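The four steps above, put together as one script, as an added example that is not part of the original post. It builds the LAN SNAT rule, the per-server SNAT/DNAT pairs and the eth0 aliases from a single mapping table so the public/private pairs cannot drift apart; the interface names, the A.B.C prefix and the server list are the post's placeholders, and rules are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: generates the NAT setup described in the post from one table.
# Interface names and the A.B.C prefix are the post's placeholders; adjust them.
set -e

WAN_IF=eth0            # A.B.C.162
LAN_IF=eth1            # 192.168.1.1 (LAN, whole subnet shares one public IP)
DMZ_IF=eth2            # 192.168.2.1 (the post's "LAN2", one public IP per host)
LAN_NET=192.168.1.0/24
WAN_IP=A.B.C.162

# private-IP public-IP, one server per line (constructed from the post's plan).
SERVER_MAP='
192.168.2.178 A.B.C.178
192.168.2.179 A.B.C.179
'

# Print the command (dry run, default) or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

nat_rules() {
    # Step 1: LAN shares the firewall's public address. POSTROUTING cannot
    # match on -i, so the LAN is selected by its source network instead.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"

    printf '%s\n' "$SERVER_MAP" | while read -r priv pub; do
        [ -n "$priv" ] || continue
        # Step 2a: outbound, each server leaves with its own public IP.
        run iptables -t nat -A POSTROUTING -s "$priv" -o "$WAN_IF" -j SNAT --to-source "$pub"
        # Step 2b: inbound, match the *destination* public IP (-d, not -s).
        run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$pub" -j DNAT --to-destination "$priv"
        # Step 3: eth0 must own the public IP or it will not accept the packet.
        run ip addr add "$pub/32" dev "$WAN_IF"
    done

    # Step 4: allow the kernel to forward between interfaces.
    run sysctl -w net.ipv4.ip_forward=1
    # Note: the nat table only rewrites addresses; what is allowed through
    # still has to be decided by rules in the filter table's FORWARD chain.
}

nat_rules
```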