Following is my setup:
Server: Ubuntu 11.04 with three NICs.
NIC 1- eth0 - 192.168.x.x
NIC 2- eth1 - 172.196.x.x
NIC 3- eth2 - 10.20.30.x

eth0 and eth1 are my Local LAN and eth2 is WAN the IP given to me by the ISP (Internet)

I configured the server using IPTABLES for getting the Router/Firewall features and also DNS.

Question:

1) There are few servers in my eth1 network which needs to serve few applications and windows shares to eth0, so since it’s the Windows network and servers there are WINS and NETBIOS naming resolution in the eth1 network. I have configured the Ubuntu as a DNS server too but the server's name in eth1 are not getting resolved to the eth0 network. How to fix this?

2) How to configure my IPTABLES to detect the destination IPs coming from source eth0 to redirect to eth1 (if any packets for eth1) or to eth2 (if any packets to internet)? Also, no traffic from eth1 to eth0 is to be allowed. e.g. one of my system in 192 network should be able to connect and work with 172 network but none from 172 network should be able to connect to 192 network and also the 172 network system should not go to internet.

I googled and found lot of information in IPTABLES but nowhere mentioned for two different networks having service to each other and also going to the internet.

Also, no information I found for Linux DNS serving the WINS/NETBIOS naming resolution.

Thank you in advance for help.

Cheers.

Shailesh

The 196 bothered me. So:
eth0 -> client computers, internet access, access to servers
eth1 -> servers, no internet access, no direct access to clients
eth2 -> internet, no direct access to clients, no access to servers
There are 2 ways to fix this, if I understand the problem correctly.
1. Put an entry for each server in the DNS configuration on the Ubuntu box, forget WINS & NETBIOS NS
2. Put the IP of the WINS server in the configuration of the client PCs
This can be done with DHCP configuration if the Ubuntu box also is the DHCP server.

The things below only apply if the IP on eth2 (internet) is actually a public IP, and not in the range 10.x.x.x .
If it is a private IP, then things are different. Tell me if it is a private IP, and I'll give you the way to set that up.
Just act as if eth1 isn't there. Since both eth0 and eth1 have private IPs, there's no need for iptables to interfere. Routing between eth0 and eth1 should work automatically when routing between eth0 and eth2 is set up.
There are a few rules needed to make this happen. They should all be inserted in the forward chain.
Set the default policy on the forward chain to drop.
Add a rule to accept related and established packets.
Add a rule to accept packets from eth0.
I hope this info, together with what you googled, can get you on your way.
Don't forget to configure firewall rules for your Ubuntu box itself. The iptables forward chain doesn't look at packets that are meant for your Ubuntu box.
If you need more information, post a link to a tutorial you plan to use as a base, so I can reference that for giving you more detailed instructions.

Yes the network is, exactly the way you mentioned.

I installed BIND, so please direct me where to add the entries. I did add to the host file though, but that did not make any difference.
I cannot configure the box as a DHCP as there is a DHCP integrated ADS of Windows environment. This box is just the Gateway and the DNS assigned by the ADS/DHCP to the clients. I configured the WINS assignment of this box's IP to the clients also.

1) eth2 is not a public IP to the internet, its a private IP provided by the ISP from its network to the internet.
2) I put in the rules like the following:

INTIF="eth0"
INTIF2="eth1"
EXTIF="eth2"
*nat
-A POSTROUTING -o "$INTIF2" -d 172.0.0.0/8 -j MASQUERADE
-A POSTROUTING -o "$EXTIF" -j MASQUERADE
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i "$INTIF" -o "$INTIF2" -j ACCEPT
-A FORWARD -i "$INTIF2" -o "$INTIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
-A FORWARD -i "$EXTIF" -o "$INTIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

It was fairly simple and its working as expected. Only the DNS part is not working. e.g. the local server names with just the windows name and not the full domain name cannot be pinged. But if I do a manual entry of the same in the host file of the clients it works, now changing host file for so many clients is not possible, so I was thinking any way to fix it on the box itself.

Thanks in advance..

Shailesh

When you post configuration files, logs, program output etc., please put it between [CODE][/CODE] tags. (use the # button above the textbox where you type the reply)

The entries will have to be added to the appropriate zone file of BIND.
Do you have a WINS server or not? If you haven't set up a WINS server, I'd suggest forgetting about WINS, and using DNS, also because you are running AD.
Doesn't your ISP give you a public IP address? You have my sympathy.
Why have you added this rule? What is it supposed to do?
The rest of your firewall seems OK. Remember to set up rules for protecting the Ubuntu box itself. Certainly if it is directly reachable from the internet.
So, if you use the full domain name, then the name does resolve?
Are the servers by any chance also part of the domain?