LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 12-10-2004, 11:38 AM   #1
alon005
LQ Newbie
 
Registered: Oct 2004
Posts: 9

Rep: Reputation: 0
Setting up firewall and internal vpn server


Hi,

I've got the following setup:

Network B: 172.16.0.0/16, with a mail server on this network at 172.16.15.10
Network A: 10.2.5.0/24, with a VPN server on 10.2.5.3, a terminal server on 10.2.5.5 and several workstations.

There's a firewall with external interface 172.16.0.1 and internal interface 10.2.5.1.

Question:

I'd like to configure the firewall using iptables so that:

1. an external user from 172.16.0.0/16 connects to the VPN server and uses services on the terminal server;

2. a transparent proxy runs on the firewall box; and

3. internal users are only masqueraded to use SMTP on the external network.

Any help would be appreciated.
 
Old 12-26-2004, 11:32 PM   #2
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Rep: Reputation: 62
If you have a couple of spare computers to set up as firewalls, I would suggest downloading a copy of Smoothwall 2.0 or IPCop 1.4. It's not the same as configuring iptables yourself, but it's an option if you need something up and running quickly without any fuss. They both contain VPN servers and are easy to set up; they have easy-to-follow setup and a web-based GUI. The bootable ISOs will completely wipe all information from the hard drives, and will fit onto a drive as small as 500 MB.
 
Old 12-27-2004, 12:06 AM   #3
brettcave
LQ Newbie
 
Registered: Aug 2004
Location: Johannesburg, South Africa
Distribution: Mandrake, RH, Fedora
Posts: 22

Rep: Reputation: 15
This configuration uses NAT, which will hide Network A from Network B (the entire Network A will be seen as the external IP of the firewall), as all traffic undergoes NAT.
From Network B, the VPN and terminal server will be seen as 172.16.0.1.

The alternative is to not use NAT and set up routes and FORWARD rules for your firewall.

The following are rules similar to what you will need as the basics, although there are probably a few other rules you will need to have for your configuration to work. I normally put all the rules into a script that flushes iptables and then adds my custom rules.
Assuming external interface = eth0
#----------#
#NAT incoming traffic: PPTP control port and GRE (the tunnel itself) to the VPN server, RDP to the terminal server
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to 10.2.5.3:1723
iptables -t nat -A PREROUTING -i eth0 -p gre -j DNAT --to 10.2.5.3
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to 10.2.5.5:3389

#NAT outgoing traffic
# add "-p tcp --dport 25" before "-j SNAT" to only perform NAT on smtp traffic (--dport is only valid together with -p tcp or -p udp)
iptables -t nat -A POSTROUTING -o eth0 -s 10.2.5.0/24 -j SNAT --to-source 172.16.0.1

#Transparent proxy (the source must be the whole /24; a bare 10.2.5.0 matches only that single host)
iptables -t nat -A PREROUTING -s 10.2.5.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
# catch-all for port-80 traffic that was not redirected; blocking really belongs in the filter table's FORWARD chain, not in nat
iptables -t nat -A PREROUTING -s 10.2.5.0/24 -p tcp --dport 80 -j DROP
#-----------#


If you do not need to use NAT on the entire NETWORK A, just use "iptables -A FORWARD ...-j ACCEPT" in the above rules instead of "iptables -t nat -A PREROUTING ... -j DNAT --to ...."

You will also need to enable forwarding (echo 1 > /proc/sys/net/ipv4/ip_forward), and either configure forwarding rules or set your default forward policy to ACCEPT (iptables -P FORWARD ACCEPT). Obviously there are some security issues with doing this.


You will need the following in squid for transparent proxying:
# Squid 2.5 syntax; Squid 2.6 and later replace these four lines with "http_port 3128 transparent"
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_uses_host_header on
httpd_accel_with_proxy on

Also check that squid is configured to listen on port 3128 (or adjust the firewall's 'REDIRECT' rule to use squid's port), and create an ACL to allow the LAN to browse.
You cannot transparently proxy https traffic.
Example ACL:
# allow only the internal /24 through the proxy
acl lan src 10.2.5.0/24
http_access allow lan
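The following script assembles the pieces brettcave describes (PPTP DNAT, SMTP-only SNAT, the transparent-proxy REDIRECT, and explicit FORWARD rules instead of a default-ACCEPT forward policy) into one default-deny rule set. It is an added example, not brettcave's rules or the OP's fwconf.sh. Assumptions not stated in the thread: eth0 is the external interface (172.16.0.1), eth1 the internal one (10.2.5.1), the VPN is PPTP (tcp/1723 plus GRE), and squid listens on port 3128 on the firewall itself. RDP 3389 is deliberately not published, because the OP wants the terminal server reached through the VPN tunnel rather than directly from Network B. Running with IPT=echo prints the rules instead of applying them, so the set can be reviewed before it is run as root with the "apply" argument.

```shell
#!/bin/sh
# Added example (not from the thread): restrictive iptables rule set for the
# setup described above. Assumed interfaces/addresses: eth0 = external side
# (172.16.0.1), eth1 = internal side (10.2.5.1); VPN = PPTP (tcp/1723 + GRE);
# squid listens on 3128 on the firewall itself.
# Run with IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
EXT_IP="172.16.0.1"
EXT_NET="172.16.0.0/16"
LAN="10.2.5.0/24"
VPN_SRV="10.2.5.3"
MAIL_SRV="172.16.15.10"
SQUID_PORT="3128"

fw_rules() {
    # Clean slate: flush everything and default-deny INPUT and FORWARD.
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback and reply traffic for connections already accepted.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 1. Network B -> VPN server: DNAT the PPTP control port and GRE to the VPN
    #    host, then explicitly permit the forwarded packets (a nat rule alone
    #    is not enough with a DROP FORWARD policy). Only Network B sources.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -s "$EXT_NET" -p tcp --dport 1723 \
        -j DNAT --to-destination "$VPN_SRV:1723"
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -s "$EXT_NET" -p gre \
        -j DNAT --to-destination "$VPN_SRV"
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -s "$EXT_NET" -d "$VPN_SRV" \
        -p tcp --dport 1723 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -s "$EXT_NET" -d "$VPN_SRV" \
        -p gre -j ACCEPT
    # RDP is intentionally not published: VPN clients reach the terminal
    # server inside the tunnel, so nothing on Network B needs it directly.

    # 2. LAN -> external: only SMTP to the mail server is forwarded and SNATed.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -d "$MAIL_SRV" \
        -p tcp --dport 25 -j SNAT --to-source "$EXT_IP"
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -d "$MAIL_SRV" \
        -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # 3. Transparent proxy: LAN port-80 traffic is redirected to squid on this
    #    box. After REDIRECT the packet is addressed to local port 3128, so the
    #    INPUT rule must match that port, not 80.
    $IPT -t nat -A PREROUTING -i "$INT_IF" -s "$LAN" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    $IPT -A INPUT -i "$INT_IF" -s "$LAN" -p tcp --dport "$SQUID_PORT" \
        -m state --state NEW -j ACCEPT
    # Anything else from the LAN (including https, which cannot be
    # transparently proxied) falls through to the FORWARD DROP policy.
}

enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Apply only when invoked as "fwconf.sh apply"; sourcing the file or running
# it without the argument leaves the kernel untouched.
if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    fw_rules
fi
```

Compared with a default-ACCEPT forward policy, every permitted flow here is named twice: once in the nat table (where the address is rewritten) and once in the filter table (where it is allowed), so a typo in either place fails closed rather than open. `IPT=echo sh fwconf.sh apply` (or calling `fw_rules` after setting `IPT=echo`) prints the exact commands that would be executed, which is the review step worth doing before touching a production firewall.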
 
Old 12-27-2004, 02:16 AM   #4
alon005
LQ Newbie
 
Registered: Oct 2004
Posts: 9

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by brettcave
(post #3 above, quoted in full)
Thanks for your reply.

I already have configured ipfilters myself with the help of examples found on the web.

Here's the script I wrote:

http://users.tpg.com.au/galutva/fwconf.sh