Re: R: Accessing a server thorugh a firewall, ACL troubles...

[Carlton T. <ca...@gi...>]

Boniforti,

You could solve the problem by creating new firewall rules.
Basically, you need to tell the firewall to DROP any packets
destined for port 10000 on your mail server unless they
originate from a list of allowed IP addresses. You should
only need to do this for routing between eth0 and eth1 since
your internet router should not be accepting packets from
destined for your 10.0.0.0 network. However, adding a rule
to filter packets for port 10000 for traffic between eth2 and
eth1 wont hurt.

One question to ask yourself is whether it is absolutely
necessary to do NAT between eth0 and eth1. I would have
thought that simply routing between the two would be OK
with appropriate IP and port filters.

Regards !

--
Carlton
=============================
GIFFORD INTERNET SERVICES
Bristol, United Kingdom 
Tel: 0845 111 0032
Tel: 0117 939 7722
Fax: 0845 111 0033
Email: ad...@gi...
Web: http://www.gifford.co.uk
=============================

On Thu, 29 Aug 2002, Jamie Cameron wrote:

> Boniforti Flavio wrote:
> 
> > May you help me with this issue by taking a look at this iptables
> > output?
> > 
> > Chain PREROUTING (policy ACCEPT 22048 packets, 2440K bytes)
> >  pkts bytes target     prot opt in     out     source
> > destination
> >     0     0 DNAT       tcp  --  eth0   *       192.168.0.0/24
> > 0.0.0.0/0          tcp dpt:25 to:10.0.0.28
> >     0     0 DNAT       tcp  --  *      *       0.0.0.0/0
> > 80.18.173.28       tcp dpt:25 to:10.0.0.28:25
> >     0     0 DNAT       tcp  --  *      *       0.0.0.0/0
> > 80.18.173.28       tcp dpt:110 to:10.0.0.28:110
> > 
> > Chain POSTROUTING (policy ACCEPT 19773 packets, 1180K bytes)
> >  pkts bytes target     prot opt in     out     source
> > destination
> >     0     0 SNAT       all  --  *      eth2    192.168.0.0/16
> > 0.0.0.0/0          to:80.18.173.18
> >     0     0 SNAT       all  --  *      eth2    10.0.0.28
> > 0.0.0.0/0          to:80.18.173.28
> > 
> > Chain OUTPUT (policy ACCEPT 15504 packets, 958K bytes)
> >  pkts bytes target     prot opt in     out     source
> > destination
> > 
> > Eth0 is my LAN (192.168.0.0/24), eth1 is my DMZ (10.0.0.19 on the
> > firewall, 10.0.0.28 on the mailserver in the DMZ), eth2 is the public
> > IP.
> 
> 
> It's not that there is anything wrong with your firewall rules.
> When any kind of NAT is happening between two hosts, there is no way
> that they can see the real IP of each other.
> 
>   - Jamie
>