From: Carlton T. <ca...@gi...> - 2002-08-29 02:28:44
Boniforti,

You could solve the problem by creating new firewall rules. Basically, you
need to tell the firewall to DROP any packets destined for port 10000 on
your mail server unless they originate from a list of allowed IP addresses.

You should only need to do this for routing between eth0 and eth1, since
your internet router should not be accepting packets destined for your
10.0.0.0 network. However, adding a rule to filter packets for port 10000
for traffic between eth2 and eth1 won't hurt.

One question to ask yourself is whether it is absolutely necessary to do
NAT between eth0 and eth1. I would have thought that simply routing between
the two would be OK with appropriate IP and port filters.

Regards !

--
Carlton
=============================
GIFFORD INTERNET SERVICES
Bristol, United Kingdom
Tel: 0845 111 0032
Tel: 0117 939 7722
Fax: 0845 111 0033
Email: ad...@gi...
Web: http://www.gifford.co.uk
=============================

On Thu, 29 Aug 2002, Jamie Cameron wrote:

> Boniforti Flavio wrote:
>
> > May you help me with this issue by taking a look at this iptables
> > output?
> >
> > Chain PREROUTING (policy ACCEPT 22048 packets, 2440K bytes)
> >  pkts bytes target  prot opt in    out   source          destination
> >     0     0 DNAT    tcp  --  eth0  *     192.168.0.0/24  0.0.0.0/0     tcp dpt:25 to:10.0.0.28
> >     0     0 DNAT    tcp  --  *     *     0.0.0.0/0       80.18.173.28  tcp dpt:25 to:10.0.0.28:25
> >     0     0 DNAT    tcp  --  *     *     0.0.0.0/0       80.18.173.28  tcp dpt:110 to:10.0.0.28:110
> >
> > Chain POSTROUTING (policy ACCEPT 19773 packets, 1180K bytes)
> >  pkts bytes target  prot opt in    out   source          destination
> >     0     0 SNAT    all  --  *     eth2  192.168.0.0/16  0.0.0.0/0     to:80.18.173.18
> >     0     0 SNAT    all  --  *     eth2  10.0.0.28       0.0.0.0/0     to:80.18.173.28
> >
> > Chain OUTPUT (policy ACCEPT 15504 packets, 958K bytes)
> >  pkts bytes target  prot opt in    out   source          destination
> >
> > Eth0 is my LAN (192.168.0.0/24), eth1 is my DMZ (10.0.0.19 on the
> > firewall, 10.0.0.28 on the mailserver in the DMZ), eth2 is the public
> > IP.
>
> It's not that there is anything wrong with your firewall rules.
> When any kind of NAT is happening between two hosts, there is no way
> that they can see the real IP of each other.
>
> - Jamie
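The filtering Carlton describes, as an added example that is not part of the original thread: a POSIX shell script that emits the iptables commands for an allow-list on TCP port 10000 toward the DMZ mail server (10.0.0.28, eth0/eth1/eth2 as named in the thread), with a DROP for everything else on the LAN->DMZ and Internet->DMZ paths. The allowed addresses and the chain name ADMIN_10000 are constructed placeholders, and the script only prints the commands so they can be reviewed before being piped into sh on the firewall.

```shell
#!/bin/sh
# Added example (not from the thread): print iptables commands that allow
# TCP/10000 to the DMZ mail server only from an allow-list and DROP it
# otherwise. Nothing is applied here; pipe the output into sh once reviewed.
MAILSERVER=10.0.0.28   # mail server in the DMZ (from the thread)
PORT=10000             # port to restrict (from the thread)
LAN_IF=eth0            # LAN side (from the thread)
DMZ_IF=eth1            # DMZ side (from the thread)
EXT_IF=eth2            # public side (from the thread)

# gen_port_filter ALLOWED_IP... -> one iptables command per line
gen_port_filter() {
    # A dedicated chain keeps the allow-list readable and easy to flush.
    echo "iptables -N ADMIN_${PORT}"
    echo "iptables -F ADMIN_${PORT}"
    for ip in "$@"; do
        echo "iptables -A ADMIN_${PORT} -s ${ip} -j ACCEPT"
    done
    # Default for everything else reaching the chain: drop.
    echo "iptables -A ADMIN_${PORT} -j DROP"
    # Hook the chain into FORWARD ahead of existing rules, for LAN->DMZ and,
    # as Carlton suggests, also for Internet->DMZ traffic to the same port.
    for in_if in "$LAN_IF" "$EXT_IF"; do
        echo "iptables -I FORWARD -i ${in_if} -o ${DMZ_IF} -p tcp -d ${MAILSERVER} --dport ${PORT} -j ADMIN_${PORT}"
    done
}

# count_accepts ALLOWED_IP... -> number of ACCEPT rules generated (sanity check)
count_accepts() {
    gen_port_filter "$@" | grep -c -- '-j ACCEPT'
}

# Constructed placeholder allow-list: two admin workstations on the LAN.
gen_port_filter 192.168.0.10 192.168.0.11
```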