#eth0 (Internet) has the IP 207.91.104.5 and 207.91.104.6
#eth1 (DMZ) has the IP 10.0.0.1, gateway for the 10.0.0.0/24 network
#eth2 (Local Lan) has the IP 10.0.1.1, gateway for the 10.0.1.0/24 network
#everything seems to work except the connection betwen the Lan and the DMZ, I am trying to stop any NEW packets going from the DMZ to the LAN, only ESTABLISHED,RELATED..I am however, trying to have all connections accepted (NEW,ESTABLISHED,RELATED) going to the DMZ from the LAN. when i ping 10.0.0.5 from the lan network(10.0.1.0), I get a reply. When I ping 207.91.104.5 from the lan network(10.0.1.0) I get a time out. I can ftp (passive only) to 207.91.104.5 and 10.0.0.5 from the lan network(10.0.1.0). When I try to connect to the sql server. The reason why i am testing the ping to 207.91.104.5 from inside the LAN network it to see how the packet gets from the LAN to the DMZ. Does it go into eth2, out eth0, back into eth0 as 207.91.104.6, then out eth1, then to 10.0.0.5 or does it go from eth2 straight to eth1 directly using the 10.0.0/ network address
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#let lan and dmz access the internet
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -o eth0 -s 10.0.1.0/24 -d ! 10.0.0.0/24 -j SNAT --to-source 207.91.104.6
iptables -A POSTROUTING -t nat -o eth0 -s 10.0.0.0/24 -d ! 10.0.1.0/24 -j SNAT --to-source 207.91.104.6
#routing decisions
iptables -A FORWARD -i eth2 -o eth0 -s 10.0.1.0/24 -d ! 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -s 10.0.1.0/24 -d 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -s 10.0.0.0/24 -d ! 10.0.1.0/24 -j ACCEPT
#http to our DMZ from the internet
iptables -A PREROUTING -t nat -p tcp -d 207.91.104.5 --dport 80 -j DNAT --to 10.0.0.5:80
iptables -A PREROUTING -t nat -p tcp -d 207.91.104.5 --dport 80 -j DNAT --to 10.0.0.5:80
#eth1 (DMZ) has the IP 10.0.0.1, gateway for the 10.0.0.0/24 network
#eth2 (Local Lan) has the IP 10.0.1.1, gateway for the 10.0.1.0/24 network
#everything seems to work except the connection betwen the Lan and the DMZ, I am trying to stop any NEW packets going from the DMZ to the LAN, only ESTABLISHED,RELATED..I am however, trying to have all connections accepted (NEW,ESTABLISHED,RELATED) going to the DMZ from the LAN. when i ping 10.0.0.5 from the lan network(10.0.1.0), I get a reply. When I ping 207.91.104.5 from the lan network(10.0.1.0) I get a time out. I can ftp (passive only) to 207.91.104.5 and 10.0.0.5 from the lan network(10.0.1.0). When I try to connect to the sql server. The reason why i am testing the ping to 207.91.104.5 from inside the LAN network it to see how the packet gets from the LAN to the DMZ. Does it go into eth2, out eth0, back into eth0 as 207.91.104.6, then out eth1, then to 10.0.0.5 or does it go from eth2 straight to eth1 directly using the 10.0.0/ network address
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#let lan and dmz access the internet
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -o eth0 -s 10.0.1.0/24 -d ! 10.0.0.0/24 -j SNAT --to-source 207.91.104.6
iptables -A POSTROUTING -t nat -o eth0 -s 10.0.0.0/24 -d ! 10.0.1.0/24 -j SNAT --to-source 207.91.104.6
#routing decisions
iptables -A FORWARD -i eth2 -o eth0 -s 10.0.1.0/24 -d ! 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -s 10.0.1.0/24 -d 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -s 10.0.0.0/24 -d ! 10.0.1.0/24 -j ACCEPT
#http to our DMZ from the internet
iptables -A PREROUTING -t nat -p tcp -d 207.91.104.5 --dport 80 -j DNAT --to 10.0.0.5:80
iptables -A PREROUTING -t nat -p tcp -d 207.91.104.5 --dport 80 -j DNAT --to 10.0.0.5:80