My systems reside on a network with all public IP addresses. I need to firewall my particular subnet without the use of MASQUERADE. I have seen this configuration referred to as a "virtual wire" firewall.
My current configuration: internal subnet | router| rest of institution | internet
Configuration needed: internal subnet | firewall | router | rest of institution | internet
The firewall has two physical interfaces. I have not been able to construct a set of iptables rules that don't require MASQUERADING. IP addresses I know and can use: xxx.123.68.0/24
router: xxx.123.68.1
firewall eth0 (outside): xxx.123.68.2
firewall eth1 (inside): xxx.123.68.3
rest of addresses are for internal systems
I have constructed INPUT and OUTPUT rules to allow connection to the firewall for management functions, but have not been successful with the FORWARDing chain rules.
Default policy on FORWARD is ACCEPT
Logging is turned on to see if any traffic is flowing, but there are no entries in the log file. I thought that these rules should allow outbound traffic and return traffic:
iptables -A FORWARD -p tcp -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
What am I missing?
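One way to build the "virtual wire" described above is to make the firewall a Linux bridge between eth1 and eth0, so frames cross it at layer 2 and no routing or MASQUERADE is involved; the post's rules match on -i/-o, which applies to routed packets, while bridged traffic is matched on the physical port with the physdev match. This is an added example, not code from the original post; it assumes the bridge is named br0, that one management address on the bridge replaces the two per-port addresses, that iproute2, iptables and the br_netfilter module are available, and it keeps the post's xxx.123.68.x values as placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): transparent bridge firewall.
# Assumptions: bridge name br0, br_netfilter available, iproute2 + iptables.
# Commands are only printed unless APPLY=1 is set in the environment.
set -eu

OUTSIDE=${OUTSIDE:-eth0}                 # interface facing the router
INSIDE=${INSIDE:-eth1}                   # interface facing the internal subnet
BRIDGE=${BRIDGE:-br0}
MGMT_IP=${MGMT_IP:-xxx.123.68.2/24}      # placeholder taken from the post
ROUTER=${ROUTER:-xxx.123.68.1}           # placeholder taken from the post

run() {
    # Print each command; execute it only when APPLY=1.
    echo "$*"
    [ "${APPLY:-0}" = 1 ] && "$@"
    return 0
}

vwire_rules() {
    # Layer-2 bridge with both physical interfaces as ports: no IP forwarding,
    # no NAT, hosts keep talking to the router's real MAC through the box.
    run ip link add name "$BRIDGE" type bridge
    run ip link set "$INSIDE" master "$BRIDGE"
    run ip link set "$OUTSIDE" master "$BRIDGE"
    run ip link set "$INSIDE" up
    run ip link set "$OUTSIDE" up
    run ip link set "$BRIDGE" up
    # Management address lives on the bridge device, not on the ports.
    run ip addr add "$MGMT_IP" dev "$BRIDGE"
    run ip route add default via "$ROUTER" dev "$BRIDGE"
    # Without br_netfilter, bridged frames never reach the FORWARD chain.
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    # Bridged packets show -i br0 -o br0 on both directions, so the physical
    # port is selected with physdev instead of -i/-o.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE" --physdev-out "$OUTSIDE" -j ACCEPT
    # Everything else (new inbound connections) is logged, then hits the DROP policy.
    run iptables -A FORWARD -j LOG --log-prefix "vwire-drop: "
}

vwire_rules
```

Run it once with APPLY unset to review the generated commands, then with APPLY=1 as root; the LOG rule shows inbound attempts that the policy drops, which is the first thing to check when the log stays empty.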