ammadeyy2020
asked on
linux adding network ranges
I have ISA; the internal interface is 192.168.10.1.
I can add 192.168.20.0/24 and
192.168.30.0/24 to the ISA configuration, and I can create a policy for users to have internet at those ranges.
How can I add different ranges to a Linux firewall?
ASKER
I want to give internet to the following IP ranges:
192.168.10.0/24
192.168.20.0/24
192.168.30.0/24
192.168.40.0/24
192.168.50.0/24
192.168.60.0/24
192.168.70.0/24
192.168.80.0/24
I'm using clarkconnect as a firewall, which is running on redhat 3.4.
In the clarkconnect webconfig, add a virtual IP on each network you want to connect from the LAN.
See here:
http://www.clarkconnect.com/docs/Network_Settings_-_IP_Settings#Virtual_IPs
So you might add these virtual IPs in the LAN role:
192.168.10.1 netmask=255.255.255.0
192.168.20.1 netmask=255.255.255.0
192.168.30.1 netmask=255.255.255.0
192.168.40.1 netmask=255.255.255.0
192.168.50.1 netmask=255.255.255.0
192.168.60.1 netmask=255.255.255.0
192.168.70.1 netmask=255.255.255.0
192.168.80.1 netmask=255.255.255.0
ASKER
I tried that.
I'm able to get internet from 192.168.10.0/24
because my 10 range address is assigned to the NIC.
From the virtual IP networks I'm unable to browse the internet.
I have done this setup in ISA 2006; I'm thinking how to do it on Linux.
OK, add the virtual IPs; make sure they're in a LAN role.
Log in to the clarkconnect server using SSH and
make sure you can ping its own virtual IPs from the box itself.
If not, then the virtual IPs are probably not actually operational.
Run the "iptables-save" command to display the list of iptables rules
and paste the results, so we can see what clarkconnect is doing...
ASKER
I can ping from the firewall to 192.168.50.80,
but from other PCs I can't ping.
Here is iptables-save:
-A OUTPUT -o pptp+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth2 -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -o eth0 -p tcp -m tcp --sport 110 -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -o eth0 -p tcp -m tcp --sport 25 -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -o eth0 -p tcp -m tcp --sport 1875 -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -o eth0 -p gre -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -o eth0 -p tcp -m tcp --sport 1723 -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -o eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -o eth0 -p ipv6-crypt -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -o eth0 -p ipv6-auth -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j DROP
-A drop-lan -j DROP
COMMIT
# Completed on Mon Oct 27 17:50:35 2008
[root@gateway ~]#
[root@gateway ~]# clear
[root@gateway ~]# iptables-save
# Generated by iptables-save v1.3.5 on Mon Oct 27 17:53:20 2008
*nat
:PREROUTING ACCEPT [61245:3738980]
:POSTROUTING ACCEPT [1979:170280]
:OUTPUT ACCEPT [12805:785058]
-A PREROUTING -s ! 127.0.0.1 -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 82
-A PREROUTING -s 192.168.50.80 -d xxx.xxx.xxx.xxx -j DNAT --to-destination 192.168.10.10
-A PREROUTING -s 192.160.50.200 -d xxx.xxx.xxx.xxx -j DNAT --to-destination xxx.xxx.xxx.xx1
-A PREROUTING -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.0.2:110
-A PREROUTING -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.2:25
-A PREROUTING -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 3000 -j DNAT --to-destination 192.168.0.2:3000
-A PREROUTING -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 80 -j DNAT --to-destination xxx.xxx.xxx.xx1:80
-A PREROUTING -d 192.168.10.10 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -d 172.30.143.100 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -s 192.168.10.0/255.255.255.0 -d 192.168.10.10 -j SNAT --to-source 192.168.10.10
-A POSTROUTING -s 172.30.143.0/255.255.255.0 -d 192.168.10.10 -j SNAT --to-source 172.30.143.100
-A POSTROUTING -s 192.168.10.0/255.255.255.0 -d xxx.xxx.xxx.xx1 -j SNAT --to-source 192.168.10.10
-A POSTROUTING -s 172.30.143.0/255.255.255.0 -d xxx.xxx.xxx.xx1 -j SNAT --to-source 172.30.143.100
-A POSTROUTING -o eth0 -p ipv6-crypt -j ACCEPT
-A POSTROUTING -o eth0 -p ipv6-auth -j ACCEPT
-A POSTROUTING -o tun+ -j ACCEPT
-A POSTROUTING -s 192.168.10.0/255.255.255.0 -d 192.168.0.2 -p tcp -m tcp --dport 110 -j SNAT --to-source 192.168.10.10
-A POSTROUTING -s 172.30.143.0/255.255.255.0 -d 192.168.0.2 -p tcp -m tcp --dport 110 -j SNAT --to-source 172.30.143.100
-A POSTROUTING -s 192.168.10.0/255.255.255.0 -d 192.168.0.2 -p tcp -m tcp --dport 25 -j SNAT --to-source 192.168.10.10
-A POSTROUTING -s 172.30.143.0/255.255.255.0 -d 192.168.0.2 -p tcp -m tcp --dport 25 -j SNAT --to-source 172.30.143.100
-A POSTROUTING -s 192.168.10.0/255.255.255.0 -d 192.168.0.2 -p tcp -m tcp --dport 3000 -j SNAT --to-source 192.168.10.10
-A POSTROUTING -s 172.30.143.0/255.255.255.0 -d 192.168.0.2 -p tcp -m tcp --dport 3000 -j SNAT --to-source 172.30.143.100
-A POSTROUTING -s 192.168.10.0/255.255.255.0 -d xxx.xxx.xxx.xx1 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.10.10
-A POSTROUTING -s 172.30.143.0/255.255.255.0 -d xxx.xxx.xxx.xx1 -p tcp -m tcp --dport 80 -j SNAT --to-source 172.30.143.100
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Oct 27 17:53:20 2008
# Generated by iptables-save v1.3.5 on Mon Oct 27 17:53:20 2008
*mangle
:PREROUTING ACCEPT [421429:89398775]
:INPUT ACCEPT [260482:71643795]
:FORWARD ACCEPT [160586:17704114]
:OUTPUT ACCEPT [216907:62479666]
:POSTROUTING ACCEPT [378010:80308526]
-A PREROUTING -p ipv6-crypt -j MARK --set-mark 0x64
-A PREROUTING -p tcp -m mark ! --mark 0x0 -j ACCEPT
-A PREROUTING -p tcp -j CONNMARK --restore-mark
COMMIT
# Completed on Mon Oct 27 17:53:20 2008
# Generated by iptables-save v1.3.5 on Mon Oct 27 17:53:20 2008
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:drop-lan - [0:0]
-A INPUT -s 64.39.104.38 -i eth0 -j DROP
-A INPUT -s 202.232.235.70 -i eth0 -j DROP
-A INPUT -s 221.239.1.58 -i eth0 -j DROP
-A INPUT -s 190.2.32.27 -i eth0 -j DROP
-A INPUT -s 219.136.252.243 -i eth0 -j DROP
-A INPUT -s 69.60.111.193 -i eth0 -j DROP
-A INPUT -s 211.244.224.3 -i eth0 -j DROP
-A INPUT -s 221.130.183.185 -i eth0 -j DROP
-A INPUT -s 218.23.37.51 -i eth0 -j DROP
-A INPUT -s 221.224.161.102 -i eth0 -j DROP
-A INPUT -s 218.22.88.59 -i eth0 -j DROP
-A INPUT -s 202.99.11.99 -i eth0 -j DROP
-A INPUT -s 193.227.116.16 -i eth0 -j DROP
-A INPUT -s 129.111.112.98 -i eth0 -j DROP
-A INPUT -s 203.142.195.92 -i eth0 -j DROP
-A INPUT -s 200.7.198.162 -i eth0 -j DROP
-A INPUT -s 218.53.97.7 -i eth0 -j DROP
-A INPUT -s 218.22.229.124 -i eth0 -j DROP
-A INPUT -s 218.22.244.45 -i eth0 -j DROP
-A INPUT -s 192.168.0.140 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 167.216.252.1 -i eth0 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -s 127.0.0.0/255.0.0.0 -i eth0 -j DROP
-A INPUT -s 169.254.0.0/255.255.0.0 -i eth0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i pptp+ -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 67 --dport 68 -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 1875 -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -p gre -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -p ipv6-crypt -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -p ipv6-auth -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -m mark --mark 0x64 -j ACCEPT
-A INPUT -d 192.168.10.10 -m mark --mark 0x64 -j ACCEPT
-A INPUT -d 172.30.143.100 -m mark --mark 0x64 -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p udp -m udp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p tcp -m tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP
-A FORWARD -s 64.39.104.38 -i eth0 -j DROP
-A FORWARD -s 202.232.235.70 -i eth0 -j DROP
-A FORWARD -s 221.239.1.58 -i eth0 -j DROP
-A FORWARD -s 190.2.32.27 -i eth0 -j DROP
-A FORWARD -s 219.136.252.243 -i eth0 -j DROP
-A FORWARD -s 69.60.111.193 -i eth0 -j DROP
-A FORWARD -s 211.244.224.3 -i eth0 -j DROP
-A FORWARD -s 221.130.183.185 -i eth0 -j DROP
-A FORWARD -s 218.23.37.51 -i eth0 -j DROP
-A FORWARD -s 221.224.161.102 -i eth0 -j DROP
-A FORWARD -s 218.22.88.59 -i eth0 -j DROP
-A FORWARD -s 202.99.11.99 -i eth0 -j DROP
-A FORWARD -s 193.227.116.16 -i eth0 -j DROP
-A FORWARD -s 129.111.112.98 -i eth0 -j DROP
-A FORWARD -s 203.142.195.92 -i eth0 -j DROP
-A FORWARD -s 200.7.198.162 -i eth0 -j DROP
-A FORWARD -s 218.53.97.7 -i eth0 -j DROP
-A FORWARD -s 218.22.229.124 -i eth0 -j DROP
-A FORWARD -s 218.22.244.45 -i eth0 -j DROP
-A FORWARD -s 192.168.0.73 -j DROP
-A FORWARD -s 192.168.50.80 -d 192.168.10.10 -o eth1 -j ACCEPT
-A FORWARD -s 192.168.50.80 -d 192.168.10.10 -o eth2 -j ACCEPT
-A FORWARD -s 192.160.50.200 -d xxx.xxx.xxx.xx1 -o eth1 -j ACCEPT
-A FORWARD -s 192.160.50.200 -d xxx.xxx.xxx.xx1 -o eth2 -j ACCEPT
-A FORWARD -m ipp2p --kazaa --apple --winmx -j DROP
-A FORWARD -m mark --mark 0x64 -j ACCEPT
-A FORWARD -d 192.168.0.2 -o eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -d 192.168.0.2 -o eth2 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -d 192.168.0.2 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -d 192.168.0.2 -o eth2 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -d 192.168.0.2 -o eth1 -p tcp -m tcp --dport 3000 -j ACCEPT
-A FORWARD -d 192.168.0.2 -o eth2 -p tcp -m tcp --dport 3000 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.xx1 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.xx1 -o eth2 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.10.0/255.255.255.0 -d 192.168.0.10 -j DROP
-A FORWARD -s 172.30.143.0/255.255.255.0 -d 192.168.0.10 -j DROP
-A FORWARD -s 192.168.10.0/255.255.255.0 -d 192.168.0.4 -j DROP
-A FORWARD -s 172.30.143.0/255.255.255.0 -d 192.168.0.4 -j DROP
-A FORWARD -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 1863 -j DROP
-A FORWARD -s 172.30.143.0/255.255.255.0 -p tcp -m tcp --dport 1863 -j DROP
-A FORWARD -s 192.168.10.0/255.255.255.0 -d 192.168.0.178 -j DROP
-A FORWARD -s 172.30.143.0/255.255.255.0 -d 192.168.0.178 -j DROP
-A FORWARD -s 192.168.10.0/255.255.255.0 -d 192.168.0.195 -j DROP
-A FORWARD -s 172.30.143.0/255.255.255.0 -d 192.168.0.195 -j DROP
-A FORWARD -s 192.168.10.0/255.255.255.0 -d 192.168.0.199 -j DROP
-A FORWARD -s 172.30.143.0/255.255.255.0 -d 192.168.0.199 -j DROP
-A FORWARD -s 192.168.10.0/255.255.255.0 -d 192.168.0.73 -j DROP
-A FORWARD -s 172.30.143.0/255.255.255.0 -d 192.168.0.73 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth2 -j ACCEPT
-A FORWARD -i pptp+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -d 167.216.252.1 -o eth0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o pptp+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth2 -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -o eth0 -p tcp -m tcp --sport 110 -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -o eth0 -p tcp -m tcp --sport 25 -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -o eth0 -p tcp -m tcp --sport 1875 -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -o eth0 -p gre -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -o eth0 -p tcp -m tcp --sport 1723 -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -o eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -o eth0 -p ipv6-crypt -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -o eth0 -p ipv6-auth -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j DROP
-A drop-lan -j DROP
COMMIT
# Completed on Mon Oct 27 17:53:20 2008
[root@gateway ~]#
ASKER CERTIFIED SOLUTION
Normally typing "iptables-save" will show your current ruleset.
What do your rules look like right now?
Your Linux firewall will need an IP alias configured for each IP range you want to use on the inside, which is normally done by Ethernet aliasing, i.e.
if, say, on a Red Hat firewall eth1 is your internal private network interface:
vi /etc/sysconfig/network-scr
DEVICE=eth1:0
IPADDR=(second range's ip address)
NETMASK=(second internal mask)
Normally one might add a range to be allowed with something like
iptables -A FORWARD -i eth1 -s 192.168.20.0/24 -j ACCEPT
But more changes might be needed, depending on how the NAT tables are set up.
A common practice would be to have
iptables -t nat -A POSTROUTING -j MASQUERADE
essentially, rules that allow the NAT, so long as forwarding is permitted,
which may in fact sometimes be done with something like
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
(In that case, the firewall only needs to have a gateway IP for each IP range that you want to add.)
But most actual firewall appliances will likely have a stricter configuration.
And adding more ranges is a matter of editing that config in a way appropriate to the config you have already built.
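The procedure above (one alias per range plus FORWARD and NAT rules) as an added, dry-run example; this is not code from the thread or from clarkconnect. It assumes eth1 is the LAN interface, eth0 the WAN interface, the firewall takes the .1 address of each range, and the Red Hat-style ifcfg-eth1:N alias file path; it only prints the plan, so you can review it before applying anything.

```shell
#!/bin/sh
# Added example: generate the per-range alias files and iptables rules for
# the ranges from the question. Prints a plan; does not touch the system.
# Assumptions (not from the thread): LAN is eth1, WAN is eth0, the firewall
# owns the .1 address of each range, alias files live under
# /etc/sysconfig/network-scripts/ (assumed Red Hat layout).
LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-eth0}

# gateway_of 192.168.20.0/24 -> 192.168.20.1 (first host of the range)
gateway_of() {
    net=${1%/*}            # strip the /prefix
    echo "${net%.*}.1"     # replace the last octet with 1
}

# mask_of 24 -> 255.255.255.0 (prefix length to dotted netmask)
mask_of() {
    bits=$1; mask=""
    for octet in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then v=255; bits=$((bits - 8))
        else v=$(( (255 << (8 - bits)) & 255 )); bits=0; fi
        mask="$mask${mask:+.}$v"
    done
    echo "$mask"
}

# alias_config INDEX RANGE -> body of ifcfg-eth1:INDEX for that range
alias_config() {
    printf 'DEVICE=%s:%s\nIPADDR=%s\nNETMASK=%s\nONBOOT=yes\n' \
        "$LAN_IF" "$1" "$(gateway_of "$2")" "$(mask_of "${2#*/}")"
}

# forward_rules RANGE -> iptables commands for one range. The ruleset pasted
# in the thread already has "-A FORWARD -i eth1 -j ACCEPT", which admits any
# source on eth1; matching on -s keeps the grant to the ranges you listed.
forward_rules() {
    range=$1
    printf 'iptables -A FORWARD -i %s -o %s -s %s -j ACCEPT\n' \
        "$LAN_IF" "$WAN_IF" "$range"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' \
        "$range" "$WAN_IF"
}

# plan RANGE... -> alias files for every range, then the rules in order:
# one stateful return rule, then the per-range forward/NAT pairs.
plan() {
    i=0
    for r in "$@"; do
        echo "# --- /etc/sysconfig/network-scripts/ifcfg-$LAN_IF:$i (assumed path) ---"
        alias_config "$i" "$r"
        i=$((i + 1))
    done
    echo "# --- iptables ---"
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT"
    for r in "$@"; do
        forward_rules "$r"
    done
}

# Usage: sh plan-ranges.sh 192.168.20.0/24 192.168.30.0/24 ...
if [ "$#" -gt 0 ]; then
    plan "$@"
fi
```

Compare the printed FORWARD and POSTROUTING lines against the iptables-save output from the thread before adding them, since clarkconnect regenerates its own rules and a manually added rule may be ordered after an existing DROP.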