iptables in DMZ scenario
                        workstation
                            |
                            | 10.1.3.0/24
                            |
internet -------------- firewall ------------------- mail 10.1.1.2
            102.168.1.1 (eth0)      10.1.1.1
mail server private ip 10.1.1.2, NATed on the firewall to the public ip 102.168.1.2
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 102.168.1.2 --dport 25 \
-j DNAT --to-destination 10.1.1.2:25
for connections originating from 10.1.1.2 (so the mail server's outbound SMTP leaves with its own public ip, not the firewall's) add rule
iptables -t nat -A POSTROUTING -s 10.1.1.2 -o eth0 -j SNAT --to-source \
102.168.1.2
for packets coming from workstation network
iptables -t nat -A POSTROUTING -s 10.1.3.0/24 -o eth0 -j SNAT \
--to-source 102.168.1.1
for internal clients accessing SMTP on the public ip 102.168.1.2 (hairpin NAT): the PREROUTING
rule above only matches -i eth0, so clients arriving on the inside interface eth1 need their own
DNAT, and the mail server's replies must be SNATed to the firewall's inside address so they come
back through the firewall instead of going straight to the client with the private source
address (note -i is not valid in POSTROUTING, only -o is)
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 102.168.1.2 --dport 25 \
-j DNAT --to-destination 10.1.1.2:25
iptables -t nat -A POSTROUTING -s 10.1.3.0/24 -d 10.1.1.2 -p tcp --dport 25 \
-j SNAT --to-source 10.1.1.1
for directing http traffic from the workstation network to a squid server at 10.1.1.3:3128
(match on the inside interface eth1, not eth0: 10.1.3.0/24 never legitimately arrives on the
internet-facing interface, and a packet that does should be dropped as spoofed)
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -s 10.1.3.0/24 \
-j DNAT --to 10.1.1.3:3128
squid must listen in interception mode (http_port 3128 intercept); because the DNAT is done
on the firewall and not on the squid host, squid cannot recover the original destination
from its own NAT table and falls back to the Host header, so if squid runs on the firewall
itself prefer -j REDIRECT --to-ports 3128
adding the public ip 102.168.1.2 to the firewall, two methods
a) ip alias on the interface which faces the outside world, eth0, eg
ifconfig eth0:mail 102.168.1.2 netmask 255.255.255.0 up
(iproute2 equivalent: ip addr add 102.168.1.2/24 dev eth0 label eth0:mail)
b) use proxy arp to publish the NIC's MAC address for the ip, so the upstream router
gets eth0's MAC when it ARPs for 102.168.1.2
arp -Ds 102.168.1.2 eth0 pub
either way the DNAT rule is still required; with (b) the address is never local to the
firewall, which works because the PREROUTING DNAT happens before the routing decision
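Added example, not part of the original notes: one script that loads the NAT rules from these notes together with the FORWARD-chain filtering a DMZ actually depends on (the notes only cover the nat table, and with a default ACCEPT forward policy the mail server could reach the workstations after a compromise), plus the public address for the mail server via method (a). Interface assignment is an assumption: eth0 = internet (102.168.1.1), eth1 = workstation LAN (10.1.3.0/24), eth2 = DMZ segment (10.1.1.0/24) with the mail server 10.1.1.2 and squid 10.1.1.3; the notes only name eth0 and eth1. By default the script prints the commands instead of running them; set DRY_RUN=0 to apply them on the firewall.

```shell
#!/bin/sh
# Added example (not the original notes' code). Assumed layout:
#   eth0 = internet, 102.168.1.1, plus 102.168.1.2 for the mail server
#   eth1 = workstation LAN, 10.1.3.0/24
#   eth2 = DMZ, 10.1.1.1/24; mail 10.1.1.2, squid 10.1.1.3:3128
WAN=eth0; LAN=eth1; DMZ=eth2
PUB_FW=102.168.1.1; PUB_MAIL=102.168.1.2
FW_DMZ=10.1.1.1; MAIL=10.1.1.2; SQUID=10.1.1.3; SQUID_PORT=3128
LAN_NET=10.1.3.0/24

# run: print the command (DRY_RUN unset or 1) or execute it (DRY_RUN=0), so the
# ruleset can be reviewed on a workstation before it is loaded on the firewall
run() {
    if [ "${DRY_RUN:-1}" = 0 ]; then "$@"; else printf '%s\n' "$*"; fi
}

dmz_nat_rules() {
    run iptables -t nat -F
    # inbound SMTP to the public mail address -> private mail server
    run iptables -t nat -A PREROUTING -i "$WAN" -p tcp -d "$PUB_MAIL" --dport 25 \
        -j DNAT --to-destination "$MAIL:25"
    # hairpin: the -i eth0 rule never matches workstations, so DNAT on the LAN
    # interface too, and SNAT so the server's replies return via the firewall
    run iptables -t nat -A PREROUTING -i "$LAN" -p tcp -d "$PUB_MAIL" --dport 25 \
        -j DNAT --to-destination "$MAIL:25"
    run iptables -t nat -A POSTROUTING -o "$DMZ" -s "$LAN_NET" -d "$MAIL" -p tcp --dport 25 \
        -j SNAT --to-source "$FW_DMZ"
    # mail server's own outbound connections leave as the public mail address
    run iptables -t nat -A POSTROUTING -s "$MAIL" -o "$WAN" -j SNAT --to-source "$PUB_MAIL"
    # workstations share the firewall's public address
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j SNAT --to-source "$PUB_FW"
    # transparent proxy: workstation HTTP is sent to squid in the DMZ
    run iptables -t nat -A PREROUTING -i "$LAN" -s "$LAN_NET" -p tcp --dport 80 \
        -j DNAT --to-destination "$SQUID:$SQUID_PORT"
}

dmz_filter_rules() {
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # internet -> mail server, SMTP only (FORWARD sees the post-DNAT destination)
    run iptables -A FORWARD -i "$WAN" -o "$DMZ" -d "$MAIL" -p tcp --dport 25 \
        -m conntrack --ctstate NEW -j ACCEPT
    # mail server -> internet: SMTP and DNS only
    run iptables -A FORWARD -i "$DMZ" -o "$WAN" -s "$MAIL" -p tcp --dport 25 -j ACCEPT
    run iptables -A FORWARD -i "$DMZ" -o "$WAN" -s "$MAIL" -p udp --dport 53 -j ACCEPT
    # squid -> internet on behalf of the workstations
    run iptables -A FORWARD -i "$DMZ" -o "$WAN" -s "$SQUID" -p tcp -m multiport --dports 80,443 -j ACCEPT
    # workstations -> mail server (incl. hairpinned SMTP) and -> squid
    run iptables -A FORWARD -i "$LAN" -o "$DMZ" -s "$LAN_NET" -d "$MAIL" -p tcp --dport 25 -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$DMZ" -s "$LAN_NET" -d "$SQUID" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    # workstations -> internet for everything else (port 80 was already DNATed to squid)
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # the point of the DMZ: no new connections from the DMZ into the workstation LAN
    run iptables -A FORWARD -i "$DMZ" -o "$LAN" -j DROP
}

dmz_firewall() {
    run sysctl -w net.ipv4.ip_forward=1
    # method (a): second public address on eth0; replace is idempotent on re-runs
    run ip addr replace "$PUB_MAIL/32" dev "$WAN"
    dmz_nat_rules
    dmz_filter_rules
}

dmz_firewall
```

After applying, verify with `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v`, then test from a workstation that `telnet 102.168.1.2 25` reaches the mail server and that a connection from the mail server to 10.1.3.0/24 is dropped; the packet counters on the FORWARD rules show which rule each test hit.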