iptables in DMZ scenario

internet -------------- firewall ------------------- mail


mail server on a private ip, NAT'd to a public ip: DNAT incoming SMTP arriving on eth0 for the public ip to the mail server's private ip

iptables -t nat -A PREROUTING -p tcp -i eth0 -d --dport 25 \
    -j DNAT --to-destination

for connections originating from the mail server itself (outbound, e.g. delivering mail), add an SNAT rule so they leave with the public ip as source

iptables -t nat -A POSTROUTING -s -o eth0 -j SNAT --to-source

for packets coming from the workstation network, SNAT them to the firewall's own public ip when they leave on eth0

iptables -t nat -A POSTROUTING -s -o eth0 -j SNAT --to-source

for internal clients accessing SMTP on the public ip (hairpin NAT): the DNAT rewrites the destination, but the mail server's reply must also come back through the firewall, so SNAT on the interface facing the mail server as well; note POSTROUTING only accepts an output interface (-o), -i is rejected there

iptables -t nat -A POSTROUTING -o eth1 -d -j SNAT --to

for redirecting HTTP traffic from the client network to a Squid proxy (transparent proxying)

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -s \
    -j DNAT --to

adding the public ip to the firewall's interface (the firewall must answer for it before DNAT can apply); two methods

a) an ip alias on the interface facing the outside world (eth0)

e.g. eth0:mail

b) use arp to publish the NIC's MAC address for the public ip (proxy ARP), without assigning the address to the interface

arp -Ds eth0 pub
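The whole scenario above as one reviewable script. This is an added example, not part of the original notes: every address, network and interface name in it is a constructed placeholder (RFC 5737 / RFC 1918 ranges; eth0 = outside, eth1 = workstation LAN, eth2 = DMZ holding the mail server), and the squid target port 3128 is assumed. By default it only prints the commands so the rule set can be diffed or reviewed; the `check_rules` function rejects the one class of mistake iptables itself refuses to load (-i in POSTROUTING, -o in PREROUTING). It covers only the nat table; the filter table's FORWARD chain must separately permit the DNATed flows.

```shell
#!/bin/sh
# Added example: DMZ NAT rule set for the scenario in the notes.
# All values below are constructed placeholders, not the notes' own addresses.
WAN_IF=eth0                   # faces the internet (assumption)
LAN_IF=eth1                   # workstation network (assumption)
DMZ_IF=eth2                   # DMZ with the mail server / squid (assumption)
FW_PUBLIC_IP=203.0.113.1      # firewall's own public address
MAIL_PUBLIC_IP=203.0.113.25   # public address published for the mail server
MAIL_PRIV_IP=192.168.20.25    # mail server's private address in the DMZ
DMZ_FW_IP=192.168.20.1        # firewall's address on the DMZ side (hairpin SNAT source)
LAN_NET=192.168.10.0/24       # workstation network
SQUID_IP=192.168.20.80        # squid proxy in the DMZ
SQUID_PORT=3128               # assumed squid listening port

# Emit the rule set, one command per line, in the order it must be loaded.
nat_rules() {
    cat <<EOF
# method a) from the notes: bind the public ip as an alias on the outside interface
ip addr add ${MAIL_PUBLIC_IP}/32 dev ${WAN_IF} label ${WAN_IF}:mail
# method b) would instead be: arp -Ds ${MAIL_PUBLIC_IP} ${WAN_IF} pub
# inbound SMTP from the internet -> mail server private ip
iptables -t nat -A PREROUTING -i ${WAN_IF} -p tcp -d ${MAIL_PUBLIC_IP} --dport 25 -j DNAT --to-destination ${MAIL_PRIV_IP}
# outbound connections from the mail server leave with its public ip
iptables -t nat -A POSTROUTING -s ${MAIL_PRIV_IP} -o ${WAN_IF} -j SNAT --to-source ${MAIL_PUBLIC_IP}
# workstation network masqueraded behind the firewall's public ip
iptables -t nat -A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j SNAT --to-source ${FW_PUBLIC_IP}
# hairpin: internal clients hitting the public ip need their own DNAT (the first
# one only matches -i ${WAN_IF}) plus an SNAT so the server's reply returns via the firewall
iptables -t nat -A PREROUTING -i ${LAN_IF} -p tcp -d ${MAIL_PUBLIC_IP} --dport 25 -j DNAT --to-destination ${MAIL_PRIV_IP}
iptables -t nat -A POSTROUTING -s ${LAN_NET} -d ${MAIL_PRIV_IP} -o ${DMZ_IF} -j SNAT --to-source ${DMZ_FW_IP}
# transparent HTTP redirect from the workstation network to squid
iptables -t nat -A PREROUTING -i ${LAN_IF} -p tcp --dport 80 -s ${LAN_NET} -j DNAT --to-destination ${SQUID_IP}:${SQUID_PORT}
EOF
}

# Read a rule set on stdin and fail if any line uses an interface match the
# chain does not allow: POSTROUTING has no input interface, PREROUTING no output one.
check_rules() {
    if grep -E -q -- '-A POSTROUTING( .*)? (-i|--in-interface) |-A PREROUTING( .*)? (-o|--out-interface) '; then
        echo "check_rules: interface match not valid in that chain" >&2
        return 1
    fi
    return 0
}

# "apply" loads the rules (needs root and iptables); anything else just prints them.
case "${1:-}" in
    apply) nat_rules | check_rules && nat_rules | sh -e ;;
    *)     nat_rules ;;
esac
```

Run as `sh dmz-nat.sh` to review the commands, `sh dmz-nat.sh apply` to load them after the check passes. Rule order matters only within a chain here; the hairpin SNAT is scoped to `-d ${MAIL_PRIV_IP}` so ordinary LAN-to-DMZ traffic keeps its real source address and the mail server's logs stay useful.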