[CentOS] How to access one machine behind iptables, on different subnet?

Fri Oct 29 08:22:52 UTC 2010
Rudi Ahlers <Rudi at SoftDux.com>

Hi all,

I wonder if someone can help me with this: The setup is as follows:

192.168.1.254 - wireless ADSL modem, with DHCP pool on 192.168.100 - 192.168.200
192.168.1.250 - Linux firewall RED interface
192.168.2.250 - Linux firewall GREEN interface.

There are some normal LAN clients behind the Linux firewall's GREEN
interface, which can all access each other's shared services and also
all the clients behind the RED interface. i.e. those clients connected
to the 192.168.1.254 ADSL wifi APP directly.

Now I want the clients on the "outside" to connect to one specific
host on the inside, behind the GREEN interface, on IP 192.168.1.20.
How would I do that? I know I can do this with port forwarding, but
need many ports forwarded. How do I give full access to all ports on
this IP, instead of forwarding every port? Does that make sense?

Currently no clients on the 192.168.1.0 subnet can access any client
on the 192.168.2.0 subnet.



[root at intranet ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:tftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:25151

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
ACCEPT     all  --  192.168.2.0/24       anywhere
ACCEPT     all  --  anywhere             192.168.2.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root at intranet ~]# route -nv
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0


The Linux firewall runs CentOS 5.5. x64

[root at intranet ~]# cat /etc/redhat-release
CentOS release 5.5 (Final)

[root at intranet ~]# iptables -V
iptables v1.3.5

-- 
Kind Regards
Rudi Ahlers
SoftDux

Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Office: 087 805 9573
Cell: 082 554 7532
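Added example for the "all ports to one host" question above; this is not code from the original post. It prints the iptables and sysctl commands for a 1:1 DNAT of the firewall's RED address (192.168.1.250) to a single GREEN-side host, so every port of that host becomes reachable from the 192.168.1.0/24 side without listing ports. Assumptions not stated in the post: RED is eth0 and GREEN is eth1 (as the route table suggests), the inside host lives on 192.168.2.0/24 and uses the firewall as its default gateway, and the ports the firewall itself serves on its RED address (its INPUT chain accepts DNS, DHCP, TFTP and HTTP) are excluded from the DNAT by an explicit keep list. The post gives the target as 192.168.1.20, which is on the RED subnet, so the script takes the address as a parameter and refuses one outside the GREEN subnet.

```sh
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Generates (does not apply) the rules that expose all ports of one
# GREEN-side host on the firewall's RED address via a 1:1 DNAT.
#
# Assumed topology (interface names taken from the posted route table,
# the rest is an assumption):
#   RED   eth0 192.168.1.250   facing the ADSL/wifi side
#   GREEN eth1 192.168.2.0/24  inside LAN, firewall is the default gateway

RED_IF=eth0
RED_IP=192.168.1.250
GREEN_IF=eth1
GREEN_NET=192.168.2.0/24

# build_rules INSIDE_HOST [proto:port ...]
#   Prints the commands to stdout. Each proto:port names a service the
#   firewall answers itself on RED_IP and that must not be DNATed
#   (e.g. udp:53 tcp:53 udp:67 for the DNS/DHCP it is already accepting).
build_rules() {
    host=$1
    shift
    # A DNAT target on the RED subnet would just bounce packets back out
    # of eth0, so only accept a GREEN-side address.
    case "$host" in
        192.168.2.*) ;;
        *) echo "error: $host is not in $GREEN_NET" >&2; return 1 ;;
    esac
    # Routing between the interfaces must be on for any of this to matter.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Services the firewall keeps for itself leave the nat table untouched.
    for spec in "$@"; do
        proto=${spec%%:*}
        port=${spec#*:}
        echo "iptables -t nat -A PREROUTING -i $RED_IF -d $RED_IP -p $proto --dport $port -j RETURN"
    done
    # Everything else addressed to the RED IP is rewritten to the inside host;
    # conntrack reverses the translation on the replies automatically.
    echo "iptables -t nat -A PREROUTING -i $RED_IF -d $RED_IP -j DNAT --to-destination $host"
    # Stateful FORWARD rules for the translated flows. The posted FORWARD chain
    # already has an unconditional ACCEPT, so these only matter once that
    # is tightened, but they keep the return path limited to replies.
    echo "iptables -I FORWARD 1 -i $RED_IF -o $GREEN_IF -d $host -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -I FORWARD 1 -i $GREEN_IF -o $RED_IF -s $host -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# apply_rules INSIDE_HOST [proto:port ...]
#   Same arguments as build_rules; runs the generated commands as root.
apply_rules() {
    build_rules "$@" | sh
}
```

Review the output first (`build_rules 192.168.2.20 udp:53 tcp:53 udp:67 tcp:22`), then pipe it through `apply_rules` with the same arguments. Two caveats a practitioner will want: every port on the chosen host is now reachable from the whole wifi/ADSL side, which is a much larger exposure than a per-port forward, so the host should be hardened as if it were on the RED network; and if the ADSL modem can take a static route, adding 192.168.2.0/24 via 192.168.1.250 on it (or on each outside client) removes the need for NAT altogether, since the posted FORWARD chain already accepts all traffic between the two subnets.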