Need help configuring IPtables w/ DMZ, 2 LAN, and INET

 
 
Frank Harris
Guest

 
      10-29-2003, 05:36 PM
I am desperately in need of assistance in configuring an IPtables
firewall on a Red Hat Linux 9.0 server. I'm somewhat familiar with
IPtables, but for the most part have been using example scripts and
configurators to try and help out, so please pardon any ignorance.

I have four NIC cards in the firewall. eth0 (internet -
aaa.bbb.ccc.ddd), eth1 (lan1 - 172.16.1.1), eth2 (dmz - 192.168.1.1),
and eth3 (lan 2 - 10.10.10.1).

From the outside, everything looks good. I can access any of the
servers in the DMZ (mail, http, etc.).

I am able to access the Internet using IP MASQ on both LAN interfaces,
however, the first problem I'm having is accessing the DMZ from either
LAN interface. Any ideas what the problem may be? In particular, I
need a way to access the mail server (192.168.1.9) on the DMZ using
POP as well as the web server also on the same system.

For example, if on LAN2 I try and access POP through
mail.mydomain.com, it resolves to a real IP on the internet, but on
the firewall it's NAT'd to a 192.168.1.9 address. I have also tried
going to 192.168.1.9 directly, without any luck. But I am guessing I
don't want to access the DMZ in that manner. So I'd rather use the
real net address that is NAT'd to the server on the DMZ.

The second issue is using the Transparent Proxy from both LAN
interfaces. This server is currently set up in my DMZ (192.168.1.5). I
have read through the Transparent Proxy mini HOWTO, and I believe I
have all the iptables rules set correctly. Here they are:

### Enable transparent Proxy (for LAN and Clients)
### LAN Proxy (eth1)
/sbin/iptables -t nat -A PREROUTING -i eth1 -s ! 192.168.1.5 -p tcp --dport 80 -j DNAT --to 192.168.1.5:3128
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 127.0.0.1/8 -d 192.168.1.5 -j SNAT --to 192.168.1.1

### Client Proxy (eth3)
/sbin/iptables -t nat -A PREROUTING -i eth3 -s ! 192.168.1.5 -p tcp --dport 80 -j DNAT --to 192.168.1.5:3128
/sbin/iptables -t nat -A POSTROUTING -o eth3 -s 127.0.0.1/8 -d 192.168.1.5 -j SNAT --to 192.168.1.1

I have tried using the example iptables dmz rules from the IPtables
HOWTO, but was never able to get things to talk correctly. I ended up
using the NARC (netfilter automatic rule configurator) utility, and that
gave better results, but I still have the problem accessing the DMZ from
either LAN interface.

Here is what my IPtables looks like (using iptables -nL):

-- start of iptables rules --

Chain INPUT (policy DROP)
target prot opt source destination
SPOOF_CHK all -- 0.0.0.0/0 0.0.0.0/0
SANITY_CHK tcp -- 0.0.0.0/0 0.0.0.0/0
STATE_CHK all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 127.0.0.0/24 127.0.0.0/24 state NEW
TCP_CHK tcp -- 0.0.0.0/0 0.0.0.0/0
UDP_CHK udp -- 0.0.0.0/0 0.0.0.0/0
ICMP_CHK icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67

Chain FORWARD (policy DROP)
target prot opt source destination
SPOOF_CHK all -- 0.0.0.0/0 0.0.0.0/0
SANITY_CHK tcp -- 0.0.0.0/0 0.0.0.0/0
STATE_CHK all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT tcp -- 0.0.0.0/0 192.168.1.2 state NEW tcp dpt:25 flags:0x16/0x02
ACCEPT tcp -- 0.0.0.0/0 192.168.1.2 state NEW tcp dpt:80 flags:0x16/0x02
ACCEPT tcp -- 0.0.0.0/0 192.168.1.2 state NEW tcp dpt:110 flags:0x16/0x02
ACCEPT tcp -- 0.0.0.0/0 192.168.1.9 state NEW tcp dpt:80 flags:0x16/0x02
ACCEPT tcp -- 0.0.0.0/0 192.168.1.9 state NEW tcp dpt:20 flags:0x16/0x02
ACCEPT tcp -- 0.0.0.0/0 192.168.1.9 state NEW tcp dpt:21 flags:0x16/0x02
ACCEPT tcp -- 0.0.0.0/0 192.168.1.9 state NEW tcp dpt:80 flags:0x16/0x02
ACCEPT tcp -- 0.0.0.0/0 192.168.1.9 state NEW tcp dpt:20 flags:0x16/0x02
ACCEPT tcp -- 0.0.0.0/0 192.168.1.9 state NEW tcp dpt:21 flags:0x16/0x02
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain ICMP_CHK (1 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0 limit: avg 1/sec burst 5
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 0 limit: avg 1/sec burst 5
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 1 limit: avg 1/sec burst 5
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 3 limit: avg 1/sec burst 5
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4 limit: avg 1/sec burst 5
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11 limit: avg 1/sec burst 5
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain SANITY_CHK (2 references)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x03
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x09
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x13
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x0B
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x07
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x0F
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x17
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x1F
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x01
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00

Chain SPOOF_CHK (2 references)
target prot opt source destination
DROP all -- 127.0.0.0/8 0.0.0.0/0
DROP all -- 240.0.0.0/5 0.0.0.0/0
DROP all -- 248.0.0.0/5 0.0.0.0/0
DROP all -- 10.0.0.0/8 0.0.0.0/0
DROP all -- 172.16.0.0/12 0.0.0.0/0
DROP all -- 192.168.0.0/16 0.0.0.0/0
DROP all -- aaa.bbb.ccc.ddd 0.0.0.0/0 <<- changed to protect

Chain STATE_CHK (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW

Chain TCP_CHK (1 references)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 flags:0x16/0x02 reject-with tcp-reset
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 53,113,22,25,80,443,21,20,110,995,143,993 state NEW length 40:68 tcp flags:0x16/0x02
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain UDP_CHK (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 53,113,25,110,143,21,20 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW limit: avg 1/sec burst 5 udp dpts:33434:38000
DROP all -- 0.0.0.0/0 0.0.0.0/0

-- end of iptables rules --

Any help anyone can provide on this issue would be greatly
appreciated. Thank you in advance.

Frank
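
As an added example (my own script, not Frank's rules and not what NARC generated), the following builds a ruleset for the four-interface layout described in the post and covers both questions: LAN-to-DMZ access via the public name (hairpin NAT) and the transparent proxy redirect to a squid box in the DMZ. Everything not in the post is an assumption: the /24 masks on the LAN segments, the placeholder 203.0.113.10 standing in for aaa.bbb.ccc.ddd, the published port set 25/80/110, and that LAN and DMZ hosts use the firewall as their default gateway. Without `--apply` the script only prints the rules it would load, which is also how you review the `-i`/`-o` matches that `iptables -nL` hides.

```shell
#!/bin/sh
# Added example, not Frank's script or NARC output. Firewall with four NICs as
# in the post: eth0 internet, eth1 LAN1 (172.16.1.x), eth2 DMZ (192.168.1.x),
# eth3 LAN2 (10.10.10.x). 'sh fw.sh' prints the rules; 'sh fw.sh --apply'
# (as root) loads them. Netmasks, ports and PUB_IP are assumptions.
PUB_IP="${PUB_IP:-203.0.113.10}"   # stands in for aaa.bbb.ccc.ddd (placeholder)
LAN1_NET=172.16.1.0/24             # assumed /24 behind eth1
LAN2_NET=10.10.10.0/24             # assumed /24 behind eth3
DMZ_GW=192.168.1.1                 # firewall's own eth2 address (from the post)
MAIL=192.168.1.9                   # mail + web server in the DMZ (from the post)
SQUID=192.168.1.5                  # transparent proxy in the DMZ (from the post)
DMZ_PORTS=25,80,110                # SMTP, HTTP, POP3 published for $MAIL (assumed)

# Every rule goes through ipt(): it prints unless APPLY=1, so the ruleset can
# be reviewed (and this script run) without root or netfilter.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then /sbin/iptables "$@"; else echo "iptables $*"; fi
}

# Anti-spoofing belongs on the internet interface only. A SPOOF_CHK that drops
# 10/8 and 172.16/12 on *every* interface would cut the LANs off from the DMZ,
# and plain 'iptables -nL' would not reveal it, because that output omits
# the -i/-o matches (use 'iptables -nvL' or 'iptables-save' to see them).
spoof_rules() {
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        ipt -A FORWARD -i eth0 -s "$net" -j DROP
    done
}

# Internet access for both LANs (the part the post says already works).
masq_rules() {
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    for lan in eth1 eth3; do
        ipt -A FORWARD -i "$lan" -o eth0 -m state --state NEW -j ACCEPT
    done
    ipt -t nat -A POSTROUTING -s "$LAN1_NET" -o eth0 -j MASQUERADE
    ipt -t nat -A POSTROUTING -s "$LAN2_NET" -o eth0 -j MASQUERADE
}

# LAN -> DMZ: FORWARD must explicitly let new connections from the LAN
# interfaces reach the mail/web host; replies are covered by the state rule.
dmz_access_rules() {
    for lan in eth1 eth3; do
        ipt -A FORWARD -i "$lan" -o eth2 -d "$MAIL" -p tcp -m multiport --dports "$DMZ_PORTS" -m state --state NEW -j ACCEPT
    done
}

# Hairpin NAT: mail.mydomain.com resolves to the public address, which is local
# to the firewall, so LAN packets would hit INPUT instead of being forwarded.
# A DNAT that matches on the LAN interfaces (one restricted to -i eth0 does
# not) sends them on to the DMZ host. No SNAT is needed: the DMZ host's reply
# to a LAN address routes back through this firewall, where conntrack
# reverses the DNAT.
hairpin_rules() {
    for lan in eth1 eth3; do
        ipt -t nat -A PREROUTING -i "$lan" -d "$PUB_IP" -p tcp -m multiport --dports "$DMZ_PORTS" -j DNAT --to-destination "$MAIL"
    done
}

# Transparent proxy with squid in the DMZ. Squid's own fetches arrive on eth2,
# so no '-s ! squid' exclusion is needed on eth1/eth3. If a source rewrite is
# wanted at all, it must match the interface the packet *leaves* on (-o eth2)
# and the real destination; '-o eth1 -s 127.0.0.1/8' can never match.
proxy_rules() {
    for lan in eth1 eth3; do
        ipt -t nat -A PREROUTING -i "$lan" -p tcp --dport 80 -j DNAT --to-destination "$SQUID:3128"
        ipt -A FORWARD -i "$lan" -o eth2 -d "$SQUID" -p tcp --dport 3128 -m state --state NEW -j ACCEPT
    done
    ipt -t nat -A POSTROUTING -o eth2 -d "$SQUID" -p tcp --dport 3128 -j SNAT --to-source "$DMZ_GW"
}

# Order matters in nat/PREROUTING: the hairpin DNAT for the public IP is
# appended before the catch-all port-80 redirect, otherwise web traffic to
# the published server would be bounced through squid instead.
all_rules() {
    spoof_rules; masq_rules; dmz_access_rules; hairpin_rules; proxy_rules
}

# Count generated rules that mention a pattern (an interface, address, port).
rules_matching() { all_rules | grep -c -- "$1"; }

case "${1:-}" in
    --apply) APPLY=1; all_rules ;;
    *)       all_rules ;;
esac
```

The script keeps the firewall's own `-o eth2` SNAT only for the proxy path, and only because the mini-HOWTO rule being replaced used one; with squid's default gateway pointing at the firewall it can be dropped as well. Review the printed output with `sh fw.sh | grep PREROUTING` to confirm the hairpin rule precedes the port-80 redirect before applying.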
Jacob Westenbach
Guest

 
      10-29-2003, 06:34 PM
"Frank Harris" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I am desperately in need of assistance in configuring an IPtables
> firewall on a Red Hat Linux 9.0 server. I'm somewhat familiar with
> IPtables, but for the most part have been using example scripts and
> configurators to try and help out, so please pardon any ignorance.
>
> I have four NIC cards in the firewall. eth0 (internet -
> aaa.bbb.ccc.ddd), eth1 (lan1 - 172.16.1.1), eth2 (dmz - 192.168.1.1),
> and eth3 (lan 2 - 10.10.10.1).
>
> From the outside, everything looks good. I can access any of the
> servers in the DMZ (mail, http, etc.).
>
> I am able to access the Internet using IP MASQ on both LAN interfaces,
> however, the first problem I'm having is accessing the DMZ from either
> LAN interface. Any ideas what the problem may be? In particular, I
> need a way to access the mail server (192.168.1.9) on the DMZ using
> POP as well as the web server also on the same system.
>
> For example, if on LAN2 I try and access POP through
> mail.mydomain.com, it resolves to a real IP on the internet, but on
> the firewall it's NAT'd to a 192.168.1.9 address. I have also tried
> going to 192.168.1.9 directly, without any luck. But I am guessing I
> don't want to access the DMZ in that manner. So I'd rather use the
> real net address that is NAT'd to the server on the DMZ.
>


This is a routing issue rather than a firewall ruleset problem.
Establishing a static route from lan1 and lan2 to your DMZ subnet should fix
that for you.

Sorry I can't help at all on the proxy question.

JW