Networking Forums


Need HELP with Red Hat Linux firewall

 
 
Aleksandr Zingorenko

 
      07-10-2003, 11:01 PM
I am having a problem with a firewall that is simply too strict.
Specifically, I am trying to configure an iptables firewall on Red Hat Linux
9 that protects the servers on our Windows 2000 network from hacker/cracker
attacks. So far, I have 2 Win2k machines behind this firewall, and each of
them has a private IP address. In addition, I configured the firewall to
use DNAT to map valid IP addresses to private ones for those two machines.
As a result, each machine can connect to the Internet and reach (ping) any
other machine on our network, behind the firewall or not. However, whenever
any machine NOT behind the firewall tries to reach any of these 2 machines,
it fails (the farthest a successful ping can go at this point is the
firewall's external interface) even though the policy of every chain in
every table is ACCEPT and only SNAT and DNAT rules are specified. Can
anyone tell me how I could fix this problem? I realize that a firewall
should keep "outsiders" out, but we have servers that we want to protect
from malicious code and yet allow employees in our department limited access
to them.


 
 
 
 
 
/dev/alex

 
      07-11-2003, 02:20 AM
On Thu, 10 Jul 2003 16:01:49 -0700, Aleksandr Zingorenko wrote:

> I am having a problem with a firewall that is simply too strict.
> Specifically, I am trying to configure an iptables firewall on Red Hat
> Linux 9 that protects the servers on our Windows 2000 network from
> hacker/cracker attacks. So far, I have 2 Win2k machines behind this
> firewall, and each of them has a private IP address. In addition, I
> configured the firewall to use DNAT to map valid IP addresses to private
> ones for those two machines. As a result, each machine can connect to the
> Internet and reach (ping) any other machine on our network, behind the
> firewall or not. However, whenever any machine NOT behind the firewall
> tries to reach any of these 2 machines, it fails (the farthest a
> successful ping can go at this point is the firewall's external interface)
> even though the policy of every chain in every table is ACCEPT and only
> SNAT and DNAT rules are specified. Can anyone tell me how I could fix
> this problem? I realize that a firewall should keep "outsiders" out, but
> we have servers that we want to protect from malicious code and yet allow
> employees in our department limited access to them.


For example, name one service you would like...

Also, looked into FreeS/WAN IPsec VPN? or PoPToP PPTP VPN?

-a
 
 
Timothy Murphy

 
      07-11-2003, 11:32 AM
Aleksandr Zingorenko wrote:

> Thank you very much for suggesting VPNs. However, I would still like to
> know: is it possible to have several servers with private IP addresses
> behind a firewall that allows the employees of our department, but nobody
> else, to access these servers? As much as I would like to give VPNs a
> try, I find this particular question very interesting.


Couldn't one list the services they can use with their IP addresses
in /etc/hosts.allow ?


--
Timothy Murphy
e-mail: (E-Mail Removed)
tel: +353-86-233 6090
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland
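
The setup asked about in this thread (privately addressed servers behind one-to-one NAT, reachable only from one department's network), sketched as an added example that is not part of any post above. It only prints a ruleset in iptables-restore format. The interface name and every address are constructed sample values, and it assumes the public addresses are configured on the firewall's external interface and that IP forwarding is enabled.

```shell
#!/bin/sh
# Added example: all values below are constructed (documentation address ranges).
DEPT_NET="198.51.100.0/24"   # department workstations allowed in (assumed)
EXT_IF="eth0"                # external interface name (assumed)
MAPPINGS="203.0.113.10=192.168.1.10 203.0.113.11=192.168.1.11"  # public=private

line() { printf '%s\n' "$*"; }

# Print the ruleset; nothing is applied to the running firewall.
gen_ruleset() {
    line "*nat"
    line ":PREROUTING ACCEPT [0:0]"
    line ":POSTROUTING ACCEPT [0:0]"
    line ":OUTPUT ACCEPT [0:0]"
    for m in $MAPPINGS; do
        pub=${m%%=*}; priv=${m##*=}
        # Inbound: rewrite the public destination to the private server.
        line "-A PREROUTING -i $EXT_IF -d $pub -j DNAT --to-destination $priv"
        # Outbound: the server's own connections leave with its public address.
        line "-A POSTROUTING -o $EXT_IF -s $priv -j SNAT --to-source $pub"
    done
    line "COMMIT"
    line "*filter"
    line ":INPUT ACCEPT [0:0]"
    line ":FORWARD DROP [0:0]"   # anything not matched below is not forwarded
    line ":OUTPUT ACCEPT [0:0]"
    # Replies belonging to connections that were already allowed.
    line "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for m in $MAPPINGS; do
        priv=${m##*=}
        # FORWARD sees the packet after DNAT, so match the private address.
        line "-A FORWARD -i $EXT_IF -s $DEPT_NET -d $priv -m state --state NEW -j ACCEPT"
        # The servers may open their own outbound connections.
        line "-A FORWARD -o $EXT_IF -s $priv -m state --state NEW -j ACCEPT"
    done
    line "COMMIT"
}

# Review the output first; to load it, run as root:
#   echo 1 > /proc/sys/net/ipv4/ip_forward
#   sh this_script.sh | iptables-restore
gen_ruleset
```

With every policy set to ACCEPT, as in the original post, the DNAT rules alone let any source reach the servers once forwarding works; the FORWARD policy of DROP plus the source match is what limits access to the department's network.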
 
 
 
 