[ale] IPtables question
    Chris Fowler
    cfowler at outpostsentinel.com
    Mon Jul 12 09:05:09 EDT 2004

On Sun, 2004-07-11 at 22:33, Dow Hurst wrote:
> Chris Fowler wrote:
> 
> >I just added a 3rd nic to my linux firewall.  On that nic I have it
> >directly connected via cross-over to a server that is running an
> >application.  I did this because my customers will be using that
> >application from the Internet.  If for some reason someone was to gain 
> >access to that box I do not want them to be able to come back to the
> >firewall and jump over to the 2nd nic to my company network.  
> >
> >What would be a good rule that would allow all incoming traffic from
> >the outside and 2nd nic to that box but would disallow any traffic
> >originating from that machine?
> >
> >  
> >
> To solve this effectively, you can try using Bob's iptables rules in his 
> book (2nd ed.) and adapt a second set of variables for the 3rd 
> interface.  Diagram what you want to go where in a map and work your way 
> through his ruleset to make sure nothing violates the allowed pathways.  I 
> didn't have a 3rd interface so could just test out the ruleset as is.  I 
> only had to tweak one rule to allow incoming SSH connections to any IP 
> in the internal LAN and add one rule to allow access from what I called 
> the DMZ to a license server on the internal LAN.  His egress and 
> loopback rules really make sense once you've worked through them.  It is 
> also a tested set of rules that you won't have to build yourself.
> Dow
> 
What is the name of the book?
Attached is my script which introduces NAT hell.
I tried to place rules that would block traffic from eth2 to eth1 after
this line:
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
But none of them worked. I even tried this:
/sbin/iptables -A INPUT -p tcp -i ${DMZ} -s 0.0.0.0/0 -d 192.168.2.0/24 --dport 22 -j DROP
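
Added example, not part of the original message or the poster's attached script: packets routed between NICs traverse the filter table's FORWARD chain (never INPUT) and are filtered before the nat POSTROUTING hook runs, so an isolation rule has to sit in FORWARD ahead of any broader ACCEPT. The interface roles (eth0 = Internet, eth1 = company LAN, eth2 = DMZ server) and the function names dmz_rules and apply_dmz_rules are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: interface roles below are assumptions, not taken from the post.
WAN=${WAN:-eth0}   # assumed: Internet-facing NIC
LAN=${LAN:-eth1}   # assumed: company network (the "2nd nic")
DMZ=${DMZ:-eth2}   # assumed: cross-over link to the application server
IPT=${IPT:-/sbin/iptables}

# Print the rules one per line so they can be reviewed before loading.
# -I with an explicit position places them ahead of existing rules, so an
# earlier blanket ACCEPT in the chain cannot shadow the DROPs.
dmz_rules() {
    # Replies to connections opened from the Internet or the LAN may return.
    echo "$IPT -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # New connections toward the DMZ server are allowed from WAN and LAN.
    echo "$IPT -I FORWARD 2 -i $WAN -o $DMZ -m state --state NEW -j ACCEPT"
    echo "$IPT -I FORWARD 3 -i $LAN -o $DMZ -m state --state NEW -j ACCEPT"
    # Anything the DMZ server originates is dropped, whatever the destination
    # (this also stops it reaching the Internet for DNS or updates).
    echo "$IPT -I FORWARD 4 -i $DMZ -m state --state NEW -j DROP"
    # INPUT only sees packets addressed to the firewall host itself; this
    # keeps the DMZ server from opening sessions to the firewall.
    echo "$IPT -I INPUT 1 -i $DMZ -m state --state NEW -j DROP"
}

# Dry run by default; set APPLY=1 and run as root to load the rules.
apply_dmz_rules() {
    dmz_rules | while read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            $rule
        else
            echo "would run: $rule"
        fi
    done
}

apply_dmz_rules
```

After loading, `iptables -L FORWARD -v -n --line-numbers` shows the rule order and per-rule packet counters, which confirms whether traffic from the DMZ interface is hitting the DROP rule.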
    
    