- 08-06-2011 #1
iptables nat problem
Hi all

I used Linux as a router, firewall, DNS (OpenDNS), DHCP and cache server. I created 4 additional virtual Ethernet ports to split network hosts. Linux MASQUERADE hides the public IP of servers attacking my servers; if I disable MASQUERADE, some services do not work. How can I enable my servers to know the IP of servers or users attacking my servers, which are behind the Linux firewall?
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.60:3128
-A PREROUTING -p udp -m udp --dport 80 -j DNAT --to-destination 192.168.1.60:3128
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.60:53
-A PREROUTING -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.60:53
-A POSTROUTING -o eth0 -j MASQUERADE
Please help me
- 08-08-2011 #2
My first question is: are the above rules for services that are hosted on the router/firewall? If they are, then you should be using REDIRECT instead of DNAT in your PREROUTING rules.
Another thing: you do not need separate rules for UDP and TCP when using the same port. One rule that matches just the port will do, like the following:
Code:
-A PREROUTING --dport 80 -j .....
-A PREROUTING --dport 53 -j .....
This will match all traffic on port 80 or 53 and do what you want done.
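The two targets discussed in this reply (REDIRECT for services on the firewall itself, DNAT for services behind it), together with the source-address problem from the original post, can be checked mechanically. The Python linter below is an added example, not the poster's configuration and not part of any iptables tool. It reads iptables-save style nat rules and flags three things: a DNAT whose target address the firewall itself owns (REDIRECT with --to-ports is the idiomatic target there); a --dport match with no -p tcp or -p udp, which iptables rejects because --dport is an option of the tcp and udp match modules, so a port that must be accepted over both protocols still needs one rule per protocol; and a DNAT target reached through an interface that a POSTROUTING MASQUERADE or SNAT rule rewrites, which is what makes a backend log the firewall's address instead of the real client's. The firewall's own addresses (203.0.113.10, 192.168.1.1), the two route tables and the two extra rules in the sample are constructed assumptions; the other five rules are the ones posted above.

```python
"""Lint iptables-save style nat rules for the problems discussed in this thread.

Added example (IPv4, single-address --to-destination only). Findings:
  MISSING_PROTO  --dport used without -p tcp / -p udp; iptables rejects the rule.
  USE_REDIRECT   DNAT to an address the firewall itself owns; REDIRECT fits better.
  SOURCE_HIDDEN  DNAT target is reached via an interface a POSTROUTING
                 MASQUERADE/SNAT rule rewrites, so the backend sees the
                 firewall's address rather than the client's.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    raw: str
    chain: Optional[str] = None
    proto: Optional[str] = None
    out_if: Optional[str] = None
    dport: Optional[str] = None
    target: Optional[str] = None
    to: Optional[str] = None   # --to-destination / --to-source / --to-ports argument


def parse_rule(line: str) -> Rule:
    """Parse one iptables-save style line; options the linter does not need are skipped."""
    rule = Rule(raw=line.strip())
    toks = shlex.split(line.split("#", 1)[0])          # drop trailing comments
    valued = {"-A": "chain", "-p": "proto", "-o": "out_if", "--dport": "dport",
              "-j": "target", "--to-destination": "to", "--to-source": "to",
              "--to-ports": "to"}
    i = 0
    while i < len(toks):
        if toks[i] in valued and i + 1 < len(toks):
            setattr(rule, valued[toks[i]], toks[i + 1])
            i += 2
        else:
            i += 1
    return rule


def route_for(addr: ipaddress.IPv4Address, routes: Dict[str, str]) -> Optional[str]:
    """Longest-prefix match of addr against a {network: interface} table."""
    best = None
    for net, dev in routes.items():
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0]):
            best = (network.prefixlen, dev)
    return best[1] if best else None


def lint(rules_text: str, local_addrs: Set[str], routes: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (finding, rule text) pairs for the checks listed in the module docstring."""
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.split("#", 1)[0].strip()]
    local = {ipaddress.ip_address(a) for a in local_addrs}
    # Interfaces whose outbound traffic gets its source address rewritten (None = any).
    snat_ifaces = [r.out_if for r in rules
                   if r.chain == "POSTROUTING" and r.target in ("MASQUERADE", "SNAT")]
    findings: List[Tuple[str, str]] = []
    for r in rules:
        if r.dport and r.proto not in ("tcp", "udp"):
            findings.append(("MISSING_PROTO", r.raw))
        if r.target == "DNAT" and r.to:
            try:
                host = ipaddress.ip_address(r.to.split(":")[0])
            except ValueError:          # address ranges etc. are out of scope here
                continue
            if host in local:
                findings.append(("USE_REDIRECT", r.raw))
            elif any(dev is None or dev == route_for(host, routes) for dev in snat_ifaces):
                findings.append(("SOURCE_HIDDEN", r.raw))
    return findings


def summarize(rules_text: str, local_addrs: Set[str], routes: Dict[str, str]) -> Dict[str, int]:
    """Count findings by kind."""
    counts: Dict[str, int] = {}
    for kind, _ in lint(rules_text, local_addrs, routes):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample: the thread's five rules plus two constructed lines (marked).
SAMPLE_RULES = """\
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.60:3128
-A PREROUTING -p udp -m udp --dport 80 -j DNAT --to-destination 192.168.1.60:3128
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.60:53
-A PREROUTING -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.60:53
-A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.1:3128  # constructed: service on the firewall itself
-A PREROUTING --dport 25 -j REDIRECT --to-ports 2525  # constructed: --dport without -p
-A POSTROUTING -o eth0 -j MASQUERADE
"""
# Constructed assumptions: the firewall's own addresses and two possible route tables.
LOCAL_ADDRS = {"203.0.113.10", "192.168.1.1"}
ROUTES_BACKENDS_VIA_ETH0 = {"0.0.0.0/0": "eth0", "192.168.1.0/24": "eth0"}  # reproduces the symptom
ROUTES_BACKENDS_VIA_ETH1 = {"0.0.0.0/0": "eth0", "192.168.1.0/24": "eth1"}  # masquerade only the WAN side

if __name__ == "__main__":
    for label, routes in (("backends via eth0", ROUTES_BACKENDS_VIA_ETH0),
                          ("backends via eth1", ROUTES_BACKENDS_VIA_ETH1)):
        print(f"== {label} ==")
        for kind, raw in lint(SAMPLE_RULES, LOCAL_ADDRS, routes):
            print(f"{kind:14} {raw}")
```

Running it flags the four posted DNAT rules as SOURCE_HIDDEN only in the route table where the backends sit behind the masqueraded interface; with the backends on a separate interface, the same MASQUERADE rule still covers outbound traffic but no longer rewrites the client address that the backend logs.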