Well, it appears that you have a situation I wrote about – masquerading is a variant of Network Address Translation (NAT), which can rearrange your IPs in any imaginable (and in a lot of unimaginable) ways…
So I really wouldn’t suggest to manipulate your firewall after some advices on a discussion board – somebody skillful enough have to inspect the firewall configuration in details and modify it accordingly. Any modifications suggested here will be just speculative and will not help, in the best case – or will ruin your connection (not just your security) in the worst.
BR and good luck with a consultant,
As I could not load the sketch, please refer this
Linux Firewall PC IP:192.168.11.120
| | |
| | |
PC 1 IP:192.168.111.118 | PC2 IP:192.168.111.2 (Access from PC1 & PC2 is OK)
PC 3 IP:192.168.2.41 |
(How to give access for this ?) |
(How to give access for this ?)
And so on.
Now I hope you understand my question.
The IPs are as follows.
Linux Firewall IP=192.168.111.120
PC#1 IP =192.168.111.118
Access is possible to server by putting the IP in Masquerading in YAST Window by adding as follows.
Requested IP=192.168.111.120 Requested Port=80
Redirection Redirected to Masqueraded IP=192.168.2.0 Requested Port=80
But please explain how to give the access to view the web pages of server whose IP=192.168.0.2
by the client whose IP Address as
Will be very obliged if you reply in details.
Well, I surely was not able to read the diagram which resides on your hard disk, so the answer will be quite general…
First, if you don’t feel confident in firewall manipulation, better pick a consultant in your location and invite him to do the job.
If you don’t like the idea about consultant, make sure you inspected well your current firewall configuration, at least the FORWARD chain of filter table (as root, of course):
root@firewall# iptables -t filter --line-numbers -nvL FORWARD
Probably you’ll have a chain policy DROP and top (or close to the top) rule allowing packets with states “established” and “related”:
Chain FORWARD (policy DROP xxx packets, xxxK bytes)
num   pkts  bytes target prot opt in  out source    destination
1     1593K 1703M ACCEPT all  --  *   *   0.0.0.0/0 0.0.0.0/0   state RELATED,ESTABLISHED
Let the line-number of this rule be 1, then your rule will be:
root@firewall# iptables --table filter --insert FORWARD 2 --source 192.168.2.41 --destination 192.168.2.0 --jump ACCEPT
and so on, for all source addresses of your clients. If you have no related,established rule, just omit the line-number:
root@firewall# iptables --table filter --insert FORWARD --source 192.168.2.41 --destination 192.168.2.0 --jump ACCEPT
This will work if the server IP is really 192.168.2.0 – it’s unusual to have 0 as last number of host IP, but as I already mentioned, you can do almost anything with private IPs. This will work if you have no NAT (network address translation) on firewall host – if you have, better call somebody familiar with the firewalls. This will work if you have no user-defined chains – if you have, follow the advice about consultant…
So, good luck with your firewall.
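The procedure in the reply above (read the FORWARD chain, find the RELATED,ESTABLISHED rule, insert one ACCEPT rule per client right after it, or at the top if that rule is absent) as a small POSIX shell script. This is an added example, not code from the original posts: the FORWARD listing it parses is a constructed sample in the same layout as `iptables -t filter --line-numbers -nvL FORWARD` prints, the server address 192.168.2.0 and the three client addresses are the ones the thread mentions, and the script only prints the commands unless you run it as root on the firewall with `APPLY=1`. The `rule_present` check is an addition so re-running the script does not stack duplicate rules.

```shell
#!/bin/sh
# Constructed sample of `iptables -t filter --line-numbers -nvL FORWARD` output.
# Columns with -nv and --line-numbers: num pkts bytes target prot opt in out source destination [extra]
SAMPLE_LISTING='Chain FORWARD (policy DROP 120 packets, 9000 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1593K 1703M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2      42  3000 ACCEPT     all  --  *      *       192.168.111.118      192.168.2.0'

SERVER_IP=192.168.2.0                                   # server address as given in the thread
CLIENTS="192.168.2.41 192.168.3.10 192.168.4.99"        # clients asked about in the thread

# Print the rule number of the first RELATED,ESTABLISHED rule in a listing, or nothing if absent.
state_rule_num() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && /RELATED,ESTABLISHED/ { print $1; exit }'
}

# Build the insert command for one client: position (state rule + 1) when that rule exists,
# otherwise no position, which iptables treats as "insert at the top".
forward_rule_cmd() {
    src="$1"; dst="$2"; state_num="$3"
    if [ -n "$state_num" ]; then
        printf 'iptables --table filter --insert FORWARD %s --source %s --destination %s --jump ACCEPT\n' \
            "$((state_num + 1))" "$src" "$dst"
    else
        printf 'iptables --table filter --insert FORWARD --source %s --destination %s --jump ACCEPT\n' \
            "$src" "$dst"
    fi
}

# Exit 0 if an ACCEPT rule for exactly this source/destination pair is already in the listing.
# $9 is the source column and $10 the destination column of the -nv output.
rule_present() {
    printf '%s\n' "$1" | awk -v s="$2" -v d="$3" \
        '$1 ~ /^[0-9]+$/ && $4 == "ACCEPT" && $9 == s && $10 == d { found = 1 } END { exit !found }'
}

# Entry point: show (and with APPLY=1, run as root) one insert per client that lacks a rule.
main() {
    if [ "${APPLY:-0}" = 1 ]; then
        listing=$(iptables -t filter --line-numbers -nvL FORWARD)
    else
        listing="$SAMPLE_LISTING"
    fi
    num=$(state_rule_num "$listing")
    for client in $CLIENTS; do
        if rule_present "$listing" "$client" "$SERVER_IP"; then
            echo "# rule for $client -> $SERVER_IP already present, skipping"
            continue
        fi
        cmd=$(forward_rule_cmd "$client" "$SERVER_IP" "$num")
        echo "$cmd"
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd
        fi
    done
}

main
```

Every client rule is inserted at the same position, so later clients end up above earlier ones; the order among them does not matter because each matches a different source address. As the reply says, this only holds for a plain filter-table setup with no NAT and no user-defined chains in the FORWARD path.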
Please find herewith the sketch.
<img src="C:\Documents and Settings\ajalil\Desktop\TYPICAL NETWORK.htm" alt="Typical Network" />
ACCESS TO SERVER IS POSSIBLE FROM 192.168.110.4
HOW TO GIVE ACCESS TO PC HAVING IP:192.168.2.41
HOW TO GIVE ACCESS TO PC HAVING IP:192.168.3.10
HOW TO GIVE ACCESS TO PC HAVING IP:192.168.4.99
I’d rather ask some questions than giving an answer… In fact, I can’t imagine the network topography from the question – since you can do almost everything with the private range IPs in your LAN, please, draw some diagram showing the situation.
Hmmm. I guess my question here is how you’re routing between the subnets on this diagram. Unless you’re using netmasks wider than /24 (255.255.255.0) and treating all of the LANs as one bigger subnet, you’d need some sort of routing for any of these LANs to talk to each other. Disable the firewall on both machines (service iptables stop) and confirm that you can communicate. If you can’t communicate, fix the routing issue first. Once you can communicate with both firewalls disabled, add rules to iptables to allow the desired traffic.