hehehe.. it's fine pak... well, iptables bekerja dengan cara memeriksa header layer3 & 4. kalo cuman satu domain aja c gapapa. bisa pake DNAT yang seperti dikatakan pak andika. juga dengan syarat merkuri ngak ada service yang running diport tersebut. tapi didalam kasus saya, hal ini blom cukup, karena iptables ngak memeriksa sampe layer7.
On 8/6/08, ░▒▓ ɹɐzǝupɐɥʞ ɐzɹıɯ ▓▒░ <[EMAIL PROTECTED]> wrote: > saya repost kepanjangan kyknya bagan nya > ====== > > kalau saya sih pake DMZ > semoga membantu > ( konsep acak kadul :D:)) ) > -------------------- > ----------------------------------------------------- > eth0 = WAN1 = xxx.xxx.xxx.xxx > eth1 = DMZ = 192.168.222.1 ( Konek ke MAILSERVER & WEBSERVER - > sementara hanya mailserver ) > eth2 = LAN = 192.168.222.2 ( Konek ke PROXY SERVER ) > ------------------------------------------------------ > # Tukang sapu > /sbin/iptables --flush > /sbin/iptables --table nat --flush > /sbin/iptables --delete-chain > /sbin/iptables --table nat --delete-chain > /sbin/iptables -F -t nat > > # Jembatan gantung DMZ <=> LAN > iptables -A FORWARD -i eth2 -o eth1 -m state --state > NEW,ESTABLISHED,RELATED -j ACCEPT > iptables -A FORWARD -i eth1 -o eth2 -m state --state > ESTABLISHED,RELATED -j ACCEPT > > # Jembatan gantung DMZ <=> Mail Server & Webserver > iptables -A FORWARD -i eth1 -o eth0 -m state --state > ESTABLISHED,RELATED -j ACCEPT > iptables -A FORWARD -i eth0 -o eth1 -m state --state > NEW,ESTABLISHED,RELATED -j ACCEPT > > # Jembatan gantung WAN1 <=> LAN > iptables -A FORWARD -i eth2 -o eth0 -m state --state > ESTABLISHED,RELATED -j ACCEPT > iptables -A FORWARD -i eth0 -o eth2 -m state --state > NEW,ESTABLISHED,RELATED -j ACCEPT > > ## Forward port 25 ke mail server > iptables -t nat -A PREROUTING -p tcp -i eth0 -d 202.169.5.1 --dport 25 > -j DNAT --to-destination 172.16.0.2 > > ## Forward port 80 ke mail server > iptables -t nat -A PREROUTING -p tcp -i eth0 -d 202.169.5.1 --dport 80 > -j DNAT --to-destination 172.16.0.2 > > ## Forward port 110 ke mail server > iptables -t nat -A PREROUTING -p tcp -i eth0 -d 202.169.5.1 --dport > 110 -j DNAT --to-destination 172.16.0.2 > > ## Forward port 2810 ke mail server > iptables -t nat -A PREROUTING -p tcp -i eth0 -d 202.169.5.1 --dport > 2810 -j DNAT --to-destination 172.16.0.2 > ---------------======================================================== > keterangan ip saya yang saya tulis bisa dilihat di interface saya dibawah > ini > ---------------- > # This file describes the network interfaces available on your system > # and how to activate them. For more information, see interfaces(5). > > # The loopback network interface > auto lo > iface lo inet loopback > > # The primary network interface > # NIC ATAS > auto eth2 > iface eth2 inet static > address 192.168.222.2 > netmask 255.255.0.0 > # network 192.168.0.0 > # broadcast 192.168.255.255 > #### > # NIC Tengah > auto eth1 > iface eth1 inet static > address 172.16.0.1 > netmask 255.255.255.0 > network 172.16.0.0 > broadcast 172.16.255.255 > > > # NIC BAWAH > # auto eth0 > auto eth0 > iface eth0 inet static > address 202.169.5.1 > netmask 255.255.255.240 > #network > #broadcast 202.169.255.255 > gateway 202.169.5.2 > # dns-* options are implemented by the resolvconf package, if > installed > dns-nameservers 202.155.61.80 > -------------------------------------------------------------------------- > lalu di /etc/hosts nya : > [EMAIL PROTECTED]:/home/mirza# cat /etc/hosts > 127.0.0.1 localhost > 192.168.222.2 simulasi.contoh.com. simulasi > 172.16.0.2 it.contoh.com. > -------------------------------------------------------------------------- > install BIND > lalu > [EMAIL PROTECTED]:/home/mirza# cat /etc/bind/db.local > ; > ; BIND data file for local loopback interface > ; > $TTL 604800 > @ IN SOA localhost. root.localhost. ( > 2 ; Serial > 604800 ; Refresh > 86400 ; Retry > 2419200 ; Expire > 604800 ) ; Negative Cache TTL > ; > @ IN NS localhost. > @ IN A > @ IN AAAA ::1 > it.contoh.com. IN MX 10 mail.it.contoh.com. > mail.contoh.com. IN CNAME it.contoh.com. > it.contoh.com. IN A 172.16.0.2 > =========================================================== > lalu create file /etc/bind/db.contoh.com > > [EMAIL PROTECTED]:/home/mirza# cat /etc/bind/db.it.gpi-g.com > ; > ; BIND data file for local loopback interface > ; > $TTL 604800 > @ IN SOA ns.it.contoh.com. root.contoh.com. ( > 2 ; Serial > 604800 ; Refresh > 86400 ; Retry > 2419200 ; Expire > 604800 ) ; Negative Cache TTL > ; > @ IN NS ns.it.contoh.com. > @ IN A 172.16.0.2 > @ IN AAAA ::1 > > ================================= > dengan skema spt berikut > > > ..........................................||=====Mail server > ..........................................|| > ..........................................||======> Web server > ..........................................||--> eth1 > Internet >>>> eth0 -- PC ROUTER -- eth2 >>>>>> [ HUB ] >>>>>>>>CLIENT > > > > > -- > -=-=-=-= > > -- > FAQ milis di http://wiki.linux.or.id/FAQ_milis_tanya-jawab > Unsubscribe: kirim email ke [EMAIL PROTECTED] > Arsip dan info milis selengkapnya di http://linux.or.id/milis > >
