I have an unfortunate complication in my network - some users/computers are attached to a completely private and firewalled office network that we administer (10.n.n.x/24 intranet), but others are attached to a subnet provided by a third party (129.n.n.x/25) as they need to access the internet via the third party's proxy.
I have previously set up a gateway/router to allow the 10.n.n.x/24 network internet access:
# Allow established connections, and those !not! coming from the public interface
# eth0 = public interface
# eth1 = private interface
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the private interface
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# Masquerade (NAT)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Don't forward any other traffic from the public to the private
iptables -A FORWARD -i eth0 -o eth1 -j REJECT
However, I now need to enable access to users on our 129.n.n.x/25 subnet to some private servers on the 10.n.n.x/24 network.
I figured that I could do something like:
# Allow established connections, and those !not! coming from the public interface
# eth0 = public interface
# eth1 = private interface #1 (10.n.n.x/24)
# eth2 = private interface #2 (129.n.n.x/25)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the private interfaces
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
# Allow the two public connections to talk to each other
iptables -A FORWARD -i eth1 -o eth2 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT
# Masquerade (NAT)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Don't forward any other traffic from the public to the private
iptables -A FORWARD -i eth0 -o eth1 -j REJECT
iptables -A FORWARD -i eth0 -o eth2 -j REJECT
My concern is that I know that the computers on our 129.n.n.x/25 subnet can be accessed via a VPN through the larger network operated by the provider - therefore, would it be possible for someone on the provider's supernet (correct term? inverse of subnet?) to be able to access our private 10.n.n.x/24 intranet?
That depends on your routers routing table. If you have a route for addresses from a supernet of 129.n.n.x/25 to your network 10.n.n.x/24, they will have access, otherwise they won't. Still, it may be wise to make your forwarding rules for
eth1
andeth2
more specific (i.e. add source and destination ranges to them).