Re: DNAT/MASQ Precedence

On Thu, Jan 30, 2003 at 07:31:38PM +0000, Katriel Traum wrote:
> I want to redirect _all_ traffic into the DMZ (is that even possible?) and in 
> the same time MASQ the LAN. The question is will they collide? If I use a 
> ruleset such as:
> iptables -A PREROUTING -i $INET_IF -j DNAT --to-destination $DMZ_IP 
> iptables -A POSTROUTING -o $INET_IF -j MASQUERADE
> (yes, there's only one computer in the DMZ)
> 
> Will I get return traffic into my LAN? Won't it be DNATed into the DMZ?

  You need at least one public IP that is *NOT* in the DMZ.  Then change
the DMZ rule to exclude it:

iptables -A PREROUTING -i $INET_IF -d ! <not-DMZ IP> -j DNAT --to-destination $DMZ_IP

This IP would also be the IP on the outgoing interface of the firewall,
so it should automatically get used for MASQUERADE.  If it's all static,
then just use SNAT instead of MASQUERADE and you can specify the IP to
be sure of it:

iptables -A POSTROUTING -o $INET_IF -s <LAN network> -j SNAT --to-source <not DMZ IP>

Note the '-s' bit on that rule so you only SNAT traffic coming from the
LAN, and not that from the DMZ.

  I'm sure others will correct me if anything in this is wrong ;).

-Ath
-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
                  Finger athan(at)fysh.org for PGP key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
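As an added example (not from the thread), a small script that emits the corrected nat ruleset described above, adding the `-t nat` table that the quoted lines leave implicit and using the current `! -d` negation syntax, and refusing to emit anything when the address meant for SNAT is the DMZ host itself. Interface, address and network values are constructed placeholders from the documentation ranges.

```shell
#!/bin/sh
# Added example: print the DNAT-everything-except-one-IP plus SNAT-only-LAN
# ruleset for review before loading it. Values passed in are assumed
# placeholders; nothing here touches the live firewall.

# Emit the two nat rules. Arguments: inet_if dmz_ip public_ip lan_net
# Prints nothing and returns 1 when public_ip is the DMZ host, because that
# is the collision the reply warns about: the exclusion would then cover
# the DMZ address and the SNAT source would be the DMZ host.
gen_nat_rules() {
    inet_if=$1; dmz_ip=$2; public_ip=$3; lan_net=$4
    if [ "$public_ip" = "$dmz_ip" ]; then
        echo "error: SNAT address $public_ip is the DMZ host; a second public IP is needed" >&2
        return 1
    fi
    # Inbound: everything arriving on the outside interface goes to the DMZ
    # host, except packets addressed to the firewall's own non-DMZ address.
    echo "iptables -t nat -A PREROUTING -i $inet_if ! -d $public_ip -j DNAT --to-destination $dmz_ip"
    # Outbound: rewrite only LAN sources; the -s match leaves DMZ traffic alone.
    echo "iptables -t nat -A POSTROUTING -o $inet_if -s $lan_net -j SNAT --to-source $public_ip"
}

# Constructed sample values (RFC 5737 / RFC 1918 ranges), not from the thread.
gen_nat_rules eth0 203.0.113.10 203.0.113.9 192.168.1.0/24
```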
