Re: DNAT/MASQ Precedence

On Thursday 30 January 2003 19:34, Athan wrote:
> On Thu, Jan 30, 2003 at 07:31:38PM +0000, Katriel Traum wrote:
> > I want to redirect _all_ traffic into the DMZ (is that even possible?)
> > and at the same time MASQ the LAN. The question is, will they collide? If
> > I use a ruleset such as:
> > iptables -A PREROUTING -i $INET_IF -j DNAT --to-destination $DMZ_IP
> > iptables -A POSTROUTING -o $INET_IF -j MASQUERADE
> > (yes, there's only one computer in the DMZ)
> >
> > Will I get return traffic into my LAN? Won't it be DNATed into the DMZ?
>
>   You need at least one public IP that is *NOT* in the DMZ.  Then change
> the DMZ rule to exclude on this:
>
> iptables -A PREROUTING -i $INET_IF -d ! <not-DMZ IP> -j DNAT
> --to-destination $DMZ_IP

Well, the problem is I have 1 public IP via a cable modem.
So I ask again, if I DNAT everything into the DMZ LAN, and try to MASQ my
private LAN, will I even get return traffic?


>
> This IP would also be the IP on the outgoing interface of the firewall,
> so it should automatically get used for MASQUERADE.  If it's all static,
> then just use SNAT instead of MASQUERADE and you can specify the IP to
> be sure of it:
>
> iptables -A POSTROUTING -o $INET_IF -s <LAN network> -j SNAT --to-source
> <not DMZ IP>
>
> Note the '-s' bit on that rule so you only SNAT traffic coming from the
> LAN, and not that from the DMZ.
>
>   I'm sure others will correct me if anything in this is wrong ;).
>
> -Ath

-- 
+katriel                                                כתריאל+
pgp key: traum.org.il/gpg.asc
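Katriel's question, whether replies to MASQUERADEd LAN connections get past the catch-all DNAT, as an added example (constructed here, not code from anyone in the thread): netfilter consults the nat table only for the first packet of a connection, so a reply is rewritten from the conntrack entry and never reaches the PREROUTING DNAT rule. Interface names, addresses and the routing helper are constructed for the model.

```python
"""Toy model of netfilter NAT ordering, constructed for this thread: the nat
table sees only the first packet of a connection; later packets, replies
included, are rewritten from the conntrack entry and skip the nat chains."""
from dataclasses import dataclass, replace

INET_IF, LAN_IF, DMZ_IF = "eth0", "eth1", "eth2"   # constructed interface names
PUBLIC_IP, DMZ_IP = "203.0.113.10", "10.0.1.2"     # constructed addresses


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    in_if: str


def egress_if(dst):
    """Simplified routing: 10.0.0.0/24 is the LAN, 10.0.1.0/24 the DMZ."""
    if dst.startswith("10.0.0."):
        return LAN_IF
    if dst.startswith("10.0.1."):
        return DMZ_IF
    return INET_IF


class Firewall:
    def __init__(self):
        self.conntrack = {}  # 4-tuple as the packet arrives -> 4-tuple after NAT

    def forward(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.conntrack:
            # ESTABLISHED: apply the recorded translation; nat rules not consulted
            src, sport, dst, dport = self.conntrack[key]
            return replace(p, src=src, sport=sport, dst=dst, dport=dport)
        q = p                                     # NEW: walk the thread's two nat rules
        if q.in_if == INET_IF:                    # PREROUTING -i $INET_IF -j DNAT
            q = replace(q, dst=DMZ_IP)
        if egress_if(q.dst) == INET_IF:           # POSTROUTING -o $INET_IF -j MASQUERADE
            q = replace(q, src=PUBLIC_IP)         # port kept; real MASQ may remap it
        # record both directions so the reply is un-NATed instead of re-DNATed
        self.conntrack[key] = (q.src, q.sport, q.dst, q.dport)
        self.conntrack[(q.dst, q.dport, q.src, q.sport)] = (p.dst, p.dport, p.src, p.sport)
        return q


def lan_reply_destination():
    """A LAN host opens a connection out; return where the reply is delivered."""
    fw = Firewall()
    out = fw.forward(Pkt("10.0.0.5", 40000, "198.51.100.7", 80, LAN_IF))
    return fw.forward(Pkt("198.51.100.7", 80, out.src, out.sport, INET_IF)).dst
```

The reply lands on the LAN host, while a fresh inbound connection to the public IP is still DNATed to the DMZ and its reply is SNATed back to the public IP.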