You may need FORWARD rules to your DMZ server(s):

    iptables -A FORWARD -d <DMZServer> -j ACCEPT

or, for more security (I'd recommend):

    iptables -A FORWARD -p tcp -d <DMZServer> --dport 80 -j ACCEPT

> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of
> Tiziano Müller
> Sent: Tuesday, February 18, 2003 4:01 PM
> To: netfilter@lists.netfilter.org
> Subject: 1:1 NAT, DMZ and Masq
>
>
> Hi guys
>
> I apologize for my first message, it was crap.
> Sorry.
>
> Now I've a little problem and no idea how to
> solve it; I hope someone could give me a hint.
>
> Situation:
>
> Internet -- Firewall 1 -- DMZ -- Firewall 2 -- LAN
>                           |-- Webserver = WWW
>                           |-- FTP
>                           |-- DNS
>
> Now, for the server in the DMZ, I wanted to use a 1:1
> NAT, for the whole rest Masq. So I did the following (for the
> WWW) on the Linux router:
>
> 10.0.0.4 = DMZ IP WWW; x.x.x.165 = Official IP WWW
>
> ifconfig eth1:1:0 add x.x.x.165
> (as described in the NAT HowTo, necessary for the ARP packets)
>
> iptables -t nat -A PREROUTING -d x.x.x.165 -j DNAT --to 10.0.0.4
> iptables -t nat -A POSTROUTING -s 10.0.0.4 -j SNAT --to x.x.x.165
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> So far it works well from the inside. From outside I can only
> ping the WWW and connect with SSH, but not connect via FTP or
> WWW (the services are up and running).
>
> Does someone have an idea why this happens? Or a better idea to do this?
>
> Thanks very much in advance
> Tiziano
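The following script is an added example and is not part of the thread above: it puts the three nat rules from the original post together with the FORWARD rules the reply recommends, as one complete ruleset for the layout in the diagram. The interface names (eth1 external, eth0 towards the DMZ), the public address 192.0.2.165 standing in for x.x.x.165, and the list of published ports are assumptions made for illustration; set IPT="echo iptables" to print the commands instead of loading them.

```shell
#!/bin/sh
# Added example, not from the netfilter thread: a complete ruleset for the
# poster's layout (1:1 NAT for one DMZ host, masquerade for everything else,
# plus the FORWARD rules the reply recommends). Interface names, the public
# address 192.0.2.165 and the DMZ address 10.0.0.4 are assumptions chosen
# for illustration; adjust them to the real router.
#
# IPT="echo iptables" turns this into a dry run that only prints the commands.
IPT="${IPT:-iptables}"

# build_rules EXT_IF DMZ_IF PUBLIC_IP DMZ_IP
build_rules() {
    ext_if="$1"; dmz_if="$2"; pub_ip="$3"; dmz_ip="$4"

    # --- nat table: 1:1 mapping for the web server ------------------------
    # Inbound: rewrite the public address to the DMZ host. Matching on the
    # external interface keeps internal traffic to the public IP unaffected.
    $IPT -t nat -A PREROUTING -i "$ext_if" -d "$pub_ip" \
        -j DNAT --to-destination "$dmz_ip"
    # Outbound: the DMZ host leaves with its own public address ...
    $IPT -t nat -A POSTROUTING -o "$ext_if" -s "$dmz_ip" \
        -j SNAT --to-source "$pub_ip"
    # ... and only then does the catch-all masquerade apply to everyone else.
    # Order matters: the first matching nat rule wins, so this line has to
    # come after the SNAT rule or the DMZ host would be masqueraded as well.
    $IPT -t nat -A POSTROUTING -o "$ext_if" -j MASQUERADE

    # --- filter table: FORWARD ----------------------------------------------
    # DNAT only rewrites the address; the packet still has to pass FORWARD.
    $IPT -P FORWARD DROP
    # Replies and related connections (FTP data channels count as RELATED
    # only when the FTP connection-tracking helper is loaded).
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections from the Internet to the published DMZ services only.
    for port in 80 21 22; do
        $IPT -A FORWARD -i "$ext_if" -o "$dmz_if" -d "$dmz_ip" \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    $IPT -A FORWARD -i "$ext_if" -o "$dmz_if" -d "$dmz_ip" \
        -p icmp --icmp-type echo-request -j ACCEPT
    # Hosts behind the DMZ interface (the DMZ itself and the LAN behind
    # Firewall 2) may open connections towards the Internet.
    $IPT -A FORWARD -i "$dmz_if" -o "$ext_if" -m state --state NEW -j ACCEPT
}

# Usage: sh dmz-nat.sh eth1 eth0 192.0.2.165 10.0.0.4
if [ "$#" -eq 4 ]; then
    build_rules "$@"
fi
```

Two points worth checking on a real router: the SNAT rule must precede the MASQUERADE rule in POSTROUTING, since the first matching nat rule decides the translation, and FTP through a stateful filter needs the FTP conntrack helper (ip_conntrack_ftp on 2.4 kernels, nf_conntrack_ftp today) so that the data connections are accepted as RELATED rather than dropped as NEW.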