You don't need to put the External IPs on the eth0 device for the internal machines to be DNATed. What's the reason you have eth0:0, 0:1 and 0:2?

-----Original Message-----
From: Deshwal Chand [mailto:CDD@xxxxxxxxxxxxx]
Sent: Mon 16-Jun-03 8:51 PM
To: 'Cedric Blancher'
Cc: Netfilter (E-mail)
Subject: RE: Using IPTABLES, cannot go to External Interface

HI

The setup is like this. I have a RedHat Linux with three LAN cards in it.

eth0 = Public IP
eth0:0 = Public IP
eth0:0 - eth0:3 = Public IPs
eth1 = Private IP (Internal Net)
eth2 = DMZ IPs (Private ones) (Here I have 4 machines with DMZ IPs)

DNAT
- Anything entering eth0 (External Interface) looking for eth0:0 - eth0:3 should be DNATted to DMZ IPs.
- Anything entering eth1 (Internal Interface) looking for eth0:0 - eth0:3 should be DNATted to DMZ IPs.
- Anything entering eth2 (DMZ Interface) looking for eth0:0 - eth0:3 should be DNATted to DMZ IPs.

SNAT
- Anything going out from (Source eth1 (Internal Net) and (DMZ NET), Destination 0.0.0.0/0 and eth2) should be SNATted --to-source eth0.
- Anything from DMZ to Internal should be SNATted to DMZ_IF.

All the traffic from the External World is able to reach my servers in the DMZ. I mean, if someone has to log on to the web server at eth0:0 port 80, he/she is able to do so. But no one from the INTERNAL NET is able to reach the servers. If I have a machine with an Internal IP Address and want to log onto the web server from within my network, I cannot do so. If I access Yahoo.com or any other site, I can do so from within my network using an Internal IP Address.

Hope this explains.

-----Original Message-----
From: Cedric Blancher [mailto:blancher@xxxxxxxxxxxxxxxxxx]
Sent: Monday, June 16, 2003 3:46 PM
To: Deshwal Chand
Cc: Netfilter (E-mail)
Subject: Re: Using IPTABLES, cannot go to External Interface

On Mon 16/06/2003 at 09:51, Deshwal Chand wrote:
> I am running a script for IPTABLES.
> I have assigned 3 more IP addresses to my external interface.
> eth0 - x.y.z.1
> eth0:0 - x.y.z.2
> eth0:1 - x.y.z.3
> eth0:2 - x.y.z.4
> I have SNATed my internal network to eth0. I can do all the things.
> But, I cannot reach any of IP addresses x.y.z.1 - 3.

Reach them from where? SNAT is handled through FORWARD. Local traffic is handled through INPUT and OUTPUT. Maybe there's something to look at there.

> Though, I can go to any host in the world, but cannot go directly to
> eth0.

Can you be a little more explicit in your setup and what you exactly want to do?

--
Cédric Blancher <blancher@xxxxxxxxxxxxxxxxxx>
Systems and network security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
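One way to write the DNAT/SNAT rules the setup above describes as an iptables script, added here as an example that is not from the thread or its participants. Interface names follow the post; the addresses, the address-to-server map and the `-m state` matches are assumptions, and the script assumes the firewall is the gateway between eth1 and eth2:

```shell
#!/bin/sh
# Added example: PREROUTING/POSTROUTING/FORWARD rules for the eth0/eth1/eth2 layout
# above. Defaults to a dry run that prints the commands; run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
EXT_IF=eth0; INT_IF=eth1; DMZ_IF=eth2
EXT_IP=203.0.113.1            # placeholder for x.y.z.1, the primary eth0 address
INT_NET=192.168.1.0/24        # placeholder internal net behind eth1
DMZ_NET=192.168.2.0/24        # placeholder DMZ net behind eth2

# Public address -> DMZ server, one pair per line (placeholders for eth0:0, eth0:1).
MAP="203.0.113.2 192.168.2.10
203.0.113.3 192.168.2.11"

dnat_rules() {
    # Match on destination only, with no -i: the same rule then translates hits
    # arriving from the Internet (eth0), the internal LAN (eth1) and the DMZ (eth2).
    # A rule restricted to -i eth0 would leave LAN traffic untranslated, so it
    # would land in the firewall's own INPUT chain instead of being forwarded.
    echo "$MAP" | while read -r pub dmz; do
        $IPT -t nat -A PREROUTING -d "$pub" -j DNAT --to-destination "$dmz"
    done
}

snat_rules() {
    # LAN and DMZ leave for the Internet as the primary public address. LAN clients
    # need no extra rule for the DMZ: their replies cross the firewall (assumed to be
    # the eth1/eth2 gateway), so conntrack reverses the DNAT on the way back.
    $IPT -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"
    $IPT -t nat -A POSTROUTING -s "$DMZ_NET" -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"
    # Hairpin case: a DMZ host reaching a DMZ neighbour via its public address.
    # After DNAT both ends sit on eth2; without this rule the neighbour would reply
    # directly on the segment, bypassing the firewall's conntrack entry.
    $IPT -t nat -A POSTROUTING -s "$DMZ_NET" -d "$DMZ_NET" -o "$DMZ_IF" -j MASQUERADE
}

forward_rules() {
    # DNAT only rewrites the address; FORWARD must still admit the translated flow.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    echo "$MAP" | while read -r _ dmz; do
        $IPT -A FORWARD -d "$dmz" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    done
}

install_rules() {
    dnat_rules
    snat_rules
    forward_rules
}
install_rules
```

Run it once without `IPT` set to review the generated commands before applying them on the firewall.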