I have a DMZ between 2 Firewalls. In the DMZ there are Nameserver, HTTP-Server, etc.
I have 10 official IP-Addresses. The DMZ has IP-Adresses 192.168.0.0/24. The LAN has
the net 192.168.1.0/24. With DNAT I transfer the first official IP to lets say 192.168.0.17
for the nameserver. the second to 192.168.0.20 to the mailserver, and so on. This works OK.
The nameserver is authoritativ for the domain lets say "myname.at". when i make a
"dig www.myname.at" from outside i get the right answer. But when I type
"dig www.myname.at" from the LAN at lets say 192.168.1.12 i get the answer "no servers could be reached".
with tcpdump on the outer firewall i see the packet with source 192.168.0.25 (the DMZ-IP of the inner
firewall) and destination the official IP of the nameserver. But no more translation from the official IP to the
DMZ-IP of the nameserver.
In my rules i have put:
$IPTABLES -t nat -A PREROUTING -i $INT_IF -p udp --sport 1024:65535 \
-d $PUBLIC_DNS1 --dport 53 -j DNAT --to-destination $DMZ_DNS1
$IPTABLES -A FORWARD -i $INT_IF -o $INT_IF -p udp --sport 1024:65535 \
-d $DMZ_DNS1 --dport 53 -m state --state NEW -j ACCEPT
but its not working.Has anybody a hint what to do ?
Thanks Fritz
