On Tue, 2003-06-17 at 23:57, Mailingliste wrote:

Hi Mailingliste (??)

I answer at the beginning: Do you have a FORWARD rule which allows the passing of a packet from 192.168.0.25 (int FW) to 192.168.0.17 (NS) on the external firewall? If you filter for the interfaces in the FORWARD chain, you have to take into account that both -i and -o are $INT_IF.

Cheers,

Ralf

> I have a DMZ between 2 Firewalls. In the DMZ there are Nameserver,
> HTTP-Server, etc.
> I have 10 official IP-Addresses. The DMZ has IP-Addresses 192.168.0.0/24.
> The LAN has the net 192.168.1.0/24. With DNAT I transfer the first official
> IP to, let's say, 192.168.0.17 for the nameserver, the second to 192.168.0.20
> for the mailserver, and so on. This works OK.
> The nameserver is authoritative for the domain, let's say "myname.at". When I
> make a "dig www.myname.at" from outside I get the right answer. But when I type
> "dig www.myname.at" from the LAN at, let's say, 192.168.1.12 I get the answer
> "no servers could be reached".
> With tcpdump on the outer firewall I see the packet with source
> 192.168.0.25 (the DMZ-IP of the inner firewall) and destination the official
> IP of the nameserver. But no more translation from the official IP to the
> DMZ-IP of the nameserver.
> In my rules I have put:
>
> $IPTABLES -t nat -A PREROUTING -i $INT_IF -p udp --sport 1024:65535 \
>   -d $PUBLIC_DNS1 --dport 53 -j DNAT --to-destination $DMZ_DNS1
>
> $IPTABLES -A FORWARD -i $INT_IF -o $INT_IF -p udp --sport 1024:65535 \
>   -d $DMZ_DNS1 --dport 53 -m state --state NEW -j ACCEPT
>
> but it's not working.
>
> Does anybody have a hint what to do?
>
> Thanks
> Fritz

--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
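An added example, not from this thread, of the outer-firewall rule set for the hairpin case Ralf describes (DNS query from the inner firewall's DMZ address to the public address of the DMZ nameserver). It goes one step beyond the reply: since 192.168.0.25 and 192.168.0.17 share the DMZ subnet, the nameserver's answer would otherwise go straight back to the inner firewall and bypass the outer firewall's connection tracking, so a POSTROUTING SNAT is included. The interface name, the public address and the outer firewall's DMZ address are assumptions; by default the function only prints the rules for review.

```shell
#!/bin/sh
# Added example (not from the thread). Set IPTABLES=iptables to apply the
# rules; the default "echo" prints them so the set can be reviewed first.
IPTABLES=${IPTABLES:-echo}
DMZ_IF=eth1               # assumption: outer firewall's DMZ-facing interface
PUBLIC_DNS1=203.0.113.1   # placeholder for the nameserver's public address
DMZ_DNS1=192.168.0.17     # DMZ address of the nameserver (from the thread)
INNER_FW_DMZ=192.168.0.25 # DMZ address of the inner firewall (from the thread)
OUTER_FW_DMZ=192.168.0.1  # assumption: outer firewall's own DMZ address

hairpin_dns_rules() {
    # 1) The query from the inner firewall arrives on the DMZ interface, so
    #    the DNAT rule must match that interface, not the LAN-side one.
    $IPTABLES -t nat -A PREROUTING -i "$DMZ_IF" -p udp --dport 53 \
        -d "$PUBLIC_DNS1" -j DNAT --to-destination "$DMZ_DNS1"
    # 2) After DNAT the packet is routed back out the same interface, so the
    #    FORWARD rule must accept -i and -o both being the DMZ interface.
    $IPTABLES -A FORWARD -i "$DMZ_IF" -o "$DMZ_IF" -p udp --dport 53 \
        -d "$DMZ_DNS1" -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3) Hairpin: rewrite the source so the reply returns via this firewall,
    #    where conntrack undoes both translations before passing it back.
    $IPTABLES -t nat -A POSTROUTING -o "$DMZ_IF" -p udp --dport 53 \
        -s "$INNER_FW_DMZ" -d "$DMZ_DNS1" -j SNAT --to-source "$OUTER_FW_DMZ"
}
```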