Re: prob accessing server in DMZ from LAN with official IP

On Tue, 2003-06-17 at 23:57, Mailingliste wrote:
Hi Mailingliste (??)

I answer at the beginning:
Do you have a FORWARD rule which allows a packet to pass from
192.168.0.25 (int FW) to 192.168.0.17 (NS) on the external firewall? If
you filter on the interfaces in the FORWARD chain, you have to take into
account that both -i and -o are $INT_IF.

Cheers,

Ralf
 
> I have a DMZ between 2 firewalls. In the DMZ there are a nameserver,
> an HTTP server, etc.
> I have 10 official IP addresses. The DMZ has IP addresses 192.168.0.0/24.
> The LAN has the net 192.168.1.0/24. With DNAT I transfer the first
> official IP to, let's say, 192.168.0.17 for the nameserver, the second
> to 192.168.0.20 for the mailserver, and so on. This works OK.
> The nameserver is authoritative for the domain, let's say "myname.at".
> When I make a "dig www.myname.at" from outside I get the right answer.
> But when I type "dig www.myname.at" from the LAN at, let's say,
> 192.168.1.12 I get the answer "no servers could be reached".
> With tcpdump on the outer firewall I see the packet with source
> 192.168.0.25 (the DMZ IP of the inner firewall) and destination the
> official IP of the nameserver. But no more translation from the
> official IP to the DMZ IP of the nameserver.
> In my rules I have put:
> $IPTABLES -t nat -A PREROUTING -i $INT_IF -p udp --sport 1024:65535 \
>            -d $PUBLIC_DNS1 --dport 53 -j DNAT --to-destination $DMZ_DNS1
> 
> $IPTABLES -A FORWARD -i $INT_IF -o $INT_IF -p udp --sport 1024:65535 \
>            -d $DMZ_DNS1 --dport 53 -m state --state NEW -j ACCEPT
> but it's not working.
> 
> Has anybody a hint what to do?
> 
> Thanks, Fritz
> 
> 
-- 
Ralf Spenneberg
RHCE, RHCX

Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto                                  http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org
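To make Ralf's point about -i and -o concrete, here is a small Python model of the outer firewall's packet path (nat PREROUTING, routing decision, filter FORWARD) for the LAN-to-DMZ DNS query Fritz describes. It is an added example written for this archive page, not code from the thread or from netfilter. The DMZ addresses 192.168.0.25 and 192.168.0.17 come from Fritz's message; the interface names eth0/eth1, the source port 33000 and the "official" address 203.0.113.17 are constructed placeholders. It shows that after DNAT the packet is routed back out the same interface it came in on, so a FORWARD rule that expects it to leave via the external interface never matches.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple, List

# Constructed interface names for the outer firewall (not from the thread).
INT_IF = "eth1"   # $INT_IF: DMZ-facing interface
EXT_IF = "eth0"   # Internet-facing interface
# Placeholder "official" IP (RFC 5737 documentation range), constructed.
PUBLIC_DNS1 = "203.0.113.17"
# Addresses from Fritz's message.
DMZ_DNS1 = "192.168.0.17"    # $DMZ_DNS1: the nameserver in the DMZ
INNER_FW = "192.168.0.25"    # DMZ-side address of the inner firewall


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    in_if: str
    out_if: Optional[str] = None   # filled in by the routing decision
    state: str = "NEW"


@dataclass
class Rule:
    """One iptables rule; None means 'match anything' for that field."""
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    sport: Optional[Tuple[int, int]] = None   # --sport low:high
    state: Optional[str] = None
    to_destination: Optional[str] = None      # for -j DNAT

    def matches(self, pkt: Packet) -> bool:
        pairs = [(self.in_if, pkt.in_if), (self.out_if, pkt.out_if),
                 (self.proto, pkt.proto), (self.dst, pkt.dst),
                 (self.dport, pkt.dport), (self.state, pkt.state)]
        if any(want is not None and want != have for want, have in pairs):
            return False
        if self.sport is not None and not (self.sport[0] <= pkt.sport <= self.sport[1]):
            return False
        return True


# Constructed routing table of the outer firewall: DMZ net on $INT_IF, rest outside.
ROUTES = {
    ipaddress.ip_network("192.168.0.0/24"): INT_IF,
    ipaddress.ip_network("0.0.0.0/0"): EXT_IF,
}


def route(dst: str) -> str:
    """Longest-prefix match: which interface does the (post-DNAT) destination leave by?"""
    addr = ipaddress.ip_address(dst)
    best = max((net for net in ROUTES if addr in net), key=lambda n: n.prefixlen)
    return ROUTES[best]


def run_chain(rules: List[Rule], pkt: Packet, policy: str):
    """First matching rule wins; DNAT rewrites the destination and ends the chain."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.target == "DNAT":
                return "DNAT", replace(pkt, dst=rule.to_destination)
            return rule.target, pkt
    return policy, pkt


def forward_packet(pkt: Packet, prerouting: List[Rule], forward: List[Rule]):
    """nat PREROUTING -> routing decision -> filter FORWARD (policy DROP)."""
    _, pkt = run_chain(prerouting, pkt, "ACCEPT")
    pkt = replace(pkt, out_if=route(pkt.dst))        # routing happens after DNAT
    return run_chain(forward, pkt, "DROP")


# The PREROUTING DNAT rule from the thread, in this model's notation.
PREROUTING = [Rule(target="DNAT", in_if=INT_IF, proto="udp", sport=(1024, 65535),
                   dst=PUBLIC_DNS1, dport=53, to_destination=DMZ_DNS1)]

# FORWARD rule as Ralf describes it: both -i and -o are $INT_IF.
FORWARD_HAIRPIN = [Rule(target="ACCEPT", in_if=INT_IF, out_if=INT_IF, proto="udp",
                        sport=(1024, 65535), dst=DMZ_DNS1, dport=53, state="NEW")]

# A plausible but wrong FORWARD rule that assumes the packet leaves via the external interface.
FORWARD_WRONG_OUT_IF = [Rule(target="ACCEPT", in_if=INT_IF, out_if=EXT_IF, proto="udp",
                             sport=(1024, 65535), dst=DMZ_DNS1, dport=53, state="NEW")]


def lan_dns_query(forward_rules: List[Rule]):
    """The query seen in tcpdump: from the inner firewall's DMZ address to the official IP."""
    pkt = Packet(src=INNER_FW, dst=PUBLIC_DNS1, proto="udp",
                 sport=33000, dport=53, in_if=INT_IF)
    return forward_packet(pkt, PREROUTING, forward_rules)


if __name__ == "__main__":
    for name, rules in (("hairpin -i/-o $INT_IF", FORWARD_HAIRPIN),
                        ("wrong -o external", FORWARD_WRONG_OUT_IF)):
        verdict, pkt = lan_dns_query(rules)
        print(f"{name}: dst={pkt.dst} out_if={pkt.out_if} verdict={verdict}")
```

Running it prints ACCEPT for the hairpin rule and DROP for the variant with `-o` set to the external interface, because the DNAT'd destination 192.168.0.17 is routed back out $INT_IF.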
