On December 19, 2003 12:31 pm, Cristian Goian wrote:
> Hi
> My mistake, not giving enough data. I'll start from the beginning because I made
> some modifications: So I have a gatewayPC:
> eth0 - INTERNET
> eth1 - LAN - 192.168.1.0/24
> eth2 - DMZ - 192.168.0.0/24
>
> In DMZ I have 2 PCs, one for web and one for content DNS, both serving the same 3
> domains. IP a.b.c.240/28 and I want DNAT for them.
>
> On gatewayPC I have now RedHat with 2.4.23 and iptables 1.2.9. Also I have
> now a proxy DNS to give answers to LAN and localhost. Also, temporarily, I
> have a mailserver to receive and send mail for LAN and 3 domains.
>
> To configure iptables I use a script modified after Oskar Andreasson's
> Tutorial. It is a long script now.
>
> When I connect from LAN to the web server using the IP address it is OK. When I query
> DNS (different PC than the web one), no response. When I traceroute to the DNS
> server all packets go to my ISP, and then are lost ... They are not DNATed to DMZ
> !!

Snipped out the majority of the script.

Where/what are the clients on the LAN getting their DNS resolution from? What addresses (OUTSIDE or INSIDE) do they receive?

$IPTABLES -t nat -A PREROUTING -p TCP -i $LAN1_IFACE -d $DNS_1A_IP --dport 53 \
 -j DNAT --to-destination $DMZ_DNS_1A_IP

Rules like this are NOT doing anything.... The idea of DNAT (Destination Network Address Translation) is to CHANGE the destination IP address. What IP address does the internal client expect to talk to, and what is the real, routable address that it has to get to?

$IPTABLES -t nat -A PREROUTING -p TCP -i $LAN1_IFACE -d (address client knows) --dport 53 \
 -j DNAT --to-destination $DMZ_DNS_1A_IP

Presumably your clients will receive the real, routable IP address (i.e. the OUTSIDE IP address of the host) on DNS lookup -- this means that the PREROUTING rules that catch the real, routable, outside IPs should NOT be interface bound, but catch all inbound requests for the real, routable IP address and DNAT them to the inside, non-routable address (in your script the 192.168.0.x addresses). This applies to ALL interfaces.

You need only DNAT the connection on the way in (without specifying source interfaces) and the DMZ servers (which should have the firewall DMZ IP as default gateway) will reply towards the firewall, which will manage all the un-DNATing for any interface.

> Below is the script. Many thanks in advance.
>
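As an added illustration of the advice above (example script, not the poster's script or anything from the thread), the rules below DNAT the public addresses of the DMZ web and DNS hosts without any "-i" interface match, and cover UDP 53 as well as TCP 53 since most DNS queries are UDP. All addresses and interface names are constructed placeholders; DRY_RUN=1 (the default) only prints the rules.

```shell
#!/bin/sh
# Added example: interface-independent DNAT for DMZ hosts behind a gateway.
# Constructed addresses; set DRY_RUN=0 to actually load the rules.
set -eu

IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"       # 1 = print rules, 0 = load them with $IPTABLES

PUB_WEB="203.0.113.241"; DMZ_WEB="192.168.0.10"   # constructed public/DMZ pair (web)
PUB_DNS="203.0.113.242"; DMZ_DNS="192.168.0.11"   # constructed public/DMZ pair (DNS)
DMZ_IFACE="eth2"

# run_rule ARGS... : print or load one iptables rule depending on DRY_RUN.
run_rule() {
    if [ "$DRY_RUN" = 1 ]; then echo "$IPTABLES $*"; else "$IPTABLES" "$@"; fi
}

# dnat_rule PROTO PUBLIC_IP PORT DMZ_IP : one PREROUTING DNAT rule with NO
# "-i <iface>", so requests from LAN, Internet and DMZ are all rewritten.
dnat_rule() {
    echo "-t nat -A PREROUTING -p $1 -d $2 --dport $3 -j DNAT --to-destination $4"
}

# forward_rule PROTO DMZ_IP PORT : admit the rewritten packet into the DMZ.
forward_rule() {
    echo "-A FORWARD -p $1 -o $DMZ_IFACE -d $2 --dport $3 -j ACCEPT"
}

# publish PUBLIC_IP DMZ_IP PORT PROTO... : DNAT + FORWARD for each protocol.
publish() {
    pub=$1; dmz=$2; port=$3; shift 3
    for proto in "$@"; do
        run_rule $(dnat_rule "$proto" "$pub" "$port" "$dmz")
        run_rule $(forward_rule "$proto" "$dmz" "$port")
    done
}

load_rules() {
    # Replies leave the DMZ hosts via their default gateway (this firewall),
    # where conntrack un-DNATs them; this rule lets those replies through.
    run_rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    publish "$PUB_WEB" "$DMZ_WEB" 80 tcp
    publish "$PUB_DNS" "$DMZ_DNS" 53 tcp udp   # DNS needs UDP, not only TCP
}

load_rules
```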