Okay ... I'm firing myself from the list till I get some vacation time in. Ignore my previous on this subject ... I was ...... not in my left mind. Serves me right for answering list mail after a 16-hour night shift and 6 hours of Christmas shopping *ggaaaa*

On December 20, 2003 04:51 pm, Alistair Tonner wrote:
> On December 19, 2003 12:31 pm, Cristian Goian wrote:
> > Hi
> > My mistake, not giving enough data. I'll start from the beginning because I
> > made some modifications: So I have a gatewayPC:
> > eth0 - INTERNET
> > eth1 - LAN - 192.168.1.0/24
> > eth2 - DMZ - 192.168.0.0/24
> >
> > In the DMZ I have 2 PCs, one for web and one for content DNS, both serving the same
> > 3 domains. IP a.b.c.240/28 and I want DNAT for them.
> >
> > On the gatewayPC I now have RedHat with 2.4.23 and iptables 1.2.9. I also now have
> > a proxy DNS to give answers to the LAN and localhost. Also, temporarily, I
> > have a mailserver to receive and send mail for the LAN and the 3 domains.
> >
> > To configure iptables I use a script modified after Oskar Andreasson's
> > Tutorial. It is a long script now.
> >
> > When I connect from the LAN to the web server using the IP address it is OK. When I
> > query DNS (a different PC than the web one), no response. When I traceroute
> > to the DNS server all packets go to my ISP, and then are lost ... They are not
> > DNATed to the DMZ !!

Snipped out the majority of the script.

1) we need to change the subject.

Okay ... I had the right concept in mind. Where are your clients looking to get name resolution from ?

case a) clients are directly configured to use DNS(s) in the DMZ -- with OUTSIDE ips: only one PREROUTING - FORWARDING rule necessary for each DNS ipaddress, don't filter by -i device --- HOWEVER -- you also need to allow these DNS servers to be forwarding servers and allow them to connect to OUTSIDE DNS servers to get details of the outside world.

case b) clients are directly configured to use DNS(s) in the DMZ -- with DMZ addresses -- NO PREROUTING rule necessary, Forward rule to allow LAN to DMZ connection. See HOWEVER above.

case c) clients configured to use OUTSIDE DNS(s) -- you need forward rules to connect the clients to those servers, and you need rules to allow OUTSIDE servers to talk to your (presumably) authoritative servers.

Do you know that outside connections are working correctly coming into webservers and DNS servers?

Are you sure that all servers in the DMZ have correctly configured netmask/ default gateways?

Please tell me this is NOT a flat physical network (you do have two physically separate networks ... not two networks running on the same wire)
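The "case a" rule set from the reply above, written out as an added example (not the poster's script): the DNAT for the DMZ DNS box is placed in PREROUTING with no `-i` match, so both Internet clients and LAN clients that query the public address get rewritten, and the FORWARD chain lets the DMZ server reach outside resolvers (the HOWEVER clause). The public address `a.b.c.241`, the DMZ address `192.168.0.2` and the `eth0` outside interface are assumed placeholders.

```bash
#!/bin/sh
# Added example, not from the thread. Addresses are constructed placeholders:
# a.b.c.241 stands for the public IP of the DMZ DNS box, 192.168.0.2 for its
# DMZ-side address (assumed), eth0 is the Internet interface from the thread.
PUBLIC_DNS="a.b.c.241"
DMZ_DNS="192.168.0.2"
IPT="${IPT:-iptables}"      # set IPT="echo iptables" to print rules instead of loading them

dns_dnat_rules() {
  for proto in udp tcp; do
    # Rewrite queries for the public address, arriving on ANY interface (no -i),
    # to the DMZ box. A "-i eth0" here would leave LAN clients un-DNATed.
    $IPT -t nat -A PREROUTING -p "$proto" -d "$PUBLIC_DNS" --dport 53 \
         -j DNAT --to-destination "$DMZ_DNS"
    # The rewritten packet then has to be accepted by FORWARD.
    $IPT -A FORWARD -p "$proto" -d "$DMZ_DNS" --dport 53 \
         -m state --state NEW -j ACCEPT
    # HOWEVER clause: the DMZ DNS must itself reach outside DNS servers.
    $IPT -A FORWARD -s "$DMZ_DNS" -o eth0 -p "$proto" --dport 53 \
         -m state --state NEW -j ACCEPT
  done
  # Replies for both directions ride back on the conntrack entry (un-DNATed automatically).
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}
```

Running it with `IPT="echo iptables"` first is a cheap way to eyeball the rules before loading them on the gateway.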