Re: NAT working for TCP and _NOT_ working for UDP

Apologies, Alistair, for not writing your name correctly. Big apologies.
 
Cristian

Alistair@xxxxxxxxx wrote:

Okay ... I'm firing myself from the list till I get some vacation time in.
Ignore my previous on this subject ... I was ...... not in my left mind.

Serves me right for answering list mail after a 16-hour night shift and 6
hours of Christmas shopping *ggaaaa*


On December 20, 2003 04:51 pm, Alistair Tonner wrote:
> On December 19, 2003 12:31 pm, Cristian Goian wrote:
> > Hi
> > My mistake not giving enough data. I'll start from the beginning because I
> > made some modifications: So I have a gatewayPC:
> > eth0 - INTERNET
> > eth1 - LAN - 192.168.1.0/24
> > eth2 - DMZ - 192.168.0.0/24
> >
> > In DMZ I have 2 PCs, one for web and one for content DNS, both serving the same
> > 3 domains. IP a.b.c.240/28 and I want DNAT for them.
> >
> > On gatewayPC I have now RedHAT with 2.4.23 and iptables 1.2.9. I also have
> > now a proxy DNS to give answers to LAN and localhost. Also, temporarily, I
> > have a mailserver to receive and send mail for LAN and the 3 domains.
> >
> > To configure iptables I use a script modified after Oskar Andreasson's
> > Tutorial. It is a long script now.
> >
> > When I connect from LAN to the web server using the IP address it is OK. When I
> > query DNS (a different PC than the web one) there is no response. When I traceroute
> > to the DNS server all packets go to my ISP, and then are lost ... They are not
> > DNATed to DMZ !!
>
> Snipped out the majority of the script.


1) we need to change the subject.

Okay ... I had the right concept in mind. Where are your clients looking to
get name resolution from ?

case a) clients are directly configured to use DNS(s) in the DMZ -- with
OUTSIDE IPs
only one PREROUTING - FORWARDING rule necessary for each DNS IP address,
don't filter by -i device ---
HOWEVER -- you also need to allow these DNS servers to be forwarding
servers and allow them to connect to OUTSIDE DNS servers to get details of
the outside world.

case b) clients are directly configured to use DNS(s) in DMZ -- with DMZ
addresses -- NO PREROUTING rule necessary, Forward rule to allow LAN to DMZ
connection.
See HOWEVER above.

case c) clients configured to use OUTSIDE DNS(s) -- you need forward rules
to connect the clients to those servers, and you need rules to allow OUTSIDE
servers to talk to your (presumably) authoritative servers.

Do you know that outside connections are working correctly coming into
webservers and DNS servers?
Are you sure that all servers in the DMZ have correctly configured netmask/
default gateways?
Please tell me this is NOT a flat physical network (you do have two
physically separate networks ... not two networks running on the same wire)


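The rule pair Alistair describes for case a), written out as an added example (not the poster's script): one PREROUTING DNAT plus FORWARD rules per public DNS address, for both UDP and TCP 53, with no -i filter so LAN and Internet clients both get translated, and a rule letting the DMZ resolver forward to outside servers. Addresses are constructed: 203.0.113.241 stands in for the a.b.c.240/28 block and 192.168.0.53 is an assumed DNS host in the 192.168.0.0/24 DMZ.

```shell
#!/bin/sh
# DNAT a public DNS address to a DMZ resolver and forward both protocols.
# The subject line's symptom (TCP works, UDP does not) is usually a rule
# written with -p tcp only; DNS queries are UDP, TCP is used for large
# answers and zone transfers, so every rule below is emitted for both.

IPT=${IPT:-iptables}
IPT_DRY_RUN=${IPT_DRY_RUN:-0}

# Run iptables, or print the command when IPT_DRY_RUN=1 so the generated
# rules can be reviewed before they touch the firewall.
ipt() {
    if [ "$IPT_DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# dns_dnat_rules OUTSIDE_IP DMZ_IP  -- call once per public DNS address.
dns_dnat_rules() {
    outside=$1
    dmz=$2
    for proto in udp tcp; do
        # Translate regardless of ingress interface (no -i), so LAN clients
        # pointed at the public address are handled as well as Internet ones.
        ipt -t nat -A PREROUTING -p "$proto" -d "$outside" --dport 53 \
            -j DNAT --to-destination "$dmz"
        # Let the translated packets reach the DMZ resolver.
        ipt -A FORWARD -p "$proto" -d "$dmz" --dport 53 -j ACCEPT
        # Let the resolver act as a forwarder to OUTSIDE name servers.
        ipt -A FORWARD -p "$proto" -s "$dmz" --dport 53 -j ACCEPT
    done
}

# Return traffic for the above; add once, after all dns_dnat_rules calls.
allow_established() {
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Constructed addresses; set IPT_DRY_RUN=0 to apply on a real gateway.
IPT_DRY_RUN=1
dns_dnat_rules 203.0.113.241 192.168.0.53
allow_established
```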
