Re: DMZ to DMT through ROUTER problem !

On Thursday 20 May 2004 17:07, Antony Stone wrote:
> If you do not in fact already have the PREROUTING DNAT rules, then what do
> you mean by "Each DMZ server is mapped to its PUBLIC IP"?   Maybe I
> misunderstood what you have already done, and already have working, and
> what problem is still left to solve?

Here's the problem (TCPDUMP on 192.168.0.1):
root@bastion:/etc/rc.d# tcpdump -i eth2 dst 151.8.47.B
17:45:52.507152 IP 192.168.0.2.45621 > 151.8.47.B.pop3: S 1931786477:1931786477(0) win 5840 <mss 1460,sackOK,timestamp 107802174[|tcp]>
17:45:55.506855 IP 192.168.0.2.45621 > 151.8.47.B.pop3: S 1931786477:1931786477(0) win 5840 <mss 1460,sackOK,timestamp 107805174[|tcp]>
17:46:01.506454 IP 192.168.0.2.45621 > 151.8.47.B.pop3: S 1931786477:1931786477(0) win 5840 <mss 1460,sackOK,timestamp 107811174[|tcp]>

but on 151.8.47.B (192.168.0.3) no packet arrives. This is a piece of rc.firewall:

#
# 4.3.8 POSTROUTING chain
#

$IPTABLES -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE

$IPTABLES -t nat -A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.0/24 -p tcp -j SNAT --to 192.168.0.1

$IPTABLES -t nat -A POSTROUTING -s $DMZ_SIENA_IP -o $INET_IFACE -j SNAT --to-source $SIENA_IP
$IPTABLES -t nat -A POSTROUTING -s $DMZ_DOMINI_IP -o $INET_IFACE -j SNAT --to-source $DOMINI_IP
$IPTABLES -t nat -A POSTROUTING -s $DMZ_EXCHANGE_IP -o $INET_IFACE -j SNAT --to-source $EXCHANGE_IP
$IPTABLES -t nat -A POSTROUTING -s $DMZ_ELEKTRA_IP -o $INET_IFACE -j SNAT --to-source $ELEKTRA_IP
$IPTABLES -t nat -A POSTROUTING -s $DMZ_LEONARDO_IP -o $INET_IFACE -j SNAT --to-source $LEONARDO_IP
$IPTABLES -t nat -A POSTROUTING -s $DMZ_PROXYSAT_IP -o $INET_IFACE -j SNAT --to-source $PROXYSAT_IP

The problem is still here :-(

-- 
What is algebra, exactly?  Is it one of those three-cornered things?
		-- J.M. Barrie
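The PREROUTING DNAT that the quoted reply asks about, written out as an added example rather than code from this thread: the rule that makes a DMZ server reachable by its public address from the inside, paired with the hairpin SNAT so the reply comes back through the firewall. The interface name eth2 and the addresses are taken from the tcpdump above; the dry-run IPTABLES wrapper and the 151.8.47.B placeholder are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread. Defaults to a dry run that
# prints the rules; set IPTABLES=iptables to apply them on the firewall.
IPTABLES="${IPTABLES:-echo iptables}"
DMZ_IFACE="${DMZ_IFACE:-eth2}"      # interface the SYNs were captured on
DMZ_NET="192.168.0.0/24"            # private DMZ range from the thread
FW_DMZ_IP="192.168.0.1"             # firewall's address in that range

# hairpin_rules PUBLIC_IP PRIVATE_IP PROTO PORT
# A DMZ host talks to another DMZ server by its public address. Nothing rewrites
# the destination, so the firewall forwards the SYN towards the Internet and the
# server never sees it (the tcpdump in the post). Two rules fix that:
#   1. PREROUTING DNAT on the inside interface rewrites the public destination
#      to the private one before the routing decision is made.
#   2. POSTROUTING SNAT makes the server answer to the firewall rather than
#      straight back to the client, which would reset a SYN-ACK arriving from
#      an address it never connected to.
hairpin_rules() {
    public="$1"; private="$2"; proto="$3"; port="$4"
    $IPTABLES -t nat -A PREROUTING -i "$DMZ_IFACE" -p "$proto" \
        -d "$public" --dport "$port" -j DNAT --to-destination "$private"
    $IPTABLES -t nat -A POSTROUTING -o "$DMZ_IFACE" -p "$proto" \
        -s "$DMZ_NET" -d "$private" --dport "$port" -j SNAT --to-source "$FW_DMZ_IP"
}

# 151.8.47.B is the placeholder used in the post; substitute the real address.
hairpin_rules 151.8.47.B 192.168.0.3 tcp 110
```

Once applied on the bastion, `tcpdump -i eth2 host 192.168.0.3` should show the rewritten SYN leaving towards the server instead of the unanswered SYNs to the public address.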