On Thursday 20 May 2004 19:44, Antony Stone wrote:

> The same applies to your FORWARDing rules as well, by the way, so these
> will need changing before the packets can get through your firewall to
> their destination.

OK! Thanks a lot... now everything works perfectly.

But I still have a problem with UDP.

My DNS server inside the DMZ, 192.168.0.2 ($DMZ_SIENA_IP), is mapped to two public IPs:

151.8.47.A ($SIENA_IP)
81.113.95.B ($SIENA2_IP)

and the rules to allow UDP to this server from those IPs are:

$IPTABLES -A FORWARD -p TCP -o $DMZ_IFACE -d $DMZ_SIENA_IP -m multiport --dports 25,53,110 -j allowed
$IPTABLES -A FORWARD -p UDP -o $DMZ_IFACE -d $DMZ_SIENA_IP -m multiport --dports 53 -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -o $DMZ_IFACE -d $DMZ_SIENA_IP -j icmp_packets

$IPTABLES -t nat -A PREROUTING -p TCP -d $SIENA_IP -m multiport --dports 25,53,80,110 -j DNAT --to-destination $DMZ_SIENA_IP
$IPTABLES -t nat -A PREROUTING -p UDP -d $SIENA_IP -m multiport --dports 53 -j DNAT --to-destination $DMZ_SIENA_IP

$IPTABLES -t nat -A PREROUTING -p TCP -d $SIENA2_IP -m multiport --dports 25,53,80,110 -j DNAT --to-destination $DMZ_SIENA_$
$IPTABLES -t nat -A PREROUTING -p UDP -d $SIENA2_IP -m multiport --dports 53 -j DNAT --to-destination $DMZ_SIENA_IP

With $SIENA_IP everything works. With $SIENA2_IP it does not :-(.

Is it possible that the UDP reply packet source is wrong because of:

...
$IPTABLES -t nat -A POSTROUTING -s $DMZ_SIENA_IP -o $INET_IFACE -j SNAT --to-source $SIENA_IP
...

?

Oz

--
What we wish, that we readily believe.
                -- Demosthenes
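
How connection tracking handles the UDP/53 rules quoted in the message above, as an added example that is not part of the original post and is not netfilter's code. It is a simplified model: the nat chains are consulted only for the first packet of a flow, and replies are reverse-translated from the stored entry. The class and function names are hypothetical, and every address except 192.168.0.2 is a constructed placeholder.

```python
# Simplified model of netfilter NAT + connection tracking (a sketch, not kernel code).
# Interface matches (-o $INET_IFACE) are left out; public addresses are constructed.
DMZ_SIENA_IP = "192.168.0.2"
SIENA_IP = "198.51.100.10"    # stands in for 151.8.47.A
SIENA2_IP = "203.0.113.20"    # stands in for 81.113.95.B

# nat rules from the post, reduced to UDP port 53
DNAT_RULES = {(SIENA_IP, 53): DMZ_SIENA_IP, (SIENA2_IP, 53): DMZ_SIENA_IP}
SNAT_RULES = {DMZ_SIENA_IP: SIENA_IP}   # POSTROUTING -s $DMZ_SIENA_IP -j SNAT


class Conntrack:
    def __init__(self):
        self.reply_map = {}   # translated reply tuple -> tuple put back on the wire

    def forward(self, src, sport, dst, dport):
        """Translate one UDP packet crossing the firewall; return the new tuple."""
        pkt = (src, sport, dst, dport)
        if pkt in self.reply_map:
            # Reply direction of a known flow: undo the stored mapping.
            # The nat PREROUTING/POSTROUTING rules are not consulted here.
            return self.reply_map[pkt]
        # First packet of a flow: nat PREROUTING (DNAT), then nat POSTROUTING (SNAT).
        new_dst = DNAT_RULES.get((dst, dport), dst)
        new_src = SNAT_RULES.get(src, src)
        # Remember how to rewrite the answer so it mirrors the original packet.
        self.reply_map[(new_dst, dport, new_src, sport)] = (dst, dport, src, sport)
        return (new_src, sport, new_dst, dport)


def reply_source_for_query(public_ip, client="192.0.2.77", sport=40000):
    """Source address the client sees on the DNS answer to a query sent to public_ip."""
    ct = Conntrack()
    _, _, server, _ = ct.forward(client, sport, public_ip, 53)
    # The DNS server answers from its private address.
    return ct.forward(server, 53, client, sport)[0]


def source_of_server_initiated_query(resolver="192.0.2.53"):
    """Source address of a new flow opened by the DMZ server itself."""
    return Conntrack().forward(DMZ_SIENA_IP, 5353, resolver, 53)[0]
```

In this model the SNAT rule changes only flows that the DMZ host opens itself. A packet capture on $INET_IFACE for UDP port 53 while querying $SIENA2_IP shows what the live firewall actually sends.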