Re: DMZ to DMT through ROUTER problem !

On Friday 21 May 2004 10:30 am, O-Zone wrote:

> On Thursday 20 May 2004 19:44, Antony Stone wrote:
> > The same applies to your FORWARDing rules as well, by the way, so these
> > will need changing before the packets can get through your firewall to
> > their destination.
>
> OK! Thanks a lot... now all works perfectly. But I still have a problem
> with UDP. My DNS server inside the DMZ, 192.168.0.2 ($DMZ_SIENA_IP), is mapped
> to two public IPs:
>
> 151.8.47.A ($SIENA_IP)
> 81.113.95.B ($SIENA2_IP)

How do you route reply packets from those two public IPs back to the sender?

Netfilter will correctly apply reverse nat rules to reply packets which are in 
response to original packets matching nat rules in your ruleset - therefore 
if you map both the above public IPs to a single DMZ private IP, reply 
packets will be correctly reverse natted to have the appropriate public 
source IP.   However, you may need to make sure that packets with one source 
IP go via one ISP and those with the other source IP go via the other ISP 
(I'm assuming here that you have two entirely different public IPs because 
you have Internet connections from two ISPs?), as both ISPs may drop packets 
which have source addresses outside the range they have allocated to you (or 
which have been allocated to the ISP).

If you haven't already looked into iproute2 at http://lartc.org now would be a 
good time to find out about it.

Regards,

Antony.

-- 
Late in 1972 President Richard Nixon announced that the rate of increase of 
inflation was decreasing.   This was the first time a sitting president used 
a third derivative to advance his case for re-election.

 - Hugo Rossi, Notices of the American Mathematical Society

                                                     Please reply to the list;
                                                           please don't CC me.
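The setup Antony describes (two public IPs from two ISPs, both mapped to one DMZ host, replies leaving via the ISP that owns the source address), worked through as an added example that is not from the thread. The variable names follow the thread; the last octets of the public IPs (A and B in the thread), the gateway addresses, the interface names and the mark/table numbers are assumed placeholders. One caveat the thread does not spell out: for a DNAT'ed connection the reverse translation of replies happens in POSTROUTING, after the routing decision, so at routing time a reply still carries the private source 192.168.0.2 and an "ip rule from <public IP>" cannot pick the uplink. The example therefore tags each connection with the uplink it arrived on (CONNMARK) and routes replies by fwmark, which is the policy-routing approach documented at lartc.org.

```shell
#!/bin/sh
# Added example; not part of the original thread. Two ISP uplinks, each with
# its own public IP, both DNAT'ed to one DNS server in the DMZ. Variable names
# follow the thread; the last octets (A/B in the thread), the gateway
# addresses, the interface names and the mark/table numbers are assumed.
SIENA_IP=151.8.47.10           # ISP 1 public IP (last octet assumed)
SIENA2_IP=81.113.95.20         # ISP 2 public IP (last octet assumed)
DMZ_SIENA_IP=192.168.0.2       # DNS server in the DMZ
WAN1=eth0;  ISP1_GW=151.8.47.1     # assumed
WAN2=eth1;  ISP2_GW=81.113.95.1    # assumed
DMZ_IF=eth2                        # assumed
MARK1=1;    TABLE1=101             # assumed
MARK2=2;    TABLE2=102             # assumed

# DRY_RUN=1 prints each command instead of running it (applying needs root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Map both public addresses onto the DMZ server and let the translated
# packets through FORWARD (the FORWARD point raised earlier in the thread).
nat_rules() {
    for proto in udp tcp; do
        for pub in "$SIENA_IP" "$SIENA2_IP"; do
            run iptables -t nat -A PREROUTING -d "$pub" -p "$proto" --dport 53 \
                -j DNAT --to-destination "$DMZ_SIENA_IP"
        done
        run iptables -A FORWARD -o "$DMZ_IF" -d "$DMZ_SIENA_IP" \
            -p "$proto" --dport 53 -j ACCEPT
    done
    run iptables -A FORWARD -i "$DMZ_IF" -s "$DMZ_SIENA_IP" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The server's own outbound traffic (recursive lookups) follows the main
    # default route (ISP 1 here), so it is SNAT'ed to ISP 1's address only.
    run iptables -t nat -A POSTROUTING -s "$DMZ_SIENA_IP" -o "$WAN1" \
        -j SNAT --to-source "$SIENA_IP"
}

# Reverse NAT of a DNAT'ed connection's replies happens in POSTROUTING, after
# the routing decision, so a reply is still sourced 192.168.0.2 when routed.
# Tag each new connection with the uplink it arrived on and restore that tag
# onto every later packet, replies included; routing then keys on the mark.
mark_rules() {
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -i "$WAN1" -m state --state NEW \
        -j CONNMARK --set-mark "$MARK1"
    run iptables -t mangle -A PREROUTING -i "$WAN2" -m state --state NEW \
        -j CONNMARK --set-mark "$MARK2"
}

# iproute2 policy routing: one table per ISP, selected by the connection mark.
policy_routing() {
    run ip route add default via "$ISP1_GW" dev "$WAN1" table "$TABLE1"
    run ip route add default via "$ISP2_GW" dev "$WAN2" table "$TABLE2"
    run ip rule add fwmark "$MARK1" table "$TABLE1"
    run ip rule add fwmark "$MARK2" table "$TABLE2"
    # The router's own packets sourced from ISP 2's address also go out ISP 2.
    run ip rule add from "$SIENA2_IP" table "$TABLE2"
    # Strict reverse-path filtering drops packets arriving on the uplink that
    # is not the main-table route back to their source; relax it on both.
    run sysctl -w "net.ipv4.conf.$WAN1.rp_filter=0"
    run sysctl -w "net.ipv4.conf.$WAN2.rp_filter=0"
}

apply_all() { nat_rules; mark_rules; policy_routing; }

# Usage: DRY_RUN=1 sh two-isp-dns.sh apply   (preview)
#        sh two-isp-dns.sh apply             (as root, applies the rules)
if [ "${1:-}" = apply ]; then apply_all; fi
```

Preview with DRY_RUN=1 first; the printed commands are exactly what would be executed. Rule order matters in mangle PREROUTING: --restore-mark must come before the --set-mark rules so that packets of existing connections pick up their stored mark, and nothing else in the ruleset should clear the packet mark before the routing decision.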
