On Wed, 2004-09-01 at 23:17, Payal Rathod wrote:
> On Wed, Sep 01, 2004 at 11:04:56PM -0400, Jason Opperisano wrote:
> > i assume the squid proxy can already fetch content from the web server
> > in the DMZ for your LAN--if this is not the case; please post your
> > current rules:
>
> Yes, it can access the DMZ using public IP right now. Now I want something
> very simple, I want to allow only the client to access the machine.
>
> > iptables -A FORWARD -i $extIf -o $dmzIf -p tcp --syn \
> >   -s 1.2.3.4 --sport 1024:65535 -d 10.10.10.3 --dport 80 \
> >   -j ACCEPT
>
> Can you make this a bit simpler? I am not too worried about security of
> designs (no need for VPN). I just want only the client's IP to access it.
> Right now I have,
> -A PREROUTING -d 5.6.7.8 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.10.3

i can simplify it to:

-A FORWARD -p tcp -s 1.2.3.4 -d 10.10.10.3 --dport 80 -j ACCEPT

the rules i post in my responses mimic the rules that i actually use on my
firewalls--i don't mean to over-complicate things...

> 5.6.7.8 is my external IP of the DMZ machine.
>
> I am afraid if I give it as,
> -A PREROUTING -s 1.2.3.4 -d 5.6.7.8 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.10.3
>
> it will block access from my local LAN also via the squid proxy and yes
> the gateway (squid proxy) machine does have 3 cards.

yes--you're probably right that it would break access from the local LAN in
your current configuration

-j

-- 
Jason Opperisano <opie@xxxxxxxxxxx>
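The approach the thread converges on, restricting the source in the filter FORWARD chain while leaving the DNAT rule general, written out as a complete iptables-restore ruleset. This is an added example, not a ruleset from either poster; the addresses are the ones quoted in the thread, and the interface names (eth0 external, eth1 LAN, eth2 DMZ) are assumed.

```iptables
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Publish the DMZ web server on the external address. No -s here: the
# DNAT stays general and the "who may connect" decision is made in filter.
-A PREROUTING -d 5.6.7.8 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.10.3
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies and related packets for connections already allowed below.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only the one client (1.2.3.4) may open connections from the Internet
# to the DMZ server. Match on the post-DNAT destination 10.10.10.3.
# Interface names eth0 (external) and eth2 (DMZ) are assumed.
-A FORWARD -i eth0 -o eth2 -p tcp -m state --state NEW \
    -s 1.2.3.4 -d 10.10.10.3 --dport 80 -j ACCEPT
# LAN hosts (eth1, assumed) keep direct access to the DMZ server; traffic
# generated on the gateway itself, e.g. by squid, traverses OUTPUT rather
# than FORWARD and is not affected by these rules.
-A FORWARD -i eth1 -o eth2 -p tcp -m state --state NEW \
    -d 10.10.10.3 --dport 80 -j ACCEPT
# Everything else that would be forwarded is logged, then hits the DROP policy.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
```

Load with `iptables-restore < rules.txt` and confirm with `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v`; a connection attempt from any address other than 1.2.3.4 to 5.6.7.8:80 should then show up in the kernel log with the FWD-DROP prefix.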