On Thu, 2004-09-02 at 15:04, Payal Rathod wrote:
> On Thu, Sep 02, 2004 at 09:13:25AM -0400, Jason Opperisano wrote:
> > i think there's some confusion here...there are three rules involved in
> > this scenario:
>
> Yes, I already have the 3 rules. The only thing I am worrying about
> is how do I let my internal LAN users access the DMZ machine using
> its public IP if I use the 3 rules given by you below. The below rules
> will effectively block all traffic except from 1.2.3.4 no.

please review the differences between INPUT, FORWARD, and OUTPUT.

http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TRAVERSINGOFTABLES

the request from your LAN users only traverses the INPUT chain for the
request to the squid proxy.  the request from the squid proxy then
traverses the OUTPUT chain to fetch content from the web server.

LAN -> SQUID -> Web Server *never* enters the FORWARD chain.  the rule you
are worrying about is in the FORWARD chain.

-j

--
Jason Opperisano <opie@xxxxxxxxxxx>
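The chain-traversal point made in the reply above, as an added example that is not part of the original thread: a small model of the Netfilter routing decision that picks INPUT, FORWARD or OUTPUT for a packet, run over the two legs of a proxied request (LAN client to squid on the firewall, then squid to the DMZ web server) and over a direct LAN-to-DMZ attempt. All addresses (192.168.1.0/24, 203.0.113.1, 203.0.113.10), the squid port and the three sample rules are constructed for illustration; only 1.2.3.4 comes from the thread.

```python
# Added example (not from the original thread): a small model of the Netfilter
# filter-table traversal the reply describes. Addresses, interface roles and
# the sample rules are all constructed for illustration.

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address
    dport: int  # destination TCP port


@dataclass
class Rule:
    chain: str                        # "INPUT", "FORWARD" or "OUTPUT"
    target: str                       # "ACCEPT" or "DROP"
    match: Callable[[Packet], bool]   # predicate standing in for iptables match options
    comment: str = ""


@dataclass
class Firewall:
    local_ips: set                    # addresses owned by the firewall host itself
    rules: List[Rule] = field(default_factory=list)
    policy: Dict[str, str] = field(
        default_factory=lambda: {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}
    )

    def chain_for(self, pkt: Packet) -> str:
        """The routing decision that picks the filter chain a packet traverses.

        A packet generated by the host itself (source is a local address) goes
        through OUTPUT; a packet arriving for a local address is delivered via
        INPUT; anything else is routed on to another host and hits FORWARD.
        """
        if pkt.src in self.local_ips:
            return "OUTPUT"
        if pkt.dst in self.local_ips:
            return "INPUT"
        return "FORWARD"

    def verdict(self, pkt: Packet) -> str:
        """First matching rule in the traversed chain wins, else the chain policy."""
        chain = self.chain_for(pkt)
        for rule in self.rules:
            if rule.chain == chain and rule.match(pkt):
                return rule.target
        return self.policy[chain]


def trace(fw: Firewall, pkt: Packet) -> Tuple[str, str]:
    """Return (chain traversed, verdict) for one packet."""
    return fw.chain_for(pkt), fw.verdict(pkt)


# --- constructed scenario (hypothetical addresses) ---------------------------
LAN_NET = ip_network("192.168.1.0/24")
FW_LAN_IP = "192.168.1.1"       # firewall's LAN-side address; squid listens here
FW_PUBLIC_IP = "203.0.113.1"    # firewall's address on the outside/DMZ side
DMZ_WEB_IP = "203.0.113.10"     # public IP of the DMZ web server
TRUSTED_REMOTE = "1.2.3.4"      # the one remote source the FORWARD rule admits
SQUID_PORT = 3128


def build_example_firewall() -> Firewall:
    fw = Firewall(local_ips={FW_LAN_IP, FW_PUBLIC_IP})
    fw.rules = [
        # LAN clients may talk to the proxy running on the firewall (INPUT path).
        Rule("INPUT", "ACCEPT",
             lambda p: ip_address(p.src) in LAN_NET and p.dst == FW_LAN_IP and p.dport == SQUID_PORT,
             "LAN -> squid"),
        # Only 1.2.3.4 may be routed through to the DMZ web server (FORWARD path).
        Rule("FORWARD", "ACCEPT",
             lambda p: p.src == TRUSTED_REMOTE and p.dst == DMZ_WEB_IP and p.dport == 80,
             "trusted remote -> DMZ web"),
        Rule("FORWARD", "DROP",
             lambda p: p.dst == DMZ_WEB_IP and p.dport == 80,
             "everyone else -> DMZ web"),
    ]
    return fw


if __name__ == "__main__":
    fw = build_example_firewall()
    legs = {
        "LAN client -> squid":        Packet("192.168.1.50", FW_LAN_IP, SQUID_PORT),
        "squid -> DMZ web server":    Packet(FW_PUBLIC_IP, DMZ_WEB_IP, 80),
        "LAN client -> DMZ directly": Packet("192.168.1.50", DMZ_WEB_IP, 80),
        "1.2.3.4 -> DMZ web server":  Packet(TRUSTED_REMOTE, DMZ_WEB_IP, 80),
    }
    for name, pkt in legs.items():
        chain, result = trace(fw, pkt)
        print(f"{name:28s} chain={chain:8s} verdict={result}")
```

Both legs of the proxied request are accepted without ever consulting the FORWARD rules: the first is delivered locally to squid (INPUT), the second is generated by the firewall host itself (OUTPUT). Only a LAN client that bypasses the proxy and sends straight to the DMZ address is routed, and that is the packet the restrictive FORWARD rule drops. The model covers the filter table only; if the web server's public IP is DNATed on the firewall, that rewrite happens in nat PREROUTING before the routing decision, but the local-delivery versus forward split shown here is unchanged.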