Hiya,

[07:09:48 root@gateway root]$ cat /proc/sys/net/ipv4/ip_forward
1

It would seem that the one rule that is causing the issue is this one:

Works:

$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -j MASQUERADE

Does not:

$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -d ! $LAN_IP_RANGE -j MASQUERADE

The LAN is on 192.168.0.0/24. DMZ is on 192.168.254.0/24

Ie the -d ! $LAN_IP_RANGE

LAN_IP_RANGE="192.168.0.0/16"

So should the DMZ be NATted to the LAN? I would assume yes.

Are there any good guides to 3 interfaced firewalls - ie LAN, DMZ, red?

Greg

On Tue, 25 Jan 2005 14:11:30 -0800, Gary W. Smith <gary@xxxxxxxxxxxxxxx> wrote:
> Greg,
>
> This might be real dumb but do you have IP forwarding enabled? If you
> do then NAT isn't necessary between the LANs.
>
> Gary
>
> > -----Original Message-----
> > From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-
> > bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Greg Cope
> > Sent: Tuesday, January 25, 2005 2:07 PM
> > To: netfilter@xxxxxxxxxxxxxxxxxxx
> > Subject: Re: Help debugging iptables firewall....
> >
> > > Bingo.
> >
> > Seemed to have solved it. I noticed that without the firewall running
> > the following rule was in the stop section:
> >
> > iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
> >
> > Looking at the tcpdumps when it "worked" without the firewall the db
> > server thought it was talking to the firewall.
> >
> > When the firewall was on the db server was failing to talk to the
> > webserver, and the connection packet got through, but there never
> > seemed to be an ack packet back out.
> >
> > I am a bit confused, but it seems to work now - which is good until
> > tomorrow morning.
> >
> > Thanks for your help.
> >
> > Not sure what the right way to do it is. I suppose the LAN should be
> > masqueraded to the DMZ hosts, as the DMZ hosts should not have
> > detailed knowledge of the LAN side.
> >
> > Greg
>
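An added example, not part of the thread: a small Python model of the two POSTROUTING rules Greg lists, using the ranges from his mail, to show which flows each rule would masquerade and why the `-d ! $LAN_IP_RANGE` variant treats LAN/DMZ traffic differently. The address 203.0.113.10 is a constructed stand-in for an Internet host.

```python
from ipaddress import ip_address, ip_network

# Ranges exactly as given in the thread.
LAN = ip_network("192.168.0.0/24")
DMZ = ip_network("192.168.254.0/24")
LAN_IP_RANGE = ip_network("192.168.0.0/16")  # the variable used in both rules

# Each rule modelled as a source match plus an optional (possibly negated) destination match.
#   RULE_WORKS  ~ "-s $LAN_IP_RANGE -j MASQUERADE"
#   RULE_BROKEN ~ "-s $LAN_IP_RANGE -d ! $LAN_IP_RANGE -j MASQUERADE"
RULE_WORKS = {"src": LAN_IP_RANGE, "dst": None, "dst_negated": False}
RULE_BROKEN = {"src": LAN_IP_RANGE, "dst": LAN_IP_RANGE, "dst_negated": True}


def masqueraded(rule, src, dst):
    """Return True if a packet src->dst would reach the MASQUERADE target of `rule`."""
    src, dst = ip_address(src), ip_address(dst)
    if src not in rule["src"]:
        return False
    if rule["dst"] is None:
        return True
    in_dst = dst in rule["dst"]
    return (not in_dst) if rule["dst_negated"] else in_dst


def compare(flows):
    """Map flow label -> (masqueraded by the working rule, masqueraded by the negated rule)."""
    return {name: (masqueraded(RULE_WORKS, s, d), masqueraded(RULE_BROKEN, s, d))
            for name, (s, d) in flows.items()}


# Constructed sample flows (203.0.113.10 is a documentation address standing in for the Internet).
FLOWS = {
    "lan->dmz": ("192.168.0.10", "192.168.254.5"),
    "dmz->lan": ("192.168.254.5", "192.168.0.10"),
    "lan->internet": ("192.168.0.10", "203.0.113.10"),
    "dmz->internet": ("192.168.254.5", "203.0.113.10"),
}

if __name__ == "__main__":
    for flow, (works, negated) in compare(FLOWS).items():
        print(f"{flow:14} works-rule={str(works):5} negated-rule={str(negated):5}")
    # The negated rule excludes every 192.168.x.x destination, and the DMZ /24 sits
    # inside that /16, so LAN<->DMZ traffic is no longer masqueraded by it.
    assert DMZ.subnet_of(LAN_IP_RANGE)
```

Only the Internet-bound flows are masqueraded by both rules; the LAN/DMZ flows differ because the /16 used as the exclusion covers the DMZ /24 as well.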