> jonathan@xxxxxxxxxxxxxxxxxxxx wrote:
>> Kind of... I'm trying to redirect _any_ traffic destined for my DMZ
>> address to be forwarded to the machines themselves. I tried the rule you
>> suggested, and I also realized that I had already tried that.
>>
>> Basically, I want to forward any traffic destined for the DMZ address past
>> the firewall and onto the DMZ machines themselves, well, once they've gone
>> through some bad packet checks...
>
> Ok, if you are wanting all traffic to be destined you will need to
> statefully inspect packets and return them to your LAN accordingly before
> you forward the traffic off to your DMZ server. That is unless you have a
> different globally routable IP for your DMZ system than you do for your
> router.
>
> You will probably need to DNAT in the PREROUTING chain for both inbound
> interfaces, your LAN and WAN connection.
>

What would I DNAT (--to-source) to? My understanding is to check for
ESTABLISHED,RELATED state and forward onto either LAN/DMZ interface, but how
do I receive where --to-source should be?

>> FYI, the rule didn't work as expected. The following is my script thus
>> far:
>>
>> #************************************
>> # Variables the script uses (interface names and WAN address taken from
>> # the address list further down in this message)
>> ipt=/sbin/iptables
>> LAN_INTERFACE=eth0
>> WAN_INTERFACE=eth1
>> DMZ_INTERFACE=eth2
>> WAN_IP=xx.xx.xx.184
>>
>> /sbin/modprobe ip_tables
>> /sbin/modprobe ip_conntrack
>> /sbin/modprobe ip_conntrack_ftp
>> /sbin/modprobe iptable_filter
>> /sbin/modprobe ipt_LOG
>> /sbin/modprobe ipt_limit
>> /sbin/modprobe iptable_nat
>> /sbin/modprobe ipt_REJECT
>> /sbin/modprobe ipt_state
>>
>> #
>> # Enable IP forwarding
>> #
>>
>> echo "1" > /proc/sys/net/ipv4/ip_forward
>>
>> $ipt -F
>> $ipt -X
>> $ipt -Z
>>
>>
>> $ipt -P INPUT DROP
>> $ipt -P OUTPUT ACCEPT
>> $ipt -P FORWARD DROP
>>
>> ###########################################
>> #
>> # Rules
>> #
>>
>> #
>> # Accept EST. and REL. packets
>> #
>> $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>> $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> #
>> # Forward all from LAN through WAN
>> #
>> $ipt -A FORWARD -i $LAN_INTERFACE -o $WAN_INTERFACE -j ACCEPT
>>
>> #
>> # NAT all outgoing packets
>> #
>> $ipt -t nat -A POSTROUTING -o $WAN_INTERFACE -j SNAT --to-source $WAN_IP
>
> If your LAN is on a different subnet you could add an "-s <LAN subnet>"
> extension to this to make sure that you are only SNATing your LAN traffic.
>

Ah... thanks. Didn't think about that.

>> #
>> # temp - this does the actual allowing of outgoing packets
>> # from the dmz server... but it still nat's them... I don't want to nat
>> # them, I want them to appear as they are
>> #
>> $ipt -A FORWARD -i $DMZ_INTERFACE -o $WAN_INTERFACE -j ACCEPT
>>
>> ############################################################
>> #
>> # Firewall specific rules
>> #
>>
>> #
>> # Allow access from LAN to firewall
>> #
>> $ipt -A INPUT -i $LAN_INTERFACE -j ACCEPT
>>
>> #
>> # Save rules
>> #
>> /etc/init.d/iptables save
>>
>> #************************************
>>
>> This is basic, as I'm trying to take it one step at a time. I'm currently
>> dealing with 2 issues: the one mentioned above... and the other is not
>> NATing the outgoing DMZ packets... I would like them to go out with their
>> own IP addresses...
>
> I take it that your DMZ system is running a globally routable IP? If this
> is the case can we get a list of said IPs (scrubbed if need be) for
> discussion?
>

IP Network = xx.xx.xx.182
Router WAN interface = xx.yyy.y.241
Router LAN interface = xx.xx.xx.183
Firewall eth0 connected to LAN switch = 10.123.x.x
Firewall eth1 connected to router = xx.xx.xx.184
Firewall eth2 connected to DMZ switch = xx.xx.xx.185
DMZ server eth0 connected to DMZ switch = xx.xx.xx.186

LAN stuff works just fine... well, at least from what I can tell, and it's the
only section with local IPs. The others are all using globally routable IPs
from my block. Currently, and as stated before, I can access everything from
the firewall itself, just can't pass through. Once I get a basic setup going,
I should be able to figure it out... it's just this hurdle right now.
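As an added example (not the poster's script and not anything from the thread itself), here is the direction the replies above point toward, written out as one rule set: the SNAT restricted to the LAN subnet with -s, and the DMZ server, which has its own address from the public block, handled by plain FORWARD rules with no DNAT. The interface mapping (eth0 LAN, eth1 router, eth2 DMZ) comes from the address list in the message; the 10.123.0.0/16 prefix and the 203.0.113.x addresses are assumptions standing in for the scrubbed values, and FW_DRY_RUN, show_rules and count_nat_rules are helpers added here so the rule set can be printed and checked without touching a live kernel.

```shell
#!/bin/sh
# Routed (non-NAT) DMZ for the layout in the message: the firewall's eth0
# faces the LAN switch (10.123.x.x), eth1 faces the router, eth2 faces the
# DMZ switch, and the DMZ server has its own address from the public block.
# Constructed example; the 203.0.113.x addresses are RFC 5737 placeholders
# standing in for the scrubbed xx.xx.xx.* values, and the /16 LAN prefix is
# an assumption.

IPT=${IPT:-/sbin/iptables}
LAN_IF=eth0
WAN_IF=eth1
DMZ_IF=eth2
LAN_NET=10.123.0.0/16       # assumed prefix length for the 10.123.x.x LAN
WAN_IP=203.0.113.184        # placeholder for the firewall's eth1 address (xx.xx.xx.184)
DMZ_SERVER=203.0.113.186    # placeholder for the DMZ server (xx.xx.xx.186)

# ipt: run iptables, or only print the command when FW_DRY_RUN=1, so the
# rule set can be reviewed (and tested) on a machine without root or iptables.
ipt() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        "$IPT" "$@"
    fi
}

fw_rules() {
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD DROP

    # Basic sanity checks: drop what conntrack cannot classify, then let
    # replies belonging to known connections through in every direction.
    ipt -A FORWARD -m state --state INVALID -j DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN -> Internet. The -s on the SNAT rule is the point raised in the
    # thread: only the private LAN is rewritten to the firewall's WAN address.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"

    # DMZ -> Internet is plain routing: no nat-table rule touches it, so the
    # server's packets leave with its own public source address.
    ipt -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -j ACCEPT

    # Internet -> DMZ. The server has its own public address, so nothing is
    # DNATed; new connections addressed to it are simply forwarded. Narrow
    # this with -p tcp --dport <port> once the published services are known.
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$DMZ_SERVER" -m state --state NEW -j ACCEPT
    # LAN -> DMZ, same idea, different inbound interface.
    ipt -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -d "$DMZ_SERVER" -j ACCEPT

    # The firewall itself only accepts new connections from the LAN.
    ipt -A INPUT -i "$LAN_IF" -j ACCEPT
}

# show_rules: print the full rule set without applying anything.
show_rules() {
    ( FW_DRY_RUN=1; fw_rules )
}

# count_nat_rules: how many nat-table rules the set installs (expected: one,
# the LAN SNAT; no DNAT and nothing matching the DMZ).
count_nat_rules() {
    show_rules | grep -c -- '-t nat -A'
}

case "${1:-}" in
    apply)
        echo 1 > /proc/sys/net/ipv4/ip_forward
        fw_rules
        ;;
    show)
        show_rules
        ;;
esac
```

`sh fw.sh show` prints the rules, `sh fw.sh apply` installs them. The second issue in the message, DMZ traffic being NATed on the way out, goes away because the only nat-table rule now matches `-s 10.123.0.0/16`; the first, reaching the DMZ server from outside, needs no DNAT at all once the server answers on its own routable address, only a FORWARD rule that lets new connections to it through.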