On Thu, February 9, 2006 11:18, Greg Cope wrote:
> Hi All,
>
> I have a simple firewall/router.
>
> Behind are a few servers.
>
> I need to be able to:
>
> - Let clients use external dns (does not work)
> - ssh onto firewall (works)
> - NAT packets onto webservers behind firewall (works)
>
> This is a simple problem, but I can't seem to crack it - please can
> someone point out my stupidity.
>
> Some of the rules I have:
>
> ${IPTABLES} -A INPUT -p udp -s ${EXT_DNS_IP} --source-port 53 -d ${DMZ_IP_RANGE} -j ACCEPT
> ${IPTABLES} -A INPUT -p udp -s ${EXT_DNS_IP2} --source-port 53 -d ${DMZ_IP_RANGE} -j ACCEPT
> ${IPTABLES} -A FORWARD -p udp -s ${EXT_DNS_IP} -d ${DMZ_IP_RANGE} --sport 53 -j ACCEPT

I'm sorry, but for me it's not enough information. Are your clients DMZ servers or real clients? I think there are some rules missing to evaluate it properly.

For your problem:

> - Let clients use external dns (does not work)

You need to create rules like these (I'll assume your "clients" are DMZ servers):

$ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -m state --state NEW -i <if_dmz> -s <net_dmz> \
    [-d <ip_ext_dns>] -p udp --dport 53 -j ACCEPT
$ipt -A FORWARD -m state --state NEW -i <if_dmz> -s <net_dmz> \
    [-d <ip_ext_dns>] -p tcp --dport 53 -j ACCEPT
$ipt -t nat -A POSTROUTING -o <if_inet> -s <net_dmz> [-d <ip_ext_dns>] \
    -p udp --dport 53 -j SNAT --to-source <ip_inet>
$ipt -t nat -A POSTROUTING -o <if_inet> -s <net_dmz> [-d <ip_ext_dns>] \
    -p tcp --dport 53 -j SNAT --to-source <ip_inet>

Gr,
Rob
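The rule set Rob sketches, written out as a small shell function so the five rules can be reviewed before they are applied. This is an added example, not code from either mail: the function name, the interface names (eth0/eth1), the DMZ network and the addresses 203.0.113.1 and 192.0.2.53 are assumptions chosen for illustration. By default the commands are only printed; set IPTABLES=iptables to run them as root. The point it makes is why Greg's rules did not work: his INPUT rules only cover the firewall itself, and the FORWARD rule only admits the reply half of the conversation, whereas DNS egress for the DMZ needs the query allowed out, conntrack letting the answer back, and SNAT so the resolver can reach a private address.

```shell
#!/bin/sh
# Added example, not from the original mail thread. Emits (or, with
# IPTABLES=iptables, applies) the rules that let DMZ hosts query an
# external resolver. Interface names and addresses are placeholders.
IPTABLES="${IPTABLES:-echo iptables}"

# Usage: dns_egress_rules IF_DMZ NET_DMZ IF_INET IP_INET [EXT_DNS_IP]
#   IF_DMZ     interface facing the DMZ (e.g. eth1)
#   NET_DMZ    DMZ network in CIDR notation (e.g. 192.168.10.0/24)
#   IF_INET    Internet-facing interface (e.g. eth0)
#   IP_INET    the firewall's public address, used as the SNAT source
#   EXT_DNS_IP optional: limit queries to this one resolver
dns_egress_rules() {
    if [ $# -lt 4 ]; then
        echo "usage: dns_egress_rules IF_DMZ NET_DMZ IF_INET IP_INET [EXT_DNS_IP]" >&2
        return 1
    fi
    if_dmz=$1; net_dmz=$2; if_inet=$3; ip_inet=$4; ext_dns=${5:-}

    # Optional destination restriction, the "[-d <ip_ext_dns>]" in the reply.
    dst=""
    if [ -n "$ext_dns" ]; then
        dst="-d $ext_dns"
    fi

    # 1. Return traffic for anything the firewall has already seen.
    #    Conntrack marks the resolver's answer ESTABLISHED, so this one
    #    rule covers the reply direction for UDP and TCP alike; there is
    #    no need for a separate "--sport 53" rule per resolver.
    $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # 2./3. New queries, only from the DMZ interface and network, to port 53.
    #    TCP is needed too: answers over 512 bytes fall back to it.
    for proto in udp tcp; do
        $IPTABLES -A FORWARD -m state --state NEW -i "$if_dmz" -s "$net_dmz" \
            $dst -p "$proto" --dport 53 -j ACCEPT
    done

    # 4./5. Rewrite the private source address on the way out so the
    #    resolver can answer. SNAT requires --to-source; a bare
    #    "-j SNAT <ip>" is rejected by iptables.
    for proto in udp tcp; do
        $IPTABLES -t nat -A POSTROUTING -o "$if_inet" -s "$net_dmz" \
            $dst -p "$proto" --dport 53 -j SNAT --to-source "$ip_inet"
    done
}

# Dry run with constructed values (RFC 5737 documentation addresses):
dns_egress_rules eth1 192.168.10.0/24 eth0 203.0.113.1 192.0.2.53
```

Run it once without IPTABLES set to read the generated rules, then with IPTABLES=iptables to apply them. Because the FORWARD chain's default policy is not touched here, these rules only make sense on a firewall whose FORWARD policy is DROP, which is what makes the explicit NEW rules meaningful.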