[Shorewall-newbies] A DMZ issue with private addresses
matthew at ozpoz.com
Wed Jan 21 22:32:25 PST 2004
Tom, I am sorry I did not explain myself fully, an idiot indeed. Dual homing
the boxes is indeed a solution, but I do not want normal routed traffic
coming from the net to this DMZ through a second router, only port-forwarded.
I fully appreciate that routing cannot be done to a DMZ that hangs off
another box, nor would I try; maybe I am not quite the idiot I make myself
out to be?
I am doing this since the data path via the DSL service will be a lot cheaper
compared to a per-byte charged ISDN service.
I am trying to do this using:
Shorewall 1.4.9, iptables 1.2.8, kernel 2.4.20 (Bering 1.2)
and my rule is this:
DNAT net dmz:a.b.c.d:80 tcp 54321
But to no avail, although I also have another DNAT service that is working,
without any port translation though:
DNAT net loc:192.168.45.22 tcp 1723
DNAT net loc:192.168.45.22 47 -
DNAT net loc:192.168.45.22 tcp 1701
for a M$ PPTP VPN server sitting behind. I cannot think why this first DNAT
won't work while the second/third/fourth do. Can you still see a problem?
From: Tom Eastep [mailto:teastep at shorewall.net]
Sent: Sunday, 18 January 2004 2:23 AM
To: Matthew Pozzi
Cc: shorewall-newbies at lists.shorewall.net
Subject: Re: [Shorewall-newbies] A DMZ issue with private addresses
Basically, you have created a routing nightmare. The only way that I know
of to make this work is to dual-home all of the systems in the DMZ then
use policy routing on those systems so that the outgoing traffic is routed
to the internet via the path that you want (or in some cases, so that
replies return via the path that the request came in on).
Another (simpler) solution is to have a single gateway system for both the
ISDN and ADSL internet links and use policy routing on that gateway to
direct traffic. There are instructions in the Shorewall FAQ (copied
directly from the LARTC Howto).
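To make the difference between the port-translating DMZ rule and the plain PPTP rules visible, here is an added example (not from the thread or from Shorewall itself) that renders the four DNAT lines above as the iptables nat and filter rules they stand for; the zone-to-interface mapping is an assumption, and the rendering is simplified compared with the chains Shorewall actually generates.

```python
"""Render Shorewall 1.4 DNAT rule lines (ACTION SOURCE DEST PROTO DEST_PORT)
as the iptables nat and filter rules they stand for, so the difference
between the port-translating DMZ rule and the plain PPTP rules is explicit.
Simplified rendering; Shorewall's own generated chains look different."""

# Constructed input: the four rule lines quoted in the thread.
RULES = """
DNAT net dmz:a.b.c.d:80 tcp 54321
DNAT net loc:192.168.45.22 tcp 1723
DNAT net loc:192.168.45.22 47 -
DNAT net loc:192.168.45.22 tcp 1701
"""

# Assumption (not stated in the thread): which interface carries each zone.
ZONE_IFACE = {"net": "eth0", "loc": "eth1", "dmz": "eth2"}

def parse_rule(line):
    """Split one DNAT line into its fields; DEST is zone:host[:newport]."""
    action, src, dest, proto, port = line.split()
    if action != "DNAT":
        raise ValueError("only DNAT rules are handled: %r" % line)
    zone, host, *rest = dest.split(":")
    return {"src": src, "zone": zone, "host": host, "proto": proto,
            "port": None if port == "-" else port,
            "newport": rest[0] if rest else None}

def translates_port(rule):
    """True when the rule rewrites the destination port, not just the address."""
    return rule["newport"] is not None and rule["newport"] != rule["port"]

def to_iptables(rule):
    """Return (nat PREROUTING rule, filter FORWARD rule) for one DNAT entry."""
    in_if, out_if = ZONE_IFACE[rule["src"]], ZONE_IFACE[rule["zone"]]
    match = "-i %s -p %s" % (in_if, rule["proto"])
    if rule["port"]:
        match += " --dport %s" % rule["port"]
    target = rule["host"] + (":" + rule["newport"] if rule["newport"] else "")
    nat = "iptables -t nat -A PREROUTING %s -j DNAT --to-destination %s" % (match, target)
    # DNAT runs before FORWARD, so the filter rule must match the rewritten port.
    dport = rule["newport"] or rule["port"]
    fwd = "iptables -A FORWARD -i %s -o %s -d %s -p %s%s -j ACCEPT" % (
        in_if, out_if, rule["host"], rule["proto"], " --dport %s" % dport if dport else "")
    return nat, fwd

def render(text=RULES):
    return [to_iptables(parse_rule(l)) for l in text.strip().splitlines()]

if __name__ == "__main__":
    for nat, fwd in render():
        print(nat)
        print(fwd)
```

The rendering shows that the DMZ rule must be allowed through FORWARD on port 80, not 54321; it does nothing about the routing problem Tom describes, since replies from the DMZ host still have to leave through this gateway for the translation to be undone.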