[Shorewall-newbies] A DMZ issue with private addresses

Tom Eastep teastep at shorewall.net
Wed Jan 21 07:24:23 PST 2004


On Wednesday 21 January 2004 04:32 am, Matthew Pozzi wrote:
> Tom, I am sorry I did not explain myself fully, an idiot indeed. Dual
> homing the boxes is indeed a solution, but I do not want normal routed
> traffic coming from the net to this DMZ through a second router, only
> portforwarded traffic.
>
> I fully appreciate that routing cannot be done to a DMZ that hangs off
> another box, nor would I try, maybe I am not quite the idiot I make myself
> out to be?
>
> I am doing this since the data path via the DSL service will be a lot cheaper
> compared to a per byte charged ISDN service.
>
> I am trying to do this using:
> Shorewall 1.4.9, iptables 1.2.8, kernel 2.4.20 (Bering 1.2)
>
> and my rule is this:
>
> DNAT	net	dmz:a.b.c.d:80	tcp	54321
>
> But to no avail, although I also have another DNAT service that is working,
> without any port translation though
>
> DNAT    net             loc:192.168.45.22       tcp     1723
> DNAT    net             loc:192.168.45.22       47      -
> DNAT    net             loc:192.168.45.22       tcp     1701
>
> for a M$ PPTP VPN server sitting behind. I cannot think why this first DNAT
> won't work while the second/third/fourth do. Can you still see a problem?

Does the default route on a.b.c.d go through the Bering box?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
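An added example, not code from this thread or from Shorewall itself: a small shell script that expands a Shorewall 1.4 rules-file DNAT line (both the port-translating dmz:a.b.c.d:80 form and the bare-host PPTP lines quoted above) into the iptables rules it implies, and checks, from a saved `ip route` listing, the return-path condition Tom asks about. The zone-to-interface mapping (net=eth0, loc=eth1, dmz=eth2) and all addresses in it are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall.
# Assumptions: zone "net" is eth0, "loc" eth1, "dmz" eth2 (a hypothetical
# interfaces file); the firewall's DMZ-side address is 10.0.0.1 (constructed).

# zone_if ZONE -> prints the interface assumed for that zone.
zone_if() {
    case "$1" in
        net) echo eth0 ;;
        loc) echo eth1 ;;
        dmz) echo eth2 ;;
        *)   echo "unknown zone: $1" >&2; return 1 ;;
    esac
}

# shorewall_dnat "DNAT net dmz:a.b.c.d:80 tcp 54321"
# Prints the nat and filter rules implied by one DNAT line, handling both the
# "host:port" form (port translation) and a bare host. A port of "-" (as in
# the GRE line for PPTP) adds no --dport match.
shorewall_dnat() {
    set -- $1                                  # split the rule on whitespace
    [ "$1" = "DNAT" ] || { echo "not a DNAT rule: $*" >&2; return 1; }
    in_if=$(zone_if "$2") || return 1
    zone=${3%%:*}; target=${3#*:}
    out_if=$(zone_if "$zone") || return 1
    host=${target%%:*}
    newport=""; case "$target" in *:*) newport=${target#*:} ;; esac
    proto=$4; dport=$5
    match=""; if [ "$dport" != "-" ]; then match=" --dport $dport"; fi
    dest=$host; if [ -n "$newport" ]; then dest="$host:$newport"; fi
    fwd_match=""                               # after DNAT the new port applies
    if [ -n "$newport" ]; then fwd_match=" --dport $newport"
    elif [ "$dport" != "-" ]; then fwd_match=" --dport $dport"; fi
    echo "iptables -t nat -A PREROUTING -i $in_if -p $proto$match -j DNAT --to-destination $dest"
    echo "iptables -A FORWARD -i $in_if -o $out_if -d $host -p $proto$fwd_match -j ACCEPT"
}

# default_route_via ROUTES FW_IP -> true when the DMZ host's default route (as
# printed by `ip route` on that host) points at the firewall, i.e. replies to
# DNATed connections return through the box that rewrote them.
default_route_via() {
    printf '%s\n' "$1" | awk -v fw="$2" \
        '$1 == "default" && $2 == "via" && $3 == fw { ok = 1 } END { exit !ok }'
}

# Constructed `ip route` output from a DMZ host whose default route bypasses
# the firewall (a second router), which is the case Tom is asking about.
DMZ_ROUTES="10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.5
default via 10.0.0.254 dev eth0"
```

If `default_route_via "$DMZ_ROUTES" 10.0.0.1` is false, the DNAT rules above are generated correctly but the host's replies never pass back through the firewall, so the connection stalls even though the nat counters show hits.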