On 2007-07-12 Marco wrote:
> This is the network:
>
> LAN (10.10.10.0/24) <-> (10.10.10.12) FW (192.168.10.1) <-> (192.168.10.2) webserver
>
> I have set up a firewall that redirects some ports to another server in the DMZ with iptables:
>
> iptables -t nat -A PREROUTING -i ! $DMZIF -p tcp --dport 80 -j DNAT --to 192.168.10.2
> iptables -A FORWARD -p tcp -d 192.168.10.2 --dport 80 -j ACCEPT
>
> Everything works correctly from the LAN, PCs can connect to the webserver and it replies, but if on the firewall I try to connect to http://10.10.10.12 it doesn't work, it says connection refused.
Well, of course. 10.10.10.12 is the LAN interface of your firewall, but the webserver is located in the DMZ, not in the LAN. If you want to connect from the firewall box to the webserver, you need to use the DMZ address (http://192.168.10.2).

Anyway, you have two private networks here, so you don't need to do NAT in the first place. You only need NAT when public networks are involved, because private IP addresses mustn't be routed over public networks.

iptables -A FORWARD -p tcp -d 192.168.10.2 --dport 80 -j ACCEPT

and appropriate routes should suffice.

Regards
Ansgar Wiechers
-- 
"The Mac OS X kernel should never panic because, when it does, it seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
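As an added illustration (not code from either poster) of why the LAN PCs and the firewall itself behave differently, here is a toy model of the netfilter path through Marco's firewall with his two rules. It assumes a DROP policy on FORWARD, nothing listening on port 80 on the firewall box, and the standard netfilter behaviour that the firewall's own connections enter at OUTPUT and never traverse PREROUTING or FORWARD.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Addresses and rules taken from Marco's post; $DMZIF is the DMZ interface.
FW_LOCAL_ADDRS = {"10.10.10.12", "192.168.10.1"}        # the firewall's own interfaces
DNAT_RULE = {"skip_in_iface": "dmz", "dport": 80, "to": "192.168.10.2"}
FORWARD_ACCEPT = {"dst": "192.168.10.2", "dport": 80}    # FORWARD policy assumed DROP
LISTENING_ON_FW = set()                                   # assumption: no httpd on the firewall


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: Optional[str]   # None means the firewall generated the packet itself


def firewall_path(pkt: Packet) -> Tuple[List[str], str]:
    """Return the chains the packet traverses and its final fate."""
    hops: List[str] = []
    local_origin = pkt.in_iface is None
    if local_origin:
        hops.append("OUTPUT")            # locally generated: no PREROUTING, no FORWARD
    else:
        hops.append("PREROUTING")        # Marco's DNAT rule lives here
        if pkt.in_iface != DNAT_RULE["skip_in_iface"] and pkt.dport == DNAT_RULE["dport"]:
            pkt.dst = DNAT_RULE["to"]
            hops.append("DNAT->" + pkt.dst)
    # Routing decision: is the (possibly rewritten) destination this box?
    if pkt.dst in FW_LOCAL_ADDRS:
        hops.append("INPUT")
        return hops, ("accepted" if pkt.dport in LISTENING_ON_FW else "connection refused")
    if not local_origin:
        hops.append("FORWARD")           # Marco's ACCEPT rule lives here
        if not (pkt.dst == FORWARD_ACCEPT["dst"] and pkt.dport == FORWARD_ACCEPT["dport"]):
            return hops, "dropped by FORWARD policy"
    hops.append("POSTROUTING")
    return hops, "delivered to " + pkt.dst


if __name__ == "__main__":
    # Constructed sample packets: a LAN PC, then the firewall itself, both to 10.10.10.12:80,
    # and finally the firewall using the DMZ address as Ansgar suggests.
    for p in (Packet("10.10.10.5", "10.10.10.12", 80, "lan"),
              Packet("10.10.10.12", "10.10.10.12", 80, None),
              Packet("192.168.10.1", "192.168.10.2", 80, None)):
        print(p.src, "->", p.dst, firewall_path(p))
```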

