

Hi,
Your portfw command is incorrect, because you are listening for connections
to your $dmzIP and forwarding them to your $intIP. You should be listening
on your $ExtIP, and forwarding to your $dmzIP:
    ipmasqadm portfw -a -P tcp -L $ExtIP 25 -R $dmzIP 25
    ipmasqadm portfw -a -P tcp -L $ExtIP 80 -R $dmzIP 80

Then you should set up ipchains to allow those connections:
    ipchains -A forward -d $dmzIP 25 -p tcp -j ACCEPT
    ipchains -A forward -d $dmzIP 80 -p tcp -j ACCEPT

And masquerade outgoing connections:
    ipchains -A forward -s $dmzIP               -j MASQ

This will make your dmz accessible from outside your network; it will
not make your internal hosts access your dmz. To do that, one suggestion is
to use split DNS.



Jan Stifter wrote:

> hello all,
> i have the simple problem to forward port 25 of an ip in the dmz to
> port 25 of an internal ip.
>
> my situation looks like
>
>    |
>    | eth0
>  +--------------+
>  |              |  servers, $dmzIP
>  |   firewall   +-----------------
>  |              | eth1
>  +---+----------+
>      | eth2
>      |
>      |
>      | internal 192.168.0.x
>      | $intIP
>
> the $intIP can surf the internet (masqueraded) and is pingable from a
> server of the dmz.
>
> i used the following commands:
>
>    ipmasqadm portfw -f
>    ipmasqadm portfw -a -P tcp -L $dmzIP 25 -R $intIP 25
>    ipmasqadm portfw -a -P tcp -L $dmzIP 80 -R $intIP 80
>
> as well as:
>
>    ipchains -A input -d $dmzIP 25 -j ACCEPT
>    ipchains -A input -d $dmzIP 80 -j ACCEPT
>
>    # do not masq from intern to servers, just forward
>    ipchains -A forward -s $intIP -d $serverNET -j ACCEPT
>
>    # masq everything else
>    ipchains -A forward -s $intIP               -j MASQ
>
> now, i have a forwarding problem in the logs:
>
> Oct 27 06:20:24 gorgon kernel: Packet log: forward DENY eth1 PROTO=6
> an.external.ip.any:1141 $dmzIP:25 L=60 S=0x00 I=17008 F=0x4000 T=53
> SYN (#12)
>
> which rule do i need to forward the package correctly ?
> what is going wrong?
>
> the ipmasqadm portfw -n -l shows:
> gorgon:/ # ipmasqadm portfw -l -n
> prot localaddr    rediraddr   lport    rport  pcnt  pref
> TCP  $dmzIP         $intIP     80       80    10    10
> TCP  $dmzIP         $intIP     25       25    10    10
> gorgon:/ #
>
> many thanks for fast replies! it should work in 1.5 hours from this
> mail :-(((
>
> jan
>
> ---
> Jan Stifter
> http://www.medres.ch/~jstifter/
>
> _______________________________________________
> Masq maillist  -  [EMAIL PROTECTED]
> Admin requests can be handled at http://www.indyramp.com/masq-list/ --
> THIS INCLUDES UNSUBSCRIBING!
> or email to [EMAIL PROTECTED]
>
> PLEASE read the HOWTO and search the archives before posting.
> You can start your search at http://www.indyramp.com/masq/
> Please keep general linux/unix/pc/internet questions off the list.

--
-------------------------------------------
Joco Neves
[EMAIL PROTECTED]
Fabrica de Ideias
sbs - ed. empire center - bl. s - sala 109
cep 70070-904 - brasilia-df - brazil
tel: (61) 321 1357
fax: (61) 321 6096
-------------------------------------------
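An added example, not code from either poster: a small Python checker that parses the kernel "Packet log:" line and the "ipmasqadm portfw -l -n" listing quoted above, walks a forward chain the way ipchains does (first match wins, otherwise the chain policy), and shows that the original forward rules deny the logged SYN while the rules from the reply accept it. It also flags portfw entries whose listening address is not the firewall's outside address. All addresses are constructed placeholders standing in for $extIP, $dmzIP and $intIP; only the subset of ipchains syntax used in this thread is supported.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed placeholder addresses for the thread's $extIP / $dmzIP / $intIP / $serverNET.
EXT_IP = "203.0.113.1"
DMZ_IP = "198.51.100.10"
INT_IP = "192.168.0.5"
SERVER_NET = "198.51.100.0/24"

# Constructed copy of the kernel line from the thread, placeholders filled in.
LOG_LINE = ("Oct 27 06:20:24 gorgon kernel: Packet log: forward DENY eth1 PROTO=6 "
            "203.0.113.77:1141 198.51.100.10:25 L=60 S=0x00 I=17008 F=0x4000 T=53 SYN (#12)")

# Constructed copy of the 'ipmasqadm portfw -l -n' output from the thread (the wrong setup).
PORTFW_LISTING = """\
prot localaddr    rediraddr   lport    rport  pcnt  pref
TCP  198.51.100.10  192.168.0.5  80  80  10  10
TCP  198.51.100.10  192.168.0.5  25  25  10  10
"""

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}
RULE_RE = re.compile(r"ipchains -A (?P<chain>\w+)(?P<opts>.*?) -j (?P<target>\w+)$")
PORTFW_RE = re.compile(
    r"^(?P<prot>TCP|UDP)\s+(?P<local>[\d.]+)\s+(?P<redir>[\d.]+)\s+(?P<lport>\d+)\s+(?P<rport>\d+)",
    re.M)

def parse_packet_log(line):
    """Pull chain, verdict, interface, protocol and 5-tuple out of an ipchains packet log line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an ipchains packet log line")
    d = m.groupdict()
    return {"chain": d["chain"], "verdict": d["verdict"], "iface": d["iface"],
            "proto": PROTO_NAMES.get(d["proto"], d["proto"]),
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"])}

def parse_rule(cmd):
    """Parse 'ipchains -A chain [-s addr [port]] [-d addr [port]] [-p proto] -j target'."""
    m = RULE_RE.match(cmd.strip())
    if not m:
        raise ValueError("unsupported rule: " + cmd)
    rule = {"chain": m.group("chain"), "target": m.group("target"), "proto": None,
            "src": None, "sport": None, "dst": None, "dport": None}
    toks = m.group("opts").split()
    i = 0
    while i < len(toks):
        flag = toks[i]
        i += 1
        if flag in ("-s", "-d"):
            key = "src" if flag == "-s" else "dst"
            rule[key] = ip_network(toks[i], strict=False)   # bare host -> /32
            i += 1
            if i < len(toks) and not toks[i].startswith("-"):   # optional port after the address
                rule[key[0] + "port"] = int(toks[i])
                i += 1
        elif flag == "-p":
            rule["proto"] = toks[i].lower()
            i += 1
        else:
            raise ValueError("unsupported option " + flag)
    return rule

def rule_matches(rule, pkt):
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    for key in ("src", "dst"):
        if rule[key] is not None and ip_address(pkt[key]) not in rule[key]:
            return False
        port = rule[key[0] + "port"]
        if port is not None and pkt[key[0] + "port"] != port:
            return False
    return True

def chain_verdict(rules, chain, pkt, policy="DENY"):
    """First matching rule in the chain wins; otherwise the chain policy applies."""
    for r in rules:
        if r["chain"] == chain and rule_matches(r, pkt):
            return r["target"]
    return policy

def verdict_for(cmds, line):
    pkt = parse_packet_log(line)
    return chain_verdict([parse_rule(c) for c in cmds], pkt["chain"], pkt)

def check_portfw(listing, ext_ip):
    """Flag portfw entries that listen on something other than the outside address."""
    return ["%s/%s listens on %s, not %s" % (m.group("prot"), m.group("lport"),
                                             m.group("local"), ext_ip)
            for m in PORTFW_RE.finditer(listing) if m.group("local") != ext_ip]

# The poster's forward chain versus the one suggested in the reply.
ORIGINAL_FORWARD = ["ipchains -A forward -s %s -d %s -j ACCEPT" % (INT_IP, SERVER_NET),
                    "ipchains -A forward -s %s -j MASQ" % INT_IP]
CORRECTED_FORWARD = ["ipchains -A forward -d %s 25 -p tcp -j ACCEPT" % DMZ_IP,
                     "ipchains -A forward -d %s 80 -p tcp -j ACCEPT" % DMZ_IP,
                     "ipchains -A forward -s %s -j MASQ" % DMZ_IP]

if __name__ == "__main__":
    print("original rules:", verdict_for(ORIGINAL_FORWARD, LOG_LINE))    # DENY
    print("corrected rules:", verdict_for(CORRECTED_FORWARD, LOG_LINE))  # ACCEPT
    for finding in check_portfw(PORTFW_LISTING, EXT_IP):
        print("portfw:", finding)
```

The DENY reproduces the log entry: neither of the poster's forward rules has a source of the external host, so the SYN for the dmz mail port falls through to the chain policy. Feeding the listing with the outside address as localaddr returns no findings, which is the shape the reply asks for.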
