/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! 
/* ALSO: Don't quote this header. It makes you look lame :-) */


Jan Stifter wrote:

> hello all,
> i have the simple problem to forward port 25 of an ip in the dmz to
> port 25 of an internal ip.
> 
> my situation looks like
> 
>    |
>    | eth0
>  +--------------+
>  |              |  servers, $dmzIP
>  |   firewall   +-----------------
>  |              | eth1
>  +---+----------+
>      | eth2
>      |
>      |
>      | internal 192.168.0.x
>      | $intIP
> 
> the $intIP can surf the internet (masqueraded) and is pingable from a
> server of the dmz.
> 
> i used the following commands:
> 
>    ipmasqadm portfw -f
>    ipmasqadm portfw -a -P tcp -L $dmzIP 25 -R $intIP 25
>    ipmasqadm portfw -a -P tcp -L $dmzIP 80 -R $intIP 80
> 
> as well as:
> 
>    ipchains -A input -d $dmzIP 25 -j ACCEPT
>    ipchains -A input -d $dmzIP 80 -j ACCEPT
> 
>    # do not masq from intern to servers, just forward
>    ipchains -A forward -s $intIP -d $serverNET -j ACCEPT
> 
>    # masq everything else
>    ipchains -A forward -s $intIP               -j MASQ
> 
> now, i have a forwarding problem in the logs:
> 
> Oct 27 06:20:24 gorgon kernel: Packet log: forward DENY eth1 PROTO=6
> an.external.ip.any:1141 $dmzIP:25 L=60 S=0x00 I=17008 F=0x4000 T=53
> SYN (#12)
> 
> which rule do i need to forward the packet correctly?
> what is going wrong?
> 
> the ipmasqadm portfw -n -l shows:
> gorgon:/ # ipmasqadm portfw -l -n
> prot localaddr    rediraddr   lport    rport  pcnt  pref
> TCP  $dmzIP         $intIP     80       80    10    10
> TCP  $dmzIP         $intIP     25       25    10    10
> gorgon:/ #

the problem is that this only works when the destination address that
you are rewriting is the/one-of-the address(es) of the firewall/masquerading
host. that's not what you're doing.

some options in no particular order are:

(1) give the dmz ip address in question to the firewall host
as an alias so the port forwarding will work (requires extra
fiddles with iproute2 - see fwup.org for details) - probably
too fiddly

(2) place the internal host into the dmz (where it belongs :-)

(3) use transparent proxying - i'm not sure if this will do what
you want but it's worth checking out.

(4) put a proxy program on the dmz host to forward the packets
appropriately.

(5) get iproute2 and nat the packets as they arrive at the firewall
host.

(6) get linux kernel 2.4 (still in beta - not recommended) and
nat the packets using iptables.

(7) try redir - not as efficient as kernel methods but might do what
you want.

raf
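A pre-flight check for the point raf makes, added here as an example (not code from the original thread): the `-L` address of a `portfw` rule must be an address configured on the firewall host itself, otherwise the kernel never rewrites the packet and it falls through to the forward chain's DENY as in the log above. The ifconfig output and all addresses are constructed samples; `fw_addrs_from_ifconfig`, `portfw_local_ok` and `portfw_rule` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample of 2.2-era `ifconfig` output for the firewall host
# (on a real box: ifconfig | fw_addrs_from_ifconfig).
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:203.0.113.1  Bcast:203.0.113.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:02
          inet addr:10.1.1.1  Bcast:10.1.1.255  Mask:255.255.255.0
eth2      Link encap:Ethernet  HWaddr 00:00:00:00:00:03
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0'

# fw_addrs_from_ifconfig: read ifconfig output on stdin, print one IPv4
# address per line (the addresses the masquerading host actually owns).
fw_addrs_from_ifconfig() {
  sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p'
}

# portfw_local_ok LOCALADDR ADDRLIST
# Returns 0 when LOCALADDR is one of the host's own addresses, 1 otherwise.
portfw_local_ok() {
  for a in $2; do
    [ "$a" = "$1" ] && return 0
  done
  return 1
}

# portfw_rule PROTO LOCALADDR LPORT REMOTEADDR RPORT ADDRLIST
# Prints the ipmasqadm command only when the -L address is local to this
# host; otherwise prints a diagnostic on stderr and returns 1, so a rule
# that could never match is never installed.
portfw_rule() {
  proto=$1; laddr=$2; lport=$3; raddr=$4; rport=$5; addrs=$6
  if portfw_local_ok "$laddr" "$addrs"; then
    echo "ipmasqadm portfw -a -P $proto -L $laddr $lport -R $raddr $rport"
    return 0
  fi
  echo "error: $laddr is not an address of this host; portfw would never rewrite it" >&2
  return 1
}

FW_ADDRS=$(printf '%s\n' "$SAMPLE_IFCONFIG" | fw_addrs_from_ifconfig)

# A DMZ server address (203.0.113.50, constructed) is not on the firewall,
# so this rule is rejected; a rule on the firewall's own eth0 address passes.
portfw_rule tcp 203.0.113.50 25 192.168.0.10 25 "$FW_ADDRS"
portfw_rule tcp 203.0.113.1 25 192.168.0.10 25 "$FW_ADDRS"
```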

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]