On Monday 03 June 2002 10:58 pm, John Jones wrote:

> > (By the way, you should change that --sport in the last rule
> > to --dport.)
>
> Okay, sorry I typoed. I fixed the typo, however, and that doesn't solve
> it.

No, I didn't think it would solve the whole problem, but it's a step closer...

> We have two firewalls, one for the LAN and one for the DMZ.

Whoa !!! That's significant ! There's all sorts of complicated routing issues which come in now :-)

Let's see if I've got this understood now:

You have some sort of router connected to the Internet; there's a hub or switch on the inside of that router, and you have two firewalls both with publicly-routable external addresses on them connected to that hub. Both firewalls have exactly two interfaces. One firewall has a LAN on its internal interface; the other firewall has a DMZ, with a DNS server on its internal interface (the address of this DNS server is 10.0.0.10).

You are trying to redirect all DNS requests from machines on the LAN (ie inside one firewall) to the DNS server on your DMZ (ie inside the other firewall).

Is that correct ?

If so, then I have got confused with the last ruleset you posted - was that for the LAN firewall or the DMZ firewall - they're both important, and they need to be different, so I think now you've said you have two, it's important to be clear which one we're discussing at a given time.

Briefly, you need to do this on your LAN firewall:

PREROUTING: translate all TCP and UDP packets from the internal interface destined for port 53 to the external address of your DMZ firewall
FORWARD: packets to TCP and UDP ports 53
FORWARD: all ESTABLISHED and RELATED packets

Plus anything else you want your LAN firewall to do...

Then, on your DMZ firewall:

PREROUTING: translate all TCP and UDP packets addressed to the firewall itself for port 53, to 10.0.0.10
FORWARD: packets to TCP and UDP ports 53
FORWARD: all ESTABLISHED and RELATED packets
POSTROUTING: translate all outgoing packets to have a source address of the DMZ firewall

See if that helps ?

Antony.
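The two rulesets sketched in the reply above, written out as iptables commands. This is an added example, not the original poster's ruleset or Antony's; the interface names and the DMZ firewall's public address are assumed placeholders, and only 10.0.0.10 comes from the thread. By default it prints the commands rather than running them.

```shell
#!/bin/sh
# Added example: the LAN-firewall and DMZ-firewall rules for redirecting
# LAN DNS traffic to the DNS server on the DMZ.
LAN_IN=eth1                 # LAN firewall: internal (LAN-facing) interface (assumed)
DMZ_FW_EXT=198.51.100.2     # DMZ firewall: public address (assumed placeholder)
DMZ_EXT=eth0                # DMZ firewall: external interface (assumed)
DMZ_IN=eth1                 # DMZ firewall: internal (DMZ-facing) interface (assumed)
DNS_SERVER=10.0.0.10        # DNS server on the DMZ (from the thread)

# Dry run by default: prints each command. Set IPT=iptables to apply for real.
IPT="${IPT:-echo iptables}"

# Rules for the firewall in front of the LAN.
lan_firewall_rules() {
  for proto in tcp udp; do
    # PREROUTING: LAN clients' port-53 requests are rewritten to the
    # DMZ firewall's public address before the routing decision is made.
    $IPT -t nat -A PREROUTING -i "$LAN_IN" -p "$proto" --dport 53 \
      -j DNAT --to-destination "$DMZ_FW_EXT"
    # FORWARD: let the translated DNS requests through (note --dport, not --sport).
    $IPT -A FORWARD -i "$LAN_IN" -p "$proto" --dport 53 -j ACCEPT
  done
  # FORWARD: replies and related traffic for connections already seen.
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Rules for the firewall in front of the DMZ.
dmz_firewall_rules() {
  for proto in tcp udp; do
    # PREROUTING: port 53 traffic addressed to the firewall itself goes to
    # the DNS server inside the DMZ.
    $IPT -t nat -A PREROUTING -d "$DMZ_FW_EXT" -p "$proto" --dport 53 \
      -j DNAT --to-destination "$DNS_SERVER"
    # FORWARD: only DNS is allowed in towards that server.
    $IPT -A FORWARD -o "$DMZ_IN" -d "$DNS_SERVER" -p "$proto" --dport 53 -j ACCEPT
  done
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # POSTROUTING: anything leaving the external interface carries the DMZ
  # firewall's own address, so replies come back through this firewall.
  $IPT -t nat -A POSTROUTING -o "$DMZ_EXT" -j SNAT --to-source "$DMZ_FW_EXT"
}

lan_firewall_rules
dmz_firewall_rules
```

Run it as-is to review the generated commands, then re-run with `IPT=iptables` on the respective firewall to load them.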
