Christian Bayer wrote:
> Hello,
>
> following problem:
>
> I have a network 172.17.180.64/255.255.255.192 (LOC). Default Gateway
> 172.17.180.67
> The Shorewall Firewall is the default gateway and has IP 172.17.180.67.
>
> Behind an OTHER CISCO Gateway 172.17.180.68 is a DMZ which uses the
> Subnet 10.100.100.0/255.255.255.0
> In this DMZ is a DNS Server with IP 10.100.100.11
>
> The Problem:
> On all Clients in the 172.17.180.64/255.255.255.192 net the OLD DNS
> Server (10.10.10.11 !!!) is written in the Network Settings,
> and the CISCO accepts only packets to the 10.100.100.x subnet.
>
> The only thing I want is to FORWARD all UDP/TCP 53 connects to
> 10.10.10.11 to the new DNS 10.100.100.11 !!!
>
> I already used the following RULE on 172.17.180.67:
> DNAT loc loc:10.100.100.11 udp 53 - 10.10.10.11
> DNAT loc loc:10.100.100.11 tcp 53 - 10.10.10.11
>
> but this doesn't work.
>
> Please Help !!
>

A configuration such as yours is covered in the Shorewall documentation in the article at http://www.shorewall.net/Multiple_Zones.html (From the documentation index, follow the link labeled "Routing on One Interface").

As described there, you need to: set the 'routeback' option on your local interface in /etc/shorewall/interfaces.

You *may* also need to add this entry to your /etc/shorewall/masq file:

    <local_if>:10.100.100.11 172.17.180.0/26 172.17.180.67

but simply adding 'routeback' (along with your DNAT rules) should be enough.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
