Hello,

I need some help with a routing problem on a complex configuration. The problem is that I can't reach services outside from my DMZ.

The scenario is a gateway linked to three internet connections, so I used three distinct iproute2 tables for routing. The gw is running ipvs for balancing over the DMZ's servers. DMZ servers are on the 192.168.1.0/24 network. Every table has the route to reach it:

    192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1

I'm using iptables to NAT a server on my DMZ to reach DNS services outside:

    iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 151.99.0.100 --dport 53 -j SNAT --to-source 81.77.88.99

Looking inside the cache I find only the route to reach the DNS server, but not the one that the DNS needs to reach my server:

    151.99.0.100 from 192.168.1.2 via 81.77.88.100 dev eth2 src 192.168.1.249
        cache <src-direct> mtu 1500 advmss 1460 metric10 64 iif eth0

I experienced in the past that re-entering the iptables nat command worked, but it seems a random effect and doesn't always work.

Thanks in advance,
Luca Maragnani
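The multi-WAN SNAT setup described above, written out as an added example (not code from the thread or from any of its posters): the DMZ-to-resolver flow is pinned to the eth2 routing table before POSTROUTING SNAT runs, so the rewritten source 81.77.88.99 always matches the link the packet leaves on. Addresses, interfaces and the resolver are taken from the thread; the table name wan2, the DRY_RUN switch and the check function are assumptions of this example, and UDP is covered alongside TCP because DNS uses both.

```shell
#!/bin/sh
# Added example, not code from the thread. Policy routing plus SNAT for
# DMZ hosts reaching the external resolver over one specific WAN link.
# Addresses, interfaces and the resolver come from the thread; the table
# name "wan2" and the DRY_RUN handling are assumptions of this example.
DMZ_NET=192.168.1.0/24
DMZ_IF=eth0
DNS_SERVER=151.99.0.100
WAN_IF=eth2
WAN_ADDR=81.77.88.99
WAN_GW=81.77.88.100
WAN_TABLE=wan2
DRY_RUN=${DRY_RUN:-1}

# Run a command, or only print it when DRY_RUN=1 (the default).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Routing is decided before POSTROUTING SNAT, so the rewritten source
# address 81.77.88.99 is only valid if the packet really leaves on eth2.
# Pin the DMZ-to-resolver flow to the eth2 table before NAT happens.
setup_wan_table() {
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$WAN_TABLE"
    run ip route replace "$DMZ_NET" dev "$DMZ_IF" table "$WAN_TABLE"
    run ip rule add from "$DMZ_NET" to "$DNS_SERVER" lookup "$WAN_TABLE"
}

# SNAT only the DNS flow to the resolver. DNS uses UDP as well as TCP,
# so both protocols get a rule; -o eth2 keeps the rule from firing on
# packets that routing sent out another link.
setup_dns_snat() {
    for proto in udp tcp; do
        run iptables -t nat -A POSTROUTING -p "$proto" -s "$DMZ_NET" \
            -d "$DNS_SERVER" --dport 53 -o "$WAN_IF" \
            -j SNAT --to-source "$WAN_ADDR"
    done
}

# Show which link the kernel would actually pick for a DMZ host's query.
check_dns_path() {
    run ip route get "$DNS_SERVER" from 192.168.1.2 iif "$DMZ_IF"
}
```

Run with DRY_RUN=0 as root to apply; with the default DRY_RUN=1 the functions only print the commands they would execute.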
> Hello,
> I need some help with a routing problem on a complex configuration.
> The problem is that I can't reach services outside from my DMZ.
> The scenario is a gateway linked to three internet connections, so that
> I used three distinct iproute2 tables for routing. The gw is running
> ipvs for balancing over the DMZ's servers.
> DMZ servers are on the 192.168.1.0/24 network.
> Every table has the route to reach it:
> 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
> I'm using iptables to NAT a server on my DMZ to reach DNS services outside:
> iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 151.99.0.100
> --dport 53 -j SNAT --to-source 81.77.88.99

Have you tried to use DNAT from iptables? DNAT is in PREROUTING, and if you have a DNS service you need to make the outside service connection connect to your DNS server!

> Looking inside the cache I find only the route to reach the DNS server,
> but not the one that the DNS needs to reach my server:
> 151.99.0.100 from 192.168.1.2 via 81.77.88.100 dev eth2 src 192.168.1.249
>     cache <src-direct> mtu 1500 advmss 1460 metric10 64 iif eth0
>
> I experienced in the past that re-entering the iptables nat command
> worked, but it seems a random effect and doesn't always work.
>
> Thanks in advance,
> Luca Maragnani

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Sorry, surely I didn't explain the problem well. I don't have DNS services. I need to access the DNS server at 151.99.0.100 from my servers, which have private IP addresses. I think the only thing I need is to SNAT the connection.

Thanks all the same,
Luca

Ionut Popovici wrote:
>> Hello,
>> I need some help with a routing problem on a complex configuration.
>> The problem is that I can't reach services outside from my DMZ.
>> The scenario is a gateway linked to three internet connections, so
>> that I used three distinct iproute2 tables for routing. The gw is
>> running ipvs for balancing over the DMZ's servers.
>> DMZ servers are on the 192.168.1.0/24 network.
>> Every table has the route to reach it:
>> 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
>> I'm using iptables to NAT a server on my DMZ to reach DNS services
>> outside:
>> iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d
>> 151.99.0.100 --dport 53 -j SNAT --to-source 81.77.88.99
>
> Have you tried to use DNAT from iptables? DNAT is in PREROUTING,
> and if you have a DNS service you need to make the outside service
> connection connect to your DNS server!
>
>> Looking inside the cache I find only the route to reach the DNS
>> server, but not the one that the DNS needs to reach my server:
>> 151.99.0.100 from 192.168.1.2 via 81.77.88.100 dev eth2 src
>> 192.168.1.249
>>     cache <src-direct> mtu 1500 advmss 1460 metric10 64 iif eth0
>>
>> I experienced in the past that re-entering the iptables nat command
>> worked, but it seems a random effect and doesn't always work.
>>
>> Thanks in advance,
>> Luca Maragnani