I have a "fairly standard" 3-NIC set up with a public internet connection, a private LAN, and a DMZ zone. From inside the LAN, I can access my DMZ server without any problems. From the internet, I can access the DMZ on appropriate ports via DNAT. But when I attempt to access the public IP (on a DNATed port) from inside the firewall, I get nothing. Here's the log entry.

Apr 22 05:49:48 flute kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=205.152.37.254 DST=67.33.121.68 LEN=76 TOS=0x00 PREC=0x00 TTL=250 ID=4056 DF PROTO=UDP SPT=29525 DPT=34238 LEN=56

The DST is my public IP address, which is on ppp0.

Can someone translate this and tell me what's kicking it out?

David
On Tue, 22 Apr 2003, David Corbin wrote:

> I have a "fairly standard" 3-NIC set up with a public internet
> connection, a private LAN, and a DMZ zone. From inside the LAN, I can
> access my DMZ server without any problems. From the internet, I can
> access the DMZ on appropriate ports via DNAT. But when I attempt to
> access the public IP (on a DNATed port) from inside the firewall, I get
> nothing. Here's the log entry.
>
> Apr 22 05:49:48 flute kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC=
> SRC=205.152.37.254 DST=67.33.121.68 LEN=76 TOS=0x00 PREC=0x00 TTL=250
> ID=4056 DF PROTO=UDP SPT=29525 DPT=34238 LEN=56
>
> The DST is my public IP address, which is on ppp0.
>
> Can someone translate this and tell me what's kicking it out?
>

Please see Shorewall FAQ #2.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
On Tue, 22 Apr 2003, Tom Eastep wrote:

>
> Please see Shorewall FAQ #2.
>

Although your question isn't quite the same as FAQ #2 because you have a DMZ.

You have rules of the form:

DNAT net dmz tcp x

That defines DNAT from the 'net' zone to the 'dmz'. What makes you think that rule works when the source zone is 'loc'? In other words, you also need:

DNAT loc dmz tcp x - <external ip address>

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
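As an added illustration of the two rules Tom describes (this fragment is not from the thread or from the Shorewall project, and the DMZ server address 192.168.2.10 and the TCP port 80 are assumptions), here is how the pair would look in a Shorewall 1.x /etc/shorewall/rules file. The public address 67.33.121.68 is the one from the log entry above:

```text
#ACTION  SOURCE  DEST               PROTO  DEST     SOURCE   ORIGINAL
#                                          PORT(S)  PORT(S)  DEST
#
# Internet clients connecting to the public address. This is the rule
# that already works; it never matches traffic whose source zone is loc.
DNAT     net     dmz:192.168.2.10   tcp    80       -        -
#
# LAN clients that connect to the public address instead of the DMZ
# server's own address. Assumed example, not copied from the thread.
# The ORIGINAL DEST column must name the external address: with "-"
# there, every loc connection to tcp/80, including ordinary web
# browsing to Internet hosts, would be redirected into the DMZ server.
DNAT     loc     dmz:192.168.2.10   tcp    80       -        67.33.121.68
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

After `shorewall restart`, connect from a LAN host to 67.33.121.68 port 80 and check that the loc rule's packet counter in `shorewall show nat` increments. No SNAT is needed in this 3-NIC layout: the DMZ server's reply is addressed to the LAN client, which lives on a different subnet, so the reply is routed back through the firewall and the connection tracking entry reverses the translation. That is what separates this case from the 2-interface scenario in FAQ #2, where client and server share a subnet and the reply would bypass the firewall.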