chris
2003-Jul-18 00:38 UTC
[Shorewall-users] forward all traffic from aliased ip to DMZ..? how?
If I wanted to set up a dmz on its own subnet and use nat to forward all traffic from a single ip address on my firewall to it how would I do that.
I have been playing around with nat and snat but haven't found the combination yet to get it to work or I have the options wrong.... the external interface also has 5 ips assigned to it. though for now I'm only using three. How would I go about forwarding all traffic from one of the aliased ips to the dmz on its own subnet. by all traffic I mean all ports.
So that the dmz is free to be wide open to the outside world. And will obviously have to have its own firewall. The dmz client is also running bsd if that helps any?...

Any help is appreciated I have been working on this for a few nights now.... I have a bad case of insomnia... hehe.... so thank you for any help in advance.... you can feel free to just email me if that's what you want....

chrisj
Tom Eastep
2003-Jul-18 07:08 UTC
[Shorewall-users] forward all traffic from aliased ip to DMZ..? how?
On Fri, 2003-07-18 at 00:38, chris wrote:
> If I wanted to set up a dmz on its own subnet and use nat to forward all
> traffic from a single ip address on my firewall to it how would I do
> that.
> I have been playing around with nat and snat but haven't found the
> combination yet to get it to work or I have the options wrong.... the
> external interface also has 5 ips assigned to it. though for now I'm
> only using three. How would I go about forwarding all traffic from one
> of the aliased ips to the dmz on its own subnet. by all traffic I mean
> all ports.
> So that the dmz is free to be wide open to the outside world. And will
> obviously have to have its own firewall. The dmz client is also running
> bsd if that helps any?...
>
> Any help is appreciated I have been working on this for a few nights
> now.... I have a bad case of insomnia... hehe.... so thank you for any
> help in advance.... you can feel free to just email me if that's what
> you want....

I would use Proxy ARP -- see http://www.shorewall.net/ProxyARP.htm and http://www.shorewall.net/shorewall_setup_guide.htm

Given that you have multiple external IP addresses, you should have already read the latter document.

You can then set up the following policies:

    net    dmz    ACCEPT
    dmz    net    ACCEPT

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
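
The Proxy ARP setup suggested in the reply above, sketched as Shorewall configuration files. This is an added example, not part of the original thread or of the Shorewall documentation. The interface names (eth0 external, eth1 DMZ), the address 192.0.2.10 and the assumption that zones `net` and `dmz` are already defined in /etc/shorewall/zones are all constructed for illustration.

```conf
# Constructed example: 192.0.2.10 stands in for the one public address that
# is handed to the DMZ host; eth0 = external, eth1 = DMZ (both assumed).

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
dmz     eth1        detect

# /etc/shorewall/proxyarp
# The firewall answers ARP requests for ADDRESS on EXTERNAL and routes the
# traffic out INTERFACE. HAVEROUTE "no" lets Shorewall add the host route.
#ADDRESS      INTERFACE   EXTERNAL   HAVEROUTE
192.0.2.10    eth1        eth0       no

# /etc/shorewall/policy
# The two policies from the reply. The file is matched top to bottom, so
# these lines go above any broader net/all policy.
# With net->dmz ACCEPT every port on the DMZ host is reachable from the
# Internet; filtering is left entirely to the host's own firewall.
#SOURCE   DEST   POLICY   LOG LEVEL
net       dmz    ACCEPT
dmz       net    ACCEPT

# Notes:
# - 192.0.2.10 is configured on the DMZ host itself and must not also be
#   an alias on eth0, or the firewall will answer for the address itself.
# - No /etc/shorewall/nat entry or DNAT rule is involved; the address is
#   not translated, so the host sees its real public IP.
```

After restarting Shorewall, `arp -an` on the firewall should show a published (PERM PUB) entry for the DMZ host's address on the external interface.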