Hello Users,

Sorry for double-post, I forgot to disable HTML...

I need to do the following:
I have a local network 192.168.0.0/24; the DNS entry of the clients points to my Shorewall interface eth0, IP 192.168.0.1.
The nameserver (192.168.100.6) runs in the DMZ; the Shorewall interface to the DMZ is eth2 with IP 192.168.100.1.
It was no problem to route the DNS traffic from the local net to the nameserver in the DMZ.
But this nameserver only accepts (and it should stay as it is) requests on port 53 from the Shorewall DMZ interface IP 192.168.100.1.
In that case it's necessary to always "translate" the source IP (from the LAN, 192.168.0.XXX) to the IP of Shorewall's DMZ interface (192.168.100.1).
Maybe the IPTABLES rules of my old firewall could help you to understand what I need:

    # DNS requests from the LAN to the firewall's eth0 address: redirect them to the nameserver in the DMZ
    $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.0.0/24 -d 192.168.0.1 --dport 53 -j DNAT --to-destination 192.168.100.6
    $IPTABLES -t nat -A PREROUTING -p udp -m udp -s 192.168.0.0/24 -d 192.168.0.1 --dport 53 -j DNAT --to-destination 192.168.100.6
    # on the way out through eth2, rewrite the LAN source address to the DMZ interface address
    $IPTABLES -t nat -A POSTROUTING -o eth2 -p tcp -m tcp -s 192.168.0.0/24 -d 192.168.100.6 --dport 53 -j SNAT --to-source 192.168.100.1
    $IPTABLES -t nat -A POSTROUTING -o eth2 -p udp -m udp -s 192.168.0.0/24 -d 192.168.100.6 --dport 53 -j SNAT --to-source 192.168.100.1

Alex.

------------------------------------------------------------------------------
Own the Future-Intel(R) Level Up Game Demo Contest 2013
Rise to greatness in Intel's independent game demo contest. Compete for recognition, cash, and the chance to get your game on Steam. $5K grand prize plus 10 genre and skill prizes. Submit your demo by 6/6/13.
http://altfarm.mediaplex.com/ad/ck/12124-176961-30367-2
On 03/30/2013 11:55 PM, Jens Hanusch wrote:
> Hello Users,
>
> Sorry for double-post, I forgot to disable HTML...
>
> I need to do the following:
> I have a local network 192.168.0.0/24; the DNS entry of the clients points to my Shorewall interface eth0, IP 192.168.0.1.
> The nameserver (192.168.100.6) runs in the DMZ; the Shorewall interface to the DMZ is eth2 with IP 192.168.100.1.
> It was no problem to route the DNS traffic from the local net to the nameserver in the DMZ.
> But this nameserver only accepts (and it should stay as it is) requests on port 53 from the Shorewall DMZ interface IP 192.168.100.1.
> In that case it's necessary to always "translate" the source IP (from the LAN, 192.168.0.XXX) to the IP of Shorewall's DMZ interface (192.168.100.1).
> Maybe the IPTABLES rules of my old firewall could help you to understand what I need:
> $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.0.0/24 -d 192.168.0.1 --dport 53 -j DNAT --to-destination 192.168.100.6
> $IPTABLES -t nat -A PREROUTING -p udp -m udp -s 192.168.0.0/24 -d 192.168.0.1 --dport 53 -j DNAT --to-destination 192.168.100.6
> $IPTABLES -t nat -A POSTROUTING -o eth2 -p tcp -m tcp -s 192.168.0.0/24 -d 192.168.100.6 --dport 53 -j SNAT --to-source 192.168.100.1
> $IPTABLES -t nat -A POSTROUTING -o eth2 -p udp -m udp -s 192.168.0.0/24 -d 192.168.100.6 --dport 53 -j SNAT --to-source 192.168.100.1

/etc/shorewall/rules:

    #ACTION  SOURCE  DEST               PROTO    DPORT  SPORT  ORIGDEST
    DNAT     lan     dmz:192.168.100.6  udp,tcp  53     -      192.168.0.1

Note: You don't mention which Shorewall version you are running; if your version doesn't accept multiple protocols in a single rule, then you will need separate rules for udp and tcp.

/etc/shorewall/masq:

    #INTERFACE            SOURCE          ADDRESS
    eth2:192.168.100.6    192.168.0.0/24  192.168.100.1

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA    \ all of the passengers in his car
http://shorewall.net \________________________________________________
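The following is an added example, not part of the thread and not Shorewall's own code: a small check that confirms, from the firewall's connection-tracking table, that a LAN DNS query got both translations Tom's two entries are meant to produce (the DNAT from /etc/shorewall/rules and the SNAT from /etc/shorewall/masq). It uses the addresses from the thread; the LAN prefix 192.168.0. is assumed from 192.168.0.0/24, and the three `conntrack -L` entries embedded below are constructed samples, not a real capture.

```shell
#!/bin/sh
# Added example (not from the thread): verify the DNAT + SNAT pair for LAN
# DNS queries by reading `conntrack -L` entries. conntrack prints the
# original tuple first (src=client dst=FW_LAN_IP ... dport=53) and then the
# reply tuple (src=DNS_IP dst=<translated client> ...). With both
# translations in place the reply tuple must point back at FW_DMZ_IP; any
# other reply dst means the masq/SNAT rule did not match and the nameserver
# (which only accepts queries from FW_DMZ_IP) will refuse the query.
FW_LAN_IP=192.168.0.1     # eth0, the resolver address the LAN clients use
FW_DMZ_IP=192.168.100.1   # eth2, the only source the nameserver accepts
DNS_IP=192.168.100.6      # nameserver in the DMZ
LAN_PREFIX=192.168.0.     # assumption: derived from 192.168.0.0/24

# dns_nat_ok: read conntrack -L output on stdin; exit 0 if at least one
# entry is a LAN query to FW_LAN_IP:53 whose reply comes from DNS_IP back to
# FW_DMZ_IP, exit 1 otherwise (including empty input).
dns_nat_ok() {
    awk -v lan="$FW_LAN_IP" -v dmz="$FW_DMZ_IP" -v dns="$DNS_IP" -v pfx="$LAN_PREFIX" '
    {
        # collect src=/dst=/dport= fields in order of appearance:
        # f[1..3] are the original tuple, f[4..6] the reply tuple
        n = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(src|dst|dport)=/) f[++n] = $i
        if (n >= 6 && index(f[1], "src=" pfx) == 1 && f[2] == "dst=" lan &&
            f[3] == "dport=53" && f[4] == "src=" dns && f[5] == "dst=" dmz)
            found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Constructed sample entries in `conntrack -L` format (not a real capture).
# Both translations applied: reply goes from the nameserver to eth2's address.
SAMPLE_OK='udp      17 28 src=192.168.0.23 dst=192.168.0.1 sport=51234 dport=53 src=192.168.100.6 dst=192.168.100.1 sport=53 dport=51234 mark=0 use=1'
# DNAT applied but SNAT missing: the nameserver would see the LAN client
# address and refuse it.
SAMPLE_NO_SNAT='udp      17 28 src=192.168.0.23 dst=192.168.0.1 sport=51234 dport=53 src=192.168.100.6 dst=192.168.0.23 sport=53 dport=51234 mark=0 use=1'
# Unrelated entry: a client querying an outside resolver directly.
SAMPLE_OTHER='udp      17 28 src=192.168.0.23 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=203.0.113.5 sport=53 dport=40000 mark=0 use=1'

# Self-check on the samples. On the firewall itself, after a client has run
# a query against 192.168.0.1, use:
#   conntrack -L -p udp --dport 53 2>/dev/null | dns_nat_ok && echo "DNS NAT ok"
printf '%s\n' "$SAMPLE_OK" | dns_nat_ok && echo "sample 1: DNAT and SNAT both applied"
printf '%s\n' "$SAMPLE_NO_SNAT" | dns_nat_ok || echo "sample 2: SNAT missing"
printf '%s\n' "$SAMPLE_OTHER" | dns_nat_ok || echo "sample 3: no matching entry"
```

One consequence worth keeping in mind with this setup: once the SNAT is in place the nameserver sees every LAN query as coming from 192.168.100.1, so its query logs and any per-client access control on the nameserver can no longer tell LAN clients apart; that visibility only exists on the firewall, in the conntrack table the check above reads.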