From: Payal Rathod <payal-netfilter@scriptkitchen.com>
To: Netfilter ML <netfilter@lists.netfilter.org>
Subject: Re: firewall problem continued
Date: Mon, 9 Aug 2004 06:39:42 -0400
Message-ID: <20040809103942.GA15462@tranquility.scriptkitchen.com>
In-Reply-To: <200408090932.13099.Antony@Soft-Solutions.co.uk>

On Mon, Aug 09, 2004 at 09:32:13AM +0100, Antony Stone wrote:

> I think you should specify the output interface in your MASQUERADE rules, so 
> that only packets going out of the Internet interface get SNATted - otherwise 
> packets going between your internal LAN and the DMZ are going to get SNATted 
> too, which is not really what you want.

Does this look OK?

-A POSTROUTING -s 192.168.0.0/255.255.0.0 -o eth2 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/255.0.0.0 -o eth2 -j MASQUERADE

> This may be because you say you have a Squid proxy running on the firewall 
> itself.   If you were just doing standard HTTP, the ruleset you have posted 
> looks like you should have access to TCP dport 80 on the DMZ from the LAN.

Yes, I do have squid running on the firewall machine itself.

> Why would you need to access 25/110 from the firewall?   Surely it isn't 
> acting as a mail client?

Right now I will keep them as they are if they are not harming much. I will
remove them a bit later.

> What Squid access controls do you have?

Nothing much, it is very simple.
acl designs src 192.168.0.0/255.255.0.0
http_access allow designs

> What URL are you using to access the mail server from the LAN?

Direct IP: http://<public IP>/mail

> There is a default ACCEPT policy, there are also some ACCEPT rules (and no 
> DROP rules), and the -m state rule is included twice....

People here suggested to me that a default ACCEPT policy was OK.
As I said earlier, I am unable to access the DMZ's external IP from the
firewall machine. If I try
telnet <external IP of DMZ> 80
I cannot reach it, but I can reach the same with
telnet 10.10.10.2 80

What do you think the problem is?
Thanks a lot for the help.

With warm regards,
-Payal
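The two points Antony raised in the quoted text, a MASQUERADE rule with no `-o` interface that would also source-NAT LAN-to-DMZ traffic, and a `-m state` rule listed twice, are both mechanical enough to check from `iptables-save` output. The script below is an added example and is not from this thread or from the netfilter project; it parses a constructed ruleset (the two `-o eth2` rules from the mail plus an unrestricted rule and a duplicated state rule, all made up for illustration) and reports the rules that have either problem.

```python
"""Lint iptables-save style output for two hand-assembled ruleset mistakes:
NAT rules that name no outgoing interface, and rules listed more than once."""
import shlex
from collections import Counter

# Constructed sample ruleset for this example; not taken from the original mail.
SAMPLE_RULES = """\
*nat
-A POSTROUTING -s 192.168.0.0/255.255.0.0 -o eth2 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/255.0.0.0 -o eth2 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/255.240.0.0 -j MASQUERADE
COMMIT
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""


def parse_rules(text):
    """Yield (table, chain, tokens) for every '-A' line in iptables-save output."""
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # table header, e.g. *nat
            table = line[1:]
            continue
        if line == "COMMIT" or line.startswith(":"):  # end of table / chain policy line
            continue
        tokens = shlex.split(line)
        if len(tokens) >= 2 and tokens[0] == "-A":
            yield table, tokens[1], tokens


def has_option(tokens, *names):
    return any(t in names for t in tokens)


def find_unrestricted_nat(text):
    """Return MASQUERADE/SNAT rules in nat/POSTROUTING that specify no -o interface.

    Without an outgoing interface every forwarded packet, including traffic
    between internal segments such as a LAN and a DMZ, gets source-NATed."""
    findings = []
    for table, chain, tokens in parse_rules(text):
        if table != "nat" or chain != "POSTROUTING" or "-j" not in tokens:
            continue
        target = tokens[tokens.index("-j") + 1]
        if target in ("MASQUERADE", "SNAT") and not has_option(tokens, "-o", "--out-interface"):
            findings.append(" ".join(tokens))
    return findings


def find_duplicate_rules(text):
    """Return rules that occur more than once in the same table and chain.

    iptables accepts duplicates silently; they match nothing new, but they
    are a sign the ruleset was appended to by hand rather than regenerated."""
    counts = Counter((table, chain, " ".join(tokens))
                     for table, chain, tokens in parse_rules(text))
    return [rule for (_table, _chain, rule), n in counts.items() if n > 1]


def lint(text):
    return {"unrestricted_nat": find_unrestricted_nat(text),
            "duplicates": find_duplicate_rules(text)}


if __name__ == "__main__":
    for kind, rules in lint(SAMPLE_RULES).items():
        for rule in rules:
            print(f"{kind}: {rule}")
```

Run it against `iptables-save` output redirected to a file and passed to `lint()`; on the constructed sample it reports only the `172.16.0.0/12` MASQUERADE rule and the duplicated INPUT state rule, while the two `-o eth2` rules from the mail pass.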

