From: Greg Cope <gregcope@gmail.com>
To: netfilter@lists.netfilter.org
Subject: Re: Help debugging iptables firewall....
Date: Wed, 26 Jan 2005 07:19:26 +0000
Message-ID: <c0e9781f0501252319f7b6f27@mail.gmail.com>
In-Reply-To: <27594E8BA9D5CA458F5EF87D88B6B48F019924@pxtvjoexd01.pxt.primeexalia.com>
Hiya,
[07:09:48 root@gateway root]$ cat /proc/sys/net/ipv4/ip_forward
1
It would seem that the one rule that is causing the issue is this one:
Works:
$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -j MASQUERADE
Does not:
$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -d ! $LAN_IP_RANGE -j MASQUERADE
The LAN is on 192.168.0.0/24.
DMZ is on 192.168.254.0/24
I.e. the -d ! $LAN_IP_RANGE
LAN_IP_RANGE="192.168.0.0/16"
So should the DMZ be natted to the LAN? I would assume yes.
Are there any good guides to 3-interface firewalls - i.e. LAN, DMZ, red?
Greg
On Tue, 25 Jan 2005 14:11:30 -0800, Gary W. Smith <gary@primeexalia.com> wrote:
> Greg,
>
> This might be real dumb but do you have IP forwarding enabled? If you
> do then NAT isn't necessary between the LANs.
>
> Gary
>
> > -----Original Message-----
> > From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> > bounces@lists.netfilter.org] On Behalf Of Greg Cope
> > Sent: Tuesday, January 25, 2005 2:07 PM
> > To: netfilter@lists.netfilter.org
> > Subject: Re: Help debugging iptables firewall....
> >
>
> > Bingo.
> >
> > Seemed to have solved it. I noticed that without the firewall running
> > the following rule was in the stop section:
> >
> > iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
> >
> > Looking at the tcp dumps when it "worked" without the firewall the db
> > server thought it was talking to the firewall.
> >
> > When the firewall was on the db server was failing to talk to the
> > webserver, and the connection packet got through, but there never
> > seemed to be an ack packet back out.
> >
> > I am a bit confused, but it seems to work now - which is good until
> > tomorrow morning.
> >
> > Thanks for your help.
> >
> > Not sure what the right way to do it is. I suppose the LAN should be
> > masqueraded to the DMZ hosts, as the DMZ hosts should not have
> > detailed knowledge of the LAN side.
> >
> > Greg
>
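The behaviour Greg describes follows from how the POSTROUTING rules match: with LAN_IP_RANGE set to 192.168.0.0/16, the DMZ (192.168.254.0/24) lies inside that range, so `-d ! $LAN_IP_RANGE` stops LAN-to-DMZ traffic from being masqueraded, while a /24 would not. The following is an added model of that matching logic, not Greg's script or any netfilter code; it models only `-s`, `-d`/`-d !` and the chain's default policy, and the host addresses (LAN 192.168.0.10, DMZ 192.168.254.5, Internet 198.51.100.7) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class NatRule:
    """One POSTROUTING rule: -s SRC [-d DST | -d ! DST] -j TARGET (modelled subset)."""
    src: ipaddress.IPv4Network
    target: str
    dst: Optional[ipaddress.IPv4Network] = None
    dst_negated: bool = False

    def matches(self, s: ipaddress.IPv4Address, d: ipaddress.IPv4Address) -> bool:
        if s not in self.src:
            return False
        if self.dst is not None:
            in_dst = d in self.dst
            # "-d ! NET" matches only when the destination is OUTSIDE NET;
            # "-d NET" matches only when it is inside.
            if in_dst == self.dst_negated:
                return False
        return True

    def as_iptables(self) -> str:
        """Render the rule in the (pre-1.4) inline-negation syntax used in the thread."""
        parts = ["iptables -t nat -A POSTROUTING", "-s", str(self.src)]
        if self.dst is not None:
            parts += ["-d", "!", str(self.dst)] if self.dst_negated else ["-d", str(self.dst)]
        parts += ["-j", self.target]
        return " ".join(parts)


def postrouting_target(rules: List[NatRule], src_ip: str, dst_ip: str) -> str:
    """First-match evaluation of the nat POSTROUTING chain; ACCEPT means 'leave unchanged'."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(s, d):
            return rule.target
    return "ACCEPT"  # chain policy: no NAT applied


def build_rules(lan_ip_range: str, exclude_lan_dst: bool) -> List[NatRule]:
    """The two variants from the thread: plain MASQUERADE, or MASQUERADE with -d ! LAN_IP_RANGE."""
    net = ipaddress.ip_network(lan_ip_range)
    if exclude_lan_dst:
        return [NatRule(src=net, target="MASQUERADE", dst=net, dst_negated=True)]
    return [NatRule(src=net, target="MASQUERADE")]


# Constructed sample hosts for the three legs of the firewall (not from the thread).
LAN_HOST = "192.168.0.10"
DMZ_HOST = "192.168.254.5"
INTERNET_HOST = "198.51.100.7"


def lan_to_dmz_is_masqueraded(lan_ip_range: str, exclude_lan_dst: bool) -> bool:
    rules = build_rules(lan_ip_range, exclude_lan_dst)
    return postrouting_target(rules, LAN_HOST, DMZ_HOST) == "MASQUERADE"


def lan_to_internet_is_masqueraded(lan_ip_range: str, exclude_lan_dst: bool) -> bool:
    rules = build_rules(lan_ip_range, exclude_lan_dst)
    return postrouting_target(rules, LAN_HOST, INTERNET_HOST) == "MASQUERADE"


if __name__ == "__main__":
    for lan_range in ("192.168.0.0/16", "192.168.0.0/24"):
        for exclude in (False, True):
            rule_text = build_rules(lan_range, exclude)[0].as_iptables()
            print(rule_text)
            print("  LAN->DMZ masqueraded:     ", lan_to_dmz_is_masqueraded(lan_range, exclude))
            print("  LAN->Internet masqueraded:", lan_to_internet_is_masqueraded(lan_range, exclude))
```

Running it shows that the `-d !` variant only stops NAT towards the DMZ when the DMZ is inside LAN_IP_RANGE (the /16 case); with a /24 both variants masquerade LAN-to-DMZ traffic, which matches what Greg saw "working". Once LAN-to-DMZ traffic is no longer masqueraded, the DMZ hosts see real 192.168.0.0/24 source addresses and need a route back to that network via the firewall, otherwise replies never return and the connection stalls after the first packet. Newer iptables releases write the negation as `! -d NET` rather than the inline `-d ! NET` form shown here.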