Linux Netfilter discussions
From: Greg Cope <gregcope@gmail.com>
To: netfilter@lists.netfilter.org
Subject: Re: Help debugging iptables firewall....
Date: Wed, 26 Jan 2005 07:19:26 +0000
Message-ID: <c0e9781f0501252319f7b6f27@mail.gmail.com>
In-Reply-To: <27594E8BA9D5CA458F5EF87D88B6B48F019924@pxtvjoexd01.pxt.primeexalia.com>

Hiya,

[07:09:48 root@gateway root]$ cat /proc/sys/net/ipv4/ip_forward
1

It would seem that the one rule that is causing the issue is this one:

Works:

$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -j MASQUERADE

Does not:

$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -d ! $LAN_IP_RANGE -j MASQUERADE

The lan is on 192.168.0.0/24.
DMZ is on 192.168.254.0/24

I.e. the -d ! $LAN_IP_RANGE

LAN_IP_RANGE="192.168.0.0/16"

So should the DMZ be natted to the LAN?  I would assume yes.

Are there any good guides to 3-interface firewalls - ie lan, dmz, red?

Greg

On Tue, 25 Jan 2005 14:11:30 -0800, Gary W. Smith <gary@primeexalia.com> wrote:
> Greg,
> 
> This might be real dumb but do you have IP forwarding enabled?  If you
> do then NAT isn't necessary between the LANs.
> 
> Gary
> 
> > -----Original Message-----
> > From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> > bounces@lists.netfilter.org] On Behalf Of Greg Cope
> > Sent: Tuesday, January 25, 2005 2:07 PM
> > To: netfilter@lists.netfilter.org
> > Subject: Re: Help debugging iptables firewall....
> > 
> 
> > Bingo.
> >
> > Seemed to have solved it.  I noticed that without the firewall running
> > the following rule was in the stop section:
> >
> > iptables -t nat -A POSTROUTING -s 192.168.0.0/24  -j MASQUERADE
> >
> > Looking at the tcp dumps when it "worked" without the firewall the db
> > server thought it was talking to the firewall.
> >
> > When the firewall was on the db server was failing to talk to the
> > webserver, and the connection packet got through, but there never
> > seemed to be an ack packet back out.
> >
> > I am a bit confused, but it seems to work now - which is good until
> > tomorrow morning.
> >
> > Thanks for your help.
> >
> > Not sure what the right way to do it is.  I suppose the LAN should be
> > masqueraded to the DMZ hosts, as the DMZ hosts should not have
> > detailed knowledge of the LAN side.
> >
> > Greg
>

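An added example (not from the thread or either poster) that models the matching behaviour of the two POSTROUTING rules quoted above, so the difference between them can be checked flow by flow: with LAN_IP_RANGE set to 192.168.0.0/16, the DMZ (192.168.254.0/24) sits inside the negated destination, so the second rule never masquerades LAN-to-DMZ traffic. The three flows and the 203.0.113.7 external address are constructed sample values; the /24 variant is shown only to make the effect of the range width visible.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Dict, Tuple

@dataclass(frozen=True)
class NatRule:
    """One POSTROUTING rule: -s SRC [-d [!] DST] -j MASQUERADE."""
    src: str
    dst: Optional[str] = None
    dst_negated: bool = False

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        # -s: source must lie in the range
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is None:          # no -d: source alone decides
            return True
        in_dst = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
        # "-d X" matches when in X; "-d ! X" matches when NOT in X
        return in_dst != self.dst_negated

def masqueraded(rules, src_ip: str, dst_ip: str) -> bool:
    """True if any rule in the chain would MASQUERADE this flow."""
    return any(r.matches(src_ip, dst_ip) for r in rules)

# Constructed sample flows (LAN 192.168.0.0/24, DMZ 192.168.254.0/24,
# 203.0.113.7 stands in for an Internet host).
FLOWS: Dict[str, Tuple[str, str]] = {
    "lan->dmz": ("192.168.0.10", "192.168.254.5"),
    "lan->internet": ("192.168.0.10", "203.0.113.7"),
    "dmz->lan": ("192.168.254.5", "192.168.0.10"),
}

def compare(lan_ip_range: str = "192.168.0.0/16"):
    """For each flow: (masqueraded by 'Works' rule, masqueraded by 'Does not' rule)."""
    works = [NatRule(src=lan_ip_range)]
    does_not = [NatRule(src=lan_ip_range, dst=lan_ip_range, dst_negated=True)]
    return {name: (masqueraded(works, s, d), masqueraded(does_not, s, d))
            for name, (s, d) in FLOWS.items()}

if __name__ == "__main__":
    for rng in ("192.168.0.0/16", "192.168.0.0/24"):
        print(rng, compare(rng))
```

With the /16 value the negated rule masquerades only LAN-to-Internet traffic; with a /24 LAN range the DMZ falls outside the exclusion and LAN-to-DMZ flows are masqueraded again, which is what the thread observed with the plain rule.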
