
Re: Port forwarding and local firewall connections



On 2007-07-12 Marco wrote:
> This is the network:
> 
> LAN (10.10.10.0/24) <-> (10.10.10.12) FW (192.168.10.1) <->
> (192.168.10.2) webserver
> 
> I have set up a firewall that redirects some ports to another
> server in the DMZ with iptables:
> 
> iptables -t nat -A PREROUTING -i ! $DMZIF -p tcp --dport 80 -j
> DNAT --to 192.168.10.2
> iptables -A FORWARD -p tcp -d 192.168.10.2 --dport 80 -j ACCEPT
> 
> Everything works correctly from the LAN, PCs can connect to the
> webserver and it replies, but if on the firewall I try to
> connect to http://10.10.10.12 it doesn't work, it says connection
> refused.

Well, of course. 10.10.10.12 is the LAN interface of your firewall, but
the webserver is located in the DMZ, not in the LAN. If you want to
connect from the firewall box to the webserver, you need to use the DMZ
address (http://192.168.10.2).

Anyway, you have two private networks here, so you don't need to do NAT
in the first place. You only need NAT when public networks are involved,
because private IP addresses mustn't be routed over public networks.

  iptables -A FORWARD -p tcp -d 192.168.10.2 --dport 80 -j ACCEPT

and appropriate routes should suffice.

Regards
Ansgar Wiechers
-- 
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
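An added example (not from Marco or Ansgar) of the routing-only setup Ansgar suggests: a POSIX shell script that emits the forwarding rules and the route for the LAN <-> firewall <-> DMZ topology from the post. The interface names eth0/eth1 are assumed; the addresses are the ones in the thread. It prints the commands instead of executing them unless DRY_RUN=0, so it can be reviewed without root and without touching a live rule set. Note that connections started on the firewall box itself never pass the PREROUTING chain, which is why Marco's DNAT rule cannot help there and the DMZ address has to be used directly, as Ansgar says.

```shell
#!/bin/sh
# Added example: plain routing plus a stateful FORWARD policy for the
# LAN (10.10.10.0/24) <-> FW <-> DMZ (192.168.10.0/24) network in the post.
# No NAT is involved, since both networks are private.
LANIF=${LANIF:-eth0}          # assumed interface names; adjust to your box
DMZIF=${DMZIF:-eth1}
LANNET=10.10.10.0/24          # addresses from the original post
DMZNET=192.168.10.0/24
FW_LAN_ADDR=10.10.10.12
WEBSERVER=192.168.10.2
DRY_RUN=${DRY_RUN:-1}         # 1 = print commands, 0 = execute them

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Emit the forwarding rules, one command per line, so they can be reviewed
# (or diffed against a running configuration) before being applied.
forward_rules() {
    # The box must route between its two interfaces.
    run sysctl -w net.ipv4.ip_forward=1
    # Deny everything that is not explicitly allowed to cross the firewall.
    run iptables -P FORWARD DROP
    # Return traffic for connections the firewall already accepted.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN clients may open HTTP connections to the DMZ webserver only
    # (the one rule from Marco's setup that Ansgar's reply keeps).
    run iptables -A FORWARD -i "$LANIF" -o "$DMZIF" -s "$LANNET" -d "$WEBSERVER" \
        -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # Anything the DMZ initiates toward the LAN falls through to the DROP
    # policy, so a compromised webserver cannot reach LAN hosts.
}

# The firewall is directly connected to both subnets and needs no extra
# route. LAN hosts need a route to the DMZ via the firewall's LAN address;
# this is the command a LAN host would run.
lan_host_route() {
    run ip route add "$DMZNET" via "$FW_LAN_ADDR"
}

# Sanity check: exactly one rule should name the webserver explicitly.
count_webserver_rules() {
    forward_rules | grep -c -- "-d $WEBSERVER"
}

forward_rules
lan_host_route
```

Run it as-is to see the rule set; run `DRY_RUN=0 sh script.sh` as root on the firewall to apply it. From the firewall box itself, test with `http://192.168.10.2`, not the LAN address.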