
Re: Forwarding data



Regarding Q1, I'm not sure why it would have worked in the past, but

iptables -t nat -A POSTROUTING -s $LAN_NET -j MASQUERADE

this will masq all connections from the 192.168.1.0/24 range, even those that go to 192.168.2.0/24.
Instead you probably want something like

iptables -t nat -A POSTROUTING -o $WAN_NIC -j MASQUERADE

so that any traffic routed outside the network gets NAT'd.


Lars wrote:
Hi
I have a couple of questions, but first I'll describe my simple setup. I got a Debian Etch gateway with two NICs; eth0 192.168.1.1/24 (LAN), eth0:1 192.168.2.1/24 (DMZ), eth1 10.0.0.2 (input from ISP router). I've pasted part of my firewall script here, http://pastebin.ca/1066314 I left out the variable definitions and cut down on all the different rules.

Q1) When I access my webserver in DMZ from LAN I can't see the source address in the webserver's log, I only get 192.168.2.1 (DMZ gateway address). The same happens vice versa and it's a problem due to ACLs etc. The strange thing is that it used to work, the source address appeared, but unfortunately it stopped. I don't know what I've done, because the firewall script still has the same rules.

Q2) I would like to have a mail server in DMZ, but for now I only got a working SMTP server. Because of SORBS and reverse lookup I'm forced to relay my mails through my ISP's SMTP server and that's no problem as long as I only have the SMTP setup. But as soon as I redirect port 25 down to the mail server in DMZ to receive mails, Postfix reports a mail loop. That also happens only when I use Postfix for SMTP. I can't see why I can't redirect the port. Perhaps because my ISP answers on port 25 which redirects to my SMTP server. Am I missing something or is there a work-around?

Q3) I always prefer to only open the ports I need, but with SopCast (video streaming network) I got a "problem". SopCast connects on 2-3 specific ports, but when it comes to streaming the video it uses ports from 32000 and up (as a new connection). What do you normally do in those cases, open all the ports, because it makes no real difference?
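As an added illustration (not part of the thread, and not Lars's script), here is a small Python model of how the two POSTROUTING rules from the reply behave on the topology Lars described. The host addresses are constructed, and the model assumes the simplified rule that MASQUERADE rewrites the source to the address of the interface the packet leaves through.

```python
import ipaddress

# Constructed from the thread's description of the gateway: eth0 carries the LAN
# (192.168.1.0/24) and its eth0:1 alias the DMZ (192.168.2.0/24); eth1 faces the ISP.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("192.168.2.0/24")
WAN_NIC = "eth1"

# Routing table: (destination prefix, egress interface, address MASQUERADE would pick).
ROUTES = [
    (LAN_NET, "eth0", ipaddress.ip_address("192.168.1.1")),
    (DMZ_NET, "eth0", ipaddress.ip_address("192.168.2.1")),  # the eth0:1 alias
    (ipaddress.ip_network("0.0.0.0/0"), WAN_NIC, ipaddress.ip_address("10.0.0.2")),
]

def route(dst):
    """Longest-prefix match: return (egress interface, its address) for dst."""
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]

def masquerade(src_net=None, out_if=None):
    """One '-t nat -A POSTROUTING [-s src_net] [-o out_if] -j MASQUERADE' rule."""
    return {"src_net": src_net, "out_if": out_if}

def source_seen_by(dst, src, rules):
    """Source address the destination host logs after POSTROUTING has run."""
    out_if, out_addr = route(dst)
    for rule in rules:
        if rule["src_net"] is not None and src not in rule["src_net"]:
            continue
        if rule["out_if"] is not None and rule["out_if"] != out_if:
            continue
        return out_addr  # MASQUERADE rewrites the source to the egress address
    return src  # no rule matched: the source address passes through unchanged

# The two rulesets from the reply: match by source network vs. by egress interface.
BY_SOURCE = [masquerade(src_net=LAN_NET)]   # -s $LAN_NET -j MASQUERADE
BY_WAN_NIC = [masquerade(out_if=WAN_NIC)]   # -o $WAN_NIC -j MASQUERADE

LAN_HOST = ipaddress.ip_address("192.168.1.10")  # constructed LAN client
DMZ_WEB = ipaddress.ip_address("192.168.2.5")    # constructed DMZ webserver
INTERNET = ipaddress.ip_address("203.0.113.7")   # constructed (TEST-NET-3)

if __name__ == "__main__":
    for name, rules in (("-s $LAN_NET", BY_SOURCE), ("-o $WAN_NIC", BY_WAN_NIC)):
        print(f"{name}: LAN->DMZ seen as {source_seen_by(DMZ_WEB, LAN_HOST, rules)}, "
              f"LAN->Internet seen as {source_seen_by(INTERNET, LAN_HOST, rules)}")
```

With the source-based rule the DMZ webserver logs 192.168.2.1 for every LAN client, which is exactly the symptom in Q1; with the interface-based rule it logs the real LAN address, while traffic leaving through eth1 is still masqueraded (and, unlike the source-based rule, so is traffic from the DMZ).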
