On Wed, 13 Sep 2000, Uwe Guenther wrote:

Hello,

I have the following firewall:

    isdn -----> firewall ------> local net
    ippp0(dynIP)    |        eth0 192.168.1.40
                    | eth1
                    | 192.168.2.40
                   \ /
                   DMZ

Is there a way to route a connect on port 80 (firewall) to the DMZ port 80? I have kernel 2.2.16 with some patches from SuSE. The distribution is SuSE 6.4 with all updates from ftp.suse.com. I have the SuSE firewall script running. Do I need a public IP for the DMZ Linux box or does it work with a 192.168.x.x?

I once read in Linux Magazin (at a department store) that a request to a particular port (ippp0) can be forwarded to a machine in the DMZ. But now I don't know whether that works with the 2.2.16 from SuSE 6.4. In /etc/rc.config.d/firewall.rc.config something like that is provided for, but it says there that you need an official IP for the machine in the DMZ, which I don't have.
... may the Tux be with you! =Uwe=
--
Uwe Günther          \\://   mailto:uwe@cscc.de
Haupstraße 88        (o -)   http://www.cscc.de
98631 Behrungen  ---ooO-(_)-Ooo---  tel.:+49.36944.54448
Germany              Linux, enjoy the ride ...!
* Uwe Guenther wrote on Fri, Sep 22, 2000 at 12:41 +0200:
On Wed, 13 Sep 2000, Uwe Guenther wrote: Is there a way to route a connect on port 80(firewall) to the dmz port 80.
Yep :) You could use some transparent proxy or a TCP relay like rinetd (included in the SuSE distribution IIRC), which is set up quickly and should do what you need. Finally, you could use ipmasqadm (IIRC it's still marked as EXPERIMENTAL); here is an example from the man page:

Redirect all web traffic to internal hosts hostA and hostB, where hostB will serve 2 times hostA's connections. Forward rules already masq internal hosts to outside (typical).

    ipchains -I input -p tcp -y -d yours.com/32 80 -m 1
    ipmasqadm mfw -I -m 1 -r hostA 80 -p 10
    ipmasqadm mfw -I -m 1 -r hostB 80 -p 20
Do I need a public IP for the DMZ-Linux-Box or does it work with a 192.168.x.x ?
At least it works. But AFAIK a DMZ is that part of the network that is behind a firewall but is able to get connected directly, so maybe the name DMZ is not exactly the best here ;)

oki,

Steffen
--
This message was produced by machine and therefore bears neither signature nor seal.
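The ipmasqadm approach from Steffen's reply, as an added example that is not part of the thread or of any SuSE script: a small POSIX sh helper that generates (and, by default, only prints) the ipchains mark rule plus the ipmasqadm mfw rule for one DMZ host, so the rules can be reviewed before they are loaded. It also checks whether the DMZ host uses an RFC 1918 address, which is what Uwe's 192.168.x.x question is about. The addresses 203.0.113.10 (the firewall's external address) and 192.168.2.80 (the DMZ web server) are constructed sample values; the function names are assumptions.

```shell
#!/bin/sh
# Added example: emit the kernel 2.2 / ipchains-era rules for forwarding a
# port on the firewall's external address to a host in the DMZ.
# The mfw feature of ipmasqadm is marked EXPERIMENTAL, so review output first.

# dmz_forward_rules EXT_ADDR PORT MARK DMZ_HOST [WEIGHT]
# Prints the two rules; it never executes them.
dmz_forward_rules() {
    ext_addr=$1; port=$2; mark=$3; dmz_host=$4; weight=${5:-10}
    # -y matches SYN packets only, i.e. only new connections are marked;
    # subsequent packets of the flow are handled by the masquerading table.
    echo "ipchains -I input -p tcp -y -d ${ext_addr}/32 ${port} -m ${mark}"
    # mfw sends packets carrying the mark to the DMZ host; -p is the relative
    # weight used when several hosts share the same mark (hostA/hostB above).
    echo "ipmasqadm mfw -I -m ${mark} -r ${dmz_host} ${port} -p ${weight}"
}

# is_private_v4 ADDR: true if ADDR is an RFC 1918 private address, i.e. the
# DMZ box has no public IP and the firewall must masquerade for it.
is_private_v4() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh dmz_forward.sh --demo   (constructed sample values)
if [ "${1:-}" = "--demo" ]; then
    dmz_host=192.168.2.80
    if is_private_v4 "$dmz_host"; then
        echo "# $dmz_host is private: masquerading on the firewall is required"
    fi
    dmz_forward_rules 203.0.113.10 80 1 "$dmz_host"
fi
```

With a dynamic ippp0 address the first rule has to be regenerated whenever the address changes, which is one reason a relay such as rinetd (which listens on the firewall itself) is the simpler option for a single port.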