On Mon, 15 Sep 2003, Chris de Orla wrote:

> I want to reverse masquerade on port 25 from the internet to a DMZ address.
> [...]
> If I make the reverse-masq to something on the internal network, it connects with no problem; anything on the DMZ does not, and there are no failures in syslog.
> What am I missing here?
> I am running SuSE 7.3 and iptables 1.2.8.
> Below is my firewall2.rc.config:
> FW_DEV_EXT="eth1"
> FW_DEV_INT="eth0"
> FW_DEV_DMZ="eth2"

eth2: Is it a private net address? (e.g. 192.168.0.1 = yyy.yyy.yyy.yyy)

> FW_ROUTE="yes"
> FW_MASQUERADE="yes"
> FW_MASQ_DEV="$FW_DEV_EXT"
> FW_MASQ_NETS="xxx.xx.x.x/24"
I assume xxx.xxx.xxx.xxx is your private LAN net address? (e.g. 192.168.1.1) You should include yyy.yyy.yyy.yyy/aa, or at least the ports the DMZ should reach on the internet.
> FW_PROTECT_FROM_INTERNAL="yes"
> FW_AUTOPROTECT_SERVICES="yes"
> FW_SERVICES_EXT_TCP="123 25"
                          ^^^^
You don't need this, because the service (smtpd) is not running on the firewall.

> FW_SERVICES_EXT_UDP="123"
> FW_SERVICES_EXT_IP=""
> FW_SERVICES_DMZ_TCP="25"
                      ^^^^
Here the same. You don't need this.

> FW_SERVICES_DMZ_UDP=""
> FW_SERVICES_DMZ_IP=""
> FW_SERVICES_INT_TCP="22 123 25 10000"
                              ^^^^
And again.

> FW_SERVICES_INT_UDP="123"
> FW_SERVICES_INT_IP=""
> FW_TRUSTED_NETS="xxx.xx.x.x/24"
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
> FW_SERVICE_AUTODETECT="yes"
> FW_SERVICE_DNS="no"
> FW_SERVICE_DHCLIENT="no"
> FW_SERVICE_DHCPD="no"
> FW_SERVICE_SQUID="no"
> FW_SERVICE_SAMBA="no"
> FW_FORWARD=""
Here you have to put in the services which should be routed from the LAN to the DMZ (in general, packets from private network to private network, or from official IPs to official IPs, which don't need NAT or DNAT).
> FW_FORWARD_MASQ="0/0,y.y.y.y,tcp,25"
This should be OK if y.y.y.y is a private IP address in the DMZ. All the FW_*_* parameters are only for the case that the services are running _ON_ the firewall.
> #
> #-------------------------------------------------------------------------#
> #
> # EXPERT OPTIONS - all others please don't change these!
> #
> #-------------------------------------------------------------------------#
> #
> [...]

Best regards,
Thomas Schweiger
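As an added example (not part of the thread, and not SuSEfirewall2's own code), the POSIX shell script below shows what an FW_FORWARD_MASQ entry of the form shown in the thread comes down to in plain iptables terms, and turns the FW_MASQ_NETS point from the reply into a mechanical check. It assumes the four-field entry format "source net, destination IP, protocol, port" exactly as in the posted line; the addresses 192.168.1.0/24 (LAN) and 192.168.2.10 (DMZ mail host) are constructed stand-ins for xxx.xx.x.x and y.y.y.y; and the emitted rules are a generic DNAT-plus-FORWARD pattern, not the rule set SuSEfirewall2 itself generates from this configuration.

```shell
#!/bin/sh
# Added example, not from the thread and not SuSEfirewall2's own code.
# It expands one FW_FORWARD_MASQ entry "src_net,dst_ip,proto,port" into the
# plain iptables rules that implement such a port forward, and checks the
# point raised in the reply: the DMZ host must be covered by FW_MASQ_NETS
# if it is to be masqueraded for its own outbound connections.

# Constructed placeholder values; the addresses are not real.
FW_DEV_EXT="eth1"
FW_DEV_DMZ="eth2"
FW_MASQ_NETS="192.168.1.0/24"              # LAN only, as in the posted config
FW_FORWARD_MASQ="0/0,192.168.2.10,tcp,25"  # DMZ mail host stands in for y.y.y.y

# dnat_rules ENTRY EXT_DEV DMZ_DEV
# Prints the DNAT rule plus the two FORWARD rules for one entry (assumed
# field order: source net, destination IP, protocol, port).
dnat_rules() {
    entry=$1; ext=$2; dmz=$3
    oldifs=$IFS; IFS=,
    set -- $entry
    IFS=$oldifs
    src=$1; dst=$2; proto=$3; port=$4
    [ -n "$port" ] || { echo "malformed entry: $entry" >&2; return 1; }
    echo "iptables -t nat -A PREROUTING -i $ext -s $src -p $proto --dport $port -j DNAT --to-destination $dst"
    echo "iptables -A FORWARD -i $ext -o $dmz -s $src -d $dst -p $proto --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $dmz -o $ext -s $dst -p $proto --sport $port -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# ip2int A.B.C.D -> unsigned 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP NET/BITS -> success when IP lies inside the network
in_net() {
    ipn=$(ip2int "$1")
    net=${2%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32                 # bare address means /32
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ipn & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# masq_covers IP -> success when some net in FW_MASQ_NETS contains IP
masq_covers() {
    for n in $FW_MASQ_NETS; do
        in_net "$1" "$n" && return 0
    done
    return 1
}

# Emit the rules for the configured entry and warn about the masquerading gap.
dnat_rules "$FW_FORWARD_MASQ" "$FW_DEV_EXT" "$FW_DEV_DMZ"
dmz_host=$(echo "$FW_FORWARD_MASQ" | cut -d, -f2)
masq_covers "$dmz_host" ||
    echo "WARNING: $dmz_host is not in FW_MASQ_NETS=\"$FW_MASQ_NETS\"; add the DMZ net" >&2
```

Run as-is, it prints the three rules for the constructed entry and, because FW_MASQ_NETS only lists the LAN, the warning for the DMZ host; adding the DMZ network to FW_MASQ_NETS silences it. On the firewall itself, `iptables -t nat -L PREROUTING -n -v` shows the packet counters on the DNAT rule, which tells you whether inbound port 25 traffic is being translated at all even when syslog stays quiet.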