Forward to DMZ addresses

jonathan at jonathan at
Sat Aug 13 20:19:55 CEST 2005

I have a machine that I using as a firewall, separting WAN / LAN / DMZ

Rules thus far are to NAT all outgoing packets that come in from the LAN

>From the machine itself, I can ping machines on my DMZ interface (eth2)
and my LAN interface (eth0)

I'm having trouble getting through the firewall to my DMZ machines, but I
can access the NIC that routes to the DMZ machine via SSH...  I've tried
various forwarding rules, and even changed the default FORWARD policy to
ACCEPT anything.  Here is a basic rule I'm trying:

#eth1 = WAN NIC
#eth2 = DMZ NIC
iptables -A FORWARD -i eth1 -o eth2 -d xx.xx.xx.xx  -p tcp --dport 22 -j

now, if I do a netstat on the firewall nothing... if I do a netstat on the
machine I'm attempting to connect from... all I see is SYN_SENT

**I'm trying from external machines...i.e. machines not on my network.

physical network is

router -> vlan -> firewall -> DMZ
router -> vlan -> firewall -> LAN

I can also access the DMZ machine via the firewall itself and vice versa,
but once logged into the DMZ machine, I can't get to anything past the
firewall.  I have the following rules for that

iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT

Kinda confused here...

the LAN stuff works... at least for now... to simply forward the packets
out through the WAN NIC and NAT them...


More information about the netfilter mailing list