Forward to DMZ addresses

jonathan at innovativesource.net
Sat Aug 13 20:19:55 CEST 2005


I have a machine that I'm using as a firewall, separating WAN / LAN / DMZ.

Rules thus far are to NAT all outgoing packets that come in from the LAN
interface.

From the machine itself, I can ping machines on my DMZ interface (eth2)
and my LAN interface (eth0).

I'm having trouble getting through the firewall to my DMZ machines, but I
can access the NIC that routes to the DMZ machine via SSH...  I've tried
various forwarding rules, and even changed the default FORWARD policy to
ACCEPT anything.  Here is a basic rule I'm trying:

#eth1 = WAN NIC
#eth2 = DMZ NIC
iptables -A FORWARD -i eth1 -o eth2 -d xx.xx.xx.xx -p tcp --dport 22 -j ACCEPT

Now, if I do a netstat on the firewall: nothing... if I do a netstat on the
machine I'm attempting to connect from, all I see is SYN_SENT.

**I'm trying from external machines, i.e. machines not on my network.

The physical network is:

router -> vlan -> firewall -> DMZ
router -> vlan -> firewall -> LAN

I can also access the DMZ machine via the firewall itself and vice versa,
but once logged into the DMZ machine, I can't get to anything past the
firewall.  I have the following rule for that:

iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT

Kinda confused here...

The LAN stuff works... at least for now... simply forwarding the packets
out through the WAN NIC and NATing them...

*shrug*
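The FORWARD rule in the post only matches a packet whose destination is already the DMZ host, while an external client sends its SYN to the firewall's WAN address, so without a DNAT the packet is never forwarded and the client sits in SYN_SENT. Below is an added example (not from the post or the netfilter project) of the nat/PREROUTING, stateful FORWARD and nat/POSTROUTING rules that complete the picture; it assumes the DMZ host has a private address, and WAN_IP and DMZ_HOST are placeholders.

```shell
#!/bin/sh
# Added example, not from the post: the rules an "accept in FORWARD" rule needs
# around it.  Assumes a private-address DMZ host reached via the firewall's WAN IP.
WAN_IF=eth1                        # WAN NIC (from the post)
DMZ_IF=eth2                        # DMZ NIC (from the post)
WAN_IP="${WAN_IP:-203.0.113.10}"   # assumed: firewall's public address (TEST-NET-3 placeholder)
DMZ_HOST="${DMZ_HOST:-10.0.2.5}"   # assumed: DMZ SSH server (placeholder)

# Succeeds only if the kernel routes between interfaces; otherwise FORWARD is
# never consulted and no FORWARD rule can help.
forwarding_enabled() {
    f=/proc/sys/net/ipv4/ip_forward
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Print the commands instead of running them, so the plan can be reviewed or
# tested without root; `dmz_ssh_rules | sh` applies it as root.
dmz_ssh_rules() {
cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# A client sends SYN to $WAN_IP. Rewrite the destination before the routing
# decision so the packet is routed (and reaches FORWARD with -d $DMZ_HOST)
# instead of being delivered to the firewall itself.
iptables -t nat -A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport 22 -j DNAT --to-destination $DMZ_HOST:22
# Inbound: only new SSH connections, only to the DMZ host (the post-DNAT address).
iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -d $DMZ_HOST -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Replies for any accepted connection, in either direction, tracked by conntrack;
# this replaces a blanket "-i eth2 -o eth1 -j ACCEPT".
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Connections the DMZ host itself initiates towards the WAN.
iptables -A FORWARD -i $DMZ_IF -o $WAN_IF -m state --state NEW -j ACCEPT
# The post NATs only LAN-sourced traffic. DMZ-originated traffic leaving $WAN_IF
# needs source NAT too, or its replies are addressed to an unroutable private IP.
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}
```

After applying, `iptables -t nat -vnL PREROUTING` and `iptables -vnL FORWARD` show per-rule packet counters, which tell you at which step an inbound SYN stops being counted.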

More information about the netfilter mailing list