I did try that...exactly as you had it, there...I'll have to try again. On 19 Jan 2002, Bret Hughes wrote:
> On Fri, 2002-01-18 at 23:51, Mike Burger wrote:
> > I'm sorry...feeble mind syndrome set in.
> >
> > Try http://www.bubbanfriends.org/~mburger/fwscript.txt
> >
> > Damn.
> >
> > Better.
>
> Did you say you already tried a version of this with the internal
> interface? g it would look like :
>
> #
> # HTTP to the server
> #
> $IPTABLES -t nat -A PREROUTING -i eth0 -d 216.140.122.113 -p tcp --dport 80 -j DNAT --to 192.168.0.1
> $IPTABLES -A FORWARD -p tcp --dport 80 -m state --state NEW -d 192.168.0.1 -j ACCEPT
> #
>
> I am thinking it would look like :
>
> ## HTTP to the server from the internal network
> #
> $IPTABLES -t nat -A PREROUTING -i eth1 -d 216.140.122.113 -p tcp --dport 80 -j DNAT --to 192.168.0.1
>
> I am thinking that the forwarding line in the original rule would take
> care of the forwarding thing.
>
> The reference I was referring to was in the NAT HOWTO
> http://netfilter.samba.org/unreliable-guides/NAT-HOWTO/NAT-HOWTO.linuxdoc-5.html
>
> Since the DNAT rule is prerouting I honestly do not know what happens
> when a machine gets a packet directed to it on an interface for another
> machine with the same subnet. Isn't there some sort of redirection
> thing that occurs? Something like "hey buddy, you don't need to send me
> these packets, they are on the same subnet we are all on." Then the src
> machine says "huh? I was sending this to 216.... not 192.... why are
> you telling me all this?" There might be some arp or routing magic that
> needs to be done here.
>
> I wish I had a test lab set up for this; I would like to try it.
>
> One of the reasons I wanted to see this work is that I am about to
> build a new firewall for our office and am working on the network
> architecture. I am seriously considering putting all publicly
> available services on a machine(s) in a DMZ setup like :
>
>
> internet ------- firewall ----- DMZ net (192.168.3.0/24)
>                     |
>                     |
>                     |
>               internal net
>               192.168.0.0/24
>
> This type of setup will at least get me around the very issues you are
> having (I think)
>
> Bret
>
> _______________________________________________
> Redhat-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/redhat-list
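An added example, not Mike's fwscript.txt or anything posted in the thread: the full rule set for the "internal client reaches the server through the public address" case Bret sketched. The part his sketch leaves out is the source rewrite. With DNAT alone, 192.168.0.1 sees a request from a 192.168.0.x address and answers it directly on the LAN; the client, which is waiting for a reply from 216.140.122.113, drops that reply and the connection never completes. Adding a POSTROUTING SNAT for internal-sourced traffic to the server forces the reply back through the firewall, which undoes the DNAT before the client sees it. Interface names, the firewall's internal address (192.168.0.254) and the dry-run mechanism are assumptions of this example.

```shell
#!/bin/sh
# Added example: DNAT "hairpin" rules so LAN hosts can use the public address.
# Assumed: eth0 = public side, eth1 = LAN side, 192.168.0.254 = firewall on eth1.
# Set IPTABLES=echo to dry-run and just print the commands.
IPTABLES="${IPTABLES:-iptables}"
EXT_IF=eth0
INT_IF=eth1
PUBLIC_IP=216.140.122.113
WEB_SERVER=192.168.0.1
INT_NET=192.168.0.0/24
FW_INT_IP=192.168.0.254   # assumed: firewall's own address on eth1

hairpin_rules() {
    # 1. Internet clients: DNAT on the public interface (the rule from the thread).
    $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -d "$PUBLIC_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER"

    # 2. LAN clients: the same DNAT on the internal interface.  The packet reaches
    #    the firewall because the client routes 216.x via its default gateway.
    $IPTABLES -t nat -A PREROUTING -i "$INT_IF" -d "$PUBLIC_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER"

    # 3. The missing piece for case 2: rewrite the *source* as well.  nat/POSTROUTING
    #    sees the post-DNAT destination, so -d matches the server.  The server now
    #    replies to the firewall, which reverses both NATs before the client sees it.
    #    Without this, the server answers the client directly and the TCP handshake
    #    fails (client expects the SYN/ACK from 216.140.122.113, gets it from 192.168.0.1).
    $IPTABLES -t nat -A POSTROUTING -s "$INT_NET" -d "$WEB_SERVER" -p tcp --dport 80 \
        -j SNAT --to-source "$FW_INT_IP"

    # 4. Filter: one FORWARD rule covers both the external and the hairpin case,
    #    since the filter table sees the DNATed destination.
    $IPTABLES -A FORWARD -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Run for real only when executed directly with IPTABLES pointing at the binary.
if [ "${IPTABLES}" = iptables ] && [ "$(id -u)" = 0 ]; then
    hairpin_rules
fi
```

The side effect of the SNAT is that the web server's logs show every LAN client as 192.168.0.254; that is the price of the hairpin and one more argument for Bret's DMZ layout, where the server sits on a different subnet from its clients and the reply has to cross the firewall anyway, so no SNAT is needed.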