[Firewall] Port forwarding natted DMZ to natted LAN

Kenneth Henderick khenderick at plesetsk.be
Sun Oct 11 17:11:30 CEST 2015


Hi,

I have issues getting devices in my DMZ to reach a certain service on a
device inside my LAN.

Network setup:
* DMZ: 192.168.17.0/24
** For devices I don't trust (TV, guest wifi, ...)
* LANs: 192.168.(25,33,34,35,41).0/24

Routing:
* My firewall/router is configured to NAT between the public internet and the DMZ
and the 192.168.25.0/24 LAN. Between the LANs themselves, routing is provided
by my layer 3 switch.
* Until now, devices in the DMZ and LANs cannot access each other (which,
generally speaking, is good).

What I want to achieve: I want one device in the DMZ to reach a service
running on a server inside one of the LANs. That is, DMZ device
192.168.17.50 should be able to access 192.168.35.52 port 8086.

My guess was DMZ_LAN_HOST_OPEN_TCP="192.168.17.50>192.168.35.52~8086" but
that doesn't seem to work.

Below is some debug information, please note that current port forwards
from internet to LAN have been redacted to e.g. 111, 222, 333, ...
* My full configuration file:
http://paste.roguecoders.com/p/f20c537d2c0bd569ec92f21bef9da7e9.txt
* Output of arno-iptables-firewall status:
http://paste.roguecoders.com/p/5cdfb8eda6b974d51ec3be50fb7b4d59.txt

Can somebody help me out?

Best regards,

Kenneth
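As an added illustration (not part of the original post and not arno-iptables-firewall's own code): a small parser for the `SRC>DST~PORTS` entry form used in the question, which expands each entry into the iptables FORWARD rules such an opening amounts to and checks whether a given DMZ-to-LAN connection would be covered. Assumed, not stated on the page: entries are whitespace separated, the port list is comma separated with `low:high` for a range, SRC/DST may be a host or a CIDR prefix, and the interface names eth1/eth0 are placeholders. It also goes beyond the single entry in the post by handling prefixes, port lists and ranges.

```python
"""
Expand arno-iptables-firewall style "SRC>DST~PORTS" entries into iptables
FORWARD rules and check which DMZ-to-LAN connections they cover.

Added example, not code from arno-iptables-firewall or from the post.
Assumptions (not stated on the page): entries are whitespace separated, PORTS
is a comma-separated list in which a range is written "low:high" (iptables
style), SRC/DST may be a host or a CIDR prefix, and DMZ_IF/LAN_IF below are
placeholders for the firewall's real interface names.
"""
import ipaddress
import re

DMZ_IF = "eth1"  # placeholder: firewall interface facing the DMZ
LAN_IF = "eth0"  # placeholder: firewall interface facing the LAN(s)

ENTRY_RE = re.compile(r"^(?P<src>[^>]+)>(?P<dst>[^~]+)~(?P<ports>[\d,:]+)$")


def parse_ports(spec, token):
    """Turn "22,80,8000:8100" into a list of inclusive (low, high) tuples."""
    ranges = []
    for part in spec.split(","):
        lo_s, _, hi_s = part.partition(":")
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec {part!r} in {token!r}")
        ranges.append((lo, hi))
    return ranges


def parse_entries(value):
    """Parse the variable's value into (src_net, dst_net, port_ranges) triples."""
    entries = []
    for token in value.split():
        m = ENTRY_RE.match(token)
        if not m:
            raise ValueError(f"malformed entry: {token!r}")
        # strict=False lets a bare host address become a /32 network
        src = ipaddress.ip_network(m["src"], strict=False)
        dst = ipaddress.ip_network(m["dst"], strict=False)
        entries.append((src, dst, parse_ports(m["ports"], token)))
    return entries


def fmt_net(net):
    """Render a single host as a plain address, anything else in CIDR form."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def build_rules(value, dmz_if=DMZ_IF, lan_if=LAN_IF):
    """iptables commands the entries amount to: one ACCEPT per port range for
    new TCP connections DMZ -> LAN. Reply packets are assumed to be let back
    by an existing ESTABLISHED,RELATED rule, and anything unmatched in FORWARD
    is assumed to be dropped by the firewall's default policy."""
    rules = []
    for src, dst, ranges in parse_entries(value):
        for lo, hi in ranges:
            dport = str(lo) if lo == hi else f"{lo}:{hi}"
            rules.append(
                f"iptables -A FORWARD -i {dmz_if} -o {lan_if} "
                f"-s {fmt_net(src)} -d {fmt_net(dst)} "
                f"-p tcp --dport {dport} -m conntrack --ctstate NEW -j ACCEPT"
            )
    return rules


def allows(value, src_ip, dst_ip, port):
    """Would a new TCP connection src_ip -> dst_ip:port match one of the entries?"""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src, dst, ranges in parse_entries(value):
        if s in src and d in dst and any(lo <= port <= hi for lo, hi in ranges):
            return True
    return False


if __name__ == "__main__":
    # The single entry from the post, plus a constructed second value showing
    # a prefix, a port list and a port range.
    for value in ("192.168.17.50>192.168.35.52~8086",
                  "192.168.17.0/24>192.168.35.52~80,443 "
                  "192.168.17.50>192.168.35.52~8000:8100"):
        print(f"# {value}")
        for rule in build_rules(value):
            print(rule)
    print(allows("192.168.17.50>192.168.35.52~8086",
                 "192.168.17.50", "192.168.35.52", 8086))
```

The generated lines are what to look for in the live FORWARD chain (`iptables -S FORWARD` on the firewall). One caveat worth checking alongside the rule itself: an ACCEPT in FORWARD only helps if the firewall also has a route to 192.168.35.0/24 via the layer 3 switch and the switch routes 192.168.17.0/24 back through the firewall; otherwise the SYN is forwarded but the reply never returns through the same box.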