[Firewall] Port forwarding natted DMZ to natted LAN

Kenneth Henderick khenderick at plesetsk.be
Sun Oct 11 17:11:30 CEST 2015


I have issues getting devices in my DMZ to reach a certain service on a
device inside my LAN.

Network setup:
* DMZ:
  * For devices I don't trust (TV, guest wifi, ...)
* LANs: 192.168.(25,33,34,35,41).0/24

* My firewall/router is configured to NAT between public internet and DMZ
and the LAN. Between the LANs themselves, routing is provided
by my layer 3 switch
* Until now, devices in the DMZ and LANs cannot access each other (which
generally speaking is good)

What I want to achieve: I want one device on the DMZ to reach a service
running on a server inside one of the LANs. That is, the DMZ device should be able to access port 8086.

My guess was DMZ_LAN_HOST_OPEN_TCP=">" but
that doesn't seem to work.

Below is some debug information, please note that current port forwards
from internet to LAN have been redacted to e.g. 111, 222, 333, ...
* My full configuration file:
* Output of arno-iptables-firewall status:

Can somebody help me out?

Best regards,
