[Firewall] Port forwarding natted DMZ to natted LAN

Lonnie Abelbeck lists at lonnie.abelbeck.com
Sun Oct 11 18:05:10 CEST 2015

Hi Kenneth,

You were correct in using:

I'm like you and put my "don't trust" devices in my DMZ, and I just tested DMZ_LAN_HOST_OPEN_TCP and it works as expected for me.

1) Try enabling more logging to see where your TCP packet is being dropped (if it is) with DMZ_LAN_HOST_OPEN_TCP defined.

2) I see you have multiple subnets on a single bridge (br0) interface; possibly you have a routing issue for the return packet?

I see you are using VLANs off a single interface (router-on-a-stick); could the br0 be separated out as a few more separate VLANs, or is that wireless or such?


On Oct 11, 2015, at 10:11 AM, Kenneth Henderick <khenderick at plesetsk.be> wrote:

> Hi,
> I have issues getting devices in my DMZ to reach a certain service on a device inside my LAN.
> Network setup:
> * DMZ:
> ** For devices I don't trust (TV, guest wifi, ...)
> * LANs: 192.168.(25,33,34,35,41).0/24
> Routing:
> * My firewall/router is configured to NAT between public internet and DMZ and the LAN. Between the LANs themselves, routing is provided by my layer 3 switch
> * Until now, devices in the DMZ and LANs cannot access each other (which generally speaking is good)
> What I want to achieve: I want one device on the DMZ to reach a service running on a server inside one of the LANs. That is, DMZ device should be able to access port 8086.
> My guess was DMZ_LAN_HOST_OPEN_TCP=">" but that doesn't seem to work.
> Below is some debug information, please note that current port forwards from internet to LAN have been redacted to e.g. 111, 222, 333, ...
> * My full configuration file: http://paste.roguecoders.com/p/f20c537d2c0bd569ec92f21bef9da7e9.txt
> * Output of arno-iptables-firewall status: http://paste.roguecoders.com/p/5cdfb8eda6b974d51ec3be50fb7b4d59.txt
> Can somebody help me out?
> Best regards,
> Kenneth
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
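The two diagnostic steps in the reply above (turn on logging to see where the TCP packet is dropped, and check whether the return packet takes a different path than the forward packet when several subnets sit on one bridge) can be checked mechanically against the firewall's kernel log. The script below is an added example, not code from this thread or from arno-iptables-firewall. It assumes only the standard netfilter LOG line format (key=value fields such as IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=, with TCP flags as bare tokens); the log prefixes, interface names and addresses in the constructed sample lines are invented, and the rule that a prefix containing "drop" marks a dropped packet is an assumption about how the log prefixes were configured.

```python
"""Triage netfilter LOG lines for a DMZ -> LAN:port flow that does not work.

Added example, not from the mailing-list thread or from arno-iptables-firewall.
It parses the kernel's netfilter LOG format, picks out the forward packets
(dmz_ip -> lan_ip:port) and the return packets (lan_ip:port -> dmz_ip), and reports
which log prefix recorded a drop and whether the return packet entered the firewall
on a different interface than the forward packet was routed out of, i.e. the
asymmetric-routing symptom to look for when several subnets share one bridge.
"""
import re

# Netfilter LOG emits KEY=value fields; TCP flags appear as bare tokens.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# Everything between "kernel:" (plus optional timestamp) and "IN=" is the log prefix.
PREFIX_RE = re.compile(r"kernel:\s*(?:\[[^\]]*\]\s*)?(.*?)\s*IN=")

# Constructed sample log (prefixes, interfaces and addresses are invented):
# a SYN from the DMZ host is routed out via br0, but the SYN/ACK comes back in
# on a VLAN sub-interface and is dropped in FORWARD.
SAMPLE_LOG = """\
Oct 11 16:02:01 fw sshd[812]: Accepted publickey for admin from 192.168.25.5
Oct 11 16:02:01 fw kernel: [ 812.401] AIF:DMZ->LAN host open: IN=eth0.10 OUT=br0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.20 DST=192.168.25.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=TCP SPT=43210 DPT=8086 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 11 16:02:01 fw kernel: [ 812.402] AIF:Dropped FORWARD packet: IN=eth0.25 OUT=eth0.10 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.25.10 DST=10.0.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=8086 DPT=43210 WINDOW=28960 RES=0x00 ACK SYN URGP=0
Oct 11 16:02:05 fw kernel: [ 816.100] AIF:Dropped INPUT packet: IN=eth0.10 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.20 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
"""


def parse_log_line(line):
    """Return {'prefix', 'fields', 'flags'} for a netfilter LOG line, else None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    flags = frozenset(tok for tok in line.split() if tok in FLAG_TOKENS)
    return {"prefix": m.group(1).strip(), "fields": fields, "flags": flags}


def triage_flow(lines, dmz_ip, lan_ip, port):
    """Collect forward and return packets of one TCP flow and flag asymmetric paths.

    Each record is (prefix, in_if, out_if, flags). 'asymmetric' is True when the
    return packets all arrived on interfaces different from every interface the
    forward packets left on (only meaningful if both directions were logged).
    """
    forward, ret = [], []
    for line in lines:
        p = parse_log_line(line)
        if not p or p["fields"].get("PROTO") != "TCP":
            continue
        f = p["fields"]
        rec = (p["prefix"], f.get("IN", ""), f.get("OUT", ""), p["flags"])
        if f.get("SRC") == dmz_ip and f.get("DST") == lan_ip and f.get("DPT") == str(port):
            forward.append(rec)
        elif f.get("SRC") == lan_ip and f.get("SPT") == str(port) and f.get("DST") == dmz_ip:
            ret.append(rec)
    fwd_out = {r[2] for r in forward if r[2]}
    ret_in = {r[1] for r in ret if r[1]}
    asymmetric = bool(fwd_out and ret_in and not (fwd_out & ret_in))
    return {"forward": forward, "return": ret, "asymmetric": asymmetric}


def dropped(records):
    """Records whose log prefix marks a drop (assumed convention: prefix contains 'drop')."""
    return [r for r in records if "drop" in r[0].lower()]


if __name__ == "__main__":
    result = triage_flow(SAMPLE_LOG.splitlines(), "10.0.0.20", "192.168.25.10", 8086)
    for direction in ("forward", "return"):
        for prefix, in_if, out_if, flags in result[direction]:
            print(f"{direction:7} IN={in_if or '-':8} OUT={out_if or '-':8} "
                  f"{' '.join(sorted(flags)):8} {prefix}")
    print("dropped forward packets:", len(dropped(result["forward"])))
    print("dropped return packets: ", len(dropped(result["return"])))
    print("asymmetric return path: ", result["asymmetric"])
```

Run it against the firewall's own kernel log (for example the output of `journalctl -k` or `/var/log/kern.log`) with the real DMZ host, LAN host and port substituted; if the forward SYN is logged leaving on one interface and the SYN/ACK arrives on another, or the return packet is never logged at all, the return route through the layer 3 switch and the shared bridge is the place to look before changing any firewall rules.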
