[Firewall] Port forwarding natted DMZ to natted LAN

Lonnie Abelbeck lists at lonnie.abelbeck.com
Sun Oct 11 18:05:10 CEST 2015


Hi Kenneth,

You were correct in using:
--
DMZ_LAN_HOST_OPEN_TCP="192.168.17.50>192.168.35.52~8086"
--

I'm like you and put my "don't trust" devices in my DMZ, and I just tested DMZ_LAN_HOST_OPEN_TCP and it works as expected for me.

1) Try enabling more logging to see where your TCP 192.168.35.52~8086 packet is being dropped (if it is) with DMZ_LAN_HOST_OPEN_TCP defined.

2) I see you have multiple subnets on a single bridge (br0) interface; possibly you have a routing issue for the return 192.168.17.50 packet?

I see you are using VLANs off a single interface (router-on-a-stick). Could br0 be separated out into a few more separate VLANs, or is that wireless or such?

Lonnie


On Oct 11, 2015, at 10:11 AM, Kenneth Henderick <khenderick at plesetsk.be> wrote:

> Hi,
> 
> I have issues getting devices in my DMZ to reach a certain service on a device inside my LAN.
> 
> Network setup:
> * DMZ: 192.168.17.0/24
> ** For devices I don't trust (TV, guest wifi, ...)
> * LANs: 192.168.(25,33,34,35,41).0/24
> 
> Routing:
> * My firewall/router is configured to NAT between the public internet and the DMZ and the 192.168.25.0/24 LAN. Between the LANs themselves, routing is provided by my layer 3 switch.
> * Until now, devices in the DMZ and LANs cannot access each other (which generally speaking is good).
> 
> What I want to achieve: I want one device on the DMZ to reach a service running on a server inside one of the LANs. That is, DMZ device 192.168.17.50 should be able to access 192.168.35.52 port 8086.
> 
> My guess was DMZ_LAN_HOST_OPEN_TCP="192.168.17.50>192.168.35.52~8086" but that doesn't seem to work.
> 
> Below is some debug information, please note that current port forwards from internet to LAN have been redacted to e.g. 111, 222, 333, ...
> * My full configuration file: http://paste.roguecoders.com/p/f20c537d2c0bd569ec92f21bef9da7e9.txt
> * Output of arno-iptables-firewall status: http://paste.roguecoders.com/p/5cdfb8eda6b974d51ec3be50fb7b4d59.txt
> 
> Can somebody help me out?
> 
> Best regards,
> 
> Kenneth
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
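To make the entry syntax concrete, here is an added shell example (not arno-iptables-firewall's own code) that expands a DMZ_LAN_HOST_OPEN_TCP value of the form "srchost>dsthost~port[,port...]" into the FORWARD rules it is meant to produce, so the intended policy can be compared line by line with the output of arno-iptables-firewall status. The interface names, the chain (plain FORWARD) and the exact rule shape are assumptions for illustration.

```shell
#!/bin/sh
# Added example: expand DMZ_LAN_HOST_OPEN_TCP entries into iptables commands.
# Entry syntax (from the thread): "srchost>dsthost~port", ports comma-separated,
# entries space-separated. Chain and interface names below are assumptions.

DMZ_IF="eth0.17"   # assumed DMZ interface (VLAN 17 in the thread)
LAN_IF="br0"       # assumed LAN-side interface

# Print one iptables command per (src, dst, port) combination.
expand_dmz_lan_open_tcp() {
  # $1: the DMZ_LAN_HOST_OPEN_TCP value
  for entry in $1; do
    case "$entry" in
      *'>'*'~'*) ;;   # well-formed: has both separators
      *) echo "skip malformed entry: $entry" >&2; continue ;;
    esac
    src=${entry%%>*}     # text before '>'
    rest=${entry#*>}     # text after '>'
    dst=${rest%%~*}      # text before '~'
    ports=${rest#*~}     # text after '~' (comma-separated list)
    old_ifs=$IFS; IFS=','
    for port in $ports; do
      printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p tcp --dport %s -j ACCEPT\n' \
        "$DMZ_IF" "$LAN_IF" "$src" "$dst" "$port"
    done
    IFS=$old_ifs
  done
}

# Number of rules a value expands to; handy as a sanity check before comparing
# against the live ruleset.
count_rules() { expand_dmz_lan_open_tcp "$1" | wc -l | tr -d ' '; }

if [ "${1:-}" = "--demo" ]; then
  expand_dmz_lan_open_tcp "192.168.17.50>192.168.35.52~8086"
fi
```

Run it with `--demo` to print the single rule the thread's entry should yield; if that rule is absent from the status output, the entry was not applied, and if it is present but the connection still fails, the return-path routing Lonnie mentions is the next thing to check.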