[Firewall] Port forwarding natted DMZ to natted LAN
khenderick at plesetsk.be
Sun Oct 11 18:53:22 CEST 2015
Thanks for helping me out. I'm going to enable some more logging and check
whether I can find something with tcpdump.
br0 is stitching the 192.168.41.0/24 network together with a tap-device for
my site-to-site VPN (slightly over-engineered home network here). Slightly
redacted output from "ip a" and "ip r":
On Sun, Oct 11, 2015 at 6:05 PM, Lonnie Abelbeck <lists at lonnie.abelbeck.com>
> Hi Kenneth,
> You were correct in using:
> I'm like you and put my "don't trust" devices in my DMZ, and I just tested
> DMZ_LAN_HOST_OPEN_TCP and it works as expected for me.
> 1) Try enabling more logging to see where your TCP 192.168.35.52~8086
> packet is being dropped (if it is) with DMZ_LAN_HOST_OPEN_TCP defined.
> 2) I see you have multiple subnets on a single bridge (br0) interface,
> possibly you have a routing issue for the return 192.168.17.50 packet ?
> I see you are using VLAN's off a single interface, (router-on-a-stick),
> could the br0 be separated out as a few more separate VLAN's or is that
> wireless or such.
> On Oct 11, 2015, at 10:11 AM, Kenneth Henderick <khenderick at plesetsk.be>
> > Hi,
> > I have issues getting devices in my DMZ to reach a certain service on a
> device inside my LAN.
> > Network setup:
> > * DMZ: 192.168.17.0/24
> > ** For devices I don't trust (TV, guest wifi, ...)
> > * LANs: 192.168.(25,33,34,35,41).0/24
> > Routing:
> > * My firewall/router is configured to NAT between public internet and
> DMZ and the 192.168.25.0/24 LAN. Between the LANs themselves, routing is
> provided by my layer 3 switch
> > * Until now, devices in the DMZ and LANs cannot access each other (which
> generally speaking is good)
> > What I want to achieve: I want one device on the DMZ to reach a service
> running on a server inside one of the LANs. That is, DMZ device
> 192.168.17.50 should be able to access 192.168.35.52 port 8086.
> > My guess was DMZ_LAN_HOST_OPEN_TCP="192.168.17.50>192.168.35.52~8086"
> but that doesn't seem to work.
> > Below is some debug information, please note that current port forwards
> from internet to LAN have been redacted to e.g. 111, 222, 333, ...
> > * My full configuration file:
> > * Output of arno-iptables-firewall status:
> > Can somebody help me out?
> > Best regards,
> > Kenneth
> > _______________________________________________
> > Firewall mailing list
> > Firewall at rocky.eld.leidenuniv.nl
> > http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> > Arno's (Linux IPTABLES Firewall) Homepage:
> > http://rocky.eld.leidenuniv.nl
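The thread hinges on the DMZ_LAN_HOST_OPEN_TCP entry format ("dmzhost>lanhost~port") and on the two things that can still break such a forward: the hosts being in the wrong zones, and the reply path not coming back through the firewall. The following Python is an added example and is not part of this thread or of arno-iptables-firewall itself. It assumes the entry syntax shown in Kenneth's message (space-separated entries, `>` between source and destination, `~` before a comma-separated port list), uses the DMZ and LAN subnets stated in the thread, and emits plain iptables FORWARD rules as an approximation of what the firewall script generates; the interface names `DMZ_IF` and `LAN_IF` are hypothetical placeholders.

```python
import ipaddress
import re

# Zones as stated in the thread (constructed from the message, not read from a config).
DMZ_NET = ipaddress.ip_network("192.168.17.0/24")
LAN_NETS = [ipaddress.ip_network(f"192.168.{n}.0/24") for n in (25, 33, 34, 35, 41)]

# Assumed entry grammar: <src-ip>><dst-ip>~<port>[,<port>...]
ENTRY_RE = re.compile(r"^(?P<src>[^>]+)>(?P<dst>[^~]+)~(?P<ports>\d+(?:,\d+)*)$")


def parse_entries(value):
    """Parse a DMZ_LAN_HOST_OPEN_TCP-style string into (src, dst, [ports]) tuples.

    Raises ValueError for a malformed entry, a bad address or a port out of range,
    so a typo in the variable fails loudly instead of silently opening nothing.
    """
    entries = []
    for token in value.split():
        m = ENTRY_RE.match(token)
        if not m:
            raise ValueError(f"malformed entry: {token!r}")
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        ports = [int(p) for p in m["ports"].split(",")]
        bad = [p for p in ports if not 1 <= p <= 65535]
        if bad:
            raise ValueError(f"port out of range in {token!r}: {bad}")
        entries.append((src, dst, ports))
    return entries


def check_placement(src, dst):
    """Return warnings if the hosts are not in the zones the variable name implies.

    DMZ_LAN_HOST_OPEN_TCP opens DMZ -> LAN; a source outside the DMZ or a
    destination outside any LAN means the rule will never match real traffic.
    """
    warnings = []
    if src not in DMZ_NET:
        warnings.append(f"source {src} is not in the DMZ {DMZ_NET}")
    if not any(dst in net for net in LAN_NETS):
        warnings.append(f"destination {dst} is not in a known LAN subnet")
    return warnings


def to_iptables(entries, dmz_if="DMZ_IF", lan_if="LAN_IF"):
    """Render equivalent stateful FORWARD rules (hypothetical interface names).

    Only the first packet (ctstate NEW) is matched here; replies rely on a
    generic ESTABLISHED,RELATED rule and on the reply actually transiting this
    firewall, which is exactly the return-path question raised in the thread.
    """
    rules = []
    for src, dst, ports in entries:
        for port in ports:
            rules.append(
                f"iptables -A FORWARD -i {dmz_if} -o {lan_if} -p tcp "
                f"-s {src} -d {dst} --dport {port} "
                f"-m conntrack --ctstate NEW -j ACCEPT"
            )
    return rules


def audit(value):
    """Parse, check zone placement and render rules; returns (rules, warnings)."""
    entries = parse_entries(value)
    warnings = []
    for src, dst, _ in entries:
        warnings.extend(check_placement(src, dst))
    return to_iptables(entries), warnings


if __name__ == "__main__":
    rules, warns = audit("192.168.17.50>192.168.35.52~8086")
    print("\n".join(rules))
    for w in warns:
        print("WARNING:", w)
```

Running `audit()` on the entry from the thread yields one rule and no placement warnings, which is consistent with Lonnie's observation that the variable is used correctly; swapping source and destination produces two warnings. What the rule cannot express is the second point in Lonnie's reply: if 192.168.35.52 sends its reply to 192.168.17.50 via the layer 3 switch rather than back through the firewall, conntrack never sees the SYN-ACK and the connection stalls even though the FORWARD rule is correct.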