Re: iptables - lo interface problem

> > > On Mon, 23 Aug 2004 11:27:09 -0400, Rodolfo Alcázar
> > > <rodolfo.alcazar@xxxxxxxxxxxx> wrote:
> > > > Hi, this is my first post. Greetings all of you!
> > > >
> > > > I have a 3-card (internet, LAN, DMZ) firewall installed. I have
> > > > configured this rule for users who want to visit my web site:
> > > >
> > > > iptables -t nat -A PREROUTING -d 200.80.120.71 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.2:80
> > > >
> > > > (explained: if an internet user requests http service from
> > > > 200.87.120.71, the request is redirected to 192.168.1.2 on my DMZ)
> > > >
> > > > but when I type "$ lynx www.mysite.org" from my very firewall, I get
> > > > "Alert!: Unable to connect to remote host.". Obvious. The www.mysite.org
> > > > DNS entry is related to my own firewall, 200.87.120.71, which has no
> > > > web server, so the request is redirected to 127.0.0.1. Damn! I tried a
> > > > lot of rules, but I can't find the right one.
> > > >
> > > > I explained the problem in a simple way, but the real one is when I run
> > > > squid or a ppp-dialup server.
> > > >
> > > > Which is the right iptables rule? (writing lynx 192.168.1.2 does work,
> > > > but is NOT the solution!)
> > > >
> > > > Rodolfo
> > > >
> > > have you tried from an external connection? Don't test NAT rules on
> > > the firewall itself!!!
> > >
> > > Yang
> > >
> On Mon, 23 Aug 2004 12:13:07 -0400, Rodolfo Alcázar
> <rodolfo.alcazar@xxxxxxxxxxxx> wrote:
> > Thanks, Yang. Sorry if I didn't clarify this point.
> >
> > Yes, all my rules work fine from external connections. But I need this
> > type of access from the firewall...
> >
> > R
> Errr, this is a classic case for a split DNS setup: you need to set up
> DNS to point to its DMZ interface on/within the firewall, or just add
> it in the hosts file. Don't try to connect to the external interface
> and use the NAT, it doesn't work that way. I could be wrong.
>
> Yang

Thanks, Yang. I hadn't heard about a split DNS setup. I will try it. Best
regards.

Rodolfo
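Editor's note, added example (not code posted by Rodolfo or Yang): the reason the PREROUTING rule does nothing for "lynx www.mysite.org" run on the firewall is that locally generated packets never traverse the nat PREROUTING chain; they go through nat OUTPUT instead. The script below shows both fixes side by side: the hosts-file variant of Yang's split-DNS suggestion, and the nat OUTPUT DNAT rule that makes the public address work from the firewall itself. Addresses and the site name are taken from the post (the posted rule reads 200.80.120.71 while the prose says 200.87.120.71; the example assumes 200.87.120.71). IPT defaults to "echo iptables" so the block runs without root and only prints the rules; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values (from the original post):
PUBLIC_IP=200.87.120.71     # firewall's internet-facing address
DMZ_WEB=192.168.1.2         # web server in the DMZ
SITE=www.mysite.org         # name that public DNS resolves to PUBLIC_IP

# Print the rules by default; IPT=iptables applies them for real (needs root).
IPT="${IPT:-echo iptables}"

# Fix 1: DNAT for both traffic paths.
nat_rules() {
    # Packets arriving from outside traverse nat/PREROUTING. This is the
    # rule from the post; it is never consulted for the firewall's own
    # connections, which is why lynx on the firewall fails.
    $IPT -t nat -A PREROUTING -d "$PUBLIC_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$DMZ_WEB:80"
    # Packets generated on the firewall itself traverse nat/OUTPUT, so the
    # same DNAT has to be repeated there. The firewall reaches the web server
    # over its DMZ interface, and conntrack reverses the translation on the
    # reply, so no extra SNAT is needed for this case.
    $IPT -t nat -A OUTPUT -d "$PUBLIC_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$DMZ_WEB:80"
}

# Fix 2: split DNS via the hosts file. On the firewall, make the site name
# resolve straight to the DMZ address so the connection never targets the
# public IP. Idempotent: a second call does not add a duplicate line.
add_hosts_entry() {
    hosts_file="$1"             # e.g. /etc/hosts; a temp file when testing
    site_re=$(printf '%s' "$SITE" | sed 's/\./\\./g')   # escape dots for grep
    if [ -f "$hosts_file" ] && \
       grep -Eq "^[^#]*[[:space:]]${site_re}([[:space:]]|\$)" "$hosts_file"; then
        return 0
    fi
    printf '%s\t%s\n' "$DMZ_WEB" "$SITE" >> "$hosts_file"
}

# Usage: print the rules, then show what the hosts entry would look like.
nat_rules
add_hosts_entry "${HOSTS_FILE:-$(mktemp)}"
```

Caveat a practitioner should keep in mind: with the hosts-file approach the web server sees the connection coming from the firewall's DMZ address rather than from 200.87.120.71, and any hostname-based access controls or logs on 192.168.1.2 will reflect that. The nat OUTPUT rule keeps the public address as the target but must be maintained in lockstep with the PREROUTING rule, including for any other DNATed services (the squid and ppp cases mentioned in the post would need their own pair of rules).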