This is the problem: As desired, tcp 3389 is forwarded (DNAT) from the Bering-uClibc/shorewall box to a server on the local LAN when using the firewall's external interface.

When using a DMZ address, tcp 3389 is also forwarded to that server on the local LAN, and NOT the desired DMZ host.

The desired result is tcp 3389 to the DMZ host when the DMZ host is specified, and forwarded to the local LAN when the firewall's external address is specified. I think that I know what is going on here; but I do NOT know what is the proper configuration. What is the correct configuration for this? What do you think?

----------

Here is a brief summary of the configuration. I will gladly provide more information, as required.

Network:       67.63.3.80/28
Gateway:       67.63.3.81
Bering eth0:   67.63.3.82
Bering eth1:   10.0.0.254/24
Bering eth2:   192.168.1.1/24
Proxy ARP DMZ: 67.63.3.83 - 67.63.3.94

----------

/etc/shorewall/rules:

DNAT    net    loc:10.0.0.4    tcp    3389

----------

Appropriate iptables chain:

Chain net2loc (1 references)
 pkts  bytes target   prot opt in  out  source     destination
1021K  767M  ACCEPT   all  --  *   *    0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
 1900  100K  ACCEPT   tcp  --  *   *    0.0.0.0/0  10.0.0.2    tcp dpt:25
   23  1120  ACCEPT   tcp  --  *   *    0.0.0.0/0  10.0.0.4    tcp dpt:3389
    0     0  net2all  all  --  *   *    0.0.0.0/0  0.0.0.0/0

--
Best Regards,
mds
mds resource
877.596.8237
- Dare to fix things before they break . . .
- Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
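One way to express the distinction the post asks for, as an added example that is not from the original post or from the shorewall project: the Shorewall rules file carries an ORIGINAL DEST column after SOURCE PORT(S), and a DNAT rule that leaves it empty matches tcp 3389 to any destination address that enters the firewall, which under proxy ARP includes the DMZ range. The zone name `dmz` and the DMZ host address 67.63.3.83 are assumptions.

```text
#ACTION  SOURCE  DEST            PROTO  DEST     SOURCE   ORIGINAL
#                                       PORT(S)  PORT(S)  DEST
#
# Before (rule from the post): no ORIGINAL DEST, so every tcp/3389 packet
# arriving from net is rewritten to 10.0.0.4, including packets whose
# destination is a proxy-ARP DMZ address such as 67.63.3.83.
#DNAT    net     loc:10.0.0.4    tcp    3389
#
# After: only packets originally addressed to the firewall's own
# external address (67.63.3.82) are DNATed to the LAN host.
DNAT     net     loc:10.0.0.4    tcp    3389     -        67.63.3.82
#
# Traffic to a DMZ host now reaches the dmz zone with its address intact
# and needs an ordinary ACCEPT. Zone "dmz" and host 67.63.3.83 are assumed.
ACCEPT   net     dmz:67.63.3.83  tcp    3389
```

After a `shorewall restart`, the net2loc and nat PREROUTING chains should show the DNAT entry carrying `67.63.3.82` as its destination match, so a count on the DMZ ACCEPT line confirms DMZ traffic is no longer diverted.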