Rommel Rodriguez Toirac <romme...@nauta.cu> wrote:
>> Your DNS server is returning *private* (RFC1918) addresses to systems in
>> the Municipal Network. To those systems, it must return the public IP
>> address of your firewall. This is addressed by using split DNS -- let
>> your DMZ server handle local clients and let your DMZ server handle
>> external clients.
> This means that I must change the registers of my external view to something in the 172.16.120.0/24 range?
NO!
I think there is some basic knowledge missing here.
Addresses in the 172.16.0.0/12 range (which includes your 172.16.120.0/24) are NOT accessible from anywhere on the internet - and the same for 192.168.0.0/16 and 10.0.0.0/8. These ranges are expressly set aside for PRIVATE use and all internet routers should be configured to drop all packets using these addresses.
So, taking for example your device gtmem.gtm.onat.gob.cu, your external view resolves this to 172.16.120.4 - this is NOT accessible from anywhere on the internet.
What you will need to do is use Masq/NAT/port forwarding to forward packets sent to a PUBLIC IP address on to 172.16.120.4, and then put the public address in your external DNS view.
Let's say your ISP gives you a.b.c.32/29 - then a.b.c.33 to a.b.c.38 are usable; one of them might be used for your router. You might forward a.b.c.34 to 172.16.120.4, and then you'd need to make gtmem.gtm.onat.gob.cu resolve to a.b.c.34.
If you are hosting your own DNS, then you would set the nameservers for gtm.onat.gob.cu to be at a.b.c.<something> and Masq/NAT/Port forward port 53 (TCP and UDP) to your actual DNS servers in the 172.16.120.0/24 range.
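To make the split-view setup above concrete, here is an added example configuration (not from the original thread) with the Shorewall DNAT rules for the port forwarding and BIND views that answer with private addresses inside and public ones outside. 203.0.113.32/29 is a documentation-range placeholder for the ISP's a.b.c.32/29; the internal DNS server at 172.16.120.2 and port 80 as the service on gtmem are assumptions.

```conf
# --- /etc/shorewall/rules (excerpt) ---
# Shorewall DNAT: packets arriving from the internet for a public address are
# forwarded to the private host. ORIGDEST is needed because more than one
# public address is in use. 203.0.113.32/29 stands in for a.b.c.32/29.
#ACTION   SOURCE   DEST                 PROTO   DPORT   SPORT   ORIGDEST
# DNS (TCP and UDP) for the published nameserver -> internal DNS server
# (172.16.120.2 is an assumed address for the DNS host)
DNAT      net      loc:172.16.120.2     tcp     53      -       203.0.113.33
DNAT      net      loc:172.16.120.2     udp     53      -       203.0.113.33
# Service on gtmem (port 80 is assumed) -> 172.16.120.4
DNAT      net      loc:172.16.120.4     tcp     80      -       203.0.113.34

# --- /etc/bind/named.conf.local (excerpt) ---
# BIND views: clients on the Municipal Network get private addresses,
# everyone else gets the public ones. With views, every zone must be
# declared inside a view.
view "internal" {
    match-clients { 172.16.120.0/24; localhost; };
    recursion yes;
    zone "gtm.onat.gob.cu" {
        type master;
        file "/etc/bind/zones/gtm.onat.gob.cu.internal";
    };
};
view "external" {
    match-clients { any; };
    recursion no;      # do not act as an open resolver for the internet
    zone "gtm.onat.gob.cu" {
        type master;
        file "/etc/bind/zones/gtm.onat.gob.cu.external";
    };
};

; --- /etc/bind/zones/gtm.onat.gob.cu.internal (records of interest) ---
; SOA/NS records omitted; ';' starts a comment in zone files
ns1      IN  A   172.16.120.2
gtmem    IN  A   172.16.120.4

; --- /etc/bind/zones/gtm.onat.gob.cu.external (records of interest) ---
ns1      IN  A   203.0.113.33
gtmem    IN  A   203.0.113.34
```

Querying gtmem.gtm.onat.gob.cu from a host on 172.16.120.0/24 should return 172.16.120.4, and the same query from outside should return 203.0.113.34 (or whatever real address replaces it); if both return the private address, the client is being matched by the wrong view.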