DMZ / iptables

[sKewlBoy]

I have an Allied Telecyn router (something included in my ISP contract) but this router has to be rebooted each time I change the port mapping options, so I used one great option it has: setting up a DMZ machine.
So now, all ports go to my DMZ, where I have gentoo 1.4 with iptables.

This is my rules script:
iptables --flush
iptables -t nat --flush
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 2000:3000 -j ACCEPT
iptables -A INPUT -s ! 192.168.1.0/24 -p udp --dport 139 -j DROP
iptables -A INPUT -s ! 192.168.1.0/24 -p tcp --tcp-flags SYN,ACK,FIN SYN -j DROP

The problem is how to forward ports to other s machine in the LAN. Like, I've tried "iptables -t nat -A PREROUTING -p tcp --dport X -j DNAT --to-destination OTHER_MACHINE:X" but doesnt work. No packets get there.
And I've inserted it before the last line in my script. Indeed, I have tried as the only rules.

What am I doing wrong ?

[bluesky]

I don't know about your router but the DMZ setting of my linksys only means that every port is open to the internet(forwarded). So if your router has the option to block wan request( similar to NAT) then DMZ won't work work iptables's NAT.
_________________
bluesky

"free as the wind"

[sKewlBoy]

Yes, you're right. I misexplained myself =)
But, the problem still exists.
How do you use you DMZ machine to forward ports to other machines in the lan ?
I've used netcat with "-e" and netcat again sucessfully, like:
nc -l -p X -e forward.sh
and then forward.sh = nc other_machine X

it works for someprotocols, but I believe there's betetr solutions...
how do you do it, bluesky ?

[bluesky]

Well. I am not sure if I explained clearly myself . What I said is:

1. Setting a computer to DMZ only exposes(or forward) all its ports to the internet. The computer is still under the effects of other options of the router.So, if your router is blocking the iptables 's NAT then DMZ won't help.

2. Different router may have different behaviour toward firewalling. For example, I can only say for linksys: if I enable "block wan request", it will definitely block all the iptables's nat functions whether or not my computer is set in DMZ or not.
_________________
bluesky

"free as the wind"

[sKewlBoy]

So, I'll check wan options in my router...
But I want the router to NAT ...
So, if the router blocks iptables's NAT, how can I forward ports ?
I mean, I know my computer (DMZ) receives the packets (with a packet dumper), so there must be a way I can forward the ports to other machine in the network ... ? No ... ? Even if the router NATs the packets the second machine sends out, iptables should be able to resend the incoming packets to another machine .... right ... ?

[bluesky]

This is the way my linksys works:

If I set one of my computers to DMZ then ALL its ports will be forwarded. BUT if another computer in the same LAN uses the forward option of the router to forward port(ex:80) then the later computer has priority on port 80 over the computer in the DMZ zone. It means that the DMZ computer cannot forward port 80 anymore.

Do you have dynamic ip or static ip(s)? and what do you want to do? As I understand, computers within a LAN do not need to forward ports to see each other.

(edited)

>so there must be a way I can forward the ports to other machine in the network ..

I am not sure I understand it. Can the other computers just receive the packets themselves?

Perhaps your setup may be: router-->your DMZ computer-->all other computers. Not a good setup. The other computers should be connected directly to the router.
_________________
bluesky

"free as the wind"

[sKewlBoy]

And they are! Of course I wouldnt connect m,y computers to the DMZ computer, otherwise, I would turn my DMZ into the router.

I have modem - router - LAN (DMZ included)

And this is what I want to do:
I dont want to have to change port mapping options in my router again, because if I do, I need to reboot it (lame software).
So, I setup the DMZ machine to25 forward itself the packets to other computer.
Imagine, in my LAN I have:
the DMZ, the webserver and a mailserver

I want the DMZ to forward incoming packets on 80 to the webserver and 25/110 to the mailserver.
In the DMZ machine I accept ports 2000:3000 to use with DCTC.

So, what do you suggest ?

[bluesky]

>I want the DMZ to forward incoming packets on 80 to the webserver and 25/110 to the mailserver.

I am not sure how can you do that unless you use your DMZ as a second firewall router.
_________________
bluesky

"free as the wind"

[sKewlBoy]

OK, I've given up anyway =)
I'll just take out the router of my LAN and use DMZ machine as router. Easier this way

Thanks anyway.

[bluesky]

Me too. I am going to give up my linksys router soon once I got a free computer to build a firewall box. Very soon. I understand your feeling, but that's the way to go.
_________________
bluesky

"free as the wind"