Dear All,
I have a fw which has wan, dmz, lan1, lan2. I have a server (SRV1) in the dmz for which I would like to pass traffic from/to the internet 1:1, without conntrack or filtering. I tried to make two rules like these:
1) Traffic coming from wan with dst-address=SRV1_IP, then notrack:
chain=prerouting action=notrack in-interface=wan dst-address=SRV1_IP comment="incoming from internet to SRV1"
2) Traffic from SRV1 through wan to the internet:
chain=prerouting action=notrack out-interface=wan src-address=SRV1_IP comment="incoming from SRV1 to internet"
The failure is: outgoing interface matching is not possible in input and prerouting chains. That's too bad!
My problem is, if I use in-interface instead, the rule looks like this:
chain=prerouting action=notrack IN-interface=DMZ src-address=SRV1_IP comment="incoming from SRV1 to internet"
so my problem is that this rule allows traffic in the direction of lan1, lan2 as well, if those rules allow it. While lan1, lan2 addresses are private addresses which do not travel on the internet, the backward connection to SRV1 can be routed back on the firewall itself, because SRV1 is in the local network of the firewall.
However, I can add a filter that discards the local networks like this:
chain=prerouting action=notrack IN-interface=DMZ src-address=SRV1_IP dst-address-list=!MY_NETWORKS comment="incoming from SRV1 to internet"
where the MY_NETWORKS list includes lan1, lan2.
Is there any gotcha in this solution? Or rather is there any better way using the raw filters in this case?
(It is not possible to put SRV1 into the public network on the wan side…)
Thank you very much
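The setup described in the post, written out as a complete RouterOS configuration fragment (an added example, not the poster's own config): the MY_NETWORKS address list, the two raw notrack rules, and the filter accepts that untracked traffic needs. Interface names (wan, dmz), the lan1/lan2 prefixes and the SRV1 address are constructed placeholders.

```routeros
# Constructed example: local networks that must stay under conntrack.
/ip firewall address-list
add list=MY_NETWORKS address=192.168.1.0/24 comment="lan1 (constructed)"
add list=MY_NETWORKS address=192.168.2.0/24 comment="lan2 (constructed)"

# Raw table: bypass conntrack for SRV1 <-> internet only.
# SRV1_IP is the placeholder 203.0.113.10 here.
/ip firewall raw
add chain=prerouting action=notrack in-interface=wan \
    dst-address=203.0.113.10 comment="internet -> SRV1, no conntrack"
# out-interface is not allowed in prerouting, so match in-interface=dmz and
# exclude destinations in the local networks instead.
add chain=prerouting action=notrack in-interface=dmz src-address=203.0.113.10 \
    dst-address-list=!MY_NETWORKS comment="SRV1 -> internet, no conntrack"

# Filter table: untracked packets never become established/related, so
# they need their own accept rules, placed before any drop rule.
/ip firewall filter
add chain=forward action=accept connection-state=untracked \
    in-interface=dmz out-interface=wan src-address=203.0.113.10 \
    comment="allow untracked SRV1 -> internet"
add chain=forward action=accept connection-state=untracked \
    in-interface=wan out-interface=dmz dst-address=203.0.113.10 \
    comment="allow untracked internet -> SRV1"
# Traffic from SRV1 towards lan1/lan2 still hits the normal tracked rules.
```

Without the two connection-state=untracked accepts, a typical "accept established,related / drop the rest" forward chain silently drops the bypassed SRV1 traffic.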