> > You *DO* need to have your DMZ system set up correctly, however. It needs an
> > IP in the 291.268.10.0/24 subnet, and it needs to use the DMZ interface of
> > the firewall (192.168.10.254) as its default gateway.
>
> I assume that you meant 192.168.1.0/24.
Actually, I meant 192.168.10.0/24...I guess we're both typing too fast :-)

> Here is the output from route on the host:
>
> $ /sbin/route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.10.0    *               255.255.255.0   U     0      0        0 eth0
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         192.168.10.254  0.0.0.0         UG    0      0        0 eth0

Looks OK as far as the DMZ system configuration goes...

> But I still can't browse. In fact I really don't seem to be able to get
> past the firewall at all. We know pings don't get out. FTP will work
> between the subnets

This should mean that the DMZ system is configured correctly...any other
problems are likely configuration on the firewall end.

> but I can't resolve names outside the firewall.

This could be caused by many things, including DNS setup on the DMZ system.

> > I don't recall off-hand exactly what you'll need for the autoforward and
> > masquerade rules, and don't have time to dig into it right now...you can use
> > the rules created for the simple service (www/ssh) as an example. Note that
> > you *CAN* use port-ranges in the ipchains masquerade rules, just not when
> > doing port-forwarding. If memory serves, you'll wind up with a port-forward
> > rule for each service (auto-forward for your game-server range), and a
> > reverse-masquerade rule to the internal network for each service or
> > port-range.
> OK. Here is what I thought would work:
>
> $IPCHAINS -A input -s 0/0 -d $EXTERN_IP/32 4242 -p tcp -j ACCEPT
> $IPCHAINS -A input -s 0/0 -d $EXTERN_IP/32 27901 -p tcp -j ACCEPT
> $IPCHAINS -A input -s 0/0 -d $EXTERN_IP/32 27901 -p udp -j ACCEPT
> $IPCHAINS -A input -s 0/0 -d $EXTERN_IP/32 27910:27961 -p udp -j ACCEPT
> $IPCHAINS -A input -s 0/0 -d $EXTERN_IP/32 27950:27952 -p tcp -j ACCEPT
>
> $IPMASQADM portfw -a -P tcp -L $EXTERN_IP 4242 -R 192.168.10.1 4242
> $IPMASQADM portfw -a -P tcp -L $EXTERN_IP 27901 -R 192.168.10.1 27901
> $IPMASQADM portfw -a -P udp -L $EXTERN_IP 27901 -R 192.168.10.1 27901
> $IPMASQADM autofw -A -r udp 27910 27961 -h 192.168.10.1
> $IPMASQADM autofw -A -r tcp 27950 27952 -h 192.168.10.1

Big problem...IPCHAINS isn't defined. Use $IPCH instead.

> But I get:
>
> Starting Network: [IP Always Defrag: ENABLED]
> IP filters: 1: not found
> 1: not found
> 1: not found
> 1: not found
> 1: not found
> firewall [IP Forwarding: ENABLED]
> Loopback interface: lo
> Starting interface: eth1 eth2
> Hostname: markii
> Static NS: 4 hosts
>
> I don't see where this is coming from at all.

Perhaps from the missing IPCHAINS variable? Regardless, DO NOT try modifying
any of the firewall rules until AFTER you've gotten basic DMZ functionality
working. In other words, get your DMZ system surfing the 'net and serving up
a web page, ssh connection, or similar simple service, THEN start playing
with custom rules...otherwise, it's very difficult to remotely diagnose any
problems you're having.

If your DMZ interface is properly configured (use "ip route" and "ip addr" to
check), you basically only need to have proper settings for the following:

DMZ_SWITCH=PROXY
DMZ_IF=???
DMZ_NET=192.168.10.0/24
DMZ_SERVER0=???
DMZ_OUTBOUND_ALL=YES

and your DMZ system should be able to web-browse, and whatever service you
entered for DMZ_SERVER0 should work properly.
NOTE: The ???'s, above, indicate settings you should customize for your
system, not what you should actually enter :-)

NOTE: Since you're port-forwarding services from the public IP of your
firewall, you'll need to open the appropriate port(s) if they are "low" ports
(i.e. <1024).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
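The "IPCHAINS isn't defined" problem above is the classic way a shell-based rule script fails: an unset variable expands to nothing, and the shell tries to execute the rest of the line as a command. As an added example (not from the reply above and not part of the LEAF/LRP scripts), here is a small POSIX sh check that lists every variable a rule script references but never assigns, with the optional config file(s) the script would source counted as sources of assignments. The sample rule script, the 203.0.113.10 address (a documentation range) and the DMZ_HOST variable are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the posting or from LEAF/LRP: a static check
# for shell variables that a firewall rule script references but never
# assigns (the "$IPCHAINS isn't defined" mistake in the thread). The sample
# rule script written by demo() is constructed; 203.0.113.10 is a
# documentation address and DMZ_HOST is an invented variable name.

# undefined_vars RULES [CONFIG...]
# Print, one per line, each $NAME or ${NAME} referenced in RULES that has no
# NAME=... assignment in RULES or in any of the CONFIG files. Positional
# parameters such as $1 never match because a name must start with a letter
# or underscore.
undefined_vars() {
    rules="$1"
    refs=$(grep -o '\$[{]*[A-Za-z_][A-Za-z0-9_]*' "$rules" \
        | tr -d '${' | sort -u)
    # Assignments may live in the rule script itself or in a sourced config.
    defs=$(cat "$@" | grep -o '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' \
        | tr -d ' \t=' | sort -u | tr '\n' ' ')
    for v in $refs; do
        case " $defs " in
            *" $v "*) ;;          # assigned somewhere: fine
            *) echo "$v" ;;       # referenced but never assigned
        esac
    done
}

# demo: write a constructed rule script modelled on the posting, run the
# check over it, and print the offenders. Output is sorted by name.
demo() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
IPCH=/sbin/ipchains
IPMASQADM=/usr/sbin/ipmasqadm
EXTERN_IP=203.0.113.10
$IPCH -A input -s 0/0 -d $EXTERN_IP/32 22 -p tcp -j ACCEPT
$IPCHAINS -A input -s 0/0 -d $EXTERN_IP/32 4242 -p tcp -j ACCEPT
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP 4242 -R ${DMZ_HOST} 4242
EOF
    undefined_vars "$tmp"
    rm -f "$tmp"
}

demo
```

Running the demo lists DMZ_HOST and IPCHAINS; the other variables are assigned at the top of the sample. The runtime equivalent is to start the rule script with `set -u` (or run it with `sh -u`), which makes the shell stop at the first unset variable instead of silently expanding it to an empty string and trying to run the rest of the line as a command.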
