I have pretty much given up on the DMZ setup for now. I am at a point where I believe that something may be wrong with eth2 in the Dach box. I simply can't get name resolution to work from the DMZ to the internet. I tried swapping a Windows laptop in place of the Red Hat machine since on my primary net and had the same problem with it. I then created a new Dach disk and decided to try setting up a second non-DMZ internal network since I had reached the conclusion that my primary net would not play nice with game servers on the DMZ even if I got it working. The secondary internal network seemed to configure OK but still could not resolve names with either the RH or Win machines. I also tried a crossover cable and a hub to no avail.
The plan for now is to use the RH box as a game/ftp server on the primary internal net. I already have port forward and Masq rules that work for the game servers. I will write a script that renames the ipchains.forward file and executes the /etc/init.d/network reload command to turn access on and one to turn it off. That way I can have access when I need it and not leave the network open all the time. Since the forwarding will be to a Linux box and the rest of the network is all Win98 machines I would think there is little security risk if the RH machine was cracked anyway. All file and print sharing is done via NetBEUI between the Win machines and ftp to the Linux box. Aside from allowing myself to admit defeat, does anyone see a flaw in the plan I am missing? I will try again with the DMZ or second internal net one of these days after I upgrade the NICs in the firewall, since the whole purpose of the exercise was to learn more about Linux networking.

Kory

Charles Steinkuehler wrote:
>
> > > You *DO* need to have your DMZ system set up correctly, however. It
> > > needs an IP in the 291.268.10.0/24 subnet, and it needs to use the DMZ
> > > interface of the firewall (192.168.10.254) as its default gateway.
> >
> > I assume that you meant 192.168.1.0/24.
>
> Actually, I meant 192.168.10.0/24...I guess we're both typing too fast :-)
>
> > Here is the output from route on the host:
> >
> > $ /sbin/route
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 192.168.10.0    *               255.255.255.0   U     0      0        0 eth0
> > 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> > default         192.168.10.254  0.0.0.0         UG    0      0        0 eth0
>
> Looks OK as for the DMZ system configuration...
>
> > But I still can't browse. In fact I really don't seem to be able to get
> > past the firewall at all. We know pings don't get out. FTP will work
> > between the subnets
>
> This should mean that the DMZ system is configured correctly...any other
> problems are likely configuration on the firewall end.
>
> > but I can't resolve names outside the firewall.
>
> This could be caused by many things, including DNS setup on the DMZ system.
>
> > > I don't recall off-hand exactly what you'll need for the autoforward and
> > > masquerade rules, and don't have time to dig into it right now...you can
> > > use the rules created for the simple service (www/ssh) as an example. Note
> > > that you *CAN* use port-ranges in the ipchains masquerade rules, just not
> > > when doing port-forwarding. If memory serves, you'll wind up with a
> > > port-forward rule for each service (auto-forward for your game-server
> > > range), and a reverse-masquerade rule to the internal network for each
> > > service or port-range.
> >
> > OK. Here is what I thought would work:
> >
> > $IPCHAINS -A input -s 0/0 -d $EXTERN_IP/32 4242 -p tcp -j ACCEPT
> > $IPCHAINS -A input -s 0/0 -d $EXTERN_IP/32 27901 -p tcp -j ACCEPT
> > $IPCHAINS -A input -s 0/0 -d $EXTERN_IP/32 27901 -p udp -j ACCEPT
> > $IPCHAINS -A input -s 0/0 -d $EXTERN_IP/32 27910:27961 -p udp -j ACCEPT
> > $IPCHAINS -A input -s 0/0 -d $EXTERN_IP/32 27950:27952 -p tcp -j ACCEPT
> >
> > $IPMASQADM portfw -a -P tcp -L $EXTERN_IP 4242 -R 192.168.10.1 4242
> > $IPMASQADM portfw -a -P tcp -L $EXTERN_IP 27901 -R 192.168.10.1 27901
> > $IPMASQADM portfw -a -P udp -L $EXTERN_IP 27901 -R 192.168.10.1 27901
> > $IPMASQADM autofw -A -r udp 27910 27961 -h 192.168.10.1
> > $IPMASQADM autofw -A -r tcp 27950 27952 -h 192.168.10.1
>
> Big problem...IPCHAINS isn't defined. Use $IPCH instead.
>
> > But I get:
> >
> > Starting Network: [IP Always Defrag: ENABLED]
> > IP filters: 1: not found
> > 1: not found
> > 1: not found
> > 1: not found
> > 1: not found
> > firewall [IP Forwarding: ENABLED]
> > Loopback interface: lo
> > Starting interface: eth1 eth2
> > Hostname: markii
> > Static NS: 4 hosts
> >
> > I don't see where this is coming from at all.
>
> Perhaps from the missing IPCHAINS variable? Regardless, DO NOT try
> modifying any of the firewall rules until AFTER you've gotten basic DMZ
> functionality working. In other words, get your DMZ system surfing the 'net
> and serving up a web page, ssh connection, or similar simple service, THEN
> start playing with custom rules...otherwise, it's very difficult to remotely
> diagnose any problems you're having.
>
> If your DMZ interface is properly configured (use "ip route" and "ip addr"
> to check), you basically only need to have proper settings for the
> following:
>
> DMZ_SWITCH=PROXY
> DMZ_IF=???
> DMZ_NET=192.168.10.0/24
> DMZ_SERVER0=???
> DMZ_OUTBOUND_ALL=YES
>
> and your DMZ system should be able to web-browse, and whatever service you
> entered for DMZ_SERVER0 should work properly.
>
> NOTE: The ???'s, above, indicate settings you should customize for your
> system, not what you should actually enter :-)
>
> NOTE: Since you're port-forwarding services from the public IP of your
> firewall, you'll need to open the appropriate port(s) if they are "low"
> ports (i.e. <1024).
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
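The on/off toggle the plan above describes, as an added shell example that is not part of the original post or of LEAF: it parks or restores the ipchains.forward file and then reruns the network reload, refusing to reload when there is nothing to move so the firewall is never reloaded on a false assumption. The rules directory (assumed default /etc/ipchains) and the reload command are read from RULES_DIR and RELOAD_CMD at call time, so the script can be exercised against a scratch directory without touching a live box.

```shell
#!/bin/sh
# Added example, not from the original post: switch the game-server
# port-forward rules on or off by parking/restoring the ipchains.forward
# file and reloading the network scripts, as the plan above describes.
# RULES_DIR (assumed default /etc/ipchains) and RELOAD_CMD are read at
# call time so a test can point them at a scratch directory and a no-op.

active_path() { echo "${RULES_DIR:-/etc/ipchains}/ipchains.forward"; }
parked_path() { echo "$(active_path).off"; }

# Prints "on" if the forward rules are live, "off" if parked, "missing"
# if neither file exists (nothing to toggle).
game_access_state() {
    if [ -f "$(active_path)" ]; then echo on
    elif [ -f "$(parked_path)" ]; then echo off
    else echo missing
    fi
}

# game_access on|off: move the rules file into or out of place, then reload.
# Idempotent: requesting the current state does nothing and does not reload.
game_access() {
    state=$(game_access_state)
    case "$1" in
        on)
            [ "$state" = on ] && return 0
            [ "$state" = off ] || { echo "no parked rules file to enable" >&2; return 1; }
            mv "$(parked_path)" "$(active_path)" ;;
        off)
            [ "$state" = off ] && return 0
            [ "$state" = on ] || { echo "no active rules file to disable" >&2; return 1; }
            mv "$(active_path)" "$(parked_path)" ;;
        *)
            echo "usage: game_access on|off" >&2
            return 2 ;;
    esac
    # The rename alone changes nothing in the kernel; the reload applies it.
    # If the reload fails, say so instead of silently assuming the rules
    # changed (the file is already moved, so the next run can retry).
    ${RELOAD_CMD:-/etc/init.d/network reload} || {
        echo "reload failed; check firewall state before relying on it" >&2
        return 1
    }
}
```

Run `game_access on` before a gaming session and `game_access off` afterwards; `game_access_state` shows which side the rules are currently on.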
