> I just got a dsl line installed, and am using the dachstein-cd leaf
> release. I've got my router setup with 3 ethernet cards. All my internal
> machines (192.168.1.x) can connect to the internet fine, and
> port forwarding on the router's external interface to ports on internal
> machines work fine, too.
>
> However, I'd like to be able to connect to multiple internal boxes on the
> same ports. My ISP gave me a "routed subnet" - they set things up so a
> range of ip addresses will route to my router's external ip address. I
> figured, I'd setup DMZ to handle forwarding these addresses to my internal
> lan machines.
>
> I added another ip address to one of my internal boxes (originally it was
> 192.168.1.3 - I did the following two commands: )
>
> "ifconfig eth0:1 192.168.2.1"
> "route add -host 192.168.2.1 dev eth0:1"
>
> And then altered the router's network.conf like so:
>
> IF_AUTO="eth0 eth1 eth2"
>
> eth2_IPADDR=192.168.2.254
> eth2_MASKLEN=24
> eth2_BROADCAST=+
> eth2_ROUTES=192.168.2.1/10
> eth2_IP_SPOOF=YES
> eth2_IP_KRNL_LOGMARTIANS=NO
> eth2_IP_SHARED_MEDIA=NO
> eth2_BRIDGE=NO
> eth2_PROXY_ARP=NO
> eth2_FAIRQ=NO
>
> DMZ_SWITCH=YES
> DMZ_IF="eth2"
> DMZ_NET=192.168.2.1/10
> DMZ_SRC=216.158.54.224/229
> DMZ_HIGH_TCP_CONNECT=NO
> DMZ_OPEN_DEST=" tcp_${DMZ_NET}_80
> tcp_${DMZ_NET}_22
> tcp_${DMZ_NET}_110
> tcp_${DMZ_NET}_25"
> DMZ_SERVER0="tcp 216.158.54.224 ssh 192.168.2.1 ssh"
>
> I ran "/etc/init.d/network stop", followed by start, to bring up the new
> interface.
>
> This allows me to ping 192.168.2.1 (internal computer) from the router,
> and ping 192.168.2.254 (router) from the internal computer, but I cannot
> ping 216.158.54.224 from outside the lan.
>
> All connections are going through the same hub, if that makes any sort of
> difference.
>
> Can anyone point out where I am going wrong?
Several things. First of all, the DMZ scripts are designed to create a DMZ network...a third network for server (and other publicly visible) systems that is completely separate from both your external interface and the internal network. Trying to overlap the DMZ network on the same network segment as your internal network will simply create confusion, and probably won't work without modifying the default scripts.

Another major error is the DMZ configuration. You have a routed DMZ, which means the DMZ IP's should be public (in the 216.158.54.224/229 range, if I'm understanding your config file, although I hope that 229 is actually "29" with a typo, otherwise I'm really confused), rather than the private IP's you've assigned. With nothing in place to translate your public IP's to the private IP's used internally, you won't have any external connectivity. If you want to keep the private IP's internally, you'll at least need to setup static NAT entries for each public IP (or range of IP's).

I strongly suggest you post details on exactly what you're trying to accomplish. In general, providing internal systems with public IP's, and making them visible from the internet is a high security risk. There may be a way to provide the functionality you're after in a more secure way, that would also fit better with the default firewall rules. The setup I think you're trying to achieve is possible, but you'll have to re-work a lot of network and firewall configuration manually.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
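As an added example, not part of the thread or of the LEAF scripts: a small Python check that applies the points made in this reply to the network.conf fragment quoted in the question. It flags a private (RFC 1918) DMZ_NET on a routed DMZ, the malformed 216.158.54.224/229 prefix, a DMZ_NET that names a host rather than a network, and a DMZ_NET prefix that disagrees with the DMZ interface's MASKLEN. The config lines are copied from the question; the parsing and the checks are my own and assume the KEY=VALUE layout shown there, not any LEAF tooling.

```python
import ipaddress
import re

# Constructed input: the DMZ-related lines of the network.conf quoted in the question.
NETWORK_CONF = """
eth2_MASKLEN=24
DMZ_SWITCH=YES
DMZ_IF="eth2"
DMZ_NET=192.168.2.1/10
DMZ_SRC=216.158.54.224/229
DMZ_SERVER0="tcp 216.158.54.224 ssh 192.168.2.1 ssh"
"""

def parse_conf(text):
    """Parse shell-style KEY=VALUE lines into a dict, dropping surrounding quotes."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z_]\w*)=(.*)$', line)
        if m:
            conf[m.group(1)] = m.group(2).strip().strip('"')
    return conf

def check_routed_dmz(conf):
    """Return findings reflecting the points raised in the reply above."""
    findings, ifaces = [], {}
    for key in ("DMZ_NET", "DMZ_SRC"):
        try:
            ifaces[key] = ipaddress.ip_interface(conf[key])
        except (KeyError, ValueError):
            findings.append(f"{key}={conf.get(key)}: not a valid address/prefix")
    dmz = ifaces.get("DMZ_NET")
    if dmz is None:
        return findings
    if dmz.ip != dmz.network.network_address:
        findings.append(f"DMZ_NET={dmz}: host bits set, not a network address")
    if dmz.ip.is_private:
        findings.append("DMZ_NET is RFC 1918 space: a routed DMZ needs public "
                        "addresses, or a static NAT entry for each public IP")
    masklen = conf.get(conf.get("DMZ_IF", "") + "_MASKLEN")
    if masklen and int(masklen) != dmz.network.prefixlen:
        findings.append(f"DMZ_NET is /{dmz.network.prefixlen} but {conf['DMZ_IF']}_MASKLEN={masklen}")
    # Each DMZ_SERVERn forwards to an inside host, which must live in DMZ_NET.
    for key, value in conf.items():
        if key.startswith("DMZ_SERVER") and len(fields := value.split()) == 5:
            if ipaddress.ip_address(fields[3]) not in dmz.network:
                findings.append(f"{key}: {fields[3]} is outside DMZ_NET")
    return findings

if __name__ == "__main__":
    print(*check_routed_dmz(parse_conf(NETWORK_CONF)), sep="\n")
```

Running it against the quoted fragment produces four findings; a public /29 DMZ_NET whose prefix matches the interface MASKLEN and whose DMZ_SERVER targets fall inside it produces none.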