If I follow this correctly, your "new" Webserver is on the DMZ (eth2), at local address 192.168.1.1. It is supposed to respond to traffic at the public IP address, 62.49.239.88 (DNAT'd on the LEAF router's eth0). The general setup works for the outgoing traffic you have tested it on. You have two problems:
1. Internet users cannot connect to the Webserver.
2. Some SMTP mail does not work. Due to the way you've phrased this second problem --
What we cannot do is get external users (with addresses outside 62.49.239.80/28) to browse our new webserver, nor receive SMTP mail from our ISP.
-- I cannot tell if the SMTP problem is with outgoing or incoming mail. So the first thing you need to do is to clarify the description of the symptom, including your e-mail setup (does "from our ISP" mean that you use the ISP's Smarthost for outgoing mail? or are you trying to get incoming mail through their server, perhaps using POP3 or IMAP? or something else? I *really* don't know what you are describing here).
I'm leaving out a bunch of possibilities that I believe are ruled out by the assumption that your old Webserver worked properly. If there was anything special about the arrangements for running it that you did not think to mention, it might invalidate that assumption.
I also need to warn you that I do not myself use Shorewall. The following observations derive from my understanding of the underlying iptables, but I may be missing something, or getting something wrong, because I do not know everything that Shorewall does. In any case, these comments would benefit from review and commentary from Tom, or someone else who is a Shorewall expert.
So, with that background ...
1. You specify the address of the new Webserver as 62.49.239.88. But the external (eth0) address of the LEAF router is 62.49.239.93, and the router has neither an interface with address 62.49.239.88 nor a route to 62.49.239.88. And from here, I can ping 62.49.239.93 but not 62.49.239.88, which implies (but does not prove, depending on how your firewall rulesets handle ping) that there is no proxy-arp entry for that address. In iptables itself (this is the "I don't know Shorewall" part), DNAT does not create a pseudo-interface or a proxy-arp entry for the DNAT'd address; it just handles the address rewriting. So you need either to use 62.49.239.93 as the Webserver's address, or tell the router that 62.49.239.88 is an eth0 address, or (in this context, I am unsure if this one will work) tell the router to proxy-arp 62.49.239.88 on eth0.
2. I don't see anywhere a rule to ACCEPT port-80 and port-443 traffic from net to dmz.
3. You speak of what you have done as including "Allow LAN workstations full access to a few specific public IP addresses". I can't tell from this if you mean you allow general access to the Internet but just tested a few addresses, or if you have rules in place that block LAN users from accessing all but a small number of IP addresses on the Internet. If the second, this is a sufficiently non-standard arrangement that it might have the side effect of blocking access from Internet clients to your Webserver; whether it does or not depends on the details of how you implemented it, and I can't extract them from the subset of information you provided.
Of these three, #1 is surely your Webserver problem. Whether #2 and #3 will matter after #1 is fixed is unclear to me.
I've left your original message intact below, to make sure that anyone else who is able to clarify or correct my remarks has convenient access to the original query.
At 02:21 PM 6/16/2003 +0100, Chris Hall wrote:
As newbies to linux and routers we have been trying to set up a Shorewall server that can replace the old router and proxy server in the diagram. We also want to move websites from the old webserver to the new webserver. We currently have our new webserver 192.168.1.1 running the website 62.49.239.88 which was originally on the old webserver.
                              ISP
                               /
                              /
                       ---------------
                       |  ISDN Router |
                       ---------------
                        62.49.239.81
                               |                        62.49.239.80/28
   +---------------------------+----------------------------+
   |                           |                            |
   | eth0                      | 62.49.239.87,              |
   | 62.49.239.93              | 62.49.239.90,              | 62.49.239.83
   |                           | 62.49.239.92               |
----------------        -----------------        ----------------
|   Shorewall   |       |  Old Webserver |       |   Old Router  |
|    Router     |       |                |       |               |
----------------        -----------------        ----------------
eth2 |      | eth1                                       | 192.168.102.2
192.168.1.254  192.168.102.1                             |
     |      |                                            |
 DMZ |      |         Internal LAN 192.168.102.0/24      |
192.168.1.0/24      +------------+------------+----------+------+
     |      |       |            |            |                 |
192.168.1.1 |       |            |            |                 |
-----------------  ------------------ ---------------- ----------------- ----------------
| New Webserver |  | Database servers | | Workstations | | Proxy Server  | | Mail Server  |
-----------------  ------------------ ---------------- | Old router    | | Old router   |
                                                        | NATs to       | | NATs to      |
                                                        | 62.49.239.85  | | 62.49.239.84 |
                                                        ----------------- ----------------
Already we can:
- Allow LAN workstations tcp, ftp access to external websites etc.
- Allow LAN workstations to maintain webservers on the DMZ.
- Allow LAN workstations full access to a few specific public IP addresses.
- Send SMTP mail to external IP addresses.
What we cannot do is get external users (with addresses outside 62.49.239.80/28) to browse our new webserver, nor receive SMTP mail from our ISP. We must be doing something simple incorrectly with eth0. Can anyone see what we've got wrong?
This is our configuration:
etc/network/interfaces:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 62.49.239.93
    masklen 28
    gateway 62.49.239.81

auto eth1
iface eth1 inet static
    address 192.168.102.1
    masklen 24
    broadcast 192.168.102.255

auto eth2
iface eth2 inet static
    address 192.168.1.254
    masklen 24
    broadcast 192.168.1.255
etc/shorewall/zones:

net     Net     Internet
loc     Local   Local Networks
dmz     DMZ     Demilitarised Zone

etc/shorewall/interfaces:

net     eth0    detect  routefilter,norfc1918
loc     eth1    detect
dmz     eth2    detect

etc/shorewall/policy:

net     all     DROP    ULOG
all     all     REJECT  ULOG

etc/shorewall/masq:

eth2    eth0
eth2    eth1
eth1    eth2
eth0    eth1
eth0    eth2
etc/shorewall/rules:

#Standard stuff
ACCEPT  fw      net     tcp     53
ACCEPT  fw      net     udp     53
ACCEPT  loc     fw      tcp     22
ACCEPT  dmz     net     tcp     53
ACCEPT  dmz     net     udp     53

#(ping ACCEPT rules omitted for brevity)

#Standard stuff
ACCEPT  loc     fw      udp     53
ACCEPT  loc     fw      tcp     80
ACCEPT  dmz     fw      udp     53
ACCEPT  dmz     fw      tcp     80

#New webserver
DNAT    net     dmz:192.168.1.1     tcp     80      -       62.49.239.88
DNAT    net     dmz:192.168.1.1     tcp     443     -       62.49.239.88
DNAT    net     dmz:192.168.1.1     udp     80      -       62.49.239.88
DNAT    loc     dmz:192.168.1.1     tcp     80      -       62.49.239.88
DNAT    loc     dmz:192.168.1.1     tcp     443     -       62.49.239.88
DNAT    loc     dmz:192.168.1.1     udp     80      -       62.49.239.88

#(SQL between dmz and loc ACCEPT rules omitted for brevity)

#Local users access net and do maintenance on DMZ
ACCEPT  loc     net     tcp     80      -
ACCEPT  loc     net     tcp     443     -
ACCEPT  loc     net     udp     53      -
ACCEPT  loc     dmz     all     -       -

#SMTP in and out
DNAT    net     loc:192.168.102.6   tcp     smtp    -       62.49.239.80/28
ACCEPT  loc     net     tcp     smtp    -

#(Specific public IP access ACCEPT rules omitted for brevity)
We're using: Linux Firewall 2.4.20, Bering version 1.2, Shorewall Version 1.4.2.

Other mandatory info:

::Interfaces::
1: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:c0:df:a0:50:69 brd ff:ff:ff:ff:ff:ff
    inet 62.49.239.93/28 scope global eth0
4: eth1: mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:c0:df:ed:a7:83 brd ff:ff:ff:ff:ff:ff
    inet 192.168.102.1/24 brd 192.168.102.255 scope global eth1
5: eth2: mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:c0:df:ee:49:49 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth2

::Routes::
62.49.239.80/28 dev eth0 proto kernel scope link src 62.49.239.93
192.168.102.0/24 dev eth1 proto kernel scope link src 192.168.102.1
192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.254
default via 62.49.239.81 dev eth0

Modules:
ip_nat_irc          2176   0 (unused)
ip_nat_ftp          2784   0 (unused)
ip_conntrack_irc    2880   1
ip_conntrack_ftp    3648   1
ne2k-pci            4684   3
8390                5820   0 [ne2k-pci]
Any help would be greatly appreciated.
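As an added illustration of point #1 in the reply above (example code added here, not from the thread, from Shorewall or from the LEAF project): a small Python audit that takes the posted `ip addr` output and DNAT rules as constructed sample text and lists every DNAT ORIGINAL DEST that no address on the router actually covers, since DNAT alone never makes the box answer for such an address.

```python
"""Audit DNAT ORIGINAL DEST values against the addresses the router holds.

Added example. iptables DNAT only rewrites the destination; it does not make
the kernel answer ARP for the public address, so a DNAT target the router
neither owns nor proxy-ARPs never receives packets from the upstream router."""
import ipaddress

# Constructed: 'inet' lines from the `ip addr` output posted in the thread.
IP_ADDR_OUTPUT = """\
3: eth0: mtu 1500 qdisc pfifo_fast qlen 100
    inet 62.49.239.93/28 scope global eth0
5: eth2: mtu 1500 qdisc pfifo_fast qlen 100
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth2
"""

# Constructed: DNAT rules as posted (ORIGINAL DEST is the 7th column).
RULES = """\
DNAT net dmz:192.168.1.1 tcp 80 - 62.49.239.88
DNAT net dmz:192.168.1.1 tcp 443 - 62.49.239.88
DNAT loc dmz:192.168.1.1 tcp 80 - 62.49.239.88
DNAT net loc:192.168.102.6 tcp smtp - 62.49.239.80/28
"""

def router_addresses(ip_addr_text):
    """IPv4 addresses the router holds, taken from the 'inet' lines."""
    held = set()
    for line in ip_addr_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "inet":
            held.add(ipaddress.ip_interface(parts[1]).ip)
    return held

def net_dnat_targets(rules_text):
    """ORIGINAL DEST of every DNAT rule whose SOURCE zone is net, in order."""
    return [line.split()[6] for line in rules_text.splitlines()
            if line.startswith("DNAT net ") and len(line.split()) >= 7]

def unclaimed_dnat_targets(ip_addr_text, rules_text):
    """Distinct DNAT targets (host or network) containing no held address."""
    held = router_addresses(ip_addr_text)
    unclaimed = []
    for dest in dict.fromkeys(net_dnat_targets(rules_text)):  # dedupe, keep order
        target = ipaddress.ip_network(dest, strict=False)
        if not any(addr in target for addr in held):
            unclaimed.append(dest)
    return unclaimed

if __name__ == "__main__":
    for dest in unclaimed_dnat_targets(IP_ADDR_OUTPUT, RULES):
        print(f"{dest}: not held by any interface; the DNAT rule is never reached")
```

On the posted configuration this reports 62.49.239.88 only: the SMTP rule's 62.49.239.80/28 contains the router's own 62.49.239.93, so at least that address within it is reachable.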
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html