Kory Krofft wrote:

I am trying to set up a small web server on a DMZ and I am having trouble with connecting to the DMZ computer from my internal network.
My setup is as follows:


Bering 1.2 firewall

Shorewall configured per the 3-interfaces example.

DMZ uses a stripped version of Bering 1.2. It will eventually run qmail and weblet open to the internet. My goal is to be able to host my own domain using ezipupdate with local access to pop mail and simple web pages. I may also host some ebay photos.
I plan to boot the DMZ from a CD with only data files stored on the attached IDE drive.


The firewall is working well as configured for the loc zone (eth1)

ip addr show results
# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
   link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
   link/ether 00:a0:c9:9c:a7:a7 brd ff:ff:ff:ff:ff:ff
   inet 24.210.193.xxx/21 brd 255.255.255.255 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
   link/ether 00:a0:c9:86:30:05 brd ff:ff:ff:ff:ff:ff
   inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
   link/ether 00:60:97:df:a7:7e brd ff:ff:ff:ff:ff:ff
   inet 192.168.10.254/24 brd 192.168.10.255 scope global eth2

ip route show results
# ip route show
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
192.168.10.0/24 dev eth2 proto kernel scope link src 192.168.10.254
24.210.192.0/21 dev eth0 proto kernel scope link src 24.210.193.xxx
default via 24.210.192.1 dev eth0


Shorewall stuff

Interfaces:
net     eth0            detect          dhcp,routefilter,norfc1918
loc     eth1            detect
dmz     eth2            detect



I could not get DNAT to work with routefilter. Shorewall says routefilter turns on kernel route filtering for this interface (anti-spoofing measure). Try it without routefilter and see if your DNAT commands start working.

Policy
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
net all DROP ULOG
all all REJECT ULOG


Rules
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
#
# Accept DNS connections from the firewall to the network
#
DROP net fw tcp 67,68
DROP net fw tcp 4662
DROP net fw udp 4662
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
ACCEPT dmz net tcp 53
ACCEPT dmz net udp 53
#
# Accept SSH connections from the local network for administration
#
ACCEPT loc fw tcp 22
#
# Allow Ping To And From Firewall
#
ACCEPT loc fw icmp 8
ACCEPT net fw icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw net icmp 8
ACCEPT dmz fw icmp 8
ACCEPT loc dmz icmp 8
ACCEPT dmz loc icmp 8
ACCEPT dmz net icmp 8
ACCEPT fw dmz icmp 8
#
# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80
#
#Enable Samba ports
ACCEPT loc fw udp 137,138
ACCEPT loc fw tcp 139
#
#Open http and mail ports on dmz
DNAT net dmz:192.168.10.1 tcp 80
DNAT net dmz:192.168.10.1 tcp 25
DNAT net dmz:192.168.10.1 udp 25


I can ping eth2 on the firewall from the DMZ
I can ping loc machines from the firewall
I can ping the DMZ from the firewall

I cannot ping from loc (Win2K) to the DMZ
Pinging 192.168.10.1 with 32 bytes of data:



Does the Win machine know the route to the DMZ? Does it have 192.168.1.254 as the gateway to 192.168.10.1?

Request timed out.
Request timed out.

I can ping loc machines from the DMZ
after I issued ip route add 192.168.1.0 via 192.168.10.254 on the DMZ

I cannot browse the weblet on the dmz using the internal IP 192.168.10.1.

If I point a browser at the external IP address I get the firewall weblet not the DMZ.

I know I am missing something simple but I can't figure out what.

Any suggestions are appreciated.

Kory Krofft
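As an added illustration (not part of either poster's message), a small Python model of how Shorewall consults the quoted rules in order and then falls back to the policy file. Run against the loc/dmz/fw/net entries copied from the post, it shows why loc can ping the DMZ host yet not reach its weblet, and why the external IP answers with the firewall's own weblet. It is a deliberately simplified model that ignores connection state, routefilter and routing.

```python
# Added example (not from the thread): a small model of how Shorewall walks the
# quoted rules in order and then falls back to the policy file. It ignores
# connection state, routefilter and routing; entries are copied from the message.
RULES = """
ACCEPT loc dmz icmp 8
ACCEPT dmz loc icmp 8
ACCEPT loc fw tcp 80
DNAT net dmz:192.168.10.1 tcp 80
"""
POLICY = """
loc net ACCEPT
net all DROP
all all REJECT
"""

def parse_rules(text):
    """Parse 'ACTION SOURCE DEST PROTO PORT(S)'; DEST may carry a :addr suffix."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        action, src, dst, proto = fields[:4]
        ports = set(fields[4].split(",")) if len(fields) > 4 else None
        rules.append((action, src, dst.split(":")[0], proto, ports))
    return rules

def parse_policy(text):
    return [tuple(l.split()[:3]) for l in text.splitlines() if l.split()]

def verdict(src, dst, proto, port):
    """First matching rule wins; otherwise the first matching policy applies."""
    for action, rsrc, rdst, rproto, ports in parse_rules(RULES):
        if (rsrc in (src, "all") and rdst in (dst, "all") and rproto == proto
                and (ports is None or str(port) in ports)):
            return action
    for psrc, pdst, paction in parse_policy(POLICY):
        if psrc in (src, "all") and pdst in (dst, "all"):
            return paction
    return None  # neither a rule nor a policy entry matched

if __name__ == "__main__":
    # loc may ping the DMZ host, but nothing allows tcp/80 to it, so browsing the
    # weblet at 192.168.10.1 falls through to the 'all all REJECT' policy.
    print("loc->dmz icmp 8:", verdict("loc", "dmz", "icmp", 8))
    print("loc->dmz tcp 80:", verdict("loc", "dmz", "tcp", 80))
    # From loc, the firewall's external IP is loc->fw, not net->dmz: the DNAT
    # rule never fires and 'ACCEPT loc fw tcp 80' serves the firewall's weblet.
    print("loc->fw tcp 80:", verdict("loc", "fw", "tcp", 80))
```

Adding an `ACCEPT loc dmz tcp 80` rule (and a matching route on the DMZ host) is what the model says is missing for browsing from loc; the DNAT entries only rewrite traffic arriving from the net zone.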







-------------------------------------------------------
This SF.Net email sponsored by: ApacheCon 2003, 16-19 November in Las Vegas. Learn firsthand the latest developments in Apache, PHP, Perl, XML, Java, MySQL, WebDAV, and more! http://www.apachecon.com/
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
