Kory Krofft wrote:
I am trying to set up a small web server on a DMZ and I am having
trouble with connecting to the DMZ computer from my internal network.
My setup is as follows:
Bering 1.2 firewall
Shorewall configured per 3 interfaces examples.
DMZ uses a stripped version of Bering 1.2. It will eventually run
qmail and weblet open to the internet. My goal is to be able to host
my own domain using ezipupdate with local access to pop mail and
simple web pages. I may also host some ebay photos.
I plan to boot the DMZ from a CD with only data files stored on the
attached IDE drive.
The firewall is working well as configured for the loc zone (eth1)
ip addr show results
# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:a0:c9:9c:a7:a7 brd ff:ff:ff:ff:ff:ff
inet 24.210.193.xxx/21 brd 255.255.255.255 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:a0:c9:86:30:05 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:60:97:df:a7:7e brd ff:ff:ff:ff:ff:ff
inet 192.168.10.254/24 brd 192.168.10.255 scope global eth2
ip route show results
# ip route show
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
192.168.10.0/24 dev eth2 proto kernel scope link src 192.168.10.254
24.210.192.0/21 dev eth0 proto kernel scope link src 24.210.193.xxx
default via 24.210.192.1 dev eth0
Shorewall stuff
Interfaces:
net eth0 detect dhcp,routefilter,norfc1918
loc eth1 detect
dmz eth2 detect
I could not get DNAT to work with routefilter. Shorewall says
routefilter turns on kernel route filtering for this interface
(anti-spoofing measure). Try it without routefilter and see if your DNAT
commands start working.
Policy
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
net all DROP ULOG
all all REJECT ULOG
Rules
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
#
# Accept DNS connections from the firewall to the network
#
DROP net fw tcp 67,68
DROP net fw tcp 4662
DROP net fw udp 4662
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
ACCEPT dmz net tcp 53
ACCEPT dmz net udp 53
#
# Accept SSH connections from the local network for administration
#
ACCEPT loc fw tcp 22
#
# Allow Ping To And From Firewall
#
ACCEPT loc fw icmp 8
ACCEPT net fw icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw net icmp 8
ACCEPT dmz fw icmp 8
ACCEPT loc dmz icmp 8
ACCEPT dmz loc icmp 8
ACCEPT dmz net icmp 8
ACCEPT fw dmz icmp 8
#
# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80
#
#Enable Samba ports
ACCEPT loc fw udp 137,138
ACCEPT loc fw tcp 139
#
#Open http and mail ports on dmz
DNAT net dmz:192.168.10.1 tcp 80
DNAT net dmz:192.168.10.1 tcp 25
DNAT net dmz:192.168.10.1 udp 25
I can ping eth2 on the firewall from the DMZ
I can ping loc machines from the firewall
I can ping the DMZ from the firewall
I cannot ping from loc (Win2K) to the DMZ
Pinging 192.168.10.1 with 32 bytes of data:
Does the Win machine know the route to the DMZ? Does it have
192.168.1.254 as the gateway to 192.168.10.1 ?
Request timed out.
Request timed out.
I can ping loc machines from the DMZ
after I issued ip route add 192.168.1.0 via 192.168.10.254 on the DMZ
I cannot browse the weblet on the dmz using the internal IP
192.168.10.1.
If I point a browser at the external IP address I get the firewall
weblet not the DMZ.
I know I am missing something simple but I can't figure out what.
Any suggestions are appreciated.
Kory Krofft
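The two browsing symptoms follow from the posted policy and rules: no rule permits loc to dmz on tcp/80, so the "all all REJECT" policy applies, and a loc client that targets the external address is a loc to fw connection that "ACCEPT loc fw tcp 80" hands to the firewall's own weblet. The script below is an added example (not from the post or the Shorewall project) that replays an excerpt of the posted configuration through a simplified first-match model; RULES_FIXED adds a hypothetical rule the post does not contain.

```python
"""Simplified first-match evaluator for a Shorewall 1.x policy + rules
excerpt. Models zone, protocol and dest port only, not real chain layout."""

# Constructed sample input: an excerpt of the post's policy and rules.
POLICY = """
loc  net  ACCEPT
net  all  DROP    ULOG
all  all  REJECT  ULOG
"""
RULES = """
DROP    net   fw                tcp   67,68
ACCEPT  fw    net               udp   53
ACCEPT  loc   fw                tcp   22
ACCEPT  loc   dmz               icmp  8
ACCEPT  dmz   loc               icmp  8
ACCEPT  loc   fw                tcp   80
DNAT    net   dmz:192.168.10.1  tcp   80
DNAT    net   dmz:192.168.10.1  tcp   25
"""
# Hypothetical addition (not in the post): permit loc to browse the DMZ weblet.
RULES_FIXED = RULES + "ACCEPT  loc   dmz               tcp   80\n"

def _lines(text):
    return [ln.split() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")]

def _zone(field):
    return field.split(":", 1)[0]  # "dmz:192.168.10.1" -> "dmz"

def evaluate(src, dst, proto, port, rules=RULES, policy=POLICY):
    """Return (verdict, matched entry) for a flow from zone src to zone dst.
    Rules are tried first, in order; if none matches, the first policy
    whose SOURCE and DEST (or 'all') match decides."""
    for cols in _lines(rules):
        action, rsrc, rdst, rproto = cols[:4]
        ports = cols[4].split(",") if len(cols) > 4 and cols[4] != "-" else []
        if (_zone(rsrc) in (src, "all") and _zone(rdst) in (dst, "all")
                and rproto.lower() == proto.lower()
                and (not ports or str(port) in ports)):
            return action, " ".join(cols)
    for psrc, pdst, paction, *_ in _lines(policy):
        if psrc in (src, "all") and pdst in (dst, "all"):
            return paction, f"policy {psrc} {pdst} {paction}"
    return "REJECT", "no policy matched"

if __name__ == "__main__":
    for flow in [("loc", "dmz", "tcp", 80), ("loc", "fw", "tcp", 80),
                 ("net", "dmz", "tcp", 80), ("loc", "dmz", "icmp", 8)]:
        print(flow, "->", evaluate(*flow), "| fixed:",
              evaluate(*flow, rules=RULES_FIXED))
```

For the external-address case, Shorewall's usual answer is a second DNAT rule with loc as SOURCE and the external address in the ORIGINAL DEST column, which this toy model does not evaluate.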
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html