Hello everyone,

After a few days trying to get this to work, I'm out of possibilities. I read all the documentation I could find. I read many posts about this subject. And I tried some things I found on the net.

The one thing I try to do is set up my router with 3 network interfaces to give me a working DMZ. My network is working wonderfully. But I can't get my DMZ to do what I want. I want to set up a webserver, but I want to be able to do the maintenance on my server from my local network (the server is a machine without keyboard and monitor).

The problem: I can't ping to my server. I think my firewall is blocking the reply packets.

Loc: 192.168.1.0/24
DMZ: 192.168.3.0/24
VPN: 192.168.2.0/24
My IP address: 192.168.1.145

- I can ping to 192.168.1.254 (the IP address of my router (loc))
- I can ping to 192.168.3.1 (the IP address of my router (dmz), but I understand that this is normal because the IP address belongs to my machine and not to an interface)
- I can ping from my router to 192.168.3.2 (IP address of my server)
- I can ping from my server to 192.168.3.1 (IP address of my router (dmz))
- I can't ping from my server to 192.168.1.254 (IP address of my router (loc); this I find strange)
- I can't ping from my server to 192.168.1.145 (my own IP)

I checked my configuration a few times. But I don't find a configuration setting that can explain this behaviour. So I tried to set everything open between dmz and loc (a bad way to work with a firewall, but I didn't know what to do anymore). Nothing works.

Below you find all the information I thought would be interesting to know and to analyse my problem. If you do not have enough information to help me, please tell me so I can provide you with the necessary information.

PS: I tried to follow the following website: http://www.shorewall.net/three-interface.htm
But as an inexperienced user, I hope I did it right.
Thanks in advance,
Jan

RouterJan# uname -a
Linux RouterJan 2.4.33 #1 Mon Sep 4 15:52:08 CEST 2006 i686 unknown

RouterJan# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:d0:b7:4c:6e:3b brd ff:ff:ff:ff:ff:ff
    inet 213.118.207.166/24 brd 213.118.207.255 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:90:27:a5:00:40 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:90:27:ed:3c:69 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 brd 192.168.3.255 scope global eth2
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/[65534]
    inet 192.168.2.1 peer 192.168.2.2/32 scope global tun0

RouterJan# ip route show
192.168.2.2 dev tun0  proto kernel  scope link  src 192.168.2.1
213.118.207.0/24 dev eth0  proto kernel  scope link  src 213.118.207.166
192.168.3.0/24 dev eth2  proto kernel  scope link  src 192.168.3.1
192.168.2.0/24 via 192.168.2.2 dev tun0
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
default via 213.118.207.1 dev eth0

RouterJan# iptables -nvL
Chain PREROUTING (policy ACCEPT 11963 packets, 3525K bytes)
 pkts bytes target     prot opt in     out     source               destination
 9490 3312K net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 65 packets, 7148 bytes)
 pkts bytes target     prot opt in     out     source               destination
  825 40533 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 64 packets, 7088 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
  772 36943 MASQUERADE all  --  *      *       192.168.1.0/24       0.0.0.0/0

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

RouterJan# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 11963 packets, 3525K bytes)
 pkts bytes target     prot opt in     out     source               destination
 9490 3312K net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 65 packets, 7148 bytes)
 pkts bytes target     prot opt in     out     source               destination
  825 40533 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 64 packets, 7088 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
  772 36943 MASQUERADE all  --  *      *       192.168.1.0/24       0.0.0.0/0

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

RouterJan# /sbin/shorewall status
Shorewall-3.2.3 Status at RouterJan - Mon Mar 26 20:32:50 UTC 2007

Shorewall is running
State:Started (Thu Mar 22 23:55:50 UTC 2007)

/etc/shorewall/zones
###############################################################################
#ZONE   TYPE        OPTIONS         IN                      OUT
#                                   OPTIONS                 OPTIONS
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
vpn     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

/etc/shorewall/policy
###############################################################################
#SOURCE DEST    POLICY  LOG     LIMIT:BURST
#                       LEVEL
loc     dmz     ACCEPT
dmz     loc     ACCEPT
loc     vpn     ACCEPT
vpn     loc     ACCEPT
loc     net     ACCEPT
net     all     DROP    ULOG
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw     net     ACCEPT
#
# THE FOLLOWING POLICY MUST BE LAST
#
all     all     REJECT  ULOG
#LAST LINE -- DO NOT REMOVE

/etc/shorewall/rules
#############################################################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
#       Accept DNS connections from the firewall to the network
#       and from the local network to the firewall (in case dnsmasq is
DNS/ACCEPT      fw              net
DNS/ACCEPT      loc             fw
DNS/ACCEPT      dmz             fw
#       Accept SSH connections from the local network for administrati
#
SSH/ACCEPT      loc             fw
#       Allow Ping to Firewall
#
Ping/ACCEPT     net             fw
Ping/ACCEPT     loc             fw
Ping/ACCEPT     vpn             fw
Ping/ACCEPT     dmz             fw
Ping/ACCEPT     loc             dmz
Ping/ACCEPT     dmz             loc
Ping/ACCEPT     fw              dmz
Ping/ACCEPT     dmz             fw
#
#       Allow all ICMP types (including ping) from firewall
ACCEPT          fw              loc             icmp
ACCEPT          fw              net             icmp
ACCEPT          fw              dmz             icmp
ACCEPT          loc             dmz             icmp
ACCEPT          dmz             loc             icmp
#
#       Allow net to webserver, loc all
DNAT            net             dmz:192.168.3.2 tcp     80      8080
Web/ACCEPT      loc             dmz:192.168.3.2
#       Allow local network to access weblet/webconf
#
Web/ACCEPT      loc             fw
Web/ACCEPT      vpn             fw
ACCEPT          fw              net             tcp     80
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/masq
###############################################################################
#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
eth0                    eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
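As an added example (not from the post and not Shorewall's own code), a small Python model of the zones, rules and policy file posted above that reports which entry would decide a given packet; the address-to-zone mapping taken from "ip addr show" and the macro expansions (DNS, SSH, Ping, Web) are assumptions made here, and ICMP types and connection tracking are ignored.

```python
import ipaddress

# Zones reconstructed from the posted "ip addr show": eth1 = loc, eth2 = dmz,
# tun0 = vpn, anything else = net; the router's own addresses are zone "fw".
ZONES = {"loc": ipaddress.ip_network("192.168.1.0/24"),
         "dmz": ipaddress.ip_network("192.168.3.0/24"),
         "vpn": ipaddress.ip_network("192.168.2.0/24")}
FW_ADDRS = {"192.168.1.254", "192.168.3.1", "192.168.2.1", "213.118.207.166"}

# /etc/shorewall/rules from the post as (action, src, dst, proto, dport); macros
# expanded as an assumption: DNS = udp 53 (tcp 53 omitted), SSH = tcp 22,
# Ping = icmp, Web = tcp 80. None matches any protocol or any port.
RULES = [
    ("ACCEPT", "fw", "net", "udp", 53), ("ACCEPT", "loc", "fw", "udp", 53),
    ("ACCEPT", "dmz", "fw", "udp", 53), ("ACCEPT", "loc", "fw", "tcp", 22),
    ("ACCEPT", "net", "fw", "icmp", None), ("ACCEPT", "loc", "fw", "icmp", None),
    ("ACCEPT", "vpn", "fw", "icmp", None), ("ACCEPT", "dmz", "fw", "icmp", None),
    ("ACCEPT", "loc", "dmz", "icmp", None), ("ACCEPT", "dmz", "loc", "icmp", None),
    ("ACCEPT", "fw", "dmz", "icmp", None), ("ACCEPT", "fw", "loc", "icmp", None),
    ("ACCEPT", "fw", "net", "icmp", None),
    ("DNAT", "net", "dmz", "tcp", 80),   # matched here on the post-DNAT dmz host
    ("ACCEPT", "loc", "dmz", "tcp", 80), ("ACCEPT", "loc", "fw", "tcp", 80),
    ("ACCEPT", "vpn", "fw", "tcp", 80), ("ACCEPT", "fw", "net", "tcp", 80),
]
# /etc/shorewall/policy from the post, in file order; the first match applies.
POLICY = [("loc", "dmz", "ACCEPT"), ("dmz", "loc", "ACCEPT"), ("loc", "vpn", "ACCEPT"),
          ("vpn", "loc", "ACCEPT"), ("loc", "net", "ACCEPT"), ("net", "all", "DROP"),
          ("all", "all", "REJECT")]

def zone_of(ip):
    # Firewall-owned addresses are zone fw; everything else is classified by subnet.
    if ip in FW_ADDRS:
        return "fw"
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONES.items():
        if addr in net:
            return zone
    return "net"

def verdict(src_ip, dst_ip, proto, dport=None):
    # Returns (disposition, reason): the first matching rule wins, then the policy.
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for action, rs, rd, rp, rport in RULES:
        if (rs, rd) == (src, dst) and rp in (None, proto) and rport in (None, dport):
            return action, f"rule {rs}->{rd} {rp or 'all'}"
    for ps, pd, action in POLICY:
        if ps in (src, "all") and pd in (dst, "all"):
            return action, f"policy {ps} {pd}"
    return "REJECT", "no matching entry"
```

For the two failing pings (192.168.3.2 to 192.168.1.254 and to 192.168.1.145) the model returns ACCEPT from the posted Ping rules, so the zone policy alone does not explain the failure; the same lookup shows that dmz-to-net traffic falls through to the final "all all REJECT" policy.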