Hi all,

   After having successfully recompiled my Ubuntu kernel for CONNMARK support 
to get multi-ISP support working, I am now working on adding a couple of hosts 
in my DMZ using proxy ARP, and I am having what appears to be a weird issue. My 
first test is to hit a web server on port 80.

  On my router/firewall, eth0 is the internal network, and eth1-x are my 
different ISPs. On eth0 I have VLANs set up for various internal networks. My 
DMZ is on one of these VLANs. I have a /29 on eth1, so I have 5 public IP 
addresses. Let's call it 198.162.214.240/29.

eth1 is 198.162.214.242, subnet mask 255.255.255.248, gateway 198.162.214.241

I am adding a host in my DMZ with an address of 198.162.214.243, subnet mask 
255.255.255.248, gateway 198.162.214.241.

The host is on VLAN 120. On the router, interface eth0.120 has an address of 
192.168.120.254, subnet mask 255.255.255.0 (as I read it, that part really 
shouldn't matter).

In /etc/shorewall/proxyarp I have one line:

#ADDRESS            INTERFACE    EXTERNAL    HAVEROUTE
198.162.214.243     eth0.120     eth1        No

In /etc/shorewall/policy I have all traffic originating in the DMZ to any other 
zone set to REJECT, and any traffic coming from the internet to the DMZ zone 
set to DROP.

In /etc/shorewall/rules:

#ACTION          SOURCE          DEST                    PROTO    DEST PORT
ACCEPT           $FW             dmz                     icmp
Ping/ACCEPT      net             dmz:198.162.214.243     icmp
ACCEPT           net             dmz:198.162.214.243     tcp      80

I then restarted Shorewall, and when I run "ip route ls" I see as the first line:

198.162.214.243 dev eth0.120  scope link


I find that I can successfully ping 198.162.214.243 from the firewall.

However, if I come in from the internet to the web site, I see nothing, and if I 
look in the log I see this:

Shorewall:FORWARD:REJECT: IN=eth1 OUT=eth1 MAC=00  SRC=x.x.x.x 
DST=198.162.214.243 LEN=60 TOS=00 PREC=0x00 TTL=59 ID=44361 CE DF PROTO=TCP 
SPT=14259 DPT=80 SEQ=2177425409

If I ping I see a similar rejection.

What surprises me here is that IN and OUT are both eth1, and that's the 
obvious reason it is being REJECTed.


Why do I get eth1 on both IN and OUT? Shouldn't OUT be eth0.120? Am I 
missing an entry that I should have in another file?

Regards,

John

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
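The OUT interface in that log line is not chosen by the FORWARD chain; it is the result of the kernel's route lookup for the destination, which happens before the packet reaches Shorewall's forwarding rules. On a multi-ISP router that lookup is steered by "ip rule" entries, and a packet carrying a provider mark can be sent to a per-provider routing table instead of the main table where the proxy ARP host route lives. The script below is an added example, not part of the post above and not Shorewall code: it models that rule-then-table lookup with constructed routing tables (the post shows only the first line of "ip route ls", so the per-provider table "isp1", the fwmark value 1 and the rule priorities are assumptions) and shows how the same destination can resolve to eth0.120 for an unmarked packet from the firewall but to eth1 for a marked one, which would produce exactly IN=eth1 OUT=eth1.

```python
"""Model of the Linux policy-routing lookup that decides the OUT interface
for a forwarded packet.  Constructed example; the tables and rules below are
assumptions, not a dump of the poster's router."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: IPv4Net            # destination prefix
    dev: str                   # interface the packet leaves on
    via: Optional[str] = None  # next hop; None means on-link (scope link)


@dataclass
class Rule:
    priority: int                 # lower priority number is consulted first
    table: str
    fwmark: Optional[int] = None  # None: the rule matches every packet


def lookup(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match inside one routing table."""
    best: Optional[Route] = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def select_route(rules: List[Rule], tables: Dict[str, List[Route]],
                 dst: str, fwmark: int = 0) -> Tuple[str, Route]:
    """Walk the rules in priority order; the first table holding a matching
    route decides, as 'ip rule' followed by 'ip route' does on Linux."""
    addr = ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.fwmark is not None and rule.fwmark != fwmark:
            continue
        hit = lookup(tables[rule.table], addr)
        if hit is not None:
            return rule.table, hit
    raise LookupError(f"no route to {dst}")


def build_tables(host_route_in_provider_table: bool) -> Dict[str, List[Route]]:
    """Main table as the post describes it (host route first), plus an assumed
    per-provider table 'isp1' of the kind a multi-ISP setup keeps for eth1."""
    n = ipaddress.ip_network
    main = [
        Route(n("198.162.214.243/32"), "eth0.120"),             # from /etc/shorewall/proxyarp
        Route(n("198.162.214.240/29"), "eth1"),                 # connected /29 on eth1
        Route(n("192.168.120.0/24"), "eth0.120"),               # VLAN 120 subnet
        Route(n("0.0.0.0/0"), "eth1", via="198.162.214.241"),   # default via ISP gateway
    ]
    isp1 = [                                                    # assumed provider table
        Route(n("198.162.214.240/29"), "eth1"),
        Route(n("0.0.0.0/0"), "eth1", via="198.162.214.241"),
    ]
    if host_route_in_provider_table:
        # The hypothetical fix: the proxy ARP host route copied into the provider table.
        isp1.insert(0, Route(n("198.162.214.243/32"), "eth0.120"))
    return {"main": main, "isp1": isp1}


# Assumed rules: packets carrying fwmark 1 (for instance a connection that
# arrived on eth1 and was marked via CONNMARK) are looked up in table isp1;
# everything else falls through to main.
RULES = [
    Rule(priority=1000, table="isp1", fwmark=1),
    Rule(priority=32766, table="main"),
]


def out_interface(dst: str, fwmark: int = 0, fixed: bool = False) -> str:
    """Return the OUT interface netfilter would report for this destination."""
    _table, route = select_route(RULES, build_tables(fixed), dst, fwmark)
    return route.dev


if __name__ == "__main__":
    dst = "198.162.214.243"
    print("from firewall, unmarked       ->", out_interface(dst))                         # eth0.120
    print("from net, fwmark 1            ->", out_interface(dst, fwmark=1))               # eth1
    print("fwmark 1, host route in isp1  ->", out_interface(dst, fwmark=1, fixed=True))   # eth0.120
```

To check whether this is what is happening on the real router, compare "ip rule show" with "ip route show table <name or number>" for each provider table, and ask the kernel directly with "ip route get 198.162.214.243 mark <provider mark>": if that returns "dev eth1" while the unmarked "ip route get 198.162.214.243" returns "dev eth0.120", the host route is missing from the provider table that marked traffic is using.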