I have a firewall box with four NIC cards. eth0 is connected to a fiber modem through which I connect to the ISP using pppoe and get my static IP through dhcp, giving me ppp0; eth1 is my home network on 192.168.3/24, eth2 is my office network on 10.1.1/24, and eth3 is my dmz on 172.16.1/24.
I am running a dhcp server for the 192.168.3/24 and 10.1.1/24 networks. I am running dansguardian/squid for the 192.168.3/24 network and squid for the 10.1.1/24 network. Servers in the dmz have static IP addresses and are using proxyarp through shorewall. I also have a pptp vpn for outside access to the office network.

Here is my interfaces file:

    net   ppp0  -             norfc1918,blacklist
    home  eth1  192.168.3.255 dhcp
    offic eth2  10.1.1.255    dhcp
    dmz   eth3  172.16.1.255
    offic ppp+

The problem I am seeing is that when I enable the shorewall rules to redirect the port 80 traffic from the home and offic zones through dansguardian on port 8080 and squid on port 3128 respectively, I cannot reach the web servers on the machines in the dmz from the outside world.

The redirect rules are:

    REDIRECT home  8080 tcp http
    ACCEPT   home  fw   tcp 8080
    ACCEPT   fw    fw   tcp 3128
    # these rules are probably not needed
    # as the policy for net to fw is DROP
    DROP     net   fw   tcp 8080
    DROP     net   fw   tcp 3128
    REDIRECT offic 3128 tcp http
    ACCEPT   offic fw   tcp 3128

I have rules for the machines in the dmz to accept:

    ACCEPT       net dmz:166.70.103.226 tcp ssh
    ACCEPT       net dmz:166.70.103.226 tcp ftp,ftp-data
    ACCEPT       net dmz:166.70.103.226 tcp http
    ACCEPT       net dmz:166.70.103.226 tcp https
    # allow ping/traceroute
    Ping/ACCEPT  net dmz:166.70.103.226
    Trcrt/ACCEPT net dmz:166.70.103.226

    ACCEPT       net dmz:166.70.103.238 tcp ssh
    ACCEPT       net dmz:166.70.103.238 tcp ftp,ftp-data
    ACCEPT       net dmz:166.70.103.238 tcp domain
    ACCEPT       net dmz:166.70.103.238 udp domain
    ACCEPT       net dmz:166.70.103.238 tcp http
    ACCEPT       net dmz:166.70.103.238 tcp https
    # allow ping/traceroute
    Ping/ACCEPT  net dmz:166.70.103.238
    Trcrt/ACCEPT net dmz:166.70.103.238

Traffic to the dmz machines works fine on the other ports, and when I disable the redirects for the outgoing port 80 traffic on the home and offic zones, incoming port 80 to the dmz machines works fine. Any help on what I am configuring wrong will be greatly appreciated.
--Richard

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
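As an added check (example code written for this page, not from the original post and not Shorewall's own code): a small first-match evaluator for the ACTION SOURCE DEST PROTO DPORT layout of the rules quoted above, to see which rule a given flow hits. It assumes first-match-wins ordering with a zone-pair policy fallback (only the net-to-fw DROP policy is stated in the post; DROP elsewhere is an assumed default) and simplifies the Ping/ and Trcrt/ macros to plain icmp matches.

```python
# Added example, not from the original post nor Shorewall's own code: a first-match
# evaluator for the ACTION SOURCE DEST PROTO DPORT rule layout used above.
# Assumptions: rules are tried in order, first match wins, a zone-pair policy applies
# otherwise; Ping/ and Trcrt/ macros are simplified to plain icmp matches.
SERVICES = {"http": 80, "https": 443, "ssh": 22, "ftp": 21, "ftp-data": 20, "domain": 53}
RULES_TEXT = """
REDIRECT home 8080 tcp http
ACCEPT home fw tcp 8080
ACCEPT fw fw tcp 3128
DROP net fw tcp 8080
DROP net fw tcp 3128
REDIRECT offic 3128 tcp http
ACCEPT offic fw tcp 3128
ACCEPT net dmz:166.70.103.226 tcp ssh
ACCEPT net dmz:166.70.103.226 tcp ftp,ftp-data
ACCEPT net dmz:166.70.103.226 tcp http
ACCEPT net dmz:166.70.103.226 tcp https
Ping/ACCEPT net dmz:166.70.103.226
Trcrt/ACCEPT net dmz:166.70.103.226
ACCEPT net dmz:166.70.103.238 tcp ssh
ACCEPT net dmz:166.70.103.238 tcp ftp,ftp-data
ACCEPT net dmz:166.70.103.238 tcp domain
ACCEPT net dmz:166.70.103.238 udp domain
ACCEPT net dmz:166.70.103.238 tcp http
ACCEPT net dmz:166.70.103.238 tcp https
Ping/ACCEPT net dmz:166.70.103.238
Trcrt/ACCEPT net dmz:166.70.103.238
"""  # rule lines copied from the post, comment lines dropped
POLICY = {("net", "fw"): "DROP"}  # only policy the post states; DROP assumed elsewhere

def parse_rule(line):
    f = line.split()
    action, src, dst = f[0], f[1], f[2]
    proto = "icmp" if "/" in action else (f[3] if len(f) > 3 else "any")
    ports = {int(SERVICES.get(p, p)) for p in f[4].split(",")} if len(f) > 4 else None
    if action == "REDIRECT":  # DEST column holds the local port traffic is sent to
        return ("REDIRECT->" + dst, src, "any", None, proto, ports)
    zone, _, host = dst.partition(":")
    return (action.split("/")[-1], src, zone, host or None, proto, ports)

RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]

def evaluate(src_zone, dst_zone, dst_ip, proto, dport, rules=RULES, policy=POLICY):
    """Action applied to a flow: first matching rule, else the zone-pair policy."""
    for action, rsrc, rdst, rhost, rproto, rports in rules:
        if rsrc == src_zone and rdst in ("any", dst_zone) \
                and rhost in (None, dst_ip) and rproto in ("any", proto) \
                and (rports is None or dport in rports):
            return action
    return policy.get((src_zone, dst_zone), "DROP")
```

Under this model a net-to-dmz flow to 166.70.103.226 on tcp/80 reaches the ACCEPT rule and is never touched by the home/offic REDIRECT lines, which only match those source zones; comparing that expectation against `shorewall show nat` on the box is the next diagnostic step.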
