Hi,
Please accept my apologies for the long email.
The router is running (thanks Dan for your tip re the formatting).
I can ping the external interface (eth0) now but I cannot ping the DMZ
(eth1), see diagram.
I have had to comment out a lot of the original script because I
understand this setup doesn't have an internal network - only a DMZ.
I am sure I have stuffed something up along the way.
How can I analyse the problem?
I have the suspicion that I did not cater for the fact that the
networks of the external router address and the DMZ network are 2
different networks.
The DMZ server interfaces are defined as network xxx.yyy.109.0/29
The router (IP3) is on an external network xxx.yyy.49.64/26
(xxx.yyy same in both)
Below is what I could get out of the system (after reading the helpful doc at
lrp.c0wz.com/dox/lrp-list-howtos/LRP-ts-req-HowTo.html).
  ~~~~~~~~~~~~~~~~~~~~~~
  {      Internet      }
  ~~~~~~~~~~~~~~~~~~~~~~
            |
      ---------------
      |     ISP     |
      ---------------
            |
            |
         Ethernet
            |
      IP3 (public, assigned by ISP)
   -----------------------
   |        eth0         |
   |     LRP ROUTER      |
   |        eth1         |
   -----------------------
            |
            |
            |
            |
   -----------------------
   | IP1 eth0            | public IP
   | IP2 eth0:0          | public IP
   |                     |
   |     Web Server      |
   -----------------------
#ip addr show
1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
2: brg0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
link/ether fe:fd:08:0a:83:1a brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:a0:24:0d:a5:ff brd ff:ff:ff:ff:ff:ff
inet xxx.yyy.49.93/26 brd xxx.yyy.49.127 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:80:5f:46:47:0d brd ff:ff:ff:ff:ff:ff
inet xxx.yyy.49.93/26 brd xxx.yyy.49.127 scope global eth1
#ip route show
xxx.yyy.193.202 dev eth1 scope link
xxx.yyy.193.203 dev eth1 scope link
default dev eth0
#ip neighbour show
<empty>
#netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:13              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9               0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:69              0.0.0.0:*
udp        0      0 0.0.0.0:37              0.0.0.0:*
udp        0      0 0.0.0.0:13              0.0.0.0:*
udp        0      0 0.0.0.0:9               0.0.0.0:*
raw        0      0 0.0.0.0:1               0.0.0.0:*
raw        0      0 0.0.0.0:6               0.0.0.0:*
Active UNIX domain sockets (including servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  1      [ ]         STREAM     CONNECTED     1305   @00000002
unix  0      [ ACC ]     STREAM     LISTENING     1289   /dev/log
unix  1      [ ]         STREAM     CONNECTED     1292   @00000001
unix  1      [ ]         STREAM     CONNECTED     1306   /dev/log
unix  1      [ ]         STREAM     CONNECTED     1293   /dev/log
/etc/network.conf
NETWORK_CONF_VERSION=20010330
###############################################################################
# General Settings
###############################################################################
VERBOSE=YES
MAX_LOOP=10
IPFWDING_KERNEL=FILTER_ON
IPALWAYSDEFRAG_KERNEL=YES
CONFIG_HOSTNAME=YES
CONFIG_HOSTSFILE=NO
CONFIG_DNS=NO
###############################################################################
# Interfaces
###############################################################################
# Start pppd PPP interfaces first as pppd's use of DNS can delay startup.
#
# Interfaces to start on boot go here - ie "ppp0 eth0"
IF_AUTO="eth0 eth1"
# List of all configured interfaces, manual start and boot start
IF_LIST="$IF_AUTO"
# Accept ICMP Redirects on ALL interfaces, also depends on /proc
# per interface IP forwarding flag. - YES/NO
ALLIF_ACCEPT_REDIRECTS=NO
# Need these both for interfaces run by daemons - ie PPP, CIPE, some
# WAN interfaces
# IP spoofing protection by default for interfaces - YES/NO
DEF_IP_SPOOF=YES
# Kernel logging of spoofed packets by default for interfaces - YES/NO
DEF_IP_KRNL_LOGMARTIANS=YES
# Bridge Setup - Global stuff
#
# Enable bridging - YES/NO
BRG_SWITCH=NO
# Exempt ethernet protocol types - type "brcfg list" to find out allowed values
BRG_EXEMPT_PROTOS=""
eth0_IPADDR=xxx.yyy.49.93
eth0_MASKLEN=26
eth0_BROADCAST=xxx.yyy.49.127
# Use this to set the default route if required - ONLY one to be set.
# routed or gated could be used to set this so only use if not running these.
eth0_DEFAULT_GW=0.0.0.0
# Secondary IP addresses/networks on same wire - add them here
#eth0_IP_EXTRA_ADDRS="192.168.1.193 192.168.2.1/24"
# Additional routes for this interface, if any
# format: <PREFIX>[_<more ip route options>]
# NewTek Config for SanFrancisco note:
# This tells linux the Default GW is via this interface
# All other public IP traffic will go out the DMZ interface
# SA_TX Config note: 0.0.0.2 added to prevent martian errors
# and allow connections from the Ops net (.2 public IP) to work
#eth0_ROUTES="0.0.0.1 0.0.0.2"
# IP spoofing protection on this interface - YES/NO
eth0_IP_SPOOF=YES
# Kernel logging of spoofed packets on this interface - YES/NO
eth0_IP_KRNL_LOGMARTIANS=YES
# This setting affects the processing of ICMP redirects. Setting it to NO
# makes this more secure. Don't turn this off if you have two IP
# networks/subnets on the same media - YES/NO
eth0_IP_SHARED_MEDIA=NO
# Bridge this interface - YES/NO
eth0_BRIDGE=NO
# Proxy-arp from this interface, no other config required to turn on proxy ARP!
# - YES/NO
eth0_PROXY_ARP=YES
# Simple QoS/fair queueing support
# Turn on Stochastic Fair Queueing - useful on busy DDS links - YES/NO
eth0_FAIRQ=NO
# Ethernet Transmit Queue Length
# eth0_TXQLEN=100
# Complex QoS - Enable all of these + above to turn it on
#eth0_BNDWIDTH=10Mbit # Device bandwidth
#eth0_HNDL=2 # Queue Handle - must be unique
#eth0_IABURST=100 # Interactive Burst
#eth0_IARATE=1Mbit # Interactive Rate
#eth0_PXMTU=1514 # Physical MTU - includes Link Layer header
eth1_IPADDR=xxx.yyy.49.93
eth1_MASKLEN=26
eth1_BROADCAST=xxx.yyy.49.127
eth1_IP_SPOOF=YES
eth1_IP_KRNL_LOGMARTIANS=YES
eth1_IP_SHARED_MEDIA=NO
eth1_BRIDGE=NO
eth1_PROXY_ARP=YES
eth1_FAIRQ=NO
# An attempt to make the DMZ visible...
eth1_ROUTES="xxx.yyy.193.202 xxx.yyy.193.203"
# PPP interface stuff - these apply to all ASYNC ppp interfaces, options
# same as ethernet above.
ppp_BNDWIDTH=30Kbit
ppp_FAIRQ=YES
ppp_TXQLEN=30
ppp_IABURST=20
ppp_IARATE=10Kbit
ppp_PXMTU=1500
###############################################################################
# IP Filter setup - can pull in settings from above
###############################################################################
# Set up the basic type of filtering. Can be one of (none|router|firewall)
# You must load the ip_masq_* modules to enable full IP masquerading, and
# ip_masq_portfw if you want to forward external ports pop-3, mtp, www
# to internal machines below.
IPFILTER_SWITCH=firewall
# This set of variables is used with both sets of filters
SNMP_BLOCK=YES # Block all SNMP (YES/NO)
# List of IP Nos used for SNMP management
SNMP_MANAGER_IPS=""
# Fair Queuing support
# List of Mark values
MRK_CRIT=1 # Critical traffic, routing, DNS
MRK_IA=2 # Interactive traffic - telnet, ssh, IRC
# List of traffic types and maps to mark values
# Setting this variable turns on the
# fairq chain
CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route
${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain
${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet
${MRK_IA}_tcp_0/0_ssh"
# This set of variables is used with the basic routing filter setup
# This set of variables is used with a basic IP masquerading firewall setup
#Notation - IP addresses/masklen
#
# NOTE: Do NOT turn on the DMZ network or ANY external port masquerading/
# port forwarding when EXTERN_DYNADDR is on because some security
# leaks will result. You may also want to limit the external open
# ports to domain (UDP) for DNS. Anyhow, these features are not that
# usable unless you have a static external address
#
EXTERN_IF="eth0" # External Interface
# Added for DHCP support
# Setting this to YES causes the script to read EXTERN_IP directly from
# the interface
EXTERN_DHCP=NO # - YES/NO
# The interface to configure via dhcp
IF_DHCP=$EXTERN_IF
# If YES, your firewall filters use 0/0 for your IP address, instead of your
# actual IP address. Set this to NO for typical ethernet setups, even if you
# are using DHCP
# External Address dynamically assigned
EXTERN_DYNADDR=NO # - YES/NO
# -- OR --
EXTERN_IP=$eth0_IPADDR # External Interface IP number
# If external interface is DHCP, read the IP address
# This should probably be moved to the init.d network script, but it seemed
# I put it here for now, as it is more obvious what it is doing, in case it
# messes something else up.
if [ "$EXTERN_DHCP" = "YES" ] || \
[ "$EXTERN_DHCP" = "Yes" ] || \
[ "$EXTERN_DHCP" = "yes" ]; then
# This computes the IP address of $EXTERN_IF
# Grep extracts just the line(s) with IP address information from the output
# of ip addr. The first sed gets rid of all but the first line (in case
# there are several IP addresses for some reason), and next sed extracts
# just the IP address in dot quad notation.
EXTERN_IP=`ip addr list label $EXTERN_IF | \
grep inet | \
sed '1!d' | \
sed 's/^[^.0-9]*\([.0-9]*\).*$/\1/'`
# Debugging - Remove if you like
echo Extern IP: $EXTERN_IP
# If the external address is not configured, use a bogus address for the
# external interface to prevent a bunch of (harmless) errors that spit out
# when the IPCHAINS script is called.
if [ x$EXTERN_IP = x ]; then
EXTERN_IP=192.168.254.254
fi
fi
# Silent Deny list added by Charles Steinkuehler to prevent filling the
# logs with denied packets you know about and don't want logged anymore
# These packets are denied very early in the ipchains rules, so be as
# specific as possible with their definitions
# - proto_srcip/mask_dstport
#SILENT_DENY="udp_0.0.0.1_route udp_0.0.0.0/24_37"
# Extra rule scripts added by Charles Steinkuehler to more easily support
# non-standard extensions of the pre-configured ipchains rules
#IPCH_IN=/etc/ipchains.input
#IPCH_FWD=/etc/ipchains.forward
#IPCH_OUT=/etc/ipchains.output
## UDP Services open to outside world
# - srcip/mask_dstport
# NOTE: bootpc port is used for dhcp client
#EXTERN_UDP_PORTS="0/0_domain 0/0_ntp 0/0_bootpc"
# TCP services open to outside world
# - srcip/mask_dstport
#EXTERN_TCP_PORTS="0/0_ssh 0/0_smtp"
#EXTERN_TCP_PORTS="0/0_ssh"
# Generic Services open to outside world
# - protocol_srcip/mask_dstport
#EXTERN_PORTS=" 50_207.235.86.252/32
# 51_207.235.86.252/32"
# Internal interface
#No internal interface in case of proxy-arp ???
#INTERN_IF="eth1" # Internal Interface
#INTERN_NET=192.168.1.0/24 # One (or more) Internal network(s)
# Alternate form of INTERN_NET:
#INTERN_NET="192.168.1.0/24 192.168.2.0/24 192.168.4.0/24"
#INTERN_IP=192.168.1.254 # IP number of Internal Interface
# (to allow forwarding to external IP)
MASQ_SWITCH=NO # Masquerade internal network to outside
# world - YES/NO
# These services are not masqueraded from inside to outside. proto_destnet_port
# Allows the firewall to be trusted for ssh access to routers...
# Override for below
#NOMASQ_DEST_BYPASS="tcp_10.0.0.1_ssh"
# services not to be masqueraded
#NOMASQ_DEST="tcp_0/0_ssh"
# Uncomment following for port-forwarded internal services.
# The following is an example of what should be put here.
# Tuples are as follows:
# <protocol>_<extern-ip>_<extern-port>_<intern-ip>_<intern-port>
#INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.1.1_ftp
tcp_${EXTERN_IP}_smtp_192.168.1.1_smtp"
# These lines use the primary external IP address...if you need to port-forward
# an aliased IP address, use the INTERN_SERVERS setting above
#INTERN_FTP_SERVER=192.168.1.1 # Internal FTP server to make available
#INTERN_WWW_SERVER=192.168.1.1 # Internal WWW server to make available
#INTERN_SMTP_SERVER=192.168.1.1 # Internal SMTP server to make available
#INTERN_POP3_SERVER=192.168.1.1 # Internal POP3 server to make available
#INTERN_IMAP_SERVER=192.168.1.1 # Internal IMAP server to make available
#INTERN_SSH_SERVER=192.168.1.26 # Internal SSH server to make available
#EXTERN_SSH_PORT=24 # External port to use for internal SSH access
# What is difference between YES and PROXY?
# DMZ setup
# Whether you want a DMZ or not (YES, PROXY, NO)
DMZ_SWITCH=PROXY
DMZ_IF="eth1" # DMZ Interface
DMZ_NET=xxx.yyy.109.200/29 # DMZ Network
# For Proxy-Arp DMZ's only:
# These IP's are on the external net...all others in the network are assumed
# to be DMZ addresses
# The external net is different again from the public DMZ net.
# Do I need this?
DMZ_EXT_ADDRS="$eth0_DEFAULT_GW $eth0_IPADDR"
# Shorthands for DMZ firewall rules:
zappa="xxx.yyy.109.2"
dudley="xxx.yyy.109.3"
## Both of the following should be used together - ie if you turn on
## DMZ_HIGH_TCP_CONNECT - DO specify DMZ_CLOSED_DEST!
# Allows inbound connections to high tcp ports (>1023)
# You can also allow to specific machines using 1024: as the dest port range
# in DMZ_OPEN_DEST
#DMZ_HIGH_TCP_CONNECT=YES
## 3306 MySQL, 6000 X, 2049 NFS, 7100 xfs
#DMZ_CLOSED_DEST="tcp_${DMZ_NET}_6000:6004 tcp_${DMZ_NET}_7100"
# Inbound services to allow to the DMZ
# <protocol>_<destination IP/network>_<destination port or range>
DMZ_OPEN_DEST=" udp_${DMZ_NET}_domain
tcp_${DMZ_NET}_domain
icmp_${DMZ_NET}_:
tcp_${dudley}_www
tcp_${zappa}_www"
###############################################################################
# Interface activation/deactivation functions
# Here so that special interface commands can be called and daemons started
#
# Arps can be set up here, network/host routes and so forth.
#
# This appears to be a little messy but is needed to achieve maximum
# functionality and flexibility.
#
###############################################################################
... functions deleted
###############################################################################
# Hostname Requires: CONFIG_HOSTNAME=YES
###############################################################################
HOSTNAME=myhostname
###############################################################################
# Hosts file (Static domainname entries) Requires: CONFIG_HOSTSFILE=YES
###############################################################################
# IP FQDN hostname alias1 alias2..
#HOSTS0="$eth0_IPADDR $HOSTNAME.private.network $HOSTNAME mr rtr"
###############################################################################
# Domain Search Order and Name Servers Requires: CONFIG_DNS=YES
###############################################################################
#DOMAINS="mydomain.com"
DNS0=xxx.yyy.65.2
DNS1=xxx.yyy.66.2
###############################################################################
# QoS/Fair queueing functions
###############################################################################
... functions deleted
###############################################################################
# End
###############################################################################
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user
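One way to analyse a configuration like the one in the post, as an added example (not part of the LEAF/LRP project and not the poster's own code): a small checker that parses the KEY=value lines of an LRP-style network.conf and flags the inconsistencies a proxy-ARP DMZ cannot tolerate (two interfaces carrying the same address, a DMZ interface whose address is not inside DMZ_NET, and DMZ host shorthands or static routes that fall outside DMZ_NET). The sample config is constructed to mirror the post, with 10.20 standing in for xxx.yyy; the host names zappa and dudley are the ones used in the post.

```python
import re
from ipaddress import ip_address, ip_interface, ip_network

# Constructed sample mirroring the post's config; 10.20 stands in for xxx.yyy.
SAMPLE_CONF = """
eth0_IPADDR=10.20.49.93
eth0_MASKLEN=26
eth1_IPADDR=10.20.49.93
eth1_MASKLEN=26
eth1_ROUTES="10.20.193.202 10.20.193.203"
DMZ_IF="eth1"             # DMZ Interface
DMZ_NET=10.20.109.200/29  # DMZ Network
zappa="10.20.109.2"
dudley="10.20.109.3"
"""

def parse_conf(text):
    """Collect KEY=value pairs, dropping trailing comments and surrounding quotes."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*(\w+)=("[^"]*"|[^#]*)', line)
        if m:
            conf[m.group(1)] = m.group(2).strip().strip('"')
    return conf

def check_conf(conf, dmz_hosts=("zappa", "dudley")):
    """Return a list of findings; an empty list means the config is consistent."""
    findings = []
    ifaces = {k[:-7]: ip_interface(f"{v}/{conf.get(k[:-7] + '_MASKLEN', 32)}")
              for k, v in conf.items() if k.endswith("_IPADDR")}
    # Two interfaces sharing one address/subnet leave the kernel no way to
    # tell which wire a destination sits on, so one side ends up unreachable.
    by_ip = {}
    for name, itf in ifaces.items():
        if itf.ip in by_ip:
            findings.append(f"{name} duplicates {by_ip[itf.ip]} address {itf.ip}")
        by_ip.setdefault(itf.ip, name)
    dmz_if, dmz_net = conf.get("DMZ_IF"), ip_network(conf["DMZ_NET"], strict=False)
    # A proxy-ARP DMZ interface must itself carry an address inside DMZ_NET.
    if dmz_if in ifaces and ifaces[dmz_if].ip not in dmz_net:
        findings.append(f"{dmz_if} address {ifaces[dmz_if].ip} is outside DMZ_NET {dmz_net}")
    # Host shorthands and static routes on the DMZ interface must lie in DMZ_NET too.
    for key in list(dmz_hosts) + [f"{dmz_if}_ROUTES"]:
        for addr in conf.get(key, "").split():
            if ip_address(addr.split("/")[0]) not in dmz_net:
                findings.append(f"{key}: {addr} is outside DMZ_NET {dmz_net}")
    return findings

if __name__ == "__main__":
    for f in check_conf(parse_conf(SAMPLE_CONF)): print("WARN:", f)
```

Run against the sample it reports six findings, which together point at the same cause the poster suspects: eth1 is configured on the external /26 rather than on the DMZ /29, and the DMZ hosts and routes do not lie in DMZ_NET either.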