hi shane,

a few thoughts:

1. before i got my firewall running, it was very useful to ssh in from a
remote host.  when you ssh to the external IP from a remote host, do you
get your internal server, do you get the firewall or can you not connect
at all?  this might tell you whether the problem is in ipchains or port
forwarding.


2. the electric kool-aid acid test: go onto your firewall.  do:

  a. ipchains -F
  b. ipmasqadm portfw -f

  ok, now you have a tabula rasa.

  c. add a default gateway (route add default gw blah)
  d. use ipmasqadm to forward your ports

if you can't pass this test (and are confident in your knowledge of
ipchains, ipmasqadm, route and ifconfig) then something is *seriously*
wrong.


pete



begin Shane Veness <[EMAIL PROTECTED]> 
> Hi Peter,
> 
> Have tried all the settings you suggested etc.
> Everything discussed seems to be working, ie. ipmasqadm portfw -l and 
> ipchains have all the right information. Do not know what else I can try?
> When I try to access the web site externally I get "Web Site Found 
> Waiting for reply", then it comes up with an internal server error, any 
> thoughts?
> 
> Thanks 
> Shane
> 
> -----Original Message-----
> From: Peter Jay Salzman <[EMAIL PROTECTED]>
> To: Shane Veness <[EMAIL PROTECTED]>
> Date: Sat, 5 Jan 2002 09:11:55 -0800
> Subject: Re: [Leaf-user] Help needed with portfw - Dachstein release
> 
> > hi shane,
> > 
> > begin Shane Veness <[EMAIL PROTECTED]> 
> > > I am very new to LRP and have downloaded the latest Dachstein floppy
> > > release. I am trying to get to my internal web server from outside the
> > > network using port forwarding but am having no success. I have read
> > > through some of the mailing list, but this confuses me more.
> > > 
> > > The firewall is running perfectly and I can get internet access from
> > > the clients inside the network.
> > > 
> > > My settings are as follows - eth0 - 196.33.41.70/28 (external ip) -
> > > eth1 - 192.6.31.252/24 (internal ip)
> > > 
> > > I am trying to forward requests on 196.33.41.70:80 to 192.6.31.253:80
> > > 
> > > do I need to run the command:
> > > "ipmasqadm portfw -a -P tcp -L 196.33.41.70 80 -R 192.6.31.253 80"
> >  
> > no -- you don't.  dachstein will do this for you.
> > 
> > one *big* word of advice.  if everything looks good but portforwarding
> > isn't working, don't forget to:
> > 
> > 1. look at what port forwarding is already in place:
> > 
> >     ipmasqadm portfw -l
> > 
> > 2. look at your hosts.deny and hosts.allow file.
> > 
> > 3. look at ipchains -L
> > 
> > to see exactly where the problem is.  3 might be difficult unless
> > you're really comfortable with poring through ipchains entries (after
> > more than a year and a half of using ipchains, i'm still not very good
> > at it).   but 1 and 2 should be easy enough.
> > 
> > also, when you make changes to network.conf, don't forget to restart
> > networking.
> > 
> > /etc/init.d/network stop; /etc/init.d/network start
> > 
> > i put it on one line in case you're working through an ssh connection
> > from one of your internal machines.  (otherwise, you lose the
> > connection.  that's already happened to me).  i noticed that the init.d
> > scripts don't have the standard "restart" directive.
> > 
> > > # INTERN_SERVERS="tcp_196.33.41.70_80_192.6.31.253_80"  (HAVE TRIED THIS!!!)
> > > 
> > > # These lines use the primary external IP address...if you need to port-forward
> > > # an aliased IP address, use the INTERN_SERVERS setting above
> > > #INTERN_FTP_SERVER=192.168.1.1 # Internal FTP server to make available
> > > INTERN_WWW_SERVER=192.6.31.253  # Internal WWW server to make available
> > > #INTERN_SMTP_SERVER=192.168.1.1 # Internal SMTP server to make available
> > > #INTERN_POP3_SERVER=192.168.1.1 # Internal POP3 server to make available
> > > #INTERN_IMAP_SERVER=192.168.1.1 # Internal IMAP server to make available
> > > #INTERN_SSH_SERVER=192.168.1.1 # Internal SSH server to make available
> > > #EXTERN_SSH_PORT=24  # External port to use for internal SSH access
> >  
> > comment: i currently use both INTERN_SERVERS and INTERN_X_SERVER.  i
> > don't really understand what the difference is between them.  perhaps
> > some kind soul on the list would care to comment on this?
> >  
> > 
> > also -- did you open up holes in your firewall for the services?  i
> > think you do this with the EXTERN_ variables.  here's what i have:
> > 
> > # TCP services open to outside world
> > # Space separated list: srcip/mask_dstport
> > EXTERN_TCP_PORTS="0/0_ssh 0/0_www 0/0_smtp 169.237.105.80/0_123 128.115.14.97/0_123 0/0_1023 0/0_6346"
> > 
> > without defining the EXTERN_TCP_PORTS, your firewall will be willing to
> > forward stuff to an internal server, but won't allow the packets to
> > enter in the first place (bride waiting at the doors of the chapel, but
> > the doors are locked...)
> > 
> > pete
> >  
> > -- 
> > PGP Fingerprint: B9F1 6CF3 47C4 7CD8 D33E  70A9 A3B9 1945 67EA 951D
> > PGP Public Key:  finger [EMAIL PROTECTED]
> > 
> > _______________________________________________
> > Leaf-user mailing list
> > [EMAIL PROTECTED]
> > https://lists.sourceforge.net/lists/listinfo/leaf-user
> > 
> 
> 
> 
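
The EXTERN_TCP_PORTS point in the quoted reply (a forward is configured but no hole is open for it) can be checked mechanically. The script below is an added example, not part of the thread or of Dachstein; it parses only the INTERN_SERVERS and EXTERN_TCP_PORTS value formats shown above, and the function names and the short service-name table are assumptions.

```shell
#!/bin/sh
# Added example: cross-check Dachstein-style port forwards against the
# firewall holes in EXTERN_TCP_PORTS. Value formats as shown in the thread:
#   INTERN_SERVERS   = proto_extip_extport_intip_intport  (space separated)
#   EXTERN_TCP_PORTS = srcip/mask_dstport                 (space separated)

# Map a service name to a port number. Assumption: this short table stands
# in for /etc/services so the script runs offline.
svc_port() {
    case "$1" in
        ssh) echo 22 ;; smtp) echo 25 ;; www) echo 80 ;;
        pop3) echo 110 ;; imap) echo 143 ;;
        *[!0-9]*|'') return 1 ;;      # unknown name or empty port
        *) echo "$1" ;;               # already numeric
    esac
}

# Print the numeric destination ports opened by an EXTERN_TCP_PORTS value.
open_tcp_ports() {
    for entry in $1; do
        svc_port "${entry##*_}" || echo "bad entry: $entry" >&2
    done
}

# Print every tcp forward ($1) whose external port has no hole in $2.
unopened_forwards() {
    opened=" $(open_tcp_ports "$2" | tr '\n' ' ')"
    for fwd in $1; do
        proto=${fwd%%_*}; rest=${fwd#*_}     # split off the protocol
        rest=${rest#*_}                       # drop the external IP
        # An unparseable external port is reported as well.
        port=$(svc_port "${rest%%_*}") || { echo "$fwd"; continue; }
        [ "$proto" = tcp ] || continue        # only tcp holes are checked
        case "$opened" in
            *" $port "*) ;;                   # hole exists, nothing to report
            *) echo "$fwd" ;;
        esac
    done
}

# Constructed sample: the forward from the thread plus a made-up second one.
FORWARDS="tcp_196.33.41.70_80_192.6.31.253_80 tcp_196.33.41.70_8080_192.6.31.253_8080"
HOLES="0/0_ssh 0/0_www 0/0_smtp"
unopened_forwards "$FORWARDS" "$HOLES"
```

Any forward it prints would be accepted by ipmasqadm but dropped at the input chain, which is the locked-chapel-doors case described in the quoted reply.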
