At 07:08 PM 2/11/02 -0700, Scott Sandeman-Allen wrote:
>Hi,
>
>I've been trying to configure LEAF Dachstein CD to firewall 5 IP 
>addresses. I have tried several configurations but cannot get the 
>beast to work. I have changed the IP's and removed the comments to 
>make it a shorter message... I hope those who may help are okay with 
>this.

When you change numbers, you always risk hiding something that matters.
Here, I'm proceeding on the following assumptions:

        1. That the "231.123.123" substitutes for a "real" class C
                address, not a private-space address
        2. That the fourth number in the quad is the real number.

>Here is what I have:
>       Router/firewall with 3 NIC's.
>       Five (5) class C static IP's  i.e. 231.123.123.242:245

This is 4 addresses, not 5. I assume you have:
        network:        a.b.c.240/29
        addresses:      a.b.c.241-245
        gateway:        a.b.c.246
        broadcast:      a.b.c.247

>       ISP Gateway 231.123.123.246
>       2 servers on DMZ
>               192.168.71.242 WWW & SSH
>               192.168.71.243 SSH (SQL for WWW)
>
>What I'm trying to do is this:
>       DMZ the two servers
>       NAT to workstations on 192.168.70.0/24 (each w/static IP)
>
>With the following configuration, I get an ipchains table which I 
>have condensed and added below. I have removed the packet counts and 
>the logging options except for the one '!y' in the forwarding 
>section. When I test this and other configs, using
>       ipchains -C -p tcp -i eth0 -s 0.0.0.0 www 231.123.123.242 www

I believe there is a typo in the test line. It should read:

ipchains -C -p tcp -i eth0 -s 0.0.0.0 www -d 231.123.123.242 www
                                          ^^
I don't know if the typo is just here in this message or in your actual test
as well. If it is in your tests, I couldn't predict what would happen.

>I get a deny, even though the chains list shows
>       ACCEPT     tcp     eth0    0/0      231.123.123.242        * -> 80
>
>I'm thinking the problem is a line lower down which states:
>
>       DENY       all     eth0    0/0      0/0      n/a

Not quite. ipchains rules are ... well, they are a chain, which means they
get looked at in order, going down until the first rule that matches a
packet is encountered. In your case, the ACCEPT rule you quote above (from
your input chain) comes -after- another input-chain rule that reads:

>DENY       all     eth0    231.123.123.242       0/0      n/a

Since the packet hits this general DENY rule before getting to the rule that
ACCEPTs port 80, the packet gets denied.

This rule is one of a set of 5 that together block all 5 of the IP addresses
you are trying to respond to.

>Soooo, have I messed up and not set something right or am I just a 
>loonie and should go back to some basket weaving... or is there a 
>problem with a script (I tried to figure them out but I have a ways 
>to go before I get into that).

I'm not the best person here at spotting script problems ... in fact, I'm
close to the worst among the regulars ... so someone else is likely to offer
better suggestions than I could. One thing:

        >eth0_DEFAULT_GW=231.123.123.241
Should be 
        eth0_DEFAULT_GW=231.123.123.246

[diagnostics and config files deleted]


--
------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA                                    [EMAIL PROTECTED]        
----------------------------------------------------------------


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
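The first-match behaviour Ray describes, as an added example that is not part of the thread: a small evaluator for ipchains-style rules that walks a chain top to bottom and stops at the first match, the way `ipchains -C` does. The two-rule chains, the probe packet and the `Rule`/`check` names are constructed for illustration, not taken from the poster's real configuration.

```python
# Added example (not from the thread): a first-match evaluator for ipchains-style
# rules, showing why a broad DENY placed above a narrow ACCEPT shadows it.
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _net(spec: str) -> ipaddress.IPv4Network:
    """'0/0' (as printed by ipchains -L) means any; a bare address means a /32."""
    if spec in ("0/0", "0.0.0.0/0", "*"):
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network(spec, strict=False)


@dataclass
class Rule:
    target: str                   # ACCEPT / DENY / REJECT
    proto: str                    # tcp, udp, icmp or all
    iface: str                    # eth0 ... or "*" for any interface
    src: str                      # source address/network, or 0/0
    dst: str                      # destination address/network, or 0/0
    dport: Optional[int] = None   # None = any destination port

    def matches(self, proto, iface, src, dst, dport):
        return (self.proto in ("all", proto)
                and self.iface in ("*", iface)
                and ipaddress.IPv4Address(src) in _net(self.src)
                and ipaddress.IPv4Address(dst) in _net(self.dst)
                and (self.dport is None or self.dport == dport))


def check(chain, proto, iface, src, dst, dport, policy="DENY"):
    """Walk the chain in order; the first matching rule decides (like ipchains -C).
    Returns (target, 1-based rule number) or (chain policy, None) if nothing matched."""
    for n, rule in enumerate(chain, 1):
        if rule.matches(proto, iface, src, dst, dport):
            return rule.target, n
    return policy, None


# Constructed chain (not the poster's real one): a catch-all DENY for traffic to the
# web server sits above the ACCEPT for port 80, so the ACCEPT is never reached.
SHADOWED = [
    Rule("DENY", "all", "eth0", "0/0", "231.123.123.242"),
    Rule("ACCEPT", "tcp", "eth0", "0/0", "231.123.123.242", 80),
]
# The same two rules with the specific ACCEPT placed first.
FIXED = [SHADOWED[1], SHADOWED[0]]

if __name__ == "__main__":
    probe = ("tcp", "eth0", "10.0.0.1", "231.123.123.242", 80)   # constructed packet
    print(check(SHADOWED, *probe))   # ('DENY', 1)
    print(check(FIXED, *probe))      # ('ACCEPT', 1)
```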