Kory Krofft wrote:
Victor, Ray,
I added the route on the win machine and I can now browse the weblet
at the 192.168.10.1 IP. Once I removed routefilter I could access
the weblet intermittently on the external IP, but when I tested from a
friend's machine over the internet it reports "connection refused".
By intermittently I mean that I can load pages from the dmz but not
images located out on the net referenced on those pages. Additionally
I can no longer reach the firewall weblet on the internal ip. Instead
I get the dmz weblet.
How do your dmz boxen resolve names? Can you ping by name the
machines on the net with the images? Does it go back to the firewall
and dnscache? If so you might want to add the other interface card in
the leaf box in the first section (#1 in the lrcfg dnscache configuration).
It should look like this if eth2 is 192.168.10.245:
192.168.1.254 192.168.10.245
Setup as it is currently:
routes on the win machine:
Active Routes:
Network Destination    Netmask            Gateway        Interface    Metric
0.0.0.0                0.0.0.0            192.168.1.254  192.168.1.1  1
127.0.0.0              255.0.0.0          127.0.0.1      127.0.0.1    1
192.168.1.0            255.255.255.0      192.168.1.1    192.168.1.1  1
192.168.1.1            255.255.255.255    127.0.0.1      127.0.0.1    1
192.168.1.255          255.255.255.255    192.168.1.1    192.168.1.1  1
192.168.10.1           255.255.255.255    192.168.1.254  192.168.1.1  1
224.0.0.0              224.0.0.0          192.168.1.1    192.168.1.1  1
255.255.255.255        255.255.255.255    192.168.1.1    192.168.1.1  1
Default Gateway: 192.168.1.254
routes on the dmz:
192.168.1.0 via 192.168.10.254 dev eth0
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.1
default via 192.168.10.245 dev eth0
shorewall rules
.........
DNAT net dmz:192.168.10.1 tcp 80
DNAT net dmz:192.168.10.1 tcp 25
DNAT net dmz:192.168.10.1 udp 25
DNAT loc dmz:192.168.10.1:80 tcp 80 - $ETH0_IP
loc cannot send port 80 to two different places. It sounds like your
dmz machine is also a leaf box. You will need to reconfigure weblet on
one of the boxes to use another port such as 8080. You can then access
it from your browser like http://192.168.10.1:8080
........
shorewall policy
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw       net    ACCEPT
net       all    DROP     ULOG
all       all    REJECT   ULOG
dmz       net    ACCEPT
I think I need to specify the gateway on the dmz. It also does not
seem to be able to resolve DNS queries.
What is the proper way to provide the default gateway and dns
resolution?
I also need to sort out shorewall rules and policy to get DNAT to
work.
Sounds like it's working to me.
I have
initrd.lrp
root.lrp
etc.lrp
local.lrp
modules.lrp
sftp.lrp
weblet.lrp
loaded on the dmz.
Thanks guys,
Kory
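The port-80 collision pointed out above ("loc cannot send port 80 to two different places") is easy to spot mechanically. The script below is an added example, not code from the thread or from the LEAF/Shorewall projects: it lints a Shorewall "rules" file for DNAT entries that forward the same source zone, protocol and port to two different targets, and for DNATs from the local zone on a port the firewall itself serves (the weblet on 80 in the thread), which is exactly what hid the firewall weblet behind the dmz one. The sample rules are constructed to mirror the ones posted, with one extra line added to exercise the duplicate check; FW_PORTS and LOCAL_ZONE are assumptions you would set for your own box.

```shell
#!/bin/sh
# Added example (not from the thread or the LEAF/Shorewall projects): lint a
# Shorewall "rules" file for DNAT entries that pull the same source zone /
# protocol / port in two directions, or that shadow a service the firewall
# itself provides on that port.
# Assumptions: FW_PORTS lists the tcp ports the firewall serves locally
# (weblet on 80 in the thread); LOCAL_ZONE is the zone that reaches those
# services directly (loc). Columns follow the Shorewall rules layout:
#   ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST

# Constructed sample mirroring the rules posted in the thread, plus one extra
# (constructed) line sending net:80 to a second dmz host for the duplicate check.
make_sample_rules() {
  cat > "$1" <<'EOF'
#ACTION  SOURCE  DEST                  PROTO  DEST    SOURCE  ORIGINAL
#                                             PORT(S) PORT(S) DEST
DNAT     net     dmz:192.168.10.1      tcp    80
DNAT     net     dmz:192.168.10.1      tcp    25
DNAT     net     dmz:192.168.10.1      udp    25
DNAT     loc     dmz:192.168.10.1:80   tcp    80      -       $ETH0_IP
DNAT     net     dmz:192.168.10.2      tcp    80      # constructed: second target for net:80
EOF
}

# Constructed "after" version: the loc DNAT is gone, so $ETH0_IP:80 is the
# firewall weblet again, and the dmz weblet (moved to 8080 as suggested) is
# reached directly at http://192.168.10.1:8080 over the static route.
make_fixed_rules() {
  cat > "$1" <<'EOF'
DNAT     net     dmz:192.168.10.1      tcp    80
DNAT     net     dmz:192.168.10.1      tcp    25
DNAT     net     dmz:192.168.10.1      udp    25
ACCEPT   loc     dmz                   tcp    8080
EOF
}

# Print one line per problem found in the rules file $1; print nothing when clean.
lint_dnat_rules() {
  awk -v fw_ports="${FW_PORTS:-80}" -v local_zone="${LOCAL_ZONE:-loc}" '
    BEGIN { n = split(fw_ports, p, ","); for (i = 1; i <= n; i++) fwport[p[i]] = 1 }
    { sub(/#.*/, "") }                 # strip comments; $0 is re-split into fields
    NF == 0 || $1 != "DNAT" { next }
    {
      src = $2; dst = $3; proto = $4; port = $5
      odest = ($7 == "") ? "-" : $7
      key = src SUBSEP proto SUBSEP port SUBSEP odest
      # Same source zone, protocol, port and original destination already
      # forwarded elsewhere: only the first rule will ever match.
      if ((key in seen) && seen[key] != dst)
        printf "DUPLICATE %s %s/%s (orig %s) -> %s and %s\n",
               src, proto, port, odest, seen[key], dst
      if (!(key in seen)) seen[key] = dst
      # A DNAT from the local zone on a port the firewall serves itself
      # hides the firewall service behind the forwarded one.
      if (src == local_zone && proto == "tcp" && (port in fwport))
        printf "SHADOW %s %s/%s -> %s hides the firewall service on %s (orig %s)\n",
               src, proto, port, dst, port, odest
    }' "$1"
}

# Demo: lint the "before" and "after" files.
tmp=$(mktemp)
make_sample_rules "$tmp"; echo "before:"; lint_dnat_rules "$tmp"
make_fixed_rules "$tmp";  echo "after:";  lint_dnat_rules "$tmp"
rm -f "$tmp"
```

Run it against your real /etc/shorewall/rules with `lint_dnat_rules /etc/shorewall/rules` after setting FW_PORTS to whatever the firewall's own weblet and sshd listen on. One caveat on the policy file quoted above, which the script does not check: Shorewall uses the first policy line whose source and destination zones match, so a `dmz net ACCEPT` placed after `all all REJECT` never takes effect and belongs above it.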
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html