[EMAIL PROTECTED] wrote:
> Hello everyone,
>
> After a few days trying to get this to work, I'm out of possibilities. I read
> all the documentation I could find. I read many posts about this subject. And I
> tried some things I found on the net.
>
> The one thing I try to do is set up my router with 3 network interfaces to
> give me a working DMZ. My network is working wonderfully. But I can't get my
> DMZ to do what I want.
> I want to set up a webserver, but I want to be able to do the maintenance on my
> server from my local network. (The server is a machine without keyboard and
> monitor.)
>
> The problem: I can't ping to my server. I think my firewall is blocking the
> reply packets.
>
> Loc: 192.168.1.0/24
> DMZ: 192.168.3.0/24
> VPN: 192.168.2.0/24
>
> My IP address: 192.168.1.145
>
> I can ping to 192.168.1.254 (the IP address of my router (loc))
> I can ping to 192.168.3.1 (the IP address of my router (dmz), but I understand
> that this is normal because the IP address belongs to my machine and not to
> an interface)
>
> I can ping from my router to 192.168.3.2 (IP address of my server)
> I can ping from my server to 192.168.3.1 (IP address of my router (dmz))
> I can't ping from my server to 192.168.1.254 (IP address of my router (loc);
> this I find strange)
> I can't ping from my server to 192.168.1.145 (my own IP)
>
> I checked my configuration a few times. But I don't find a configuration
> setting that can explain this behaviour. So I tried to set everything open
> between dmz and loc (a bad way to work with a firewall, but I didn't know what
> to do anymore). Nothing works.
>
> Below you find all the information I thought would be interesting to know and
> to analyse my problem. If you do not have enough information to help me, please
> tell me so I can provide you with the necessary information.
>
> PS: I tried to follow the following website:
> http://www.shorewall.net/three-interface.htm
> But as an inexperienced user, I hope I did it right.
>
> Thanks in advance,
>
> Jan
>
>
>
> RouterJan# uname -a
> Linux RouterJan 2.4.33 #1 Mon Sep 4 15:52:08 CEST 2006 i686 unknown
>
> RouterJan# ip addr show
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
> 2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
>     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
> 3: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:d0:b7:4c:6e:3b brd ff:ff:ff:ff:ff:ff
>     inet 213.118.207.166/24 brd 213.118.207.255 scope global eth0
> 4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:90:27:a5:00:40 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
> 5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:90:27:ed:3c:69 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.3.1/24 brd 192.168.3.255 scope global eth2
> 6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/[65534]
>     inet 192.168.2.1 peer 192.168.2.2/32 scope global tun0
>
> RouterJan# ip route show
> 192.168.2.2 dev tun0 proto kernel scope link src 192.168.2.1
> 213.118.207.0/24 dev eth0 proto kernel scope link src 213.118.207.166
> 192.168.3.0/24 dev eth2 proto kernel scope link src 192.168.3.1
> 192.168.2.0/24 via 192.168.2.2 dev tun0
> 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
> default via 213.118.207.1 dev eth0
>
> RouterJan# iptables -nvL
> Chain PREROUTING (policy ACCEPT 11963 packets, 3525K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  9490 3312K net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
>
> Chain POSTROUTING (policy ACCEPT 65 packets, 7148 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   825 40533 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 64 packets, 7088 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain eth0_masq (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>   772 36943 MASQUERADE all  --  *      *       192.168.1.0/24       0.0.0.0/0
>
> Chain net_dnat (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> RouterJan# iptables -t nat -nvL
> Chain PREROUTING (policy ACCEPT 11963 packets, 3525K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  9490 3312K net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
>
> Chain POSTROUTING (policy ACCEPT 65 packets, 7148 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   825 40533 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 64 packets, 7088 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain eth0_masq (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>   772 36943 MASQUERADE all  --  *      *       192.168.1.0/24       0.0.0.0/0
>
> Chain net_dnat (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> RouterJan# /sbin/shorewall status
> Shorewall-3.2.3 Status at RouterJan - Mon Mar 26 20:32:50 UTC 2007
>
> Shorewall is running
> State:Started (Thu Mar 22 23:55:50 UTC 2007)
>
>
> /etc/shorewall/zones
> ###############################################################################
> #ZONE   TYPE        OPTIONS         IN                      OUT
> #                                   OPTIONS                 OPTIONS
> fw      firewall
> net     ipv4
> loc     ipv4
> dmz     ipv4
> vpn     ipv4
> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
>
>
>
>
> /etc/shorewall/policy
> ###############################################################################
> #SOURCE DEST    POLICY  LOG     LIMIT:BURST
> #                       LEVEL
> loc     dmz     ACCEPT
> dmz     loc     ACCEPT
> loc     vpn     ACCEPT
> vpn     loc     ACCEPT
> loc     net     ACCEPT
> net     all     DROP    ULOG
> # If you want open access to the Internet from your Firewall
> # remove the comment from the following line.
> #fw     net     ACCEPT
>
> #
> # THE FOLLOWING POLICY MUST BE LAST
> #
> all     all     REJECT  ULOG
> #LAST LINE -- DO NOT REMOVE
>
>
> /etc/shorewall/rules
> #############################################################################################################
> #ACTION      SOURCE   DEST              PROTO   DEST    SOURCE    ORIGINAL   RATE     USER/
> #                                               PORT    PORT(S)   DEST       LIMIT    GROUP
> #SECTION ESTABLISHED
> #SECTION RELATED
> SECTION NEW
> # Accept DNS connections from the firewall to the network
> # and from the local network to the firewall (in case dnsmasq is
> DNS/ACCEPT   fw       net
> DNS/ACCEPT   loc      fw
> DNS/ACCEPT   dmz      fw
>
> # Accept SSH connections from the local network for administrati
> #
> SSH/ACCEPT   loc      fw
>
> # Allow Ping to Firewall
> #
> Ping/ACCEPT  net      fw
> Ping/ACCEPT  loc      fw
> Ping/ACCEPT  vpn      fw
> Ping/ACCEPT  dmz      fw
> Ping/ACCEPT  loc      dmz
> Ping/ACCEPT  dmz      loc
> Ping/ACCEPT  fw       dmz
> Ping/ACCEPT  dmz      fw
>
> #
> # Allow all ICMP types (including ping) from firewall
> ACCEPT       fw       loc               icmp
> ACCEPT       fw       net               icmp
> ACCEPT       fw       dmz               icmp
> ACCEPT       loc      dmz               icmp
> ACCEPT       dmz      loc               icmp
>
> #
> # Allow net to webserver, loc all
> DNAT         net      dmz:192.168.3.2   tcp     80      8080
> Web/ACCEPT   loc      dmz:192.168.3.2
>
> # Allow local network to access weblet/webconf
> #
> Web/ACCEPT   loc      fw
> Web/ACCEPT   vpn      fw
> ACCEPT       fw       net               tcp     80
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> /etc/shorewall/masq
> ###############################################################################
> #INTERFACE   SUBNET   ADDRESS   PROTO   PORT(S)   IPSEC
> eth0         eth1
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
>
>
>
>
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys-and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> ------------------------------------------------------------------------
> leaf-user mailing list: leaf-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/leaf-user
> Support Request -- http://leaf-project.org/
>
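A useful first step with a post like this is to work out, from the tables Jan pasted, which zone pair each failing ping actually falls into and which line of the rules or policy file would decide it. The script below is an added example, not Jan's configuration and not anything that ships with Shorewall. The zone map is assumed from the ip addr output in the post (the router's own addresses form the fw zone; eth1, eth2 and tun0 carry loc, dmz and vpn; everything else counts as net), because the interfaces file is not in the post. The Ping, Web, SSH and DNS macros are reduced to one protocol/port each, an assumption based on the stock Shorewall macros. Only the SECTION NEW lookup is modelled; replies take the implicit ESTABLISHED/RELATED path, which the script does not cover.

```python
"""Resolve which posted Shorewall rule or policy decides a NEW connection.

Added example for the leaf-user thread above; not Jan's code, not Shorewall's.
Zone map, macro expansions and the NEW-only lookup are assumptions stated in
the lead-in; the rules and policy text are copied from the post.
"""
import ipaddress

# Router's own addresses from `ip addr show` -> the fw zone (assumed mapping).
FW_ADDRS = {"213.118.207.166", "192.168.1.254", "192.168.3.1", "192.168.2.1"}
ZONE_NETS = {
    "loc": ipaddress.ip_network("192.168.1.0/24"),   # eth1
    "dmz": ipaddress.ip_network("192.168.3.0/24"),   # eth2
    "vpn": ipaddress.ip_network("192.168.2.0/24"),   # tun0
}
# Assumed reduction of the stock macros to a single (proto, dport) each.
MACROS = {"Ping": ("icmp", None), "Web": ("tcp", 80),
          "SSH": ("tcp", 22), "DNS": ("udp", 53)}

# SECTION NEW entries exactly as posted (comments dropped, whitespace collapsed).
RULES = """
DNS/ACCEPT fw net
DNS/ACCEPT loc fw
DNS/ACCEPT dmz fw
SSH/ACCEPT loc fw
Ping/ACCEPT net fw
Ping/ACCEPT loc fw
Ping/ACCEPT vpn fw
Ping/ACCEPT dmz fw
Ping/ACCEPT loc dmz
Ping/ACCEPT dmz loc
Ping/ACCEPT fw dmz
Ping/ACCEPT dmz fw
ACCEPT fw loc icmp
ACCEPT fw net icmp
ACCEPT fw dmz icmp
ACCEPT loc dmz icmp
ACCEPT dmz loc icmp
DNAT net dmz:192.168.3.2 tcp 80 8080
Web/ACCEPT loc dmz:192.168.3.2
Web/ACCEPT loc fw
Web/ACCEPT vpn fw
ACCEPT fw net tcp 80
"""

# Policy table as posted; the LOG column (ULOG) is carried but not used.
POLICY = """
loc dmz ACCEPT
dmz loc ACCEPT
loc vpn ACCEPT
vpn loc ACCEPT
loc net ACCEPT
net all DROP ULOG
all all REJECT ULOG
"""


def zone_of(ip):
    """Map an address to a zone: firewall-owned addresses first, then subnets."""
    if ip in FW_ADDRS:
        return "fw"
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONE_NETS.items():
        if addr in net:
            return zone
    return "net"


def parse_rules(text):
    """Turn each rules line into (action, src, dst_zone, dst_host, proto, dport, line)."""
    rules = []
    for line in text.strip().splitlines():
        f = line.split()
        action, src = f[0], f[1]
        dst, _, host = f[2].partition(":")        # "dmz:192.168.3.2" -> zone + host
        if "/" in action:                          # macro form, e.g. Ping/ACCEPT
            macro, action = action.split("/")
            proto, port = MACROS[macro]
        else:                                      # explicit PROTO / DEST PORT columns
            proto = f[3] if len(f) > 3 else "all"
            port = int(f[4]) if len(f) > 4 else None
        rules.append((action, src, dst, host, proto, port, line))
    return rules


def parse_policy(text):
    """Each policy line becomes (src, dst, verdict, line); 'all' is a wildcard."""
    return [tuple(line.split()[:3]) + (line,) for line in text.strip().splitlines()]


def resolve(src_ip, dst_ip, proto, dport=None):
    """First matching NEW rule wins; otherwise the first matching policy."""
    sz, dz = zone_of(src_ip), zone_of(dst_ip)
    for action, src, dst, host, rproto, rport, line in parse_rules(RULES):
        if (src, dst) != (sz, dz):
            continue
        if host and host != dst_ip:
            continue
        if rproto != "all" and rproto != proto:
            continue
        if rport is not None and rport != dport:
            continue
        return sz, dz, action, line
    for src, dst, verdict, line in parse_policy(POLICY):
        if src in (sz, "all") and dst in (dz, "all"):
            return sz, dz, verdict, line
    return sz, dz, "REJECT", "(no policy matched)"


if __name__ == "__main__":
    for s, d, p, dp in [
        ("192.168.1.145", "192.168.3.2", "icmp", None),   # Jan's PC -> server
        ("192.168.3.2", "192.168.1.254", "icmp", None),   # server -> router's loc address
        ("192.168.3.2", "192.168.1.145", "icmp", None),   # server -> Jan's PC
        ("192.168.3.2", "192.168.1.145", "tcp", 22),      # falls through to policy
        ("192.168.3.2", "192.168.2.2", "icmp", None),     # dmz -> vpn: last policy
    ]:
        print(s, "->", d, p, dp or "", resolve(s, d, p, dp))
```

Two things fall out of running it. A ping from the server to 192.168.1.254 is a dmz-to-fw lookup, not dmz-to-loc, because that address belongs to the router; it still lands on "Ping/ACCEPT dmz fw". Every ping Jan lists as failing resolves to ACCEPT under this model, so whatever drops them is outside the two tables shown (the interfaces file, the server's own routing, or the reply path), which is exactly the part a reply would need Jan to post next. The DNAT line is matched in its post-NAT form (destination 192.168.3.2); the script does not model the original-destination rewrite.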