As newbies to Linux and routers we have been trying to set up a Shorewall server that can replace the old router and proxy server in the diagram. We also want to move websites from the old webserver to the new webserver. We currently have our new webserver 192.168.1.1 running the website 62.49.239.88, which was originally on the old webserver.
[Network diagram: the ASCII art was lost in extraction; the recoverable layout is:]
  ISP -- ISDN Router (62.49.239.81) -- public segment 62.49.239.80/28
  On the public segment: Shorewall Router (eth0 62.49.239.93), Old Webserver and Old Router
    (62.49.239.87, 62.49.239.90, 62.49.239.92 and 62.49.239.83 also appear on this segment)
  Shorewall Router eth2 (192.168.1.254) -> DMZ 192.168.1.0/24: New Webserver 192.168.1.1
  Shorewall Router eth1 (192.168.102.1) -> Internal LAN 192.168.102.0/24 (a second address, 192.168.102.2, appears on this segment):
    Database servers, Workstations, Proxy Server (old router NATs to 62.49.239.85),
    Mail Server (old router NATs to 62.49.239.84)

Already we can:
- Allow LAN workstations tcp, ftp access to external websites etc.
- Allow LAN workstations to maintain webservers on the DMZ.
- Allow LAN workstations full access to a few specific public IP addresses.
- Send SMTP mail to external IP addresses.

What we cannot do is get external users (with addresses outside 62.49.239.80/28) to browse our new webserver, nor receive SMTP mail from our ISP. We must be doing something simple incorrectly with eth0. Can anyone see what we've got wrong?
This is our configuration:

etc/network/interfaces:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
    address 62.49.239.93
    masklen 28
    gateway 62.49.239.81
auto eth1
iface eth1 inet static
    address 192.168.102.1
    masklen 24
    broadcast 192.168.102.255
auto eth2
iface eth2 inet static
    address 192.168.1.254
    masklen 24
    broadcast 192.168.1.255

etc/shorewall/zones:
net   Net     Internet
loc   Local   Local Networks
dmz   DMZ     Demilitarised Zone

etc/shorewall/interfaces:
net   eth0   detect   routefilter,norfc1918
loc   eth1   detect
dmz   eth2   detect

etc/shorewall/policy:
net   all   DROP     ULOG
all   all   REJECT   ULOG

etc/shorewall/masq:
eth2   eth0
eth2   eth1
eth1   eth2
eth0   eth1
eth0   eth2

etc/shorewall/rules:
#Standard stuff
ACCEPT   fw    net   tcp   53
ACCEPT   fw    net   udp   53
ACCEPT   loc   fw    tcp   22
ACCEPT   dmz   net   tcp   53
ACCEPT   dmz   net   udp   53
#(ping ACCEPT rules omitted for brevity)
#Standard stuff
ACCEPT   loc   fw    udp   53
ACCEPT   loc   fw    tcp   80
ACCEPT   dmz   fw    udp   53
ACCEPT   dmz   fw    tcp   80
#New webserver
DNAT   net   dmz:192.168.1.1   tcp   80    -   62.49.239.88
DNAT   net   dmz:192.168.1.1   tcp   443   -   62.49.239.88
DNAT   net   dmz:192.168.1.1   udp   80    -   62.49.239.88
DNAT   loc   dmz:192.168.1.1   tcp   80    -   62.49.239.88
DNAT   loc   dmz:192.168.1.1   tcp   443   -   62.49.239.88
DNAT   loc   dmz:192.168.1.1   udp   80    -   62.49.239.88
#(SQL between dmz and loc ACCEPT rules omitted for brevity)
#Local users access net and do maintenance on DMZ
ACCEPT   loc   net   tcp   80    -
ACCEPT   loc   net   tcp   443   -
ACCEPT   loc   net   udp   53    -
ACCEPT   loc   dmz   all   -     -
#SMTP in and out
DNAT     net   loc:192.168.102.6   tcp   smtp   -   62.49.239.80/28
ACCEPT   loc   net   tcp   smtp   -
#(Specific public IP access ACCEPT rules omitted for brevity)

We're using: Linux Firewall 2.4.20, Bering version 1.2, Shorewall Version 1.4.2.
Other mandatory info:

::Interfaces::
1: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:c0:df:a0:50:69 brd ff:ff:ff:ff:ff:ff
    inet 62.49.239.93/28 scope global eth0
4: eth1: mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:c0:df:ed:a7:83 brd ff:ff:ff:ff:ff:ff
    inet 192.168.102.1/24 brd 192.168.102.255 scope global eth1
5: eth2: mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:c0:df:ee:49:49 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth2

::Routes::
62.49.239.80/28 dev eth0 proto kernel scope link src 62.49.239.93
192.168.102.0/24 dev eth1 proto kernel scope link src 192.168.102.1
192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.254
default via 62.49.239.81 dev eth0

Modules:
ip_nat_irc          2176   0 (unused)
ip_nat_ftp          2784   0 (unused)
ip_conntrack_irc    2880   1
ip_conntrack_ftp    3648   1
ne2k-pci            4684   3
8390                5820   0 [ne2k-pci]

Any help would be greatly appreciated.

Chris Hall

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
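One thing worth checking in a setup like this is whether every public address named in the ORIGINAL DEST column of a DNAT rule is actually held by the firewall's external interface, since in the post eth0 carries only 62.49.239.93 while the web rules rewrite 62.49.239.88 and the SMTP rule names a whole /28. The script below is an added diagnostic, not part of the post or of Shorewall; it runs over constructed copies of the post's rules and eth0 address, and a hit means "verify how that address reaches this box" (the firewall could still receive it via proxy ARP, a static route on the ISDN router, or an entry in Shorewall's nat file), not a proven fault.

```shell
#!/bin/sh
# Constructed copy of the relevant lines from the post's /etc/shorewall/rules.
RULES='DNAT net dmz:192.168.1.1 tcp 80 - 62.49.239.88
DNAT net dmz:192.168.1.1 tcp 443 - 62.49.239.88
DNAT net loc:192.168.102.6 tcp smtp - 62.49.239.80/28
ACCEPT loc net tcp 80 -'

# Constructed from the post's "inet 62.49.239.93/28 scope global eth0".
# On a live box: ip -o -4 addr show dev eth0 | awk '{print $4}'
ETH0_ADDRS='62.49.239.93/28'

# Column 7 of a Shorewall 1.4 DNAT rule is ORIGINAL DEST (the address the
# packet was sent to before rewriting). Print that column for DNAT rules only.
dnat_orig_dests() {
  printf '%s\n' "$1" | awk '$1 == "DNAT" && NF >= 7 { print $7 }'
}

# Report (one line each, de-duplicated):
#   not-on-interface A        A is a host address not configured on eth0
#   subnet-as-original-dest N N is a CIDR; DNAT rewrites a destination, so a
#                             subnet here should be re-checked against intent
missing_on_iface() {
  rules="$1"; addrs="$2"
  dnat_orig_dests "$rules" | while read -r dest; do
    case "$dest" in
      */*) printf 'subnet-as-original-dest %s\n' "$dest" ;;
      *)   printf '%s\n' "$addrs" |
             awk -F/ -v d="$dest" '$1 == d { found = 1 } END { exit !found }' ||
             printf 'not-on-interface %s\n' "$dest" ;;
    esac
  done | sort -u
}

missing_on_iface "$RULES" "$ETH0_ADDRS"
```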