As newbies to Linux and routers we have been trying to set up a
Shorewall server that can replace the old router and proxy server in the
diagram.  We also want to move websites from the old webserver to the new
webserver.
We currently have our new webserver 192.168.1.1 running the website
62.49.239.88 which was originally on the old webserver.

                          ISP
                           /
                          /_
                           /
                          /
                    -------------
                   | ISDN Router |
                    -------------
             62.49.239.81 |
                          |            62.49.239.80/28
                          +----------------------------+--------------------+
                          |                            |                    |
                          |                            |62.49.239.87,       |
                          |                            |62.49.239.90,       |
                      eth0| 62.49.239.93               |62.49.239.92        |62.49.239.83
                  ----------------             ----------------      ----------------
  192.168.1.254  |   Shorewall    |           | Old Webserver  |    |  Old Router    |
        ---------|   Router       |           |                |    |                |
       |     eth2|                |           |                |    |                |
       |          ----------------             ----------------      ----------------
       |DMZ           eth1| 192.168.102.1                                   | 192.168.102.2
       |192.168.1.0/24    |                                                 |
       |                  |                                                 |
       | 192.168.1.1      | Internal LAN 192.168.102.0/24                   |
  ----------------      --+-----+----------------+-------------------+------+------------+-
 | New Webserver  |             |                |                   |                   |
 |                |  ----------------    ----------------    ----------------    ---------------
  ----------------  |Database servers|  | Workstations   |  | Proxy Server   |  |Mail Server    |
                    |                |  |                |  | Old router NATs|  |Old router NATs|
                    |                |  |                |  | to 62.49.239.85|  |to 62.49.239.84|
                     ----------------    ----------------    ----------------    ---------------

Already we can:
Allow LAN workstations tcp, ftp access to external websites etc.
Allow LAN workstations to maintain webservers on the DMZ.
Allow LAN workstations full access to a few specific public IP addresses.
Send SMTP mail to external IP addresses.

What we cannot do is get external users (with addresses outside
62.49.239.80/28) to browse our new webserver, nor receive SMTP mail from our
ISP.
We must be doing something simple incorrectly with eth0.  Can anyone see
what we've got wrong?

This is our configuration:

etc/network/interfaces:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
        address 62.49.239.93
        masklen 28
        gateway 62.49.239.81

auto eth1
iface eth1 inet static
        address 192.168.102.1
        masklen 24
        broadcast 192.168.102.255

auto eth2
iface eth2 inet static
        address 192.168.1.254
        masklen 24
        broadcast 192.168.1.255

etc/shorewall/zones:
net Net Internet
loc Local Local Networks
dmz DMZ Demilitarised Zone

etc/shorewall/interfaces:
net  eth0 detect routefilter,norfc1918
loc eth1 detect
dmz eth2 detect

etc/shorewall/policy:
net all DROP ULOG
all all REJECT ULOG

etc/shorewall/masq:
eth2 eth0
eth2 eth1
eth1 eth2
eth0 eth1
eth0 eth2

etc/shorewall/rules:
#Standard stuff
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
ACCEPT loc fw tcp 22
ACCEPT dmz net tcp 53
ACCEPT dmz net udp 53

#(ping ACCEPT rules omitted for brevity)
#Standard stuff
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80
ACCEPT dmz fw udp 53
ACCEPT dmz fw tcp 80

#New webserver
DNAT net dmz:192.168.1.1 tcp 80 - 62.49.239.88
DNAT net dmz:192.168.1.1 tcp 443 - 62.49.239.88
DNAT net dmz:192.168.1.1 udp 80 - 62.49.239.88
DNAT loc dmz:192.168.1.1 tcp 80 - 62.49.239.88
DNAT loc dmz:192.168.1.1 tcp 443 - 62.49.239.88
DNAT loc dmz:192.168.1.1 udp 80 - 62.49.239.88

#(SQL between dmz and loc ACCEPT rules omitted for brevity)

#Local users access net and do maintenance on DMZ
ACCEPT loc net tcp 80 -
ACCEPT loc net tcp 443 -
ACCEPT loc net udp 53 -
ACCEPT loc dmz all - -

#SMTP in and out
DNAT net loc:192.168.102.6 tcp smtp - 62.49.239.80/28
ACCEPT loc net tcp smtp -

#(Specific public IP access ACCEPT rules omitted for brevity)

We're using:
Linux Firewall 2.4.20
Bering version 1.2
Shorewall Version 1.4.2.
Other mandatory info:
::Interfaces:: 
1: lo:  mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0:  mtu 1500 qdisc noop 
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0:  mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:c0:df:a0:50:69 brd ff:ff:ff:ff:ff:ff
    inet 62.49.239.93/28 scope global eth0
4: eth1:  mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:c0:df:ed:a7:83 brd ff:ff:ff:ff:ff:ff
    inet 192.168.102.1/24 brd 192.168.102.255 scope global eth1
5: eth2:  mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:c0:df:ee:49:49 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth2
  
 
::Routes::
62.49.239.80/28 dev eth0  proto kernel  scope link  src 62.49.239.93 
192.168.102.0/24 dev eth1  proto kernel  scope link  src 192.168.102.1 
192.168.1.0/24 dev eth2  proto kernel  scope link  src 192.168.1.254 
default via 62.49.239.81 dev eth0 
  
Modules:
ip_nat_irc              2176   0 (unused)
ip_nat_ftp              2784   0 (unused)
ip_conntrack_irc        2880   1
ip_conntrack_ftp        3648   1
ne2k-pci                4684   3
8390                    5820   0 [ne2k-pci]


Any help would be greatly appreciated.

Chris Hall
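An added check, not part of the post, for the likeliest cause of the "external users cannot reach the DNATed address" symptom: 62.49.239.80/28 is directly attached to eth0, so the ISDN router has to ARP for each public address, and it only gets an answer for addresses the firewall holds on eth0 (as its primary address or an alias); a DNAT whose ORIGINAL DEST is not configured there never receives a packet. The script parses copies of the interfaces file and the DNAT rules from the post and flags such addresses, plus an ORIGINAL DEST that is a whole network; it assumes the Shorewall 1.4 rules column layout (ACTION SOURCE DEST PROTO DEST PORT SOURCE PORT ORIGINAL DEST).

```python
# Constructed copies of the relevant lines from the post's configuration.
INTERFACES = """\
iface eth0 inet static
        address 62.49.239.93
        masklen 28
        gateway 62.49.239.81
iface eth1 inet static
        address 192.168.102.1
"""
RULES = """\
DNAT net dmz:192.168.1.1 tcp 80 - 62.49.239.88
DNAT net dmz:192.168.1.1 tcp 443 - 62.49.239.88
DNAT net loc:192.168.102.6 tcp smtp - 62.49.239.80/28
ACCEPT loc net tcp 80 -
"""


def iface_addresses(text):
    """Map interface name -> set of 'address' values (Debian interfaces(5) format)."""
    addrs, cur = {}, None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "iface":
            cur = parts[1]
            addrs.setdefault(cur, set())
        elif cur and len(parts) == 2 and parts[0] == "address":
            addrs[cur].add(parts[1])
    return addrs


def dnat_findings(rules, addrs, ext_iface="eth0"):
    """Return (rule, problem) pairs for DNAT rules from the net zone whose
    ORIGINAL DEST column (Shorewall 1.4 rules: ACTION SOURCE DEST PROTO
    DEST-PORT SOURCE-PORT ORIGINAL-DEST) the firewall does not hold."""
    # The external /28 is on-link, so the upstream router ARPs for each
    # public address; only addresses configured on ext_iface get answered.
    findings = []
    for line in rules.splitlines():
        f = line.split()
        if len(f) < 7 or f[0] != "DNAT" or not f[1].startswith("net"):
            continue
        orig = f[6]
        if "/" in orig and not orig.endswith("/32"):
            findings.append((line, "ORIGINAL DEST is a whole network, not one address"))
        elif orig not in addrs.get(ext_iface, set()):
            findings.append((line, f"{orig} is not configured on {ext_iface}"))
    return findings
```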

