Hello dear shorewall users,

Here is my scenario. I have a firewall with 3 NICs: eth0 external, eth1 internal and eth2 DMZ.

              12.213.156.49  ______
WAN=========>eth0          |______| eth1 ===========>LAN(192.168.2.0)
                              ||
                             eth2== DMZ(192.168.3.0)

Currently there is one web server located in the DMZ and from outside it's being resolved to mydomainname.com => 12.213.156.49. I'm planning to set up another web server in the DMZ. I do have 5 static IPs that I can use. How should I reconfigure the forwarding to port 80 so that the web servers are able to distinguish the requests?

Thanks in advance.
On Thu, 29 May 2003 11:53:19 -0700 (PDT), aleksey zakharov <aleksey_shorewall@yahoo.com> wrote:

> Hello dear shorewall users,
>
> Here is my scenario. I have a firewall with 3 NICs: eth0 external, eth1
> internal and eth2 DMZ.
>
>               12.213.156.49  ______
> WAN=========>eth0          |______| eth1 ===========>LAN(192.168.2.0)
>                               ||
>                              eth2== DMZ(192.168.3.0)
>
> Currently there is one web server located in the DMZ and from outside it's
> being resolved to mydomainname.com => 12.213.156.49. I'm planning to
> set up another web server in the DMZ. I do have 5 static IPs that I can use.
> How should I reconfigure the forwarding to port 80 so that the web
> servers are able to distinguish the requests?

To set up the server on a separate machine in the DMZ:

DNAT    net    dmz:192.168.3.x    tcp    80    -    12.213.156.49
DNAT    net    dmz:192.168.3.y    tcp    80    -    12.213.156.50

You will have to set up 12.213.156.50 as an additional IP address on eth0.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom,

Thanks a lot for your prompt response. How will I set up 12.213.156.50 as an additional IP address on eth0? Do I need to masquerade eth0 as 12.213.156.49 and 12.213.156.50?

Thanks,
Aleksey
On Thu, 29 May 2003 12:24:24 -0700 (PDT), aleksey zakharov <aleksey_shorewall@yahoo.com> wrote:

> Tom,
> Thanks a lot for your prompt response. How will I set up 12.213.156.50 as
> an additional IP address on eth0? Do I need to masquerade eth0 as
> 12.213.156.49 and 12.213.156.50?

Your distribution should provide a mechanism for adding additional IP addresses to an interface. There is no need for any additional masquerade entries.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
I tried, but it didn't work. My DSL router's IP is 67.115.131.41 and eth0 on the firewall is 67.115.131.42. How does the FW know that 61.115.131.43 belongs to me? I think I need to redefine my external IP address range on eth0. Do I need to edit the interfaces file?

Thanks,
Aleksey
On Thu, 29 May 2003 13:24:22 -0700 (PDT), aleksey zakharov <aleksey_shorewall@yahoo.com> wrote:

> I tried, but it didn't work. My DSL router's IP is 67.115.131.41 and eth0
> on the firewall is 67.115.131.42. How does the FW know that 61.115.131.43
> belongs to me? I think I need to redefine my external IP address range on
> eth0. Do I need to edit the interfaces file?
> Thanks,

If your ISP's router is 67.115.131.41 and your FW is 61.115.131.43, how in $DEITY's name are you using 12.213.156.49 as an external IP for your web server?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Sorry, I accidentally pasted the wrong IP. The actual IP for eth0 is 67.115.131.42.

Thanks,
Aleksey
On Thu, 29 May 2003 13:39:16 -0700 (PDT), aleksey zakharov <aleksey_shorewall@yahoo.com> wrote:

> Sorry, I accidentally pasted the wrong IP. The actual IP for eth0 is
> 67.115.131.42

Ok -- then:

a) what new address did you add to eth0?
b) what new rule did you add to /etc/shorewall/rules?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
My interfaces file contains the following:

#ZONE   INTERFACE   BROADCAST        OPTIONS
net     eth0        67.115.131.42    noping,norfc1918,routestopped,routefilter
loc     eth1        detect           routestopped
dmz     eth2        detect           routestopped
# <<< VPN >>>
-       ppp+
# <<< IPSEC >>>
#-      ipsec0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

and my rules file contains the following for port 80:

# <<< Jupiter >>>
DNAT    net    dmz:192.168.6.2    tcp    80    -    67.115.131.42
# <<< viking >>>
DNAT    net    dmz:192.168.6.5    tcp    80    -    67.115.131.43

The 67.115.131.42 works but 67.115.131.43, which is a new web server, doesn't work.

Aleksey
On Thu, 29 May 2003 13:56:49 -0700 (PDT), aleksey zakharov <aleksey_shorewall@yahoo.com> wrote:

> My interfaces file contains the following:
> #ZONE   INTERFACE   BROADCAST       OPTIONS
> net     eth0        67.115.131.42

That CAN'T be the broadcast address!!!! Looks like the interface address...

> and my rules file contains the following for port 80:
> # <<< Jupiter >>>
> DNAT    net    dmz:192.168.6.2    tcp    80    -    67.115.131.42
> # <<< viking >>>
> DNAT    net    dmz:192.168.6.5    tcp    80    -    67.115.131.43
> the 67.115.131.42 works but 67.115.131.43 which is a new web server
> doesn't work.

If one more person tells me something "doesn't work" without any more information, I'm going to quit answering questions on this list during the day. I simply don't have time while I'm at work to drag the details out of each and every person...

a) What happens when you try to connect to http://67.115.131.43? Timeout?, Connection refused?, client computer explodes?
b) Did you try telnetting to 67.115.131.43 80? If so, what response did you get? If not, please try that.
c) Can you ping to 67.115.131.43?
d) Have you looked at FAQ #1a and #1b -- there are tips there for debugging port forwarding problems?
e) What does "ip addr show eth0" give you?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
I changed my interfaces file to:

net     eth0    detect

> a) What happens when you try to connect to http://67.115.131.43? Timeout?, Connection refused?, client computer explodes?

I get "The page cannot be displayed".

> b) Did you try telnetting to 67.115.131.43 80? If so, what response did you get? If not, please try that.

I get:

C:\>telnet 67.115.131.43 80
Connecting To 67.115.131.43...Could not open a connection to host on port 80 : Connect failed

> c) Can you ping to 67.115.131.43?

I get:

C:\>ping 67.115.131.43
Pinging 67.115.131.43 with 32 bytes of data:
Request timed out.

> d) Have you looked at FAQ #1a and #1b -- there are tips there for debugging port forwarding problems?

I did look at the FAQ, however I wasn't able to resolve it.

> e) What does "ip addr show eth0" give you?

I get:

[root@everest shorewall]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:93:25:d3 brd ff:ff:ff:ff:ff:ff
    inet 67.115.131.42/29 brd 67.115.131.47 scope global eth0

I also did "tail -f /var/log/messages" but don't see any requests or activity to address 67.115.131.43. From my understanding I just need to add/define additional external IPs to my eth0.

Thanks,
Aleksey
On Thu, 29 May 2003 15:20:14 -0700 (PDT), aleksey zakharov <aleksey_shorewall@yahoo.com> wrote:

> > e) What does "ip addr show eth0" give you?
> I get
> [root@everest shorewall]# ip addr show eth0
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:04:75:93:25:d3 brd ff:ff:ff:ff:ff:ff
>     inet 67.115.131.42/29 brd 67.115.131.47 scope global eth0

You haven't added 67.115.131.43 as an address!!!!!!!!!!!!!!!

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
On Thu, 29 May 2003 16:23:20 -0700 (PDT), aleksey zakharov <aleksey_shorewall@yahoo.com> wrote:

> The distribution is RedHat 7.3
>
> [root@everest shorewall]# uname -a
> Linux everest 2.4.19 #1 SMP Sat Aug 31 15:30:37 PDT 2002 i686 unknown
>
> I usually use linuxconf to configure my network devices. Are you
> suggesting that I can set up my eth0 to have both 67.115.131.42 and
> 67.115.131.43 and possibly other IPs?

Yes, I am -- unfortunately, I don't have any systems running 7.3 any more (all of mine run 9.0) but hopefully someone on the list can help (or you can get help on one of the RH lists).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Hi Aleksey,

I believe what Tom was asking you to do was to actually bind your other public IP addresses that you own to eth0's NIC/ethernet card. This would be the first step before attempting to configure Shorewall. Once you get eth0 configured correctly, then configure your Shorewall rules appropriately. Right now I believe that the only IP address that is bound to eth0's NIC/ethernet card is 67.115.131.42, and this is why this address works and the others won't forward correctly. I believe the others won't until you get your ethernet card configured correctly with the other public IPs that you own bound to eth0. :)

Hope that helps. If I'm off base, Tom, please correct me.

Joshua Banks

--- Tom Eastep <teastep@shorewall.net> wrote:
> On Thu, 29 May 2003 13:56:49 -0700 (PDT), aleksey zakharov
> <aleksey_shorewall@yahoo.com> wrote:
>
> > My interfaces file contains the following:
> > #ZONE   INTERFACE   BROADCAST       OPTIONS
> > net     eth0        67.115.131.42
>
> That CAN'T be the broadcast address!!!! Looks like the interface address...
>
> > and my rules file contains the following for port 80:
> > # <<< Jupiter >>>
> > DNAT    net    dmz:192.168.6.2    tcp    80    -    67.115.131.42
> > # <<< viking >>>
> > DNAT    net    dmz:192.168.6.5    tcp    80    -    67.115.131.43
> > the 67.115.131.42 works but 67.115.131.43 which is a new web server
> > doesn't work.
>
> If one more person tells me something "doesn't work" without any more
> information, I'm going to quit answering questions on this list during the
> day. I simply don't have time while I'm at work to drag the details out
> of each and every person...
>
> a) What happens when you try to connect to http://67.115.131.43? Timeout?,
> Connection refused?, client computer explodes?
> b) Did you try telnetting to 67.115.131.43 80? If so, what response did you
> get? If not, please try that.
> c) Can you ping to 67.115.131.43?
> d) Have you looked at FAQ #1a and #1b -- there are tips there for debugging
> port forwarding problems?
> e) What does "ip addr show eth0" give you?
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://www.shorewall.net
> Washington USA  \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
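The whole thread comes down to one check that nobody in it scripted: does the firewall actually own every address named in the ORIGINAL DEST column of a DNAT rule? If it does not, the firewall never answers ARP for that address, the DSL router never delivers the packets, and the rule is never reached, which is exactly why 67.115.131.43 timed out, showed nothing in /var/log/messages, and was absent from "ip addr show eth0". The script below is an added example written for this page; it is not code from the thread, from Shorewall, or from Red Hat. It assumes the 1.4-era rules column order (ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST) and the "ip addr show" output format seen in the thread; the rules text and the interface output embedded in it are constructed sample data modelled on Aleksey's configuration.

```shell
#!/bin/sh
# Added example (not from the thread, Shorewall or Red Hat): report DNAT
# rules whose ORIGINAL DEST address is not bound on the external interface.
# Sample inputs below are constructed from the thread's configuration.

RULES_SAMPLE='# <<< Jupiter >>>
DNAT    net    dmz:192.168.6.2    tcp    80    -    67.115.131.42
# <<< viking >>>
DNAT    net    dmz:192.168.6.5    tcp    80    -    67.115.131.43
ACCEPT  net    fw                 tcp    22'

IPADDR_SAMPLE='2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:93:25:d3 brd ff:ff:ff:ff:ff:ff
    inet 67.115.131.42/29 brd 67.115.131.47 scope global eth0'

# dnat_targets RULES_TEXT
# Print the ORIGINAL DEST (7th column) of every DNAT rule that has one.
# Assumed column order: ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST.
dnat_targets() {
    printf '%s\n' "$1" |
        awk '$1 == "DNAT" && NF >= 7 && $7 != "-" { print $7 }'
}

# bound_addrs IPADDR_TEXT
# Print every IPv4 address (prefix length stripped) from `ip addr show` output.
bound_addrs() {
    printf '%s\n' "$1" |
        awk '$1 == "inet" { sub("/.*", "", $2); print $2 }'
}

# missing_targets RULES_TEXT IPADDR_TEXT
# Print each DNAT target that the interface does not own. Always exits 0 so
# the function is safe under `set -e`; an empty result means all is well.
missing_targets() {
    targets=$(dnat_targets "$1")
    bound=$(bound_addrs "$2")
    for t in $targets; do
        found=0
        for b in $bound; do
            if [ "$t" = "$b" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$t"; fi
    done
    return 0
}

# Demo on the sample data: prints 67.115.131.43, the viking address that
# the rules reference but eth0 does not own.
missing_targets "$RULES_SAMPLE" "$IPADDR_SAMPLE"

# On the firewall itself (not run here):
#   missing_targets "$(cat /etc/shorewall/rules)" "$(ip -4 addr show eth0)"
# For each address reported, bind it with the same /29 as the primary and
# reload the firewall:
#   ip addr add 67.115.131.43/29 dev eth0
#   shorewall restart
# To make the alias survive a reboot on Red Hat 7.x, create
# /etc/sysconfig/network-scripts/ifcfg-eth0:0 containing
#   DEVICE=eth0:0  IPADDR=67.115.131.43  NETMASK=255.255.255.248  ONBOOT=yes
```

After the alias is bound, "ip addr show eth0" lists a second inet line for 67.115.131.43 and the script prints nothing; that, together with a telnet to port 80 from outside, is the check to run before touching the rules file again. Tom's point about masquerade still stands: DNAT from net to dmz needs no extra masq entry, because the reply path is handled by connection tracking.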