Varga Pavol
2004-Mar-15 16:59 UTC
RE: [Shorewall-newbies] Can't connect from LAN to port forwarded web in DMZ. Other connections (like ssh) work fine.
Thanks for the advice, but I already read it.

Today I moved the www server from the DMZ to the LAN for easier configuration, but it still doesn't work. Probably I made a mistake somewhere. Everything in the documentation and manuals seems so simple, and I am really glad that Shorewall is here! Could you please check my configuration files?

/etc/shorewall/interfaces
LAN       eth0    detect    routeback
Internet  eth2    detect

/etc/shorewall/masq
eth2    192.168.1.0/24    217.118.104.9

/etc/shorewall/policy
#$FW      Internet   ACCEPT   -        # ports are set only explicitly in rules
#LAN      Internet   ACCEPT   -        # to disable online games, etc.
Internet  all        DROP     info
all       all        REJECT   info

/etc/shorewall/zones
LAN       LAN       192.168.1.20
Internet  Internet  217.118.104.9

/etc/shorewall/rules
ACCEPT    Internet  $FW               udp  53                      -    # DNS
ACCEPT    Internet  $FW               tcp  25,53,80,110,143,389    -    # smtp, dns, www, pop, imap, ldap

ACCEPT    $FW       Internet          udp  53                      -    # dns
ACCEPT    $FW       Internet          tcp  25,53,80,110,143,389    -    # smtp, dns, www, pop, imap, ldap

ACCEPT    LAN       $FW               udp  53                      -    # dns
ACCEPT    LAN       $FW               tcp  53,80,110,143,389,8080  -    # dns, ???, pop, imap, ldap, proxy
ACCEPT    LAN       Internet          tcp  25,53,110,143,389       -    # smtp, dns, pop, imap, ldap

REDIRECT  LAN       8080              tcp  80                      -    -                            # http proxy from LAN

DNAT      Internet  LAN:192.168.1.10  tcp  80                      -    217.118.104.9                # www
DNAT      LAN       LAN:192.168.1.10  tcp  80                      -    217.118.104.9:192.168.1.20   # FAQ2
DNAT      Internet  LAN:192.168.1.30  tcp  25,110,143,389          -    217.118.104.9                # mail, DNS

ACCEPT    $FW       LAN               udp  53                      -
ACCEPT    $FW       LAN               tcp  53,80,8080              -

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Sunday, March 14, 2004 10:02 PM
To: List for New Shorewall Users
Subject: Re: [Shorewall-newbies] Can't connect from LAN to port forwarded web in DMZ. Other connections (like ssh) work fine.

Varga Pavol wrote:
> Hi,
> I have some trouble with the connection to my port forwarded www server
> from the LAN and from the firewall. (From the Internet it works.)
> I use a three-interface firewall with masquerading LAN & DMZ and port
> forwarding of some services.
>
> lynx from the firewall to www.myserver.sk returns:
>
> Alert!: Unable to connect to remote host.
>
> lynx from the firewall to the local IP first asks me to allow cookies,
> and then returns:
>
> Looking up 192.168.0.2 first
> Looking up 192.168.0.2
> Making HTTP connection to 192.168.0.2
> Sending HTTP request.
> HTTP request sent; waiting for response.
> HTTP/1.1 302 Object moved
> 'A'lways allowing from domain '192.168.0.2'.
> Data transfer complete
> HTTP/1.1 302 Object moved
> Looking up www.myserver.sk
> Making HTTP connection to www.myserver.sk
> Alert!: Unable to connect to remote host.
>
> When I tried www.myserver.sk from the LAN, Squid returned:
>
> While trying to retrieve the URL: http://www.myserver.sk/
>
> The following error was encountered:
>
> Connection Failed
> The system returned:
>
> (111) Connection refused
> The remote host or network may be down. Please try the request again.
>
> And when I tried the local IP of my server, the web browser still resolved it
> to www.myserver.sk and then returned the same error as above.
>
> Please, where is the problem? I think that I set the rules between each
> zone correctly.

See Shorewall faq #2.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

_______________________________________________
Shorewall-newbies mailing list
Post: Shorewall-newbies@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-newbies
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
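The rule marked FAQ2 in the posted configuration is the Shorewall FAQ #2 pattern: a DNAT for LAN clients whose ORIGINAL DEST column is `217.118.104.9:192.168.1.20`, i.e. match the public address and additionally SNAT the client to the firewall's own LAN address, together with `routeback` on eth0 so a packet may leave on the interface it arrived on. The following is an added Python model of why both pieces are needed; it is not Shorewall code and not from this thread. It assumes 192.168.1.20 is the firewall's eth0 address (which is what the posted rule uses as the SNAT address), uses a constructed LAN client at 192.168.1.40, models only the port-80 DNAT, and ignores the REDIRECT to the Squid proxy that is also in the posted rules.

```python
"""Toy model of hairpin DNAT through a Shorewall/iptables firewall (added
example, not Shorewall's own code). It shows that without SNAT the server
answers the LAN client directly, so the client sees a reply from
192.168.1.10 instead of 217.118.104.9 and the connection never completes."""
from dataclasses import dataclass, replace

PUBLIC_IP = "217.118.104.9"   # external address on eth2 (from the posted masq/rules)
FW_LAN_IP = "192.168.1.20"    # assumed: the firewall's eth0 address (SNAT target in the rule)
SERVER = "192.168.1.10"       # www server (from the posted DNAT rule)
CLIENT = "192.168.1.40"       # constructed LAN client for this example
LAN_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    """PREROUTING DNAT, a routeback check, optional POSTROUTING SNAT, and a
    connection-tracking table used to reverse both translations on the reply."""

    def __init__(self, snat_to=None, routeback=False):
        self.snat_to = snat_to        # address after ':' in the ORIGINAL DEST column
        self.routeback = routeback    # 'routeback' option on eth0 in /etc/shorewall/interfaces
        self.conntrack = {}           # expected reply 4-tuple -> original request

    @staticmethod
    def out_if(dst):
        return "eth0" if dst.startswith(LAN_PREFIX) else "eth2"

    def handle_request(self, pkt, in_if):
        """Return (packet emitted toward the server or None, reason)."""
        if not (pkt.dst == PUBLIC_IP and pkt.dport == 80):
            return None, "no DNAT match"
        nat = replace(pkt, dst=SERVER)                       # DNAT 217.118.104.9:80 -> 192.168.1.10:80
        if self.out_if(nat.dst) == in_if and not self.routeback:
            return None, "dropped: would leave on the interface it arrived on (needs routeback)"
        if self.snat_to:
            nat = replace(nat, src=self.snat_to)             # SNAT so the reply comes back to us
        self.conntrack[(nat.dst, nat.dport, nat.src, nat.sport)] = pkt
        return nat, "forwarded"

    def handle_reply(self, pkt):
        """Un-NAT a reply that matches a tracked connection, else drop it."""
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


def server_reply(pkt):
    """The web server answers from its real address to whatever source it saw."""
    return Packet(src=pkt.dst, sport=pkt.dport, dst=pkt.src, dport=pkt.sport)


def deliver_on_lan(pkt, fw):
    """On a shared LAN the server's reply goes straight to its destination;
    only a reply addressed to the firewall itself passes back through NAT."""
    return fw.handle_reply(pkt) if pkt.dst == FW_LAN_IP else pkt


def simulate(snat=True, routeback=True):
    fw = Firewall(snat_to=FW_LAN_IP if snat else None, routeback=routeback)
    request = Packet(CLIENT, 40001, PUBLIC_IP, 80)
    out, reason = fw.handle_request(request, in_if="eth0")
    if out is None:
        return reason
    reply = deliver_on_lan(server_reply(out), fw)
    if reply is None:
        return "reply dropped at firewall (no conntrack entry)"
    # The client's socket is CLIENT:40001 <-> PUBLIC_IP:80; a reply from any
    # other source does not belong to that connection and is rejected.
    if reply == Packet(PUBLIC_IP, 80, CLIENT, 40001):
        return "connected"
    return f"client rejected reply from {reply.src} (expected {PUBLIC_IP})"


if __name__ == "__main__":
    for snat, rb in ((False, False), (False, True), (True, False), (True, True)):
        print(f"snat={snat!s:5} routeback={rb!s:5} -> {simulate(snat, rb)}")
```

Only the combination of `routeback` and the SNAT address yields "connected"; with `routeback` but no SNAT the model reproduces the failure mode FAQ #2 describes, where the server replies to the client directly and the client discards a packet from 192.168.1.10 it never sent a SYN to.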
Tom Eastep
2004-Mar-15 18:28 UTC
Re: RE: [Shorewall-newbies] Can't connect from LAN to port forwarded web in DMZ. Other connections (like ssh) work fine.
On Monday 15 March 2004 08:59 am, Varga Pavol wrote:
> Thanks for the advice, but I already read it.
> Today I moved the www server from the DMZ to the LAN for easier configuration, but it
> still doesn't work.
> Probably I made a mistake somewhere. Everything in the documentation and
> manuals seems so simple, and I am really glad that Shorewall is here!
> Could you please check my configuration files?
>
> /etc/shorewall/interfaces
> LAN       eth0    detect    routeback
> Internet  eth2    detect
>
> /etc/shorewall/masq
> eth2    192.168.1.0/24    217.118.104.9
>
> /etc/shorewall/policy
> #$FW      Internet   ACCEPT   -        # ports are set only explicitly in rules
> #LAN      Internet   ACCEPT   -        # to disable online games, etc.
> Internet  all        DROP     info
> all       all        REJECT   info
>
> /etc/shorewall/zones
> LAN       LAN       192.168.1.20
> Internet  Internet  217.118.104.9

Zone names have a maximum length of five characters.

> /etc/shorewall/rules
> ACCEPT    Internet  $FW               udp  53                      -    # DNS
> ACCEPT    Internet  $FW               tcp  25,53,80,110,143,389    -    # smtp, dns, www, pop, imap, ldap
>
> ACCEPT    $FW       Internet          udp  53                      -    # dns
> ACCEPT    $FW       Internet          tcp  25,53,80,110,143,389    -    # smtp, dns, www, pop, imap, ldap
>
> ACCEPT    LAN       $FW               udp  53                      -    # dns
> ACCEPT    LAN       $FW               tcp  53,80,110,143,389,8080  -    # dns, ???, pop, imap, ldap, proxy
> ACCEPT    LAN       Internet          tcp  25,53,110,143,389       -    # smtp, dns, pop, imap, ldap
>
> REDIRECT  LAN       8080              tcp  80                      -    -                            # http proxy from LAN
>
> DNAT      Internet  LAN:192.168.1.10  tcp  80                      -    217.118.104.9                # www
> DNAT      LAN       LAN:192.168.1.10  tcp  80                      -    217.118.104.9:192.168.1.20   # FAQ2

I don't see anything wrong here.

a) What results do you see when you try to connect?

b) Please follow the instructions at http://www.shorewall.net/support.htm in the paragraph beginning "This is Important!!" in bold font.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net