Shorewall users - Oct 2004 - Problem with Internal accessing internal via web

I am not a member of the mailing list.

Shorewall version 2.0.9

 ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:06:5b:74:b5:f3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::206:5bff:fe74:b5f3/64 scope link
       valid_lft forever preferred_lft forever
5: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:02:b3:a8:00:52 brd ff:ff:ff:ff:ff:ff
    inet 129.15.70.48/23 brd 129.15.71.255 scope global eth1
    inet 129.15.70.56/23 brd 129.15.71.255 scope global secondary eth1:1
    inet 129.15.70.24/23 brd 129.15.71.255 scope global secondary eth1:2
    inet 129.15.70.49/23 brd 129.15.71.255 scope global secondary eth1:3
    inet6 fe80::202:b3ff:fea8:52/64 scope link
       valid_lft forever preferred_lft forever
6: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

ip route show
192.168.1.0/24 dev eth0  scope link
129.15.70.0/23 dev eth1  scope link
169.254.0.0/16 dev eth1  scope link
127.0.0.0/8 dev lo  scope link
default via 129.15.70.1 dev eth1

My problem is this.

I have two machines setup in the /etc/shorewall/nat file 

One of these machines is a web server running iis 6.0, I have a rule
setup to allow net loc:192.168.1.3 tcp 80 for web traffic. From any
machine I can get to this, this works great. What doesn''t work is when
I
try to get to the web site from the other machine that is behind the
firewall. It is also setup with a one-to-one nat. I can access the web
fine by internal IP but I can''t get to it from the external IP.  Do I
need to setup some kind of route in the routing table or is it a rule
that I am missing somewhere?  

Here is my rules file contents

RATE            USER/
#                                               PORT    PORT(S)    DEST
LIMIT           GROU
ACCEPT fw net all
ACCEPT loc fw all
ACCEPT fw loc all
ACCEPT net loc:192.168.1.3 tcp 80
ACCEPT net loc:192.168.1.56 tcp 1127
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Any help would be appriciated/

Thanks
Jamie

Have you read FAQ #2 ?
http://www.shorewall.net/FAQ.htm#id2438199

[Guilsson]


On Tue, 19 Oct 2004 17:39:09 -0500, Thibodeau, Jamie L.
<jthibodeau@ou.edu> wrote:
> I am not a member of the mailing list.
> 
> Shorewall version 2.0.9
> 
> ip addr show
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
>    inet6 ::1/128 scope host
>       valid_lft forever preferred_lft forever
> 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>    link/ether 00:06:5b:74:b5:f3 brd ff:ff:ff:ff:ff:ff
>    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
>    inet6 fe80::206:5bff:fe74:b5f3/64 scope link
>       valid_lft forever preferred_lft forever
> 5: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>    link/ether 00:02:b3:a8:00:52 brd ff:ff:ff:ff:ff:ff
>    inet 129.15.70.48/23 brd 129.15.71.255 scope global eth1
>    inet 129.15.70.56/23 brd 129.15.71.255 scope global secondary eth1:1
>    inet 129.15.70.24/23 brd 129.15.71.255 scope global secondary eth1:2
>    inet 129.15.70.49/23 brd 129.15.71.255 scope global secondary eth1:3
>    inet6 fe80::202:b3ff:fea8:52/64 scope link
>       valid_lft forever preferred_lft forever
> 6: sit0: <NOARP> mtu 1480 qdisc noop
>    link/sit 0.0.0.0 brd 0.0.0.0
> 
> ip route show
> 192.168.1.0/24 dev eth0  scope link
> 129.15.70.0/23 dev eth1  scope link
> 169.254.0.0/16 dev eth1  scope link
> 127.0.0.0/8 dev lo  scope link
> default via 129.15.70.1 dev eth1
> 
> My problem is this.
> 
> I have two machines setup in the /etc/shorewall/nat file
> 
> One of these machines is a web server running iis 6.0, I have a rule
> setup to allow net loc:192.168.1.3 tcp 80 for web traffic. From any
> machine I can get to this, this works great. What doesn''t work is
when I
> try to get to the web site from the other machine that is behind the
> firewall. It is also setup with a one-to-one nat. I can access the web
> fine by internal IP but I can''t get to it from the external IP. 
Do I
> need to setup some kind of route in the routing table or is it a rule
> that I am missing somewhere?
> 
> Here is my rules file contents
> 
> RATE            USER/
> #                                               PORT    PORT(S)    DEST
> LIMIT           GROU
> ACCEPT fw net all
> ACCEPT loc fw all
> ACCEPT fw loc all
> ACCEPT net loc:192.168.1.3 tcp 80
> ACCEPT net loc:192.168.1.56 tcp 1127
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> 
> Any help would be appriciated/
> 
> Thanks
> Jamie
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>