Gerhard Engler
2009-Jan-16 21:52 UTC
webserver in DMZ not accessible from the local network
Hello,

I have a web server in my DMZ and I use port forwarding to make that
server accessible from the Internet www.myurl.de. That works fine, but
when my local users try to connect to www.myurl.de, it doesn't work.

I use Debian with shorewall 3.2.6-2. Internet connection via DSL.

I configured it analogously to the FAQ http://www.shorewall.net/FAQ.htm#faq2b:

/etc/shorewall/rules
DNAT net dmz:192.168.3.203 tcp 80
DNAT loc dmz:192.168.3.203 tcp 80 - $ETH0_IP

/usr/share/shorewall/funktions
ETH0_IP=`find_first_interface_address ppp0`

With this configuration I always get a connection from the loc to my
own webserver (always - also when I try to www.google.de).

What is wrong?

Thank you!

------------------------------------------------------------------------------
This SF.net email is sponsored by: SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
Shorewall Guy
2009-Jan-16 23:10 UTC
Re: webserver in DMZ not accessible from the local network
Gerhard Engler wrote:
> Hello,
>
> I have a web server in my DMZ and I use port forwarding to make that
> server accessible from the Internet www.myurl.de. That works fine, but
> when my local users try to connect to www.myurl.de, it doesn't work.
>
> I use Debian with shorewall 3.2.6-2. Internet connection via DSL.
>
> I configured it analogously to the FAQ http://www.shorewall.net/FAQ.htm#faq2b:
>
> /etc/shorewall/rules
> DNAT net dmz:192.168.3.203 tcp 80
> DNAT loc dmz:192.168.3.203 tcp 80 - $ETH0_IP
>
> /usr/share/shorewall/funktions
> ETH0_IP=`find_first_interface_address ppp0`
>
> With this configuration I always get a connection from the loc to my
> own webserver (always - also when I try to www.google.de).
>
> What is wrong?

Clearly $ETHO_IP isn't being set. If you actually put the line to set it
in /usr/share/shorewall/funktions, that's the obvious explanation given
that the command should be placed in /etc/shorewall/params.
Gerhard Engler
2009-Jan-16 23:42 UTC
Re: webserver in DMZ not accessible from the local network
Shorewall Guy wrote:
> Gerhard Engler wrote:
>
> Clearly $ETHO_IP isn't being set. If you actually put the line to set it
> in /usr/share/shorewall/funktions, that's the obvious explanation given
> that the command should be placed in /etc/shorewall/params.

But if I put the line in /etc/shorewall/params I get the error message:

micky:/etc/shorewall# /etc/init.d/shorewall restart
/etc/shorewall/params: line 27: find_first_interface_address: command not found
Restarting "Shorewall firewall": done.

gerhard
Shorewall Guy
2009-Jan-17 00:01 UTC
Re: webserver in DMZ not accessible from the local network
Gerhard Engler wrote:
> Shorewall Guy wrote:
>> Gerhard Engler wrote:
>>
>> Clearly $ETHO_IP isn't being set. If you actually put the line to set it
>> in /usr/share/shorewall/funktions, that's the obvious explanation given
>> that the command should be placed in /etc/shorewall/params.
>
> But if I put the line in /etc/shorewall/params I get the error message:
>
> micky:/etc/shorewall# /etc/init.d/shorewall restart
> /etc/shorewall/params: line 27: find_first_interface_address: command
> not found
> Restarting "Shorewall firewall": done.

This is a known Debian issue -- you can either:

a) Ignore the message (it is harmless)
b) Add ". /usr/lib/functions" to /etc/shorewall/params before you try to
   call "find_first_interface_address".
c) Hack /etc/init.d/shorewall to make it stop reading /etc/shorewall/params
Shorewall Guy
2009-Jan-17 00:26 UTC
Re: webserver in DMZ not accessible from the local network
Shorewall Guy wrote:
> Gerhard Engler wrote:
>> Shorewall Guy wrote:
>>> Gerhard Engler wrote:
>>>
>>> Clearly $ETHO_IP isn't being set. If you actually put the line to set it
>>> in /usr/share/shorewall/funktions, that's the obvious explanation given
>>> that the command should be placed in /etc/shorewall/params.
>>
>> But if I put the line in /etc/shorewall/params I get the error message:
>>
>> micky:/etc/shorewall# /etc/init.d/shorewall restart
>> /etc/shorewall/params: line 27: find_first_interface_address: command
>> not found
>> Restarting "Shorewall firewall": done.
>
> This is a known Debian issue -- you can either:
>
> a) Ignore the message (it is harmless)
> b) Add ". /usr/lib/functions" to /etc/shorewall/params before you try to

Make that ". /usr/share/shorewall/functions"
Gerhard Engler
2009-Jan-17 07:57 UTC
Re: webserver in DMZ not accessible from the local network
Shorewall Guy wrote:
> Shorewall Guy wrote:
>> Gerhard Engler wrote:
>>> Shorewall Guy wrote:
>>>> Gerhard Engler wrote:
>>>
>>> But if I put the line in /etc/shorewall/params I get the error message:
>>>
>>> micky:/etc/shorewall# /etc/init.d/shorewall restart
>>> /etc/shorewall/params: line 27: find_first_interface_address: command
>>> not found
>>> Restarting "Shorewall firewall": done.
>>
>> This is a known Debian issue -- you can either:
>>
>> a) Ignore the message (it is harmless)
>> b) Add ". /usr/lib/functions" to /etc/shorewall/params before you try to
>
> Make that ". /usr/share/shorewall/functions"

Hello Shorewall Guy,

thank you for your super hints. I tried alternative b. It's running, but I got

/etc/init.d/shorewall restart
/usr/share/shorewall/functions: line 25: find_first_interface_address: command not found
Restarting "Shorewall firewall": done.

/etc/shorewall/params
. /usr/share/shorewall/functions
ETH0_IP=`find_first_interface_address ppp0`

/usr/share/shorewall/functions
...
ETH0_IP=`find_first_interface_address ppp0`
...

After I deleted the line in /usr/share/shorewall/functions, it was running
without an error message. I posted that for users who have the same problem.

Thank you Shorewall Guy - God bless you!

Tony
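
The failure discussed in this thread, as an added example that is not part of the original posts and is not Shorewall code: when $ETH0_IP expands to nothing, the loc rule loses its ORIGINAL DEST column and so matches port 80 traffic to any address. The helper names (sample_rules, valid_ipv4, lint_dnat) and the address 203.0.113.10 are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall itself.
# valid_ipv4, lint_dnat and sample_rules are hypothetical helper names.

# The two rules as posted in the thread (copy constructed for this example).
sample_rules() {
    cat <<'EOF'
DNAT net dmz:192.168.3.203 tcp 80
DNAT loc dmz:192.168.3.203 tcp 80 - $ETH0_IP
EOF
}

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# lint_dnat ADDR: replace $ETH0_IP by ADDR as the shell would, then flag
# DNAT rules from a zone other than net whose ORIGINAL DEST (column 7) is
# missing. The net rule is left alone, as in the posted configuration.
# Prints each offending rule and returns non-zero if there was one.
lint_dnat() {
    sed "s/\\\$ETH0_IP/$1/g" | awk '
        $1 == "DNAT" && $2 != "net" && (NF < 7 || $7 == "-") {
            print "no ORIGINAL DEST: " $0
            bad = 1
        }
        END { exit bad + 0 }'
}

# Demo: the empty value from the thread, then a set value. 203.0.113.10 is
# a documentation address standing in for the real ppp0 address.
for addr in "" 203.0.113.10; do
    valid_ipv4 "$addr" || echo "ETH0_IP='$addr' is not an IPv4 address"
    sample_rules | lint_dnat "$addr" ||
        echo "-> every port 80 request from loc would go to 192.168.3.203"
done
```

A check like valid_ipv4 placed right after the ETH0_IP assignment in /etc/shorewall/params would catch the empty value before the rules are compiled.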