On Thu, 1 Aug 2002, j0nas wrote:
I'm going to make one last attempt at getting some answers to my problem before I leave this list.
Leaving? No.... :)
My problem is that I can access all resources from the inside using the internal IP address of the firewall, i.e. I can view the web pages when calling http://192.168.0.1/ from any other machine on the internal network. It also works when I try to access the web server from the outside (using the external IP), BUT when I try to access the web server using the external IP (or the domain pointing to my firewall) nothing happens and
This is a "feature"... :) It has been discussed to some extent before on this list I think, so maybe you can find something interesting by reading through the archives at the SuSE web site. Anyway, there are probably a number of ways to solve this.

The reason your requests fail is that the external interface is protected from your internal network, so any packets with your external IP as destination coming in through your internal interface will be dropped with a log message similar to the one below. In order to resolve this, you need to explicitly allow traffic from the internal network to your external IP. This can be done by using tailored ipchains commands, either inserted into an appropriate hook in the firewall2-custom.rc.config or executed somewhere else, like in a bootup script.

Anyway, I use the brutal method of opening everything from my internal network, but that is because I'm the only one there and I sort of trust myself.

    iptables -I INPUT 1 -j ACCEPT -p all -i eth1 -d abc.def.ghi.jkl/32 -s 192.168.0.0/24

You might want to use the -A flag instead, and most likely you'd like to use one line for each of your external services and with the additional --dport <whatever> to specify just which services your internal users are supposed to be able to reach. Maybe you'd like to restrict the protocols as well, so look at the -p flag too. You'd also need to change 'eth1' above to 'eth0' in your case. All in all, man iptables is your friend. :-)
I get this logged in /var/log/firewall:

    Jul 27 14:25:22 linux kernel: SuSE-FW-NO_ACCESS_INT->FWEXT IN=eth0 OUT= MAC=00:50:8b:03:d1:60:00:c0:26:59:d9:56:08:00 SRC=192.168.0.5 DST=213.66.148.171 LEN=64 TOS=0x08 PREC=0x00 TTL=128 ID=33688 DF PROTO=TCP SPT=3802 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B4010303000101080A000000000000000001010402)
It's seldom a good idea to send log entries without mangling the external IP address. :) Hope it helps somewhat.

/Johan
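The tightened version of Johan's rule (-A, one line per service, -p and --dport), derived from the SuSE-FW-NO_ACCESS_INT->FWEXT drop entries the original poster sees, as an added example that is not part of the thread. It assumes the poster's layout (internal interface eth0, internal net 192.168.0.0/24) and takes the external IP from the DST= field; the log lines below are constructed in the format shown above.

```shell
#!/bin/sh
# Added example, not from the thread: turn SuSE-FW-NO_ACCESS_INT->FWEXT drop
# entries into narrow "internal net -> external IP" accept rules for review.
# Assumptions: internal interface eth0 and internal net 192.168.0.0/24, as in
# the original poster's setup; the external IP comes from each entry's DST= field.

INT_IF="eth0"
INT_NET="192.168.0.0/24"

# Constructed sample /var/log/firewall lines (same field layout as in the post).
SAMPLE_LOG='Jul 27 14:25:22 linux kernel: SuSE-FW-NO_ACCESS_INT->FWEXT IN=eth0 OUT= MAC=00:50:8b:03:d1:60:00:c0:26:59:d9:56:08:00 SRC=192.168.0.5 DST=213.66.148.171 LEN=64 TOS=0x08 PREC=0x00 TTL=128 ID=33688 DF PROTO=TCP SPT=3802 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B4010303000101080A000000000000000001010402)
Jul 27 14:25:30 linux kernel: SuSE-FW-NO_ACCESS_INT->FWEXT IN=eth0 OUT= MAC=00:50:8b:03:d1:60:00:c0:26:59:d9:56:08:00 SRC=192.168.0.7 DST=213.66.148.171 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=4100 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 27 14:26:02 linux kernel: SuSE-FW-NO_ACCESS_INT->FWEXT IN=eth0 OUT= MAC=00:50:8b:03:d1:60:00:c0:26:59:d9:56:08:00 SRC=192.168.0.5 DST=213.66.148.171 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=2 PROTO=UDP SPT=1025 DPT=53 LEN=58
Jul 27 14:26:10 linux kernel: SuSE-FW-ACCEPT IN=eth1 OUT= SRC=10.1.1.1 DST=213.66.148.171 PROTO=TCP SPT=1 DPT=22'

# rules_from_log: read log text on stdin and print one "iptables -A" rule per
# distinct (external IP, protocol, port) that was dropped on the internal interface.
rules_from_log() {
    awk -v int_if="$INT_IF" -v int_net="$INT_NET" '
        /SuSE-FW-NO_ACCESS_INT->FWEXT/ {
            iface = dst = proto = dport = ""
            for (i = 1; i <= NF; i++) {            # fields look like KEY=VALUE
                split($i, kv, "=")
                if (kv[1] == "IN")    iface = kv[2]
                if (kv[1] == "DST")   dst   = kv[2]
                if (kv[1] == "PROTO") proto = tolower(kv[2])
                if (kv[1] == "DPT")   dport = kv[2]
            }
            # Only drops that arrived on the internal interface are relevant here.
            if (iface != int_if || dst == "" || proto == "" || dport == "") next
            key = dst " " proto " " dport
            if (!(key in seen)) {                  # de-duplicate per service
                seen[key] = 1
                printf "iptables -A INPUT -i %s -s %s -d %s/32 -p %s --dport %s -j ACCEPT\n",
                       int_if, int_net, dst, proto, dport
            }
        }'
}

# Print the candidate rules; review them before running them on the firewall.
printf '%s\n' "$SAMPLE_LOG" | rules_from_log
```

Each emitted rule only opens the exact service an internal host was already trying to reach, so the log doubles as the list of ports to allow.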