On 2001.08.27 11:48:14 +0100 Tall0n wrote:
Hi Tall0n
On 2001.08.26 23:45:38 +0100 Tall0n wrote:
Ok...Maybe I'm not getting something. I have a SuSE 7.2 machine with 2 network cards. eth0 is world device (Real Static IP) and eth1 (Private Static IP) is internal device. Masquerading is happening for machines on the internal network.
<SNIP>
in the /var/log/firewall log saying that it denied a request on eth1 for DPT=80.
What am I missing? Losing hair...hehehe
One of my systems is virtually identical to this. Can you post a full log entry for the failed packets please?
Maf.
To make this happen, I had an internal machine try to access the webserver on the firewall machine using the external address. If this same machine accesses the webserver using the internal address, then everything works fine.
However, I don't want to be running an internal dns server to fix this. I want the internal machines to be able to access the external device.
Here is a log entry....
Aug 27 06:42:21 Tall0n kernel: SuSE-FW-ACCESS_DENIED_FOR_INTIN=eth1 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.168.xxx.xx DST=216.27.xxx.xxx LEN=60 TOS=0x08 PREC=0x00 TTL=64 ID=25480 DF PROTO=TCP SPT=32950 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A0065A8AC0000000001030300)
--
GregWorld.com
Hi Tall0n,
I had a similar problem a while ago with a similar set-up: apache running on a firewall box, and the internal hosts couldn't see the external port 80.
I think the problem is that the packets arrive on eth1 and get blocked somehow going through the loopback interface, and with the added complication of SNAT "masquerading" it can all become a bit confusing.
I ended up adding a rule to the firewall along the lines of:
iptables -A INPUT -i eth1 -p tcp -s 192.168.xxx.0/24 -d $public_ip --dport 80 -j ACCEPT
where in your case, I guess $public_ip = 216.27.164.230
HTH
Maf.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Maf. King
Standby Exhibition Services
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"It is easier to do a job right than to explain why you didn't."
- Martin Van Buren
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
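As an added illustration (not part of the thread, not the posters' code), the following Python parses a netfilter LOG line of the shape Tall0n posted, checks whether it matches the situation the thread diagnoses (a packet that entered on the internal interface, from the internal network, addressed to the firewall's own public IP, so it is handled by INPUT rather than FORWARD), and builds the narrowed INPUT accept rule Maf suggested from the fields actually seen in the log. The sample line is constructed: the masked octets are replaced with RFC 1918 / RFC 5737 addresses and a made-up MAC; the interface, network and public IP passed to the check are assumed values for the constructed sample.

```python
import ipaddress
import re

# Constructed sample log line (not the poster's exact line): masked octets
# replaced with RFC 1918 / RFC 5737 addresses and a made-up MAC. The LOG
# prefix runs straight into IN= just as it does in the thread's copy.
SAMPLE_LOG = (
    "Aug 27 06:42:21 Tall0n kernel: SuSE-FW-ACCESS_DENIED_FOR_INTIN=eth1 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.168.1.10 DST=203.0.113.230 LEN=60 TOS=0x08 PREC=0x00 TTL=64 "
    "ID=25480 DF PROTO=TCP SPT=32950 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 "
    "OPT (020405B40402080A0065A8AC0000000001030300)"
)

OPT_RE = re.compile(r"OPT \(([0-9A-Fa-f]*)\)")


def parse_netfilter_log(line):
    """Parse one netfilter (iptables LOG target) kernel log line.

    Returns a dict with the log prefix under 'prefix', every KEY=value token
    as an entry, bare flag tokens (DF, SYN, ACK, ...) under 'flags', and the
    raw TCP options hex under 'opt' (None if absent).
    """
    m = re.search(r"kernel:\s*(.*)$", line)
    if not m:
        raise ValueError("not a kernel log line: %r" % line)
    body = m.group(1)
    # The LOG prefix is free text; netfilter's own fields always begin with
    # IN=. Splitting at the first IN= also copes with a prefix that has no
    # trailing space and runs into the IN= field.
    idx = body.find("IN=")
    if idx < 0:
        raise ValueError("no IN= field: %r" % line)
    entry = {"prefix": body[:idx].rstrip(), "flags": [], "opt": None}
    rest = body[idx:]
    # OPT (...) contains a space, so lift it out before tokenising.
    opt = OPT_RE.search(rest)
    if opt:
        entry["opt"] = opt.group(1)
        rest = rest[:opt.start()] + rest[opt.end():]
    for tok in rest.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            entry[key] = value
        else:
            entry["flags"].append(tok)
    return entry


def is_hairpin_to_firewall(entry, internal_if, internal_net, public_ip):
    """True when the denied packet is the case discussed in the thread: it
    entered on the internal interface, from the internal network, addressed
    to the firewall's own public IP. OUT is empty because the packet is
    delivered locally, so INPUT rather than FORWARD decides its fate."""
    src = ipaddress.ip_address(entry["SRC"])
    return (entry.get("IN") == internal_if
            and entry.get("OUT", "") == ""
            and src in ipaddress.ip_network(internal_net)
            and entry.get("DST") == public_ip)


def input_accept_rule(entry, internal_net):
    """Build the INPUT accept rule from the reply, narrowed to the protocol,
    interface, destination address and port seen in the log entry."""
    return ("iptables -A INPUT -i %s -p %s -s %s -d %s --dport %s -j ACCEPT"
            % (entry["IN"], entry["PROTO"].lower(), internal_net,
               entry["DST"], entry["DPT"]))


if __name__ == "__main__":
    # Assumed values for the constructed sample: internal interface,
    # internal network and the firewall's public address.
    e = parse_netfilter_log(SAMPLE_LOG)
    if is_hairpin_to_firewall(e, "eth1", "192.168.1.0/24", "203.0.113.230"):
        print(input_accept_rule(e, "192.168.1.0/24"))
```

Running the block prints the narrowed rule for the sample line. The rule is deliberately restricted to the internal interface, the internal source network and the firewall's public address on the one destination port, so it admits only the hairpin traffic the thread is about and nothing arriving on eth0.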