I am trying to replace a dying Red Hat 7.3 box running the firewall for my local network.

My setup is as follows.

    Internet
       |
    Linux box (SuSE 9.3)
      eth1 has real IPs
        eth1    24.128.81.1 gateway
        eth1:2  24.128.81.2
        eth1:3  24.128.81.3
        eth1:4  24.128.81.4
       |
      eth0 has private IPs
        eth0    192.168.1.1 gateway
       |
    LAN

I have a couple of workstations and a webserver on my LAN.

Anything coming in from the internet works OK. NAT is set up to forward port 80 to my webserver at 24.128.81.3 (private IP 192.168.1.3).

In my SuSEfirewall2 config I have:

    FW_MASQUERADE="yes"
    FW_MASQ_DEV="$FW_DEV_EXT"
    FW_MASQ_NETS="192.168.1.0/24"
    FW_FORWARD_MASQ="0/0,192.168.1.3,tcp,80,80,24.128.81.3"

(rest omitted)

Changed the sysctl file to read IP_FORWARD="yes".

Problem is my internal network can no longer access the webserver. It hits the real IP on eth1 and doesn't forward to the local network.

I am missing some kind of route rule, I think.
On Mon, 2005-07-18 at 09:59 -0400, Doug Currey wrote:
> I am trying to replace a dying Red Hat 7.3 box running the firewall for my local network.
>
> My setup is as follows.
>
>     Internet
>        |
>     Linux box (SuSE 9.3)
>       eth1 has real IPs
>         eth1    24.128.81.1 gateway
>         eth1:2  24.128.81.2
>         eth1:3  24.128.81.3
>         eth1:4  24.128.81.4
>        |
>       eth0 has private IPs
>         eth0    192.168.1.1 gateway
>        |
>     LAN
>
> I have a couple of workstations and a webserver on my LAN.
>
> Anything coming in from the internet works OK. NAT is set up to forward port 80 to my webserver at 24.128.81.3 (private IP 192.168.1.3).
>
> In my SuSEfirewall2 config I have:
>
>     FW_MASQUERADE="yes"
>     FW_MASQ_DEV="$FW_DEV_EXT"
>     FW_MASQ_NETS="192.168.1.0/24"
>     FW_FORWARD_MASQ="0/0,192.168.1.3,tcp,80,80,24.128.81.3"
>
> (rest omitted)
>
> Changed the sysctl file to read IP_FORWARD="yes".
>
> Problem is my internal network can no longer access the webserver. It hits the real IP on eth1 and doesn't forward to the local network.
>
> I am missing some kind of route rule, I think.
Are you running an internal DNS server? If so, why not have the internal DNS server point to the internal IP of the web server? This way the internal machines don't have to route through the firewall to get to the internal server.

-- 
Ken Schneider
UNIX since 1989, linux since 1994, SuSE since 1998
"The day Microsoft makes something that doesn't suck is probably the day they start making vacuum cleaners." -Ernst Jan Plugge
On Mon, 18 Jul 2005 10:26:37 -0400, Ken Schneider wrote:
> On Mon, 2005-07-18 at 09:59 -0400, Doug Currey wrote:
> > I am trying to replace a dying Red Hat 7.3 box running the firewall for my local network.
> >
> > My setup is as follows.
> >
> >     Internet
> >        |
> >     Linux box (SuSE 9.3)
> >       eth1 has real IPs
> >         eth1    24.128.81.1 gateway
> >         eth1:2  24.128.81.2
> >         eth1:3  24.128.81.3
> >         eth1:4  24.128.81.4
> >        |
> >       eth0 has private IPs
> >         eth0    192.168.1.1 gateway
> >        |
> >     LAN
> >
> > I have a couple of workstations and a webserver on my LAN.
> >
> > Anything coming in from the internet works OK. NAT is set up to forward port 80 to my webserver at 24.128.81.3 (private IP 192.168.1.3).
> >
> > In my SuSEfirewall2 config I have:
> >
> >     FW_MASQUERADE="yes"
> >     FW_MASQ_DEV="$FW_DEV_EXT"
> >     FW_MASQ_NETS="192.168.1.0/24"
> >     FW_FORWARD_MASQ="0/0,192.168.1.3,tcp,80,80,24.128.81.3"
> >
> > (rest omitted)
> >
> > Changed the sysctl file to read IP_FORWARD="yes".
> >
> > Problem is my internal network can no longer access the webserver. It hits the real IP on eth1 and doesn't forward to the local network.
> >
> > I am missing some kind of route rule, I think.
>
> Are you running an internal DNS server? If so, why not have the internal DNS server point to the internal IP of the web server? This way the internal machines don't have to route through the firewall to get to the internal server.
>
> -- 
> Ken Schneider
I have considered this but would like to use this as the last option.

Doug
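For readers hitting the same symptom: what Doug's setup is missing is "hairpin" NAT. The FW_FORWARD_MASQ rule only rewrites packets arriving on the external interface, so a LAN client connecting to 24.128.81.3 ends up talking to the firewall box itself; and even with a destination rewrite on the LAN side, the web server (on the same subnet as the client) would answer the client directly, which the client rejects because the reply comes from 192.168.1.3 rather than 24.128.81.3. The script below is an added example, not part of the thread and not SuSEfirewall2's own generated rule set; it uses the addresses from Doug's post, my own variable names, and defaults to a dry run that only prints the iptables commands (run it as root with IPT=iptables to apply them). In SuSEfirewall2 such extra rules normally go into the custom rules script it loads via FW_CUSTOMRULES.

```sh
#!/bin/sh
# Added example (not SuSEfirewall2's generated rules): hairpin NAT so LAN clients
# can reach the web server through its public address. Addresses are the ones
# from the thread; variable names are this example's own.
# IPT defaults to a dry run that prints each command; set IPT=iptables to apply.

EXT_IF=eth1                 # interface holding the public addresses
INT_IF=eth0                 # LAN interface
PUBLIC_WEB=24.128.81.3      # public address that is forwarded to the web server
PRIVATE_WEB=192.168.1.3     # the web server's private address
LAN=192.168.1.0/24
LAN_GW=192.168.1.1          # firewall's own LAN address, used as hairpin source
IPT=${IPT:-echo iptables}

hairpin_rules() {
    # 1. What FW_FORWARD_MASQ already does: rewrite the destination of Internet
    #    traffic for 24.128.81.3:80 to the private server. It matches only
    #    packets arriving on eth1, which is why LAN clients never hit it.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$PUBLIC_WEB" --dport 80 \
        -j DNAT --to-destination "$PRIVATE_WEB:80"

    # 2. The same rewrite for packets arriving from the LAN; without it a LAN
    #    client connecting to 24.128.81.3 simply reaches the firewall itself.
    $IPT -t nat -A PREROUTING -i "$INT_IF" -s "$LAN" -p tcp -d "$PUBLIC_WEB" --dport 80 \
        -j DNAT --to-destination "$PRIVATE_WEB:80"

    # 3. Rewrite the source as well, so the server's reply comes back through
    #    the firewall instead of going straight to the client on the same
    #    subnet. Only hairpinned traffic ever traverses this box, so the rule
    #    does not touch direct LAN-to-server connections.
    $IPT -t nat -A POSTROUTING -o "$INT_IF" -s "$LAN" -p tcp -d "$PRIVATE_WEB" --dport 80 \
        -j SNAT --to-source "$LAN_GW"

    # 4. Allow the hairpinned traffic to be forwarded, LAN in and LAN out.
    $IPT -A FORWARD -i "$INT_IF" -o "$INT_IF" -p tcp -d "$PRIVATE_WEB" --dport 80 -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

hairpin_rules
```

Two things to keep in mind when choosing between this and Ken's split-DNS suggestion: with the SNAT rule in place, every hairpinned connection shows up in the web server's logs as coming from 192.168.1.1, so you lose the real client address for those requests; and every internal hit on the site now costs a round trip through the firewall. Pointing the internal DNS at 192.168.1.3 avoids both, which is why it is usually the cleaner fix.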