Henry Standing wrote:

1. What is your DMZ setup?

Is it 3-homed: __________ / \ | Internet | \__________/ | ____|_____ __________ | | | | | Firewall |--------| DMZ | |__________| |__________|

--> In the same server and rest of services, http,smtp,..

| | _____|________ | | | Internal LAN | |______________|

2. Where are your internal DNS server(s) located?

in DMZ

3. How are your Subnets set up?

three pc with linux client ( 192.168.0.10 - 192.168.0.10.11 192.168.0.10.12) route to 192.168.0.1

On Thu, 2004-10-14 at 14:41, Raul H. Lapitzondo wrote:

...

I have problems to connect from my internal LAN to services (http,smtp) in DMZ. Example : I can't send mail with my mail server but it's possible when i connect outside my network.

But it does not stop to connect to me with other services, outside my network

Any idea ?

Thank's in advance Raul

------------------------------------------------------------------------------

This it is my scheme of network:

ADSL-----------DMZ-----------------SWITCH --- LAN 192.168.1.1 ETH1=192.168.1.2 192.168.0.0/24 ETH0=192.168.0.1 Services: smtp, http...

Log when attempt to connect me to a virtual domain in my DMZ: -------- /var/log/messages --------------------- SFW2-INext-DROP-ICMP IN=eth1 OUT=MAC=00:50:fc:27:26:bd:00:73:03:08:df:ec:08:00 SRC=[nnn.nnn.nnn.nnn] DST=192.168.1.2 LEN=56 TOS=0x08 PREC=0x00 TTL=64 ID=31558 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.2 DST=[nnn.nnn.nnn.nnn] LEN=60 TOS=0x08 PREC=0x00 TTL=64 ID=33634 DF PROTO=TCP INCOMPLETE [8bytes] ] ------------------------------------------------

route: ------------------------------------------------ # route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.1.0 * 255.255.255.0 U 0 0 0 eth1 192.168.0.0 * 255.255.255.0 U 0 0 0 eth0 link-local * 255.255.0.0 U 0 0 0 eth0 loopback * 255.0.0.0 U 0 0 0 lo default 192.168.1.1 0.0.0.0 UG 0 0 0 eth1 ------------------------------------------------

SuSEfirewall2: ----------------- /etc/sysconfig/SuSEfirewall2 ---------------------

# 1.) # Should the Firewall run in quickmode? FW_QUICKMODE="no"

# 2.) FW_DEV_EXT="eth-id-00:50:fc:27:26:bd"

# 3.) FW_DEV_INT="eth-id-00:e0:7d:9d:e3:59"

# 4.) # Which is the interface that points to the dmz or dialup network? FW_DEV_DMZ="eth1"

# 5.) # Should routing between the internet, dmz and internal network be activated? FW_ROUTE="yes"

# 6.) FW_MASQUERADE="yes"

## Type: string # # You must also define on which interface(s) to masquerade on. This is # normally your external device(s) to the internet. # Most users can leave the default below. # # e.g. "ippp0" or "$FW_DEV_EXT"

FW_MASQ_DEV="$FW_DEV_EXT" FW_MASQ_NETS="0/0"

# 7.) FW_PROTECT_FROM_INTERNAL="yes"

# 8.) FW_AUTOPROTECT_SERVICES="yes"

# 9.) FW_SERVICES_EXT_TCP="53 http https imap imaps pop3 pop3s smtp" FW_SERVICES_EXT_UDP="53" FW_SERVICES_EXT_IP="" FW_SERVICES_EXT_RPC=""

FW_SERVICES_DMZ_TCP="53 http https imap imaps pop3 pop3s smtp" FW_SERVICES_DMZ_UDP="53" FW_SERVICES_DMZ_IP="" FW_SERVICES_DMZ_RPC=""

FW_SERVICES_INT_TCP="smtp domain http https 110 143 53" FW_SERVICES_INT_UDP="53" FW_SERVICES_INT_IP="" FW_SERVICES_INT_RPC=""

# 9a.) FW_SERVICES_QUICK_TCP="" FW_SERVICES_QUICK_UDP="" FW_SERVICES_QUICK_IP=""

# 10.) FW_TRUSTED_NETS="192.168.0.0/24"

# 11.) FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"

# 12.) FW_SERVICE_AUTODETECT="yes" FW_SERVICE_DNS="yes" FW_SERVICE_DHCLIENT="no" FW_SERVICE_DHCPD="no" FW_SERVICE_SQUID="yes" FW_SERVICE_SAMBA="no"

# 13.) FW_FORWARD="192.168.0.0/24,192.168.1.2"

# 14.) FW_FORWARD_MASQ=""

# 15.) FW_REDIRECT="192.168.0.0/24,0/0,tcp,80,3128 192.168.0.0/24,0/0,tcp,25,3128 192.168.0.0/24,0/0,tcp,110,3128 192.168.0.0/24,0/0,tcp,143,3128"

# 16.) FW_LOG_DROP_CRIT="yes" FW_LOG_DROP_ALL="yes" FW_LOG_ACCEPT_CRIT="yes" FW_LOG_ACCEPT_ALL="no"

# 17.) FW_KERNEL_SECURITY="yes" FW_ANTISPOOF="yes"

# 18.) FW_STOP_KEEP_ROUTING_STATE="no"

# 19.) FW_ALLOW_PING_FW="yes" FW_ALLOW_PING_DMZ="yes" FW_ALLOW_PING_EXT="no"

# 20.) FW_ALLOW_FW_TRACEROUTE="yes"

# 21.) FW_ALLOW_FW_SOURCEQUENCH="yes"

# 22.) FW_ALLOW_FW_BROADCAST="yes" FW_IGNORE_FW_BROADCAST="yes"

# 23.) FW_ALLOW_CLASS_ROUTING="no"

# 25.) FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

# 26.) FW_REJECT="yes"

# 27.) FW_HTB_TUNE_DEV=""

# 28.) FW_IPv6=""

# 28a.) FW_IPv6_REJECT_OUTGOING="yes"

# 29.) FW_IPSEC_TRUST="no"

# 29a.) FW_IPSEC_MARK="" FW_LOG=""

--------------------------------------------------------------------

My router is a modem with nat, and address is 192.168.1.1 , and the public IP is assigned in automatic form without DHCP. Best wishes Raul Jeffrey Laramie wrote:

...

...

On Thu, 2004-10-14 at 14:41, Raul H. Lapitzondo wrote:

...

I have problems to connect from my internal LAN to services (http,smtp) in DMZ. Example : I can't send mail with my mail server but it's possible when i connect outside my network.

But it does not stop to connect to me with other services, outside my network

Any idea ?

This is most likely a routing issue.

...

...

...

# route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.1.0 * 255.255.255.0 U 0 0 0 eth1 192.168.0.0 * 255.255.255.0 U 0 0 0 eth0 link-local * 255.255.0.0 U 0 0 0 eth0 loopback * 255.0.0.0 U 0 0 0 lo default 192.168.1.1 0.0.0.0 UG 0 0 0 eth1

You describe having a tri-homed configuration but you only have 2 NICs configured. You need to have one facing the internet, one facing the dmz, and one facing the lan. When you're finished you should end up with something like this:

NS2:~ # route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 66.95.xx.xx * 255.255.255.248 U 0 0 0 eth0 192.168.1.0 * 255.255.255.0 U 0 0 0 eth1 192.168.0.0 * 255.255.255.0 U 0 0 0 eth2 link-local * 255.255.0.0 U 0 0 0 eth0 loopback * 255.0.0.0 U 0 0 0 lo default 66.95.xx.xx 0.0.0.0 UG 0 0 0 eth0

Best wishes, Jeff

Thanks Jeff, Jeffrey Laramie wrote:

On Thursday 14 October 2004 11:32, Raul H. Lapitzondo wrote:

...

My router is a modem with nat, and address is 192.168.1.1 , and the public IP is assigned in automatic form without DHCP.

OK. I reviewed your ascii art and I think I have the picture now. Your labeling and your response to Henry confused me (I'm easily confused).

me too with the new configuration :). (I changed of ISP)

What you describe as the DMZ is really just a combined firewall/server box with a NIC facing the internet and another NIC facing the lan.

Can you ping the internet from the firewall/server box?

Yes, no problem

Are you having any problems reaching the firewall/server from the LAN?

to internet: no problem, but i have problem to connect with any vhost (some virtual domain running in the server) or for send email through my email server, using internal pc lan. if I try to connect from outside (cybercafe) i don't have any kind of problems (i can check my email and i can relay through my server ) Thats why i think the problem start whith the forward rules define at the firewall. (you can check this at the bottom of the original mail) Best regards. Raul

Best wishes, Jeff

Thanks again Jeffrey Laramie wrote:

...

...

Are you having any problems reaching the firewall/server from the LAN?

to internet: no problem, but i have problem to connect with any vhost (some virtual domain running in the server) or for send email through my email server, using internal pc lan. if I try to connect from outside (cybercafe) i don't have any kind of problems (i can check my email and i can relay through my server ) Thats why i think the problem start whith the forward rules define at the firewall. (you can check this at the bottom of the original mail)

OK, so you have a good hardware connection. I don't use SuSEfirewall but the forwarding rule does look suspicious. (Anyone else who does can feel free to jump in anytime :-) Post the printout from:

iptables -L -t nat

# iptables -L -t nat Chain PREROUTING (policy ACCEPT) target prot opt source destination REDIRECT tcp -- 192.168.0.0/24 anywhere tcp dpt:http redir ports 3128 REDIRECT tcp -- 192.168.0.0/24 anywhere tcp dpt:smtp redir ports 3128 REDIRECT tcp -- 192.168.0.0/24 anywhere tcp dpt:pop3 redir ports 3128 REDIRECT tcp -- 192.168.0.0/24 anywhere tcp dpt:imap redir ports 3128

iptables -L -t filter

the out is too large, allthought i don't know if is secure sending this here. If you want send me your email address. Raul

Jeff

* Jeffrey Laramie [10-14-04 15:03]:

Here you are redirecting all the traffic coming from the LAN on ports 80, 110, 25 , ect. to port 3128 on the host machine. Are you running a proxy on port 3128? If so, only the internal LAN (192.168.0.0/24) is using the proxy port. Also you have all the services redirected to the same port. This seems odd to me.

3128 is the default http port for squid .... -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/photos

Hi, Jeff. I made changes in the rules firewall and now i can connect from internal lan to server mail :-) . But i can't connect to vhost in apache server from internal lan. printout from : # iptables -L -t nat Chain PREROUTING (policy ACCEPT) target prot opt source destination REDIRECT tcp -- 192.168.0.0/24 anywhere tcp dpt:http redir ports 3128 REDIRECT tcp -- 192.168.0.0/24 anywhere tcp dpt:https redir ports 3128 Chain POSTROUTING (policy ACCEPT) target prot opt source destination MASQUERADE all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination Best regards Raul Jeffrey Laramie wrote:

You don't have any REDIRECT rules for traffic coming in on 192.168.1.0/24 so the internet traffic is still going to the standard ports (assuming your filter rules don't block it). If the services work from the internet you may want to change or remove the REDIRECT rules from the LAN IPs and see if that helps.

Jeff

Jeffrey Laramie wrote:

On Friday 15 October 2004 09:56, Raul H. Lapitzondo wrote:

...

Hi, Jeff. I made changes in the rules firewall and now i can connect from internal lan to server mail :-) .

Good, progress at last...

thank's for your help. ;-)

Are you running a proxy such as squid, or are you simply running apache with virtual hosts? Also what version of SuSE and apache are you running?

Jeff

yep ... squid-2.5 and apache2-2.0 Raul