I have problems connecting from my internal LAN to services (http, smtp) in the DMZ. Example: I can't send mail with my mail server, but it's possible when I connect from outside my network. But it does not stop connecting to me with other services from outside my network.
Any idea?
Thanks in advance
Raul
------------------------------------------------------------------------------
This is my scheme of network:

ADSL-----------DMZ-----------------SWITCH --- LAN
192.168.1.1    ETH1=192.168.1.2               192.168.0.0/24
               ETH0=192.168.0.1
               Services: smtp, http...

Log when I attempt to connect to a virtual domain in my DMZ:
-------- /var/log/messages ---------------------
SFW2-INext-DROP-ICMP IN=eth1 OUT= MAC=00:50:fc:27:26:bd:00:73:03:08:df:ec:08:00 SRC=[nnn.nnn.nnn.nnn] DST=192.168.1.2 LEN=56 TOS=0x08 PREC=0x00 TTL=64 ID=31558 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.2 DST=[nnn.nnn.nnn.nnn] LEN=60 TOS=0x08 PREC=0x00 TTL=64 ID=33634 DF PROTO=TCP INCOMPLETE [8bytes] ]
------------------------------------------------

route:
------------------------------------------------
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
link-local      *               255.255.0.0     U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
------------------------------------------------

SuSEfirewall2:
----------------- /etc/sysconfig/SuSEfirewall2 ---------------------
# 1.)
# Should the Firewall run in quickmode?
FW_QUICKMODE="no"
# 2.)
FW_DEV_EXT="eth-id-00:50:fc:27:26:bd"
# 3.)
FW_DEV_INT="eth-id-00:e0:7d:9d:e3:59"
# 4.)
# Which is the interface that points to the dmz or dialup network?
FW_DEV_DMZ="eth1"
# 5.)
# Should routing between the internet, dmz and internal network be activated?
FW_ROUTE="yes"
# 6.)
FW_MASQUERADE="yes"
## Type: string
#
# You must also define on which interface(s) to masquerade on. This is
# normally your external device(s) to the internet.
# Most users can leave the default below.
#
# e.g. "ippp0" or "$FW_DEV_EXT"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
# 7.)
FW_PROTECT_FROM_INTERNAL="yes"
# 8.)
FW_AUTOPROTECT_SERVICES="yes"
# 9.)
FW_SERVICES_EXT_TCP="53 http https imap imaps pop3 pop3s smtp"
FW_SERVICES_EXT_UDP="53"
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP="53 http https imap imaps pop3 pop3s smtp"
FW_SERVICES_DMZ_UDP="53"
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_TCP="smtp domain http https 110 143 53"
FW_SERVICES_INT_UDP="53"
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
# 9a.)
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
# 10.)
FW_TRUSTED_NETS="192.168.0.0/24"
# 11.)
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
# 12.)
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="no"
# 13.)
FW_FORWARD="192.168.0.0/24,192.168.1.2"
# 14.)
FW_FORWARD_MASQ=""
# 15.)
FW_REDIRECT="192.168.0.0/24,0/0,tcp,80,3128 192.168.0.0/24,0/0,tcp,25,3128 192.168.0.0/24,0/0,tcp,110,3128 192.168.0.0/24,0/0,tcp,143,3128"
# 16.)
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
# 17.)
FW_KERNEL_SECURITY="yes"
FW_ANTISPOOF="yes"
# 18.)
FW_STOP_KEEP_ROUTING_STATE="no"
# 19.)
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="no"
# 20.)
FW_ALLOW_FW_TRACEROUTE="yes"
# 21.)
FW_ALLOW_FW_SOURCEQUENCH="yes"
# 22.)
FW_ALLOW_FW_BROADCAST="yes"
FW_IGNORE_FW_BROADCAST="yes"
# 23.)
FW_ALLOW_CLASS_ROUTING="no"
# 25.)
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
# 26.)
FW_REJECT="yes"
# 27.)
FW_HTB_TUNE_DEV=""
# 28.)
FW_IPv6=""
# 28a.)
FW_IPv6_REJECT_OUTGOING="yes"
# 29.)
FW_IPSEC_TRUST="no"
# 29a.)
FW_IPSEC_MARK=""
FW_LOG=""
--------------------------------------------------------------------
1. What is your DMZ setup?

Is it 3-homed:

                __________
               /          \
              |  Internet  |
               \__________/
                    |
               ____|_____        __________
              |          |      |          |
              | Firewall |------|   DMZ    |
              |__________|      |__________|
                    |
              ______|_______
             |              |
             | Internal LAN |
             |______________|

...or back to back:

                __________
               /          \
              |  Internet  |
               \__________/
                    |
               ____|_____
              |          |
              | Firewall |
              |__________|
                    |
               ____|_____
              |          |
              |   DMZ    |
              |__________|
                    |
               ____|_____
              |          |
              | Firewall |
              |__________|
                    |
              ______|_______
             |              |
             | Internal LAN |
             |______________|

2. Where are your internal DNS server(s) located?

3. How are your Subnets set up?

On Thu, 2004-10-14 at 14:41, Raul H. Lapitzondo wrote:
I have problems connecting from my internal LAN to services (http, smtp) in the DMZ. Example: I can't send mail with my mail server, but it's possible when I connect from outside my network.
But it does not stop connecting to me with other services from outside my network.
Any idea?
Thanks in advance
Raul
Henry Standing wrote:
1. What is your DMZ setup?
Is it 3-homed:

                __________
               /          \
              |  Internet  |
               \__________/
                    |
               ____|_____        __________
              |          |      |          |
              | Firewall |------|   DMZ    |
              |__________|      |__________|
--> In the same server and rest of services, http,smtp,..
                    |
              ______|_______
             |              |
             | Internal LAN |
             |______________|
2. Where are your internal DNS server(s) located?
in DMZ
3. How are your Subnets set up?
Three PCs with Linux clients (192.168.0.10, 192.168.0.10.11, 192.168.0.10.12), routing to 192.168.0.1.
On Thu, 2004-10-14 at 14:41, Raul H. Lapitzondo wrote:
I have problems connecting from my internal LAN to services (http, smtp) in the DMZ. Example: I can't send mail with my mail server, but it's possible when I connect from outside my network.
But it does not stop connecting to me with other services from outside my network.
Any idea?
This is most likely a routing issue.
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
link-local      *               255.255.0.0     U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth1

You describe having a tri-homed configuration but you only have 2 NICs configured. You need to have one facing the internet, one facing the dmz, and one facing the lan. When you're finished you should end up with something like this:

NS2:~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
66.95.xx.xx     *               255.255.255.248 U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth2
link-local      *               255.255.0.0     U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         66.95.xx.xx     0.0.0.0         UG    0      0        0 eth0

Best wishes,
Jeff
My router is a modem with NAT, and its address is 192.168.1.1, and the public IP is assigned in automatic form without DHCP.
Best wishes
Raul
On Thursday 14 October 2004 11:32, Raul H. Lapitzondo wrote:
My router is a modem with nat, and address is 192.168.1.1 , and the public IP is assigned in automatic form without DHCP.
OK. I reviewed your ascii art and I think I have the picture now. Your labeling and your response to Henry confused me (I'm easily confused). What you describe as the DMZ is really just a combined firewall/server box with a NIC facing the internet and another NIC facing the lan.

Can you ping the internet from the firewall/server box?

Are you having any problems reaching the firewall/server from the LAN?

Best wishes,
Jeff
Thanks Jeff,

Jeffrey Laramie wrote:
On Thursday 14 October 2004 11:32, Raul H. Lapitzondo wrote:
My router is a modem with nat, and address is 192.168.1.1 , and the public IP is assigned in automatic form without DHCP.
OK. I reviewed your ascii art and I think I have the picture now. Your labeling and your response to Henry confused me (I'm easily confused).
Me too, with the new configuration :). (I changed ISP.)
What you describe as the DMZ is really just a combined firewall/server box with a NIC facing the internet and another NIC facing the lan.
Can you ping the internet from the firewall/server box?
Yes, no problem
Are you having any problems reaching the firewall/server from the LAN?
To the Internet: no problem, but I have a problem connecting to any vhost (some virtual domains running on the server) or sending email through my email server from an internal LAN PC. If I try to connect from outside (cybercafe) I don't have any kind of problem (I can check my email and I can relay through my server). That's why I think the problem starts with the forward rules defined at the firewall. (You can check this at the bottom of the original mail.)
Best regards.
Raul
Best wishes, Jeff
Are you having any problems reaching the firewall/server from the LAN?
To the Internet: no problem, but I have a problem connecting to any vhost (some virtual domains running on the server) or sending email through my email server from an internal LAN PC. If I try to connect from outside (cybercafe) I don't have any kind of problem (I can check my email and I can relay through my server). That's why I think the problem starts with the forward rules defined at the firewall. (You can check this at the bottom of the original mail.)
OK, so you have a good hardware connection. I don't use SuSEfirewall but the forwarding rule does look suspicious. (Anyone else who does can feel free to jump in anytime :-) Post the printout from:

iptables -L -t nat
iptables -L -t filter

Jeff
Thanks again

Jeffrey Laramie wrote:
Are you having any problems reaching the firewall/server from the LAN?
To the Internet: no problem, but I have a problem connecting to any vhost (some virtual domains running on the server) or sending email through my email server from an internal LAN PC. If I try to connect from outside (cybercafe) I don't have any kind of problem (I can check my email and I can relay through my server). That's why I think the problem starts with the forward rules defined at the firewall. (You can check this at the bottom of the original mail.)
OK, so you have a good hardware connection. I don't use SuSEfirewall but the forwarding rule does look suspicious. (Anyone else who does can feel free to jump in anytime :-) Post the printout from:
iptables -L -t nat
# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  192.168.0.0/24       anywhere             tcp dpt:http redir ports 3128
REDIRECT   tcp  --  192.168.0.0/24       anywhere             tcp dpt:smtp redir ports 3128
REDIRECT   tcp  --  192.168.0.0/24       anywhere             tcp dpt:pop3 redir ports 3128
REDIRECT   tcp  --  192.168.0.0/24       anywhere             tcp dpt:imap redir ports 3128
iptables -L -t filter
The output is too large, although I don't know if it is secure to send it here. If you want, send me your email address.
Raul
Jeff
On Thursday 14 October 2004 13:48, Raul H. Lapitzondo wrote:
Thanks again
Jeffrey Laramie wrote:
Are you having any problems reaching the firewall/server from the LAN?
To the Internet: no problem, but I have a problem connecting to any vhost (some virtual domains running on the server) or sending email through my email server from an internal LAN PC. If I try to connect from outside (cybercafe) I don't have any kind of problem (I can check my email and I can relay through my server). That's why I think the problem starts with the forward rules defined at the firewall. (You can check this at the bottom of the original mail.)
OK, so you have a good hardware connection. I don't use SuSEfirewall but the forwarding rule does look suspicious. (Anyone else who does can feel free to jump in anytime :-) Post the printout from:
iptables -L -t nat
# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  192.168.0.0/24       anywhere             tcp dpt:http redir ports 3128
REDIRECT   tcp  --  192.168.0.0/24       anywhere             tcp dpt:smtp redir ports 3128
REDIRECT   tcp  --  192.168.0.0/24       anywhere             tcp dpt:pop3 redir ports 3128
REDIRECT   tcp  --  192.168.0.0/24       anywhere             tcp dpt:imap redir ports 3128
Here you are redirecting all the traffic coming from the LAN on ports 80, 110, 25, etc. to port 3128 on the host machine. Are you running a proxy on port 3128? If so, only the internal LAN (192.168.0.0/24) is using the proxy port. Also you have all the services redirected to the same port. This seems odd to me.

You don't have any REDIRECT rules for traffic coming in on 192.168.1.0/24, so the internet traffic is still going to the standard ports (assuming your filter rules don't block it). If the services work from the internet you may want to change or remove the REDIRECT rules from the LAN IPs and see if that helps.

Jeff
* Jeffrey Laramie
Here you are redirecting all the traffic coming from the LAN on ports 80, 110, 25 , ect. to port 3128 on the host machine. Are you running a proxy on port 3128? If so, only the internal LAN (192.168.0.0/24) is using the proxy port. Also you have all the services redirected to the same port. This seems odd to me.
3128 is the default http port for squid ....

--
Patrick Shanahan
Registered Linux User #207535
http://wahoo.no-ip.org @ http://counter.li.org
HOG # US1244711
Photo Album: http://wahoo.no-ip.org/photos
On Thursday 14 October 2004 17:02, Patrick Shanahan wrote:
* Jeffrey Laramie
[10-14-04 15:03]: Here you are redirecting all the traffic coming from the LAN on ports 80, 110, 25, etc. to port 3128 on the host machine. Are you running a proxy on port 3128? If so, only the internal LAN (192.168.0.0/24) is using the proxy port. Also you have all the services redirected to the same port. This seems odd to me.
3128 is the default http port for squid ....
Yeah, but does squid handle smtp and pop3? (Even if it does, is there any point when mail servers are so capable?) I suspect his proxy server has no idea what to do with the smtp and pop3 packets, particularly since his mail works from the IP that isn't redirected.

Best wishes,
Jeff
Hi, Jeff. I made changes in the firewall rules and now I can connect from the internal LAN to the mail server :-). But I can't connect to a vhost in the Apache server from the internal LAN.

Printout from:
# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  192.168.0.0/24       anywhere             tcp dpt:http redir ports 3128
REDIRECT   tcp  --  192.168.0.0/24       anywhere             tcp dpt:https redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Best regards
Raul

Jeffrey Laramie wrote:
You don't have any REDIRECT rules for traffic coming in on 192.168.1.0/24 so the internet traffic is still going to the standard ports (assuming your filter rules don't block it). If the services work from the internet you may want to change or remove the REDIRECT rules from the LAN IPs and see if that helps.
Jeff
On Friday 15 October 2004 09:56, Raul H. Lapitzondo wrote:
Hi, Jeff. I made changes in the firewall rules and now I can connect from the internal LAN to the mail server :-).
Good, progress at last...
But I can't connect to a vhost in the Apache server from the internal LAN.

Printout from:
# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  192.168.0.0/24       anywhere             tcp dpt:http redir ports 3128
REDIRECT   tcp  --  192.168.0.0/24       anywhere             tcp dpt:https redir ports 3128
Are you running a proxy such as squid, or are you simply running apache with virtual hosts? Also what version of SuSE and apache are you running?

Jeff
Jeffrey Laramie wrote:
On Friday 15 October 2004 09:56, Raul H. Lapitzondo wrote:
Hi, Jeff. I made changes in the firewall rules and now I can connect from the internal LAN to the mail server :-).
Good, progress at last...
Thanks for your help. ;-)
Are you running a proxy such as squid, or are you simply running apache with virtual hosts? Also what version of SuSE and apache are you running?
Jeff
yep ... squid-2.5 and apache2-2.0
Raul
On Friday 15 October 2004 11:32, Raul H. Lapitzondo wrote:
Jeffrey Laramie wrote:
On Friday 15 October 2004 09:56, Raul H. Lapitzondo wrote:
Good, progress at last...
Thanks for your help. ;-)
You're welcome.
Are you running a proxy such as squid, or are you simply running apache with virtual hosts? Also what version of SuSE and apache are you running?
Jeff
yep ... squid-2.5 and apache2-2.0
One last thing to look at from a firewall perspective. Since you are redirecting to the proxy port in your PREROUTING table, the firewall/server is seeing the http traffic coming in on port 3128 instead of 80 or 443. This means you need to have a rule to open this port in your INPUT table (or in a chain called by that table). I didn't see any rules in your original post that opened up this port. If you aren't sure, run "iptables -vnL -t filter" and look at the rules under "INPUT".

Jeff
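As an added example (not code from the thread, from SuSEfirewall2 or from squid), this Python check models the two firewall findings Jeff raises above: it parses the FW_REDIRECT value in the format Raul posted and flags entries that hand non-HTTP ports to the squid port, then looks for an ACCEPT on the redirect target port in an "iptables -vnL -t filter" listing. The filter listing and the corrected FW_REDIRECT value are constructed here, and the input_int chain name is an assumption about where SuSEfirewall2 places its per-interface rules.

```python
from __future__ import annotations
from typing import NamedTuple

HTTP_PORTS = {80, 443}  # the only destination ports an HTTP proxy such as squid can serve


class Redirect(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int
    redir_port: int


def parse_fw_redirect(value: str) -> list[Redirect]:
    """Parse a SuSEfirewall2 FW_REDIRECT value: space-separated entries of
    source,destination,proto,dport,redirport (the format used in the thread)."""
    redirects = []
    for entry in value.split():
        src, dst, proto, dport, rport = entry.split(",")
        redirects.append(Redirect(src, dst, proto, int(dport), int(rport)))
    return redirects


def non_http_redirects(redirects: list[Redirect], proxy_port: int = 3128) -> list[Redirect]:
    """Entries that hand a non-HTTP service (smtp, pop3, imap, ...) to the HTTP proxy
    port. Squid cannot speak those protocols, so LAN clients fail while Internet
    clients, which are never redirected, keep working: exactly Raul's symptom."""
    return [r for r in redirects
            if r.redir_port == proxy_port and r.dport not in HTTP_PORTS]


def chain_accepts_port(listing: str, port: int, chain: str = "INPUT", proto: str = "tcp") -> bool:
    """True if `chain` in an `iptables -vnL -t filter` listing has an ACCEPT rule
    matching proto dpt:port. Columns of -vnL: pkts bytes target prot opt in out
    source destination [matches]; with -n the port is numeric, e.g. dpt:3128."""
    in_chain = False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        f = line.split()
        if in_chain and len(f) > 9 and f[2] == "ACCEPT" and f[3] == proto \
                and f"dpt:{port}" in f[9:]:
            return True
    return False


def diagnose(fw_redirect: str, filter_listing: str, proxy_port: int = 3128) -> list[str]:
    """Findings for both problems discussed in the thread. The chains searched for
    the proxy port are INPUT and input_int (assumed SuSEfirewall2 chain name)."""
    findings = []
    for r in non_http_redirects(parse_fw_redirect(fw_redirect), proxy_port):
        findings.append(f"FW_REDIRECT sends {r.proto}/{r.dport} from {r.src} "
                        f"to proxy port {r.redir_port}; the proxy cannot serve it")
    if not any(chain_accepts_port(filter_listing, proxy_port, c) for c in ("INPUT", "input_int")):
        findings.append(f"no ACCEPT for tcp dpt:{proxy_port} in INPUT/input_int: "
                        "redirected HTTP traffic is dropped before reaching the proxy")
    return findings


# FW_REDIRECT exactly as posted in the thread (the broken configuration) ...
ORIGINAL_FW_REDIRECT = ("192.168.0.0/24,0/0,tcp,80,3128 192.168.0.0/24,0/0,tcp,25,3128 "
                        "192.168.0.0/24,0/0,tcp,110,3128 192.168.0.0/24,0/0,tcp,143,3128")
# ... and a constructed value matching Raul's later `iptables -L -t nat` output.
FIXED_FW_REDIRECT = "192.168.0.0/24,0/0,tcp,80,3128 192.168.0.0/24,0/0,tcp,443,3128"

# Constructed `iptables -vnL -t filter` sample (not from the thread): port 80 and the
# smtp rule in input_int are open, but nothing accepts the proxy port 3128.
SAMPLE_FILTER_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  120  9600 ACCEPT     tcp  --  eth0   *       192.168.0.0/24       0.0.0.0/0            tcp dpt:80
    0     0 input_int  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
Chain input_int (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:25
"""

if __name__ == "__main__":
    for finding in diagnose(ORIGINAL_FW_REDIRECT, SAMPLE_FILTER_LISTING):
        print(finding)
```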