
List:       leaf-user
Subject:    [leaf-user] Can't connect to DMZ
From:       Kory Krofft <kkrofft () woh ! rr ! com>
Date:       2003-11-28 18:42:29

I have been trying to set up a webserver in a DMZ using the Shorewall 
3 interfaces examples. I have a test machine with a dialup account 
that I can use to test access to the webserver. On the test machine, 
when I try to view the sample web page I get a "page cannot be 
displayed" error. Coincident with the attempt I get a series of:

 Nov 28 13:31:54 markii Shorewall:all2all:REJECT: IN=eth2 OUT= 
MAC=00:60:97:df:a7:7e:00:50:ba:af:a6:25:08:00 SRC=192.168.10.1 
DST=192.168.10.254 LEN=70 TOS=00 PREC=0x00 TTL=64 ID=42777 DF 
PROTO=UDP SPT=1024 DPT=53 LEN=50

in the shorewall log. I have the DNAT rule set up to translate 
incoming requests on port 5000 to port 80 on the DMZ host in case my 
ISP blocks port 80.
The DMZ host is at ip 192.168.10.1. Eth2 is ip 192.168.10.254.

My rules are:
DROP            net             fw              tcp     67,68
DROP            net             fw              tcp     4662
DROP            net             fw              udp     4662
ACCEPT          fw              net             tcp     53
ACCEPT          fw              net             udp     53
ACCEPT          dmz             net             tcp     53
ACCEPT          dmz             net             udp     53
#
#       Accept SSH connections from the local network for administration
#
ACCEPT          loc             fw              tcp     22
#
#       Allow Ping To And From Firewall
#
ACCEPT          loc             fw              icmp    8
ACCEPT          net             fw              icmp    8
ACCEPT          fw              loc             icmp    8
ACCEPT          fw              net             icmp    8
ACCEPT          dmz             fw              icmp    8
ACCEPT          loc             dmz             icmp    8
ACCEPT          dmz             loc             icmp    8
ACCEPT          dmz             net             icmp    8
ACCEPT          fw              dmz             icmp    8
#
# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT          loc             fw              udp     53
ACCEPT          loc             fw              tcp     80
#
#Enable Samba ports
ACCEPT          loc             fw              udp     137,138
ACCEPT          loc             fw              tcp     139
#
#Open http and mail ports on dmz
DNAT            net             dmz:192.168.10.1:80 tcp 5000
DNAT            net             dmz:192.168.10.1 tcp    25
DNAT            net             dmz:192.168.10.1 udp    25

Any ideas?

Thank you,

Kory Krofft
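Since both the rejected packet and the rules file are quoted above, here is a small checker, written for this page and not part of Kory's post, that turns the log line into zone terms and searches the posted rules for one that covers it. It assumes eth2 is the dmz interface and that 192.168.10.254 is the firewall's own address (zone fw), and it matches only the rules file, not Shorewall's policies or the implicit rules Shorewall adds on its own.

```python
import re

# Constructed from the post: the rejected packet and the rules that
# involve the dmz or fw zones (a subset of the posted rules file).
LOG_LINE = ("Nov 28 13:31:54 markii Shorewall:all2all:REJECT: IN=eth2 OUT= "
            "MAC=00:60:97:df:a7:7e:00:50:ba:af:a6:25:08:00 SRC=192.168.10.1 "
            "DST=192.168.10.254 LEN=70 TOS=00 PREC=0x00 TTL=64 ID=42777 DF "
            "PROTO=UDP SPT=1024 DPT=53 LEN=50")
RULES = """\
ACCEPT          fw              net             udp     53
ACCEPT          dmz             net             tcp     53
ACCEPT          dmz             net             udp     53
ACCEPT          loc             fw              udp     53
ACCEPT          dmz             fw              icmp    8
DNAT            net             dmz:192.168.10.1:80 tcp 5000
"""
# Assumptions, not stated in the post in this form: eth2 is the dmz
# interface, and 192.168.10.254 is an address of the firewall itself.
IFACE_ZONE = {"eth2": "dmz"}
FW_ADDRS = {"192.168.10.254"}

def parse_log(line):
    """Extract the Shorewall chain/disposition and the netfilter fields used here."""
    m = re.search(r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):", line)
    f = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))  # second LEN= overrides the first
    return {"chain": m.group("chain"), "action": m.group("action"),
            "src_zone": "fw" if f["SRC"] in FW_ADDRS else IFACE_ZONE.get(f["IN"], "?"),
            "dst_zone": "fw" if f["DST"] in FW_ADDRS else IFACE_ZONE.get(f["OUT"], "?"),
            "proto": f["PROTO"].lower(), "dpt": int(f["DPT"])}

def parse_rules(text):
    """Yield one dict per rule line; a DEST like dmz:192.168.10.1:80 keeps only its zone."""
    for raw in text.splitlines():
        cols = raw.split()
        if not cols or cols[0].startswith("#"):
            continue
        ports = {int(p) for p in cols[4].split(",")} if len(cols) > 4 else None
        yield {"text": " ".join(cols), "src": cols[1].split(":")[0],
               "dst": cols[2].split(":")[0], "proto": cols[3].lower(), "ports": ports}

def matching_rules(line, rules_text):
    """Return the rules whose zones, protocol and port cover the logged packet."""
    pkt = parse_log(line)
    return [r["text"] for r in parse_rules(rules_text)
            if r["src"] == pkt["src_zone"] and r["dst"] == pkt["dst_zone"]
            and r["proto"] == pkt["proto"]
            and (r["ports"] is None or pkt["dpt"] in r["ports"])]

if __name__ == "__main__":
    pkt = parse_log(LOG_LINE)
    print(f"{pkt['chain']}:{pkt['action']} {pkt['src_zone']}->{pkt['dst_zone']} "
          f"{pkt['proto']}/{pkt['dpt']} matched by: {matching_rules(LOG_LINE, RULES) or 'no rule'}")
```

For the logged packet the checker finds no rule: the list allows dmz to net on udp/53 and loc to fw on udp/53, but nothing from dmz to fw on udp/53, which is consistent with the packet landing in the all2all chain.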
