Guest Roen51
Posted December 18, 2002

Hi List,

Before I begin, I am new to Linux, so please excuse me if my questions are subpar.

I am trying to use MNF to host several websites. I have my web server (IIS5) connected to the DMZ. I use my ISP's DNS. My NICs are set up as follows:

    eth0  wan  67.x.x.125   255.255.255.248  yes  static
    eth1  dmz  10.0.0.1     255.255.255.0    yes  static  admin
    eth2  lan  192.168.1.7  255.255.255.0    yes  static

I have added the following FW rules:

    result  client  zone  server  protocol  ports  forward
    DNAT    wan:67.x.x.125:80  dmz  tcp+udp  http  10.0.0.3
    ACCEPT  dmz  wan  tcp+udp  http

10.0.0.3 is the IP of the web server, and I want requests coming in on 67.x.x.125 to forward to 10.0.0.3. In the future I would like to be able to host sites on 10.0.0.4, 10.0.0.5 and 10.0.0.6.

Ideally I would like to use external IPs inside my DMZ, but I don't know how to do this, so, from what I understand, port forwarding to internal IPs is fine. Otherwise I have not changed any configurations.

What am I doing wrong? Details if possible.

Thanks in advance
Roen
paul
Posted December 18, 2002

For HTTP forwarding I did

    ACCEPT wan dmz:10.0.0.2 http

and it worked fine.

If you want to have public IP addresses in your DMZ it's quite easy: put an entry in the proxyarp table, then change all your DNAT rules to ACCEPT rules.

Warning, however: you may have to wait some time (in my case 2 days) for the ISP's ARP table to update.
Guest Roen51
Posted December 18, 2002

> for http forwarding I did
> ACCEPT wan dmz:10.0.0.2 http

Tried that, got the following message upon restarting shorewall:

    error: an ADDRESS (10.0.0.3) is only allowed in DNAT or REDIRECT: "ACCEPT info wan dmz tcp http - 10.0.0.3"

> if you want to have public IP addresses in your DMZ its quite easy.
> put an entry in the proxyarp table, then change all your DNAT rules to
> ACCEPT rules.
> warning however, you may have to wait some time (in my case 2 days)
> for the ISP's arp table to update

Doing the above would allow me to have my DNS A records point directly to the web server, I believe (correct me if I'm wrong).

Thanks again
Roen
paul
Posted December 18, 2002

Correct ... I have 2 public IPs, 202.x.x.1 and 202.x.x.2.

    firewall ip 202.x.x.1
    DNAT    tcp+udp  wan:202.x.x.1  dmz:202.x.x.2  dns
    ACCEPT  tcp+udp  wan            dmz:202.x.x.2  dns

which means my primary AND secondary DNS records can be on one machine :-)

Cheating, I know (somebody's gonna give me the lecture about DNS records being on different subnets :-( ).

Have a read through the docs at http://www.shorewall.net
Guest Roen51
Posted December 18, 2002

Me and the Shorewall help files have been the best of friends lately, the problem being that info in layman's terms is easier to comprehend.

> firewall ip 202.x.x.1
> DNAT tcp+udp wan:202.x.x.1 dmz:202.x.x.2 dns
> ACCEPT tcp+udp wan dmz:202.x.x.2 dns

You are running your own DNS servers, correct? Therefore, if I am not running my own DNS servers, the following should be OK:

    proxyarp
    67.x.x.127  eth1  eth0  no        (67.x.x.127 being the web server IP)

    rules
    ACCEPT  wan  dmz  tcp+udp  http  67.69.40.126

I think.

Thanks again for the replies; perhaps I will be able to help someone out eventually.
Roen
paul
Posted December 18, 2002

Yep ... but for security reasons I would do

    proxyarp
    67.x.x.127  eth1  eth0  no        (67.x.x.127 being the web server IP)

    rules
    ACCEPT  wan  dmz  tcp  http  67.69.40.126

Don't forward UDP (big security hole). HTTP only needs TCP port 80 (and 443 for HTTPS).

If all you want is a web server then:

    rules
    ACCEPT  wan  dmz  tcp  http   67.69.40.126
    ACCEPT  wan  dmz  tcp  https  67.69.40.126

I think ... you may have to specify the DMZ IP address (try it without first). Example:

    ACCEPT  wan  dmz:67.x.x.127  tcp  http   67.69.40.126
    ACCEPT  wan  dmz:67.x.x.127  tcp  https  67.69.40.126

Cool?
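Two things trip people up in this thread: the "an ADDRESS (...) is only allowed in DNAT or REDIRECT" error when an ACCEPT rule carries a server address in the last column, and a public DMZ address that is accepted by a rule but never advertised with a proxyarp entry, so the ISP's router gets no ARP answer for it. The script below is an added example (not the thread's or Shorewall's own code) that lints for both, plus paul's point that HTTP/HTTPS need TCP only. It assumes the Shorewall 1.3-era column layouts for the rules file (ACTION SOURCE DEST PROTO DEST PORT SOURCE PORT ORIGINAL DEST) and the proxyarp file (ADDRESS INTERFACE EXTERNAL HAVEROUTE), and uses constructed sample lines in documentation address space (203.0.113.0/24) in place of the thread's 67.x.x.x addresses.

```python
"""Lint Shorewall 1.x-style rules and proxyarp lines.

Added example: it re-implements the column check behind the error quoted in the
thread, not Shorewall's own code. Assumed (Shorewall 1.3-era) file layouts:

    rules:     ACTION  SOURCE  DEST  PROTO  DEST_PORT  SOURCE_PORT  ORIG_DEST
    proxyarp:  ADDRESS  INTERFACE  EXTERNAL  HAVEROUTE
"""
import ipaddress

RULE_COLUMNS = ("ACTION", "SOURCE", "DEST", "PROTO", "DEST_PORT", "SOURCE_PORT", "ORIG_DEST")
PROXYARP_COLUMNS = ("ADDRESS", "INTERFACE", "EXTERNAL", "HAVEROUTE")
# Only actions that rewrite the destination take an ORIG_DEST address.
ACTIONS_WITH_ORIG_DEST = {"DNAT", "REDIRECT"}
# Web serving is TCP-only; a UDP opening on these ports is exposure with no purpose.
TCP_ONLY_SERVICES = {"http", "https", "80", "443"}
UDP_PROTOS = {"udp", "tcp+udp", "all"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_columns(line, columns):
    """Split one whitespace-separated config line, padding missing columns with '-'."""
    fields = line.split("#", 1)[0].split()
    fields += ["-"] * (len(columns) - len(fields))
    return dict(zip(columns, fields[: len(columns)]))


def check_rule(line):
    """Return the problems found in one rules line (empty list means clean)."""
    rule = parse_columns(line, RULE_COLUMNS)
    action = rule["ACTION"].split(":", 1)[0].upper()  # 'ACCEPT:info' -> 'ACCEPT'
    problems = []
    if rule["ORIG_DEST"] != "-" and action not in ACTIONS_WITH_ORIG_DEST:
        # The condition Shorewall rejected in the thread: with ACCEPT the server
        # address belongs in DEST as zone:address, not in ORIG_DEST.
        zone = rule["DEST"].split(":", 1)[0]
        problems.append(
            f"an ADDRESS ({rule['ORIG_DEST']}) is only allowed in DNAT or REDIRECT; "
            f"put it in DEST as '{zone}:{rule['ORIG_DEST']}'"
        )
    if rule["PROTO"].lower() in UDP_PROTOS and rule["DEST_PORT"].lower() in TCP_ONLY_SERVICES:
        problems.append(f"{rule['DEST_PORT']} only needs tcp; do not open udp")
    return problems


def proxyarp_addresses(lines):
    """Addresses the firewall will answer ARP for on behalf of DMZ hosts."""
    return {
        parse_columns(entry, PROXYARP_COLUMNS)["ADDRESS"]
        for entry in lines
        if entry.split("#", 1)[0].strip()
    }


def unadvertised_dmz_addresses(rule_lines, proxyarp_lines, dmz_zone="dmz"):
    """Public addresses accepted into the DMZ that have no proxyarp entry.

    Without the entry the upstream router's ARP requests for the address go
    unanswered, and the traffic the rule permits never reaches the firewall.
    """
    advertised = proxyarp_addresses(proxyarp_lines)
    missing = []
    for line in rule_lines:
        rule = parse_columns(line, RULE_COLUMNS)
        zone, _, addr = rule["DEST"].partition(":")
        if zone != dmz_zone or not addr:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # hostnames and address ranges are out of scope here
        if not any(ip in net for net in RFC1918) and addr not in advertised:
            missing.append(addr)
    return missing


# Constructed sample config; documentation space 203.0.113.0/24 stands in for the
# thread's 67.x.x.x addresses.
SAMPLE_PROXYARP = [
    "#ADDRESS        INTERFACE  EXTERNAL  HAVEROUTE",
    "203.0.113.127   eth1       eth0      no",
]
SAMPLE_RULES = [
    "ACCEPT  wan  dmz  tcp  http  -  10.0.0.3",                # the rejected form from the thread
    "DNAT    wan  dmz:10.0.0.3  tcp  http  -  203.0.113.125",  # same intent, valid as DNAT
    "ACCEPT  wan  dmz:203.0.113.127  tcp      http",
    "ACCEPT  wan  dmz:203.0.113.127  tcp      https",
    "ACCEPT  wan  dmz:203.0.113.126  tcp+udp  http",           # udp opened, no proxyarp entry
]

if __name__ == "__main__":
    for line in SAMPLE_RULES:
        for problem in check_rule(line):
            print(f"{line.split()[0]:7} {line.split()[2]:18} {problem}")
    for addr in unadvertised_dmz_addresses(SAMPLE_RULES, SAMPLE_PROXYARP):
        print(f"no proxyarp entry for {addr}")
```

Run as a script it reports the ORIG_DEST misuse on the first sample rule, the UDP opening on the last one, and 203.0.113.126 as a DMZ address with no proxyarp entry. Point the two list constants at your own rules and proxyarp files to use it on a real configuration.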
Guest Roen51
Posted December 18, 2002

Very cool, I'll post the results.

Thanks for the help Paul, you're the man.
Roen
Guest Roen51
Posted December 19, 2002

Paul, let me reiterate how you are the man. Your advice worked perfectly; I did have to specify the DMZ server as mentioned below.

> I think ... you may have to specify then dmz ip address (try it without
> first)
> example:
> ACCEPT wan dmz:67.x.x.127 tcp http 67.69.40.126
> ACCEPT wan dmz:67.x.x.127 tcp https 67.69.40.126

Cheers
Roen
paul
Posted December 19, 2002

Good news !!! :-)

I'm trying to sell MNFs to clients with different setups ... so hearing reports like this is great!!!