NotExcessive (Apprentice)
Joined: 10 May 2005 Posts: 235
Posted: Tue May 06, 2008 12:28 pm Post subject: Getting domain-based services to show to the outside world
I'm running my own servers, and the traffic control was done by a firewall machine that was running shorewall and rp-pppoe to get an ADSL connection from my ISP (modem running as a bridge, of course). Problem is, I've had to drop the pppoe stuff as the firewall won't work properly using pppoe any more (something broke it) and as a temporary measure I've set the modem up in routed mode, having it do the ppp/authentication thing, and presenting a vanilla connection to the firewall instead.
These are the changes that I've made to the firewall machine's configuration:
/etc/shorewall/interfaces went from
Code:
#ZONE INTERFACE BROADCAST OPTIONS
Net ppp0 detect norfc1918
DMZ eth1 192.168.1.255
LAN eth2 192.168.2.255
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
to
Code:
#ZONE INTERFACE BROADCAST OPTIONS
Net eth0 192.168.0.255
DMZ eth1 192.168.1.255
LAN eth2 192.168.2.255
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/masq went from
Code:
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
ppp0 eth2
ppp0 eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
to
Code:
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth0 eth2
eth0 eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
and /etc/conf.d/net went from
Code:
config_ppp0=( "ppp" )
link_ppp0="eth0"
plugins_ppp0=( "pppoe" )
username_ppp0='user'
password_ppp0='password'
pppd_ppp0=( "defaultroute" "usepeerdns" )
config_eth0=( "null" )
config_eth1=( "192.168.1.1/24 broadcast 192.168.1.255" )
config_eth2=( "192.168.2.1/24 broadcast 192.168.2.255" )
to
Code:
config_eth0=( "192.168.0.1/24 broadcast 192.168.0.255" )
routes_eth0=( "default via 192.168.0.2" )
config_eth1=( "192.168.1.1/24 broadcast 192.168.1.255" )
config_eth2=( "192.168.2.1/24 broadcast 192.168.2.255" )
After restarting the system, the LAN machines can now surf the web again... BUT... domain-based services are now invisible since the original setup gave interface ppp0 an address of 123.456.789.10 and now that bit's been replaced with eth0 on 192.168.0.1 and the original /etc/shorewall/rules file had these entries in it, to make the DMZ & mail machines show up to the outside world:
Code:
#ACTION SOURCE DEST PROTO DEST_PORT(S) SOURCE_PORT(S) ORIGINAL_DEST
#Redirect for web server
DNAT all DMZ:192.168.1.2 tcp 80 - 123.456.789.10
#Redirect for ftp server
DNAT all DMZ:192.168.1.2 tcp 21 - 123.456.789.10
#Redirect for news (NNTP) server
DNAT all DMZ:192.168.1.2 tcp 119 - 123.456.789.10
#Redirect for DNS server
DNAT all DMZ:192.168.1.2 tcp 53 - 123.456.789.10
DNAT all DMZ:192.168.1.2 udp 53 - 123.456.789.10
#Redirect for transparent SQUID proxy (no ORIGINAL_DEST: applies to any destination)
DNAT LAN DMZ:192.168.1.2:3128 tcp 80
#Redirect for mail server
DNAT all LAN:192.168.2.2 tcp 25 - 123.456.789.10
DNAT all LAN:192.168.2.2 tcp 465 - 123.456.789.10
DNAT all LAN:192.168.2.2 tcp 110 - 123.456.789.10
DNAT all LAN:192.168.2.2 tcp 143 - 123.456.789.10
DNAT all LAN:192.168.2.2 tcp 993 - 123.456.789.10
#Redirect for Squirrelmail server
DNAT all LAN:192.168.2.2 tcp 443 - 123.456.789.10
Now, the question I have is, what do I need to do to fix the issue of domains not being accessible? I know it's probably a dumb question, but I'm so tired after farting around with the demented firewall's broken pppoe issue for so long, it's a bit of wood for the trees.
The domains are registered at 123.456.789.10. Formerly, traffic would come in and get DNAT'ed properly. Now, traffic comes in to the modem at that address, but arrives at the firewall via eth0 on 192.168.0.1 instead of via ppp0 at 123.456.789.10. I've changed the entries in /etc/shorewall/rules from 123.456.789.10 to 192.168.0.1, but that doesn't seem to work (probably because the packet headers still have the destination address of 123.456.789.10 in them?).
So is there something simple I'm missing here, or does the firewall machine really need to have an input IP of 123.456.789.10 for DNAT stuff to work?
Bones McCracker (Veteran)
Joined: 14 Mar 2006 Posts: 1611 Location: U.S.A.
Posted: Sun May 11, 2008 8:05 am Post subject:
Maybe you should ask in the shorewall list if you haven't.
http://lists.shorewall.net/
But it looks to me at a quick glance as though you might need to change the "Original Destination Address" in each of those DNAT and Redirect rules. The way you have them written, they are going to apply to packets which have a destination address of 123.45.6789, but didn't you say that address is no longer in use? If so, have you tried replacing "123.45.6789" with the address that has replaced it?
I would think in that mode, your modem would be re-writing the destination address to what you are now using as the address for your external interface (eth0). So my guess is that you should be replacing those "123.45.6789" entries with "192.168.0.2". If that doesn't work, you might try the list.
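What both posts are circling is the ORIGINAL DEST column of /etc/shorewall/rules: a DNAT rule only fires for packets whose destination address, as seen when they reach the firewall, equals that column, so rules written for the old ppp0 address stop matching once packets arrive addressed to something else. The toy matcher below is an added example, not the poster's configuration and not Shorewall's own code. It parses rules in the column layout used in this thread with top-to-bottom first-match semantics, shows that a rule carrying the old public address does not match a packet addressed to the new eth0 address, and rewrites the column. 203.0.113.10 and 198.51.100.7 are constructed stand-in addresses (the poster's 123.456.789.10 is a placeholder, not a valid IPv4 address); single ports only, no port ranges.

```python
"""Toy model of Shorewall DNAT rule matching (constructed example, not Shorewall code)."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed rules in the /etc/shorewall/rules layout used in the thread:
# ACTION SOURCE DEST PROTO DEST_PORT(S) SOURCE_PORT(S) ORIGINAL_DEST
# 203.0.113.10 is a constructed stand-in for the old public address.
RULES_TEXT = """\
#Redirect for web server
DNAT all DMZ:192.168.1.2 tcp 80 - 203.0.113.10
#Redirect for transparent SQUID proxy
DNAT LAN DMZ:192.168.1.2:3128 tcp 80
#Redirect for mail server
DNAT all LAN:192.168.2.2 tcp 25 - 203.0.113.10
"""


@dataclass
class DnatRule:
    source_zone: str            # "all" or a zone name such as Net, DMZ, LAN
    dest_zone: str
    dest_addr: str              # address the packet is rewritten to
    dest_port: Optional[int]    # port rewritten to, when DEST is ZONE:addr:port
    proto: str
    dport: int                  # destination port the rule matches on
    original_dest: Optional[str]  # ORIGINAL_DEST column; None or "-" means any


def parse_rules(text: str) -> List[DnatRule]:
    """Parse DNAT lines; comments, blanks and non-DNAT actions are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split()
        if cols[0] != "DNAT":
            continue
        dest = cols[2].split(":")
        dest_zone, dest_addr = dest[0], dest[1]
        dest_port = int(dest[2]) if len(dest) > 2 else None
        original_dest = None
        if len(cols) > 6 and cols[6] != "-":
            original_dest = cols[6]
        rules.append(DnatRule(cols[1], dest_zone, dest_addr, dest_port,
                              cols[3], int(cols[4]), original_dest))
    return rules


def matching_rule(rules: List[DnatRule], src_zone: str, dst_ip: str,
                  proto: str, dport: int) -> Optional[DnatRule]:
    """First rule that matches a packet (source zone, destination IP, proto, port)."""
    for r in rules:
        if r.source_zone not in ("all", src_zone):
            continue
        if r.proto != proto or r.dport != dport:
            continue
        # The key check: a populated ORIGINAL_DEST must equal the packet's
        # destination address as it arrives at the firewall.
        if r.original_dest is not None and r.original_dest != dst_ip:
            continue
        return r
    return None


def rewrite_original_dest(text: str, old: str, new: str) -> str:
    """Replace ORIGINAL_DEST `old` with `new` on DNAT lines; other lines untouched.

    Whitespace inside rewritten DNAT lines is normalised to single spaces.
    """
    out = []
    for line in text.splitlines():
        cols = line.split()
        if cols and cols[0] == "DNAT" and len(cols) > 6 and cols[6] == old:
            cols[6] = new
            line = " ".join(cols)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    # Old setup: packet from the Net zone addressed to the public address.
    print(matching_rule(rules, "Net", "203.0.113.10", "tcp", 80))
    # New setup: same packet now arrives addressed to eth0's address -> no match.
    print(matching_rule(rules, "Net", "192.168.0.1", "tcp", 80))
    # After rewriting the column the web rule matches again.
    fixed = parse_rules(rewrite_original_dest(RULES_TEXT, "203.0.113.10", "192.168.0.1"))
    print(matching_rule(fixed, "Net", "192.168.0.1", "tcp", 80))
```

The practical check before editing the column is to look at what destination address packets actually carry when they reach eth0 (for example with tcpdump on the firewall): that depends on whether the modem forwards inbound traffic to the firewall's 192.168.0.1 or keeps another address on it, and whichever address shows up there is the one the ORIGINAL DEST column must carry. Rules with no ORIGINAL DEST, such as the transparent SQUID redirect, are unaffected by the address change.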