DMZ and iptables break my head!!! Advanced help please!!!!
Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I'll add that, to give you that answer, I stopped squid (/etc/init.d/squid stop) and commented out the port 3128 rule (#PREROUTING -s 192.168.111.0/24 -d 190.xxx.xxx.89/32 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128), so I went out to the internet without the proxy, but it still did not work.
Do you mean that you cannot connect to your web server from outside (for example from home)? Right?
Have you tried connecting to the IP instead of the URL from the outside world?
Yes, I cannot connect through either the public IP or the URL from the outside world.
I do not need to know it.
I just want to understand the address translation, because if you connect to the outside world through an ADSL router, this router has to have a port forward from its external IP:80 to some internal IP:80. And you have to be able to ping its external IP.
I just want to make sure.
The router is a Debian Lenny box (Squid-firewall), not ADSL but a cable modem.
And you can see in the iptables output that it is port forwarding IP:80 to DMZ:80.
The external public IP is assigned to your cable modem, not to your Squid-firewall, right?
Can you ping the cable modem from outside?
Does the cable modem forward port 80 to the inside network?
Yes, it's clear. I told you that the dynamic public IP of the cable modem is redirected through Zoneedit. With that configuration the web server (Apache2) worked fine mounted on the server 190.xxx.xxx.89, UNTIL I moved the web server to the DMZ, and on the DMZ we applied port forwarding to a subnet 192.168.222.0...
Because when I set the DMZ IP in the same LAN range 192.168.111.0 (for example 192.168.111.20) it also worked fine...
I mean that the outgoing traffic works well, but there is trouble when I change the IP of the DMZ to a range different from the LAN...
I'm going to sleep; I'll leave this comment about the DMZ implementation with iptables/NAT etc... The text is an extract from the Oskar Andreasson page; he's the author of the iptables script that I use on the server (maybe you know him)...
I'm thinking about some of this, and about what the trouble is... and the solution...
--------paste----------------
"The De-Militarized Zone is in this case 1-to-1 NATed and requires you to do some IP aliasing on your firewall, i.e., you must make the box recognize packets for more than one IP. There are several ways to get this to work, one is to set 1-to-1 NAT, another one if you have a whole subnet is to create a subnetwork, giving the firewall one IP both internally and externally. You could then set the IP's to the DMZed boxes as you wish. Do note that this will "steal" two IP's for you, one for the broadcast address and one for the network address. This is pretty much up to you to decide and to implement."
Ok, if you are sure that your cable modem forwards port 80 to the local network, let's go further.
So the request reaches eth0=190.xxx.xxx.89:80, and according to your PREROUTING rule:
PREROUTING -d 190.xxx.xxx.89/32 -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.222.22
But to what port? How does it know where this packet will be sent to? Check me, please.
I suggest changing that rule to:
PREROUTING -i eth0 -d 190.xxx.xxx.89/32 -p tcp --dport 80 -j DNAT --to-destination 192.168.222.22:80
And the packet goes to the FORWARD chain towards 192.168.222.22 = eth2.
The FORWARD chain is made only for forward rules, not for filtering them.
So, assuming that from ALL incoming traffic on eth0 ONLY port 80 will be redirected to eth2, you need:
-A FORWARD -i eth0 -o eth2 -j ACCEPT
This rule should be the first in the FORWARD chain.
And the packet should now enter the OUTPUT chain. As long as your default rule is
:OUTPUT DROP, nothing passes that chain. You need a rule that will allow packets to go out to 192.168.222.22:80=eth2.
-A OUTPUT -s 190.xxx.xxx.89/32 -j ACCEPT or -A OUTPUT --dst 192.168.222.22 -p tcp --dport 80 -j ACCEPT
VERY IMPORTANT - that rule should be FIRST in the OUTPUT chain. That is why I asked you to post "iptables-save", because you can see the sequence of the rules.
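As an added example (not code from the thread, nor from Oskar Andreasson's script), here is the DNAT-to-DMZ rule set with the chain order a practitioner would actually use, assuming the thread's layout (eth0 public, eth1 LAN 192.168.111.0/24, eth2 DMZ 192.168.222.0/24, web server at .22) and a placeholder public address since the real one is elided on the page. One caveat worth keeping in mind: a forwarded packet traverses PREROUTING, FORWARD and POSTROUTING only, while the OUTPUT chain sees just the traffic the firewall generates itself.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal, ordered rule set for the
# three-legged firewall described above. Assumed layout (from the thread):
#   eth0 = public side, eth1 = LAN 192.168.111.0/24,
#   eth2 = DMZ 192.168.222.0/24 with the web server at .22.
# PUB_IP is a placeholder from the TEST-NET-3 documentation range because the
# page only shows 190.xxx.xxx.89. Set IPT=echo for a dry run that prints rules.
IPT="${IPT:-iptables}"
PUB_IF=eth0
DMZ_IF=eth2
PUB_IP="${PUB_IP:-203.0.113.89}"   # placeholder; use the firewall's real eth0 address
DMZ_WEB=192.168.222.22

dmz_web_rules() {
    # Without this sysctl nothing is routed, whatever the FORWARD chain says.
    [ "$IPT" = echo ] || sysctl -w net.ipv4.ip_forward=1 >/dev/null

    # 1. nat/PREROUTING: rewrite the destination, with an explicit target port.
    $IPT -t nat -A PREROUTING -i "$PUB_IF" -d "$PUB_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$DMZ_WEB:80"

    # 2. filter/FORWARD: forwarded packets are decided here, not in OUTPUT.
    #    Replies and related traffic are matched by conntrack first; only NEW
    #    connections need the narrow eth0 -> eth2 rule.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$PUB_IF" -o "$DMZ_IF" -d "$DMZ_WEB" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT

    # 3. Everything else crossing the firewall is dropped by policy.
    $IPT -P FORWARD DROP
}

# The DMZ host must use the firewall's eth2 address as its default gateway;
# if replies leave by another path the DNAT conntrack entry never matches.
if [ "${1:-}" = apply ]; then
    dmz_web_rules
fi
```

Run it as root on the firewall with the `apply` argument; `IPT=echo sh dmz.sh apply` prints the rules instead, and `iptables-save` afterwards shows the resulting order.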
nimnull22, I'm sorry... I made all the changes, but none of them works...
In the O. Andreasson text pasted above, he talks about NAT 1:1...
How do I do it? Do you think something like this could work?