LinuxQuestions.org
09-22-2013, 10:26 PM   #1
fuel451
LQ Newbie
Registered: Sep 2013
Posts: 14
RHEL 6.3 DMZ Configuration.


New to intermediate RHEL user. Trying to set up a RHEL web server in a DMZ that will need to communicate with a RHEL server on an internal network. The server has NIC 1 set up for an internal address and NIC 2 for a DMZ address. Users inside the network will not need to access the URL on the external web server. Below is the basic config.

External Static Range: 65.x.x.2 to 65.x.x.6
Firewall Interface: 65.x.x.2
External Firewall Gateway: 65.x.x.1
External NAT: 65.x.x.3 to 10.2.x.2

DMZ Interface 10.2.x.1
DMZ Web Server Nic 2 IP: 10.2.x.2
Subnet: 255.255.0.0

Internal Nic 1: 10.0.x.2
Subnet: 255.255.0.0

Issue: The firewall log shows the traffic being allowed on the necessary ports coming from the external ip to the NAT'd DMZ IP, but then there is no response from the RHEL server. It's my understanding that this issue is on the RHEL server and not the firewall, possibly a configuration to route traffic from the DMZ nic to the internal nic.

Could someone provide some insight, documentation, or a link that might help resolve this?

Thank you.
09-23-2013, 07:00 AM   #2
acid_kewpie
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
It just sounds like there is no default route from the server outbound towards the net, based on what you've said. If you tcpdump on the box, do you see a SYN ACK packet leave the box for somewhere? Have you set two default gateways or something else unusual / illogical?

Why does your "DMZ" server have an internal NIC? Classically unless you have another firewall below the DMZ server as well, that box would only have the DMZ NIC to reach it. Otherwise, if someone compromises the DMZ box, then they're off and away using the internal NIC, which totally undermines the logic of the DMZ in the first place.
09-23-2013, 07:48 AM   #3
fuel451
LQ Newbie
Registered: Sep 2013
Posts: 14
Original Poster
Unfortunately, the developers needed to get started immediately, and the DMZ configuration wasn't ready. The server was set up with an internal NIC so they could have access to the internal database, and the external NIC (DMZ) was added afterward. Running a tcpdump nets no SYN ACK. NIC 1 points to the gateway of the internal network, the primary internet connection. NIC 2 points to the gateway of a secondary internet connection.

I agree with the classic DMZ config. Since the server has to communicate with the internal network, in a single-NIC config you'd still have to route the DMZ NIC so it could communicate internally, right?

Running a traceroute shows the server to be using the gateway from NIC 1 (internal). I suspect this is the problem.
09-23-2013, 08:58 AM   #4
acid_kewpie
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
So you have TWO default gateways? That won't work. NICs don't get routed anywhere, the entire system is. The internal NIC should only be used to reach 10.0.0.0/8 or whatever your internal network range is. Before it's removed, of course, as right now you do NOT have a DMZ.
09-23-2013, 10:24 AM   #5
fuel451
LQ Newbie
Registered: Sep 2013
Posts: 14
Original Poster
Ok, makes sense. We cannot remove the internal NIC because the development is tied to that NIC and IP address. We can remove the gateway configured on the internal NIC and set the /etc/sysconfig/network gateway to the DMZ gateway. Also, our firewall is doing a 1-to-1 NAT to the DMZ IP and we only have specific ports open. Is it possible to create a route or IP forwarding between two NICs?
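The single-default-gateway layout that post #4 describes and post #5 proposes, as an added example that is not from anyone in this thread: a POSIX shell script that counts default routes in an `ip route` listing (a constructed one is embedded) and writes the RHEL 6 style config into a scratch directory, with one GATEWAY in /etc/sysconfig/network pointing at the DMZ side and a route-eth0 file for the internal range. Interface names eth0/eth1 and the addresses 10.0.0.0/16, 10.0.0.1, 10.2.0.1, 10.x.0.2 are constructed stand-ins for the thread's masked 10.0.x.x / 10.2.x.x values.

```shell
#!/bin/sh
# Added example, not the thread's own configuration. Addresses and interface
# names are constructed stand-ins for the masked values in the posts above.
INT_IF="eth0"               # NIC 1: internal network
DMZ_IF="eth1"               # NIC 2: DMZ
INTERNAL_NET="10.0.0.0/16"  # thread's internal range with netmask 255.255.0.0
INTERNAL_GW="10.0.0.1"      # constructed internal router (NOT a default gateway)
DMZ_GW="10.2.0.1"           # firewall's DMZ interface: the only default gateway

# Constructed `ip route show` output of the broken state described in the
# thread: one "default" entry per NIC, so replies may leave the wrong way.
BROKEN_ROUTES='10.2.0.0/16 dev eth1  proto kernel  scope link  src 10.2.0.2
10.0.0.0/16 dev eth0  proto kernel  scope link  src 10.0.0.2
default via 10.0.0.1 dev eth0
default via 10.2.0.1 dev eth1'

# Count "default" routes in an ip-route listing read from stdin.
# Anything other than 1 is the misconfiguration post #4 points at.
count_default_routes() {
    grep -c '^default '
}

# Write the corrected RHEL 6 sysconfig layout into $1 (a scratch dir, not /etc).
write_fixed_config() {
    dir="$1"
    mkdir -p "$dir/network-scripts"
    # Exactly one system-wide GATEWAY, via the DMZ side.
    printf 'NETWORKING=yes\nGATEWAY=%s\n' "$DMZ_GW" > "$dir/network"
    # Internal NIC: no GATEWAY= line, so it no longer creates a second default.
    printf 'DEVICE=%s\nBOOTPROTO=none\nIPADDR=10.0.0.2\nNETMASK=255.255.0.0\nONBOOT=yes\n' \
        "$INT_IF" > "$dir/network-scripts/ifcfg-$INT_IF"
    printf 'DEVICE=%s\nBOOTPROTO=none\nIPADDR=10.2.0.2\nNETMASK=255.255.0.0\nONBOOT=yes\n' \
        "$DMZ_IF" > "$dir/network-scripts/ifcfg-$DMZ_IF"
    # Static route so only the internal range goes out the internal NIC
    # (route-<if> file in "ip route" argument format).
    printf '%s via %s dev %s\n' "$INTERNAL_NET" "$INTERNAL_GW" "$INT_IF" \
        > "$dir/network-scripts/route-$INT_IF"
}

# Check a sysconfig tree: no GATEWAY= in any ifcfg file, exactly one in network.
check_single_gateway() {
    dir="$1"
    if grep -q '^GATEWAY=' "$dir"/network-scripts/ifcfg-*; then
        return 1
    fi
    [ "$(grep -c '^GATEWAY=' "$dir/network")" -eq 1 ]
}
```

On the live box the same count can be taken with `ip route show | grep -c '^default '` before and after restarting the network service.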