
spargonaut 06-07-2007 10:09 AM

shorewall routing issue: "no route to host" from dmz
Hey folks,
I've been messing with this issue for the past couple of days and have realized that I need help.

Here's my network layout:
- www is connected to a DSL modem
- the DSL modem is connected to 1 computer running Debian etch and shorewall
- the shorewall machine has three NICs:
  - eth0 connected to the DSL modem, pulling a dhcp address
  - eth1 connected to a local (wired, trusted) network, handing out dhcp addresses; there is a printer and a file server on this network receiving static IPs based on HW addresses
  - eth2 connected to a wireless router, but still handing out dhcp addresses; the fact that eth2 is (will be) connected to a wireless router is (somewhat) irrelevant (I believe)
All the testing I'm doing is from another machine connected directly to eth2.
Yes, I'm using a crossover cable. Sometimes it's the easy stuff you overlook. :D

- the *.1.0 NW is referred to as 'net'
- the *.2.0 NW is referred to as 'loc'
- the *.3.0 NW is referred to as 'dmz'

What's happening:
OK, so it seems that dhcp is working just fine on all needed interfaces. It pulls an address on eth0, and it dishes 'em out on eth1 and eth2, keeping track of the ones that need static addresses.

Traffic originating on the *.2.0 NW seems to do fine. It can get to the internet and ssh to the machines on the *.3.0 NW, as well as ssh into the firewall (which I haven't decided yet whether that's a good thing or not).

Traffic originating on the *.3.0 NW, however, seems to be running into a problem. It can pull an IP address, but whenever I attempt to ping google, the firewall or anything on the *.2.0 NW I get the response "ping: unknown host" or "Destination Host Unreachable."

In addition, I can't get to the internet from the dmz (*.3.0), which is the main issue.
I am refraining from posting my config files at the moment in order to keep this post brief and not fill it up with unneeded copy, as well as to keep from giving away all of my ACLs.
I DO understand that you folks will need to see them in order to lend me a hand, so upon request I will be happy to post any file you need or provide any further information.

much thanks,
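For reference, here is a minimal Shorewall three-zone configuration matching the topology described in the post (net on eth0, loc on eth1, dmz on eth2). This is an added example, not the poster's configuration, which is not shown; the 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 subnets are assumptions standing in for the "*.1.0 / *.2.0 / *.3.0" networks, and the file formats are those of Shorewall 3.x as shipped with Debian etch. The dmz zone is kept from reaching loc by policy, which is the usual reason for having a DMZ at all.

```text
# /etc/shorewall/shorewall.conf (only the setting that matters here)
IP_FORWARDING=On

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

# /etc/shorewall/interfaces
# "dhcp" is needed on every interface that either obtains an address by DHCP
# (eth0) or has the firewall's own DHCP server answering on it (eth1, eth2);
# without it the DHCP traffic itself is dropped.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,tcpflags,nosmurfs
loc     eth1        detect      dhcp
dmz     eth2        detect      dhcp

# /etc/shorewall/policy
# Order matters: the first matching line wins, the last line is the catch-all.
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
loc     dmz     ACCEPT
dmz     net     ACCEPT
dmz     loc     DROP    info
fw      all     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# The "all all REJECT" policy above also covers dmz->fw and loc->fw, so
# anything the LAN hosts need from the firewall itself must be opened here.
# If the firewall is the DNS forwarder handed out by DHCP, a missing
# DNS/ACCEPT line for a zone shows up on its hosts as "ping: unknown host".
#ACTION      SOURCE  DEST    PROTO   DEST PORT(S)
DNS/ACCEPT   loc     $FW
DNS/ACCEPT   dmz     $FW
Ping/ACCEPT  loc     $FW
Ping/ACCEPT  dmz     $FW
SSH/ACCEPT   loc     $FW
SSH/ACCEPT   loc     dmz

# /etc/shorewall/masq
# One line per inside interface. Listing only eth1 here is a common way to
# end up with loc reaching the internet while dmz cannot: dmz packets leave
# eth0 un-NATed and the replies never come back.
#INTERFACE  SOURCE
eth0        192.168.2.0/24
eth0        192.168.3.0/24
```

After editing, `shorewall check` validates the files without touching the running ruleset, and `shorewall restart` applies them. When reading symptoms from a dmz host, "ping: unknown host" means name resolution failed before any packet was routed (check the DNS rule and the resolver address DHCP hands out), while "Destination Host Unreachable" means the host has no usable route or gateway for the destination (check that the DHCP lease on eth2 carries the firewall's eth2 address as the default router, and that the masq file covers that subnet).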
