New to intermediate RHEL user. Trying to set up a RHEL web server in a DMZ that will need to communicate with a RHEL server on an internal network. The server has NIC 1 set up for an internal address and NIC 2 for a DMZ address. Users inside the network will not need to access the URL on the external web server. Below is the basic config.
External Static Range: 65.x.x.2 to 65.x.x.6
Firewall Interface: 65.x.x.2
External Firewall Gateway: 65.x.x.1
External NAT: 65.x.x.3 to 10.2.x.2
DMZ Interface 10.2.x.1
DMZ Web Server Nic 2 IP: 10.2.x.2
Subnet: 255.255.0.0
Internal Nic 1: 10.0.x.2
Subnet: 255.255.0.0
Issue: The firewall log shows the traffic being allowed on the necessary ports coming from the external ip to the NAT'd DMZ IP, but then there is no response from the RHEL server. It's my understanding that this issue is on the RHEL server and not the firewall, possibly a configuration to route traffic from the DMZ nic to the internal nic.
Could someone provide some insight, documentation, or a link that might help resolve this?
It just sounds like there is no default route from the server outbound towards the net based on what you've said. If you tcpdump on the box, do you see a SYN ACK packet leave the box for somewhere? Have you set two default gateways or something else unusual / illogical?
Why does your "DMZ" server have an internal NIC? Classically unless you have another firewall below the DMZ server as well, that box would only have the DMZ NIC to reach it. Otherwise, if someone compromises the DMZ box, then they're off and away using the internal NIC, which totally undermines the logic of the DMZ in the first place.
Unfortunately, the developers needed to get started immediately, and the DMZ configuration wasn't ready. The server was set up with an internal NIC so they could have access to the internal database, and the external NIC (DMZ) was added afterward. Running a tcpdump nets no SYN ACK. NIC 1 points to the gateway of the internal network, the primary internet connection. NIC 2 points to the gateway of a secondary internet connection.
I agree with the classic DMZ config. Since the server has to communicate with the internal network, in a single-NIC config you'd still have to route the DMZ NIC so it could communicate internally, right?
Running a traceroute shows the server to be using the gateway from NIC 1 (internal). I suspect this is the problem.
So you have TWO default gateways? That won't work. NICs don't get routed anywhere, the entire system is. The internal NIC should only be used to reach 10.0.0.0/8 or whatever your internal network range is. Before it's removed of course, as right now you do NOT have a DMZ.
Ok, makes sense. We cannot remove the internal NIC because the development is tied to that NIC and IP address. We can remove the gateway configured on the internal NIC and set the /etc/sysconfig/network gateway to the DMZ gateway. Also, our firewall is doing a 1-to-1 NAT to the DMZ IP and we only have specific ports open. Is it possible to create a route or IP forwarding between two NICs?
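The two-default-gateway condition the replies describe, and the single-gateway layout they recommend, as an added example that is not part of the thread and not the poster's configuration. It assumes NIC 1 is eth0 and NIC 2 is eth1, that the internal router is 10.0.0.1, and replaces the thread's "x" octet with 0 so the addresses parse; the fix commands are printed for review rather than executed.

```shell
#!/bin/sh
# Added example; interface names, the internal gateway and the "x" octet
# are assumptions, adjust them to the real values before use.
INTERNAL_IF=eth0          # NIC 1: 10.0.x.2, internal network
INTERNAL_GW=10.0.0.1      # assumption: router on the internal LAN
INTERNAL_NET=10.0.0.0/8   # the only range the internal NIC should reach
DMZ_IF=eth1               # NIC 2: 10.2.x.2, NAT'd from 65.x.x.3
DMZ_GW=10.2.0.1           # the firewall's DMZ interface, 10.2.x.1

# Constructed sample of 'ip route' output showing the thread's condition:
# one default route per NIC, so the SYN/ACK can leave via the wrong one.
SAMPLE_ROUTES='default via 10.0.0.1 dev eth0
default via 10.2.0.1 dev eth1
10.0.0.0/16 dev eth0 proto kernel scope link src 10.0.0.2
10.2.0.0/16 dev eth1 proto kernel scope link src 10.2.0.2'

# Number of default routes in 'ip route' output read from stdin.
# Anything other than 1 means the box has no single, consistent gateway.
count_default_routes() {
    grep -c '^default ' || true
}

# Commands that leave exactly one default route (via the DMZ gateway) and
# confine the internal NIC to the internal range; run them as root.
fix_commands() {
    printf 'ip route del default via %s dev %s\n' "$INTERNAL_GW" "$INTERNAL_IF"
    printf 'ip route replace default via %s dev %s\n' "$DMZ_GW" "$DMZ_IF"
    printf 'ip route add %s via %s dev %s\n' "$INTERNAL_NET" "$INTERNAL_GW" "$INTERNAL_IF"
}

# Persistent form for RHEL: contents of /etc/sysconfig/network-scripts/route-eth0
# (one route per line in 'ip route' syntax). GATEWAY= in /etc/sysconfig/network
# then names only the DMZ gateway, and no GATEWAY= appears in ifcfg-eth0.
internal_route_file() {
    printf '%s via %s dev %s\n' "$INTERNAL_NET" "$INTERNAL_GW" "$INTERNAL_IF"
}

n=$(printf '%s\n' "$SAMPLE_ROUTES" | count_default_routes)
echo "default routes found: $n"
if [ "$n" -ne 1 ]; then
    echo "fix with (as root):"
    fix_commands
fi
```

On a live box, feed `ip route show` into `count_default_routes` instead of the sample; a value of 2 matches the traceroute result described above.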