Greetings, folks!
It’s been about a month that I’ve been having great sex with an inherited server, based on openSUSE 10.3.
No, no, don’t envy, just join!
Here is the story:
Internet
|
|
Firewall(here it is!) — mail,www server (192.168.2.15)
|
|
LAN (192.168.1.0/24)
So, I have a server (gateway, proxy, firewall, call it whatever you like) with three network interfaces in it, connected to the Internet (fixed IP), a DMZ (mail and web server there), and the internal Local Area Network.
The problem is following:
I can’t get access to the mail and web from the internal network! Requests from the Internet are perfectly redirected to the DMZ, but from the LAN I can reach mail or web only by specifying the internal IP address of the DMZ server!
After three weeks of probing different ways, now I have no idea what can be wrong with the firewall settings. Please help me, if you can, and show me the right way!
FW_DEV_EXT="any eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ="eth2"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="zone:ext"
# giving LAN access to Internet mail
FW_MASQ_NETS="192.168.1.0/24,0/0,udp,domain 192.168.1.0/24,0/0,tcp,domain 192.168.1.0/24,0/0,tcp,pop3 192.168.1.0/24,0/0,tcp,smtp 192.168.1.0/24,0/0,icmp 192.168.2.15,0/0,udp,domain 192.168.2.15,0/0,tcp,domain 192.168.2.15,0/0,icmp"
FW_NOMASQ_NETS=""
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_DMZ_TCP="domain"
FW_SERVICES_DMZ_UDP="domain"
FW_SERVICES_INT_TCP="3128 domain ssh"
FW_SERVICES_INT_UDP="domain"
FW_SERVICES_DROP_EXT=""
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_SERVICES_ACCEPT_EXT="0/0,tcp,ssh"
# LAN access to DNS and proxy on gateway
FW_TRUSTED_NETS="192.168.1.0/24,udp,domain 192.168.1.0/24,tcp,domain 192.168.1.0/24,tcp,ssh 192.168.1.0/24,tcp,3128"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"
# here is the problem! forwarding isn't working!
FW_FORWARD="192.168.1.0/24,192.168.2.15,tcp,993 192.168.1.0/24,192.168.2.15,tcp,80 192.168.1.0/24,192.168.2.15,tcp,443 $EXT_IP,192.168.2.15,tcp,993"
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
# External requests from Internet are working great (first four rules)
FW_FORWARD_MASQ="0/0,192.168.2.15,tcp,993 0/0,192.168.2.15,tcp,25 0/0,192.168.2.15,tcp,80 0/0,192.168.2.15,tcp,443 192.168.1.0/24,192.168.2.15,tcp,993 192.168.1.0/24,192.168.2.15,tcp,80 192.168.1.0/24,192.168.2.15,tcp,443 $EXT_IP,192.168.2.15,tcp,993"
FW_REDIRECT=""
According to tcpdump, it looks like requests from 192.168.1.0/24 are addressed to $EXT_IP, and the gateway server is trying to serve ’em. But there are no web or mail daemons running on it! So… “Connection refused”!
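Added illustration, not part of the original post and not SuSEfirewall2’s own code: a small Python model of the hairpin-NAT situation described above. It assumes, consistent with the tcpdump observation, that the DNAT rules built from FW_FORWARD_MASQ only match packets arriving on the external device; $EXT_IP, the client addresses and the set of ports the gateway itself listens on are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins: the post does not give $EXT_IP or client addresses.
EXT_IP = "203.0.113.10"
EXT_DEV, INT_DEV, DMZ_DEV = "eth1", "eth0", "eth2"
LISTENING_ON_GATEWAY = {22, 53, 3128}  # ssh, dns, proxy; no mail/web daemons (per post)

# First four entries plus one LAN entry from the post's FW_FORWARD_MASQ.
FW_FORWARD_MASQ = ("0/0,192.168.2.15,tcp,993 0/0,192.168.2.15,tcp,25 "
                   "0/0,192.168.2.15,tcp,80 0/0,192.168.2.15,tcp,443 "
                   "192.168.1.0/24,192.168.2.15,tcp,80")

@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: str
    proto: str
    port: int

def parse_forward_masq(value):
    """Parse SuSEfirewall2 'src,dst,proto,port' entries; '0/0' means any source."""
    rules = []
    for entry in value.split():
        src, dst, proto, port = entry.split(",")[:4]
        src = "0.0.0.0/0" if src == "0/0" else src
        rules.append(Rule(ipaddress.ip_network(src, strict=False), dst, proto, int(port)))
    return rules

def handle_packet(src_ip, dst_ip, dport, in_dev, rules):
    """Where does a TCP SYN end up? Assumption: DNAT is applied only on EXT_DEV."""
    src = ipaddress.ip_address(src_ip)
    if in_dev == EXT_DEV and dst_ip == EXT_IP:
        for r in rules:
            if r.proto == "tcp" and r.port == dport and src in r.src:
                return f"DNAT -> {r.dst}:{dport} (FORWARD to {DMZ_DEV})"
    if dst_ip == EXT_IP:
        # Hairpin case: no DNAT matched, so the gateway delivers the packet to itself.
        suffix = "" if dport in LISTENING_ON_GATEWAY else ": connection refused"
        return "INPUT on gateway" + suffix
    return f"FORWARD to {dst_ip}:{dport} (no NAT)"

if __name__ == "__main__":
    rules = parse_forward_masq(FW_FORWARD_MASQ)
    print(handle_packet("198.51.100.7", EXT_IP, 443, EXT_DEV, rules))   # Internet client
    print(handle_packet("192.168.1.20", EXT_IP, 443, INT_DEV, rules))   # LAN via public IP
    print(handle_packet("192.168.1.20", "192.168.2.15", 443, INT_DEV, rules))  # LAN direct
```

The second call reproduces the post’s symptom (LAN client hits the gateway itself and gets refused) while the third shows why the internal DMZ address works; split-horizon DNS, which hands LAN clients the DMZ address directly, is the usual way to avoid relying on hairpin NAT.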