[Shorewall-newbies] Can't connect from LAN to port forwarded web in DMZ. Other connections (like ssh) work fine.

Varga Pavol pavol.varga at dashofer.sk
Mon Mar 15 06:30:38 PST 2004


Thanks for advice, but I already read it.
Today I moved the www server from DMZ to LAN for easier configuration, but it
still doesn't work.
Probably I make a mistake somewhere. Everything in the documentation and
manuals seems so simple and I am really glad that Shorewall is here!
Please, may you check my configuration files?
(DMZ is now disabled)

/etc/shorewall/interfaces
LAN             eth0            detect  routeback
Internet        eth2            detect

/etc/shorewall/masq
eth2    192.168.1.0/24                  217.118.104.9

/etc/shorewall/policy
#$FW             Internet        ACCEPT          - # ports are set only explicit in rules
#LAN             Internet        ACCEPT          - # for disable online games, etc.
Internet        all             DROP            info
all             all             REJECT          info

/etc/shorewall/zones
LAN		LAN			192.168.1.20
Internet	Internet		217.118.104.9

/etc/shorewall/rules
ACCEPT  Internet  $FW     udp     53    - # DNS
ACCEPT  Internet  $FW     tcp     25,53,80,110,143,389      - # smtp, dns, www, pop, imap, ldap

ACCEPT  $FW     Internet        udp     53      - # dns
ACCEPT  $FW     Internet        tcp     25,53,80,110,143,389  - # smtp, dns, www, pop, imap, ldap

ACCEPT  LAN     $FW     udp     53      - # dns
ACCEPT  LAN     $FW     tcp     53,80,110,143,389,8080        -       # dns, ???, pop, imap, ldap, proxy
ACCEPT  LAN     Internet        tcp     25,53,110,143,389     -       # smtp, dns, pop, imap, ldap

REDIRECT        LAN     8080    tcp     80      -       -
# http proxy from LAN

DNAT    Internet        LAN:192.168.1.10        tcp     80      -       217.118.104.9   # www
DNAT    LAN             LAN:192.168.1.10        tcp     80      -       217.118.104.9:192.168.1.20 #FAQ2
DNAT    Internet        LAN:192.168.1.30        tcp     25,110,143,389  -       217.118.104.9   # mail, DNS

ACCEPT  $FW             LAN     udp     53      -
ACCEPT  $FW             LAN     tcp     53,80,8080   - # 


-----Original Message-----
From: Tom Eastep [mailto:teastep at shorewall.net] 
Sent: Sunday, March 14, 2004 10:02 PM
To: List for New Shorewall Users
Subject: Re: [Shorewall-newbies] Can't connect from LAN to port
forwarded web in DMZ. Other connections (like ssh) work fine.


Varga Pavol wrote:

> Hi,
> I have some trouble with connection to my port forwarded www server from
> LAN and from firewall. (from Internet it works)
> I use three-interface firewall with masquerading LAN & DMZ and port
> forwarding some services.
> 
> lynx from firewall to www.myserver.sk returns:
> 
> Alert!: Unable to connect to remote host.
> 
> lynx from firewall to local IP for the first ask me to allow cookies,
> and then returns:
> 
> Looking up 192.168.0.2 first
> Looking up 192.168.0.2
> Making HTTP connection to 192.168.0.2
> Sending HTTP request.
> HTTP request sent; waiting for response.
> HTTP/1.1 302 Object moved
> 'A'lways allowing from domain '192.168.0.2'.
> Data transfer complete
> HTTP/1.1 302 Object moved
> Looking up www.myserver.sk
> Making HTTP connection to www.myserver.sk
> Alert!: Unable to connect to remote host.
> 
> When I tried www.myserver.sk from LAN, the Squid returns:
> 
> While trying to retrieve the URL: http://www.myserver.sk/ 
> 
> The following error was encountered: 
> 
> Connection Failed 
> The system returned: 
> 
>     (111) Connection refused
> The remote host or network may be down.
> Please try the request again.
> 
> And when I tried local IP of myserver, the web browser still resolves it
> to www.myserver.sk and then returns the same error like above.
> 
> Please, where is the problem? I think that I set the rules between the
> zones correctly.
> 

See Shorewall faq #2.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
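
The FAQ #2 entry Tom points at covers reaching a DNAT'd server from the inside, and the rules file posted above also carries a REDIRECT of LAN port-80 traffic to the Squid proxy. As an added illustration (not code from the thread, Shorewall, or either poster), the script below parses the nat-affecting lines of the posted rules file and walks them first-match to show which rule a LAN client's request to the public address 217.118.104.9:80 would reach first. It rests on one assumption, stated in the code and not verified against the Shorewall compiler: REDIRECT and DNAT entries are emitted into the nat PREROUTING chain in file order, first match wins. Zone membership is taken from the posted masq line (192.168.1.0/24 is LAN, everything else Internet); the client addresses 10.0.0.1 and 192.168.1.50 are constructed.

```python
"""Added example (not from the thread): first-match walk over the nat rules
posted above.

Assumption modelled here, not verified against Shorewall itself: REDIRECT and
DNAT entries in /etc/shorewall/rules land in the nat PREROUTING chain in file
order, and the first rule whose SOURCE zone, PROTO, DEST PORT and ORIGINAL
DEST all match wins.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

# Constructed copy of the nat-affecting lines of the posted rules file,
# re-joined onto single lines and kept in the order they were posted.
POSTED_NAT_RULES = """\
REDIRECT  LAN       8080                tcp  80              -  -
DNAT      Internet  LAN:192.168.1.10    tcp  80              -  217.118.104.9
DNAT      LAN       LAN:192.168.1.10    tcp  80              -  217.118.104.9:192.168.1.20
DNAT      Internet  LAN:192.168.1.30    tcp  25,110,143,389  -  217.118.104.9
"""

LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # from the posted masq file


@dataclass
class NatRule:
    action: str                      # REDIRECT or DNAT
    source: str                      # source zone
    dest: str                        # DNAT: zone:ip ; REDIRECT: port on the firewall
    proto: str
    dports: frozenset                # DEST PORT(S) column, split on commas
    orig_dest: Optional[str] = None  # ORIGINAL DEST column; '-' becomes None

    def new_destination(self) -> str:
        """Where a matching packet is sent: 'firewall:port' or the DNAT target."""
        if self.action == "REDIRECT":
            return "firewall:" + self.dest
        return self.dest.split(":", 1)[1]


def parse_rules(text: str) -> List[NatRule]:
    """Parse the seven-column rules lines; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        orig = f[6] if len(f) > 6 and f[6] != "-" else None
        rules.append(NatRule(f[0], f[1], f[2], f[3],
                             frozenset(int(p) for p in f[4].split(",")), orig))
    return rules


def zone_of(ip: str) -> str:
    return "LAN" if ipaddress.ip_address(ip) in LAN_NET else "Internet"


def first_match(rules, src_ip, dst_ip, proto, dport) -> Optional[NatRule]:
    """Return the first rule that would rewrite this packet, or None."""
    src_zone = zone_of(src_ip)
    for r in rules:
        if r.source != src_zone or r.proto != proto or dport not in r.dports:
            continue
        if r.orig_dest is not None:
            # ORIGINAL DEST may carry ':snat-address' (the FAQ 2 form); only the
            # part before the colon is the address the client originally targeted.
            if r.orig_dest.split(":", 1)[0] != dst_ip:
                continue
        return r
    return None


def where_does_it_go(rules, src_ip, dst_ip, dport=80, proto="tcp") -> str:
    """Destination after nat processing; unchanged if no rule matches."""
    r = first_match(rules, src_ip, dst_ip, proto, dport)
    return r.new_destination() if r else dst_ip


def move_rule_first(rules, predicate) -> List[NatRule]:
    """Copy of the list with the first rule satisfying predicate moved to the front."""
    idx = next(i for i, r in enumerate(rules) if predicate(r))
    return [rules[idx]] + rules[:idx] + rules[idx + 1:]


if __name__ == "__main__":
    rules = parse_rules(POSTED_NAT_RULES)
    print("Internet client -> 217.118.104.9:80 :",
          where_does_it_go(rules, "10.0.0.1", "217.118.104.9"))
    print("LAN client      -> 217.118.104.9:80 :",
          where_does_it_go(rules, "192.168.1.50", "217.118.104.9"))
    reordered = move_rule_first(rules, lambda r: r.action == "DNAT" and r.source == "LAN")
    print("same, LAN DNAT listed before REDIRECT:",
          where_does_it_go(reordered, "192.168.1.50", "217.118.104.9"))
```

Under that assumption the walk shows the REDIRECT line, which has no ORIGINAL DEST and so matches every LAN port-80 destination, claiming the request before the FAQ 2 DNAT line is consulted; moving the DNAT line above it changes the outcome. Squid's own onward connection from the firewall is a separate path ($FW rules) that this model does not cover. Whether the ordering is what happens on the box is something to confirm from the packet counters of `iptables -t nat -L -n -v` while a LAN client retries the request.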


_______________________________________________
Shorewall-newbies mailing list
Post: Shorewall-newbies at lists.shorewall.net
Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-newbies
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm

