This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Question about DMZ

Hi!

I recently managed to setup a DMZ with help from this forum. I have a ftpserver running on the DMZ. The FTP is working as a charm from external and from the lan.

I only have one external ip from ISP.

The problem now is that i don't know how to set the correct rules to let the server access HTTP etc.

eth0: 192.168.0.X (LAN)
eth1: 217.XXX.XXX.XXX (ISP)
eth2: 192.168.4.X (DMZ)

I don't know if the lan-settings are correct on the server.
IP: 192.168.4.1
Gateway: 192.168.0.254 (ASTARO)

This thread was automatically locked due to age.

Parents

0 AJo over 21 years ago

Gateway on your server should be the ASL DMZ NIC address (if the server is located on that subnet as I assume)

DNS should be the DNS server you use, either the ASL DMZ NIC address if DNS proxy is enabled or the ISP provided address. If you provide your own DNS service then point the server to that address.
Cancel
Vote Up 0 Vote Down

Cancel
0 lejzer over 21 years ago in reply to AJo

Thank you!

That seems to be correct settings, but i still can't get the server to access anything on the outside?
Cancel
Vote Up 0 Vote Down

Cancel
0 AJo over 21 years ago in reply to lejzer

1. Are you MASQ or SNAT all traffic from the server? Or do you just SNAT specific services (ie. ports)
2. Check you filter rules. Do you allow the server to http and dns?
3. Check the filter log to analyze the traffic.
Cancel
Vote Up 0 Vote Down

Cancel
0 lejzer over 21 years ago in reply to AJo

Actually i didn't MASQ or SNAT anything. I've just added rules for letting the server access different services.

Maybe that's the problem?
Cancel
Vote Up 0 Vote Down

Cancel
0 AJo over 21 years ago in reply to lejzer

yup... since no other host outside your ASL protected environment will find the route to the server using a private address.
Cancel
Vote Up 0 Vote Down

Cancel
0 lejzer over 21 years ago in reply to AJo

I see,

Can you point me in the right direction how the NAT/MASQ should look like?
Cancel
Vote Up 0 Vote Down

Cancel
0 AJo over 21 years ago in reply to lejzer

Choose either to MASQ or SNAT. Check the provided link below and read either the MASQ for clients part or the FTP SNAT part.

portfw
Cancel
Vote Up 0 Vote Down

Cancel
0 lejzer over 21 years ago in reply to AJo

Thanks,

I've read that article for setting up the MASQ/NAT for inbound access to the FTPServer on the DMZ, and that works, but now the problem is the other way around. Letting traffic from the server on the DMZ out.

Or am i misunderstanding your point? [:)]
Cancel
Vote Up 0 Vote Down

Cancel
0 AJo over 21 years ago in reply to lejzer

yes you are misunderstanding, there is no use of letting traffic in (inbound) unless you let the internal destination to respond(ie. outbound). So both parts are described there.

1. MASQ webserver ==> ASL_external_interface

or

2. SNAT webserver ===> ASL_external_interface

some other useful links:
Initial_Setup.pdf

A_NAT_Primer.pdf
Cancel
Vote Up 0 Vote Down

Cancel
0 VelvetFog over 21 years ago in reply to lejzer

You will need a SNAT rule like this:

FTP Any -> External_Interface__ / FTP DMZ_Interface__ ftpserver.whatever.com

I have this configured on my ASL box, and it works.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 VelvetFog over 21 years ago in reply to lejzer

You will need a SNAT rule like this:

FTP Any -> External_Interface__ / FTP DMZ_Interface__ ftpserver.whatever.com

I have this configured on my ASL box, and it works.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 VelvetFog over 21 years ago in reply to VelvetFog

Correcting my previous post, as it had an error in the SNAT line.

You will need a SNAT rule like this:

FTP Any -> External_Interface__ / FTP None ftpserver.whatever.com

The logic is this:

Any address entering the external interface,
FTP protocol only (ports 20 & 21),
No source address translation (original address is preserved),
forward to internal FTP server on local LAN.

I have this configured on my ASL box, and it works.

The FTP server must point to the ASL box as its default gateway
Cancel
Vote Up 0 Vote Down

Cancel