Re: [LRP] ipchains/routing gurus, pl help
> I have a 486 with Linux Router Materhorn with Charles' extended scripts
> 1.0 installed, with 3 ethernet cards as shown in the following figure,
> in my university computer lab.
> External Network (BAD)
> |220.127.116.11| Server
> | |eth2
> | |---------------------
> | |18.104.22.168 |
> | | |
> |192.168.100.254| |
> ---------------- ---------
> | eth1 | WEB |
> | ----------
> | 22.214.171.124
> Internal Network (GOOD)
> One card is terminated with the external leased line (eth0). One card
> is connected to my hub which caters to the private LAN (eth1). The last
> card takes care of my DMZ zone (eth2).
> I designate the external network by the word BAD, the internal network by the
> word GOOD and the web server by the word DMZ, and these terms are used
> in creating my ipchains. Needless to say my
> configuration is a copy of the example given at the end of
> 1. I am able to ping from the web server to all three cards of my
> 2. I am able to ping from router to the web server
> 3. From any machine in the internal network I am able to ping all
> cards of router
> 4. From the internal lan, I can browse and do everything to external
> MY PROBLEMS.
> 1. My web server in the DMZ cannot ping anyone other than the router
> 2. My internal LAN cannot ping my web server in the DMZ
> 3. The router log files *DO NOT SHOW* any log entries reg. the dmz-bad chain.
> (ipchains rules are given at the end)
> Therefore I cannot use my web server at all.
My extended scripts do not support the network structure you put in place
(public IP addresses on the DMZ). My extended scripts V1.0 support a private
IP address DMZ network, and use port forwarding to provide external access to
the DMZ machines, and IP aliases on the external LRP interface.
The standard Eiger scripts support a public IP address DMZ network, but
require you have a separate network specification for the DMZ network, and
your upstream router needs to route packets for the DMZ to your LRP box.
Given your current IP addressing above, it does not look like you can run this
way, but I don't know what sort of flexibility you have in specifying your
IP's, and you don't list what's upstream of you.
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
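As an added illustration of the private-IP DMZ layout Charles describes (an alias on the external interface plus port forwarding into a private DMZ), the script below is an example written for this page, not Charles' extended scripts or the Eiger scripts, and the interface names and every address in it (203.0.113.10/11 as the public pair, 192.168.200.0/24 as the DMZ) are assumed for illustration. It emits the ipchains/ipmasqadm commands in dry-run mode by default so it can be read and checked on any machine; set DRY_RUN=0 on a 2.2-kernel LRP box to execute them.

```shell
#!/bin/sh
# Added example: private-IP DMZ behind an LRP box, reached from outside
# through an IP alias on eth0 and ipmasqadm port forwarding.
# All addresses and interface names below are assumptions for this example.
EXT_IF=eth0
EXT_ALIAS=203.0.113.11        # assumed second public address, aliased onto eth0
GOOD_NET=192.168.100.0/24     # internal LAN on eth1
DMZ_NET=192.168.200.0/24      # assumed private DMZ network on eth2
DMZ_WEB=192.168.200.10        # assumed web server address in the DMZ

DRY_RUN=${DRY_RUN:-1}

# run: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

dmz_rules() {
    # Bring up the alias so the LRP box answers ARP for the public DMZ address;
    # the upstream router then needs no special route for the DMZ.
    run ifconfig "$EXT_IF:0" "$EXT_ALIAS" netmask 255.255.255.255 up

    run ipchains -F
    run ipchains -P input ACCEPT
    run ipchains -P output ACCEPT
    run ipchains -P forward DENY

    # GOOD -> BAD: masquerade behind the external interface
    # (in the ipchains forward chain, -i names the outgoing interface).
    run ipchains -A forward -s "$GOOD_NET" -i "$EXT_IF" -j MASQ
    # DMZ -> BAD: masquerade as well, so the web server can reach the outside.
    run ipchains -A forward -s "$DMZ_NET" -i "$EXT_IF" -j MASQ
    # GOOD -> DMZ: both are private networks, so plain routing is enough.
    run ipchains -A forward -s "$GOOD_NET" -d "$DMZ_NET" -j ACCEPT
    # DMZ -> GOOD: deny and log, so a compromised DMZ host shows up in the logs.
    run ipchains -A forward -s "$DMZ_NET" -d "$GOOD_NET" -j DENY -l
    # Port-forwarded HTTP arrives in the forward chain with the DMZ web
    # server as destination; allow only that port through.
    run ipchains -A forward -p tcp -d "$DMZ_WEB" 80 -j ACCEPT

    # Inbound HTTP to the alias is rewritten to the DMZ web server.
    run ipmasqadm portfw -f
    run ipmasqadm portfw -a -P tcp -L "$EXT_ALIAS" 80 -R "$DMZ_WEB" 80
}

dmz_rules
```

With this layout the only public address the DMZ ever presents is the alias on eth0; nothing upstream has to know the 192.168.200.0/24 network exists, which is why the extended scripts can work without a separate DMZ network specification.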