Hello there, 2 days ago my gateway died, so I got a new one, same model (HP ML350 G10), now with two processors and double the RAM.
In the meantime, I expose my other ClearOS servers directly, using my public IPs.
The setup was easy, just put everything in the same places.
My first WAN works fine; the second one was lost, so I configured another port, deleted the 1:1 firewall rules and replaced them with new ones.
Firewall time!
I had to configure new IPs behind my firewall (LAN); the previous IPs did not work with 1:1 port redirections.
I have some issues with the last two servers: (DNS) and webserver.
I can't reach them behind the gateway, despite the 1:1 port forward (53 TCP/UDP for the DNS, and 80/443 for the webserver, old and new IPs).
I can see them in the LAN but not from the internet. I saw the rules in the log, even using iptables -nvL, but it is not working; I just see the index.html of the gateway.
Any ideas?
Responses (5)
Accepted Answer
What is the output of:
iptables -vnL
iptables -nvL -t nat
And what is the 1-to-1 LAN and WAN IP address having the problems? I have a feeling you'll have all sorts of difficulties if you have a block all, allow by exception egress policy.
A firewall start goes in the system log, but in debug mode it is on screen and more verbose.
Accepted Answer
Thank you Nick. I have to clarify: the firewall is NOT in panic mode; my other 1:1 rules are working as expected. There is only a problem with the last two servers (these two 1:1 rules point to my gateway as if it was in panic mode). Actually, yesterday I tried again, and there is something I did not notice previously: my gateway uses egress rules to block everything except some ports; custom rules to allow ports for specific IPs; proxy bypass for some IPs (servers included). But when I fully configure these two servers, the traffic to the internet is blocked: no matter what IP I set, I cannot even ping google. (This is working for my other servers.)
I will start the firewall in debug mode. Can't find anything in the logs......
Accepted Answer
If the firewall is in panic, you may have some bad 1-to-1 NAT rules from your old box. They don't port well (so don't work well in a config backup and restore) as the interfaces often change names between the boxes. Have a look at /etc/clearos/firewall.conf for any lines with a dodgy interface name which does not exist on your current server and delete the line. Saving the file should restart the firewall.
If that does not help, start the firewall in debug mode with a "firewall-start -d" to see where it is failing.
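As an added example (not ClearOS code and not from anyone in this thread): a small POSIX sh script that reads an "iptables -t nat -S" dump on stdin together with the list of interfaces actually present on the box, lists every DNAT rule (1:1 forwards and port forwards alike), and flags the ones bound to an interface that no longer exists, which is the restored-config symptom Nick describes. The rule dump and interface list below are constructed sample data; the interface names (eth0, enp3s0), public addresses and LAN hosts are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not ClearOS code: audit DNAT rules from an `iptables -t nat -S` dump
# and flag rules bound to an interface that does not exist on this gateway.
#
# On a live box (as root) you would run:
#   iptables -t nat -S | audit_dnat "$(ls /sys/class/net | tr '\n' ' ')"
# Here the rule dump and interface list are constructed samples so it runs offline.

# Constructed sample: what `iptables -t nat -S` might print after a config restore.
# enp3s0 is the old box's WAN name (assumption); it does not exist on the new box.
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -d 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
-A PREROUTING -d 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.10:443
-A PREROUTING -d 203.0.113.11/32 -i enp3s0 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.53:53
-A PREROUTING -d 203.0.113.11/32 -i enp3s0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.53:53
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE'

# Constructed sample: interfaces present on the new gateway (space separated).
SAMPLE_IFACES='lo eth0 eth1'

# audit_dnat IFACE_LIST   (rule dump on stdin)
# Prints one line per DNAT rule:
#   OK|STALE <iface> <public-ip>:<port>/<proto> -> <lan-target>
audit_dnat() {
    ifaces="$1"
    while IFS= read -r line; do
        # only DNAT rules matter for "can I reach the LAN host from outside"
        case "$line" in
            *" -j DNAT "*) ;;
            *) continue ;;
        esac
        iface=""; dst=""; proto=""; port=""; target=""
        # split the rule into tokens and pick out the fields we report on
        set -- $line
        while [ $# -gt 0 ]; do
            case "$1" in
                -i) iface="$2"; shift ;;
                -d) dst="${2%/32}"; shift ;;
                -p) proto="$2"; shift ;;
                --dport) port="$2"; shift ;;
                --to-destination) target="$2"; shift ;;
            esac
            shift
        done
        # a rule on an interface that is not present never matches any packet
        status=OK
        case " $ifaces " in
            *" $iface "*) ;;
            *) status=STALE ;;
        esac
        printf '%s %s %s:%s/%s -> %s\n' "$status" "$iface" "$dst" "$port" "$proto" "$target"
    done
}

# count_stale IFACE_LIST   (rule dump on stdin): number of DNAT rules on missing interfaces
count_stale() {
    audit_dnat "$1" | grep -c '^STALE' || true
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_RULES" | audit_dnat "$SAMPLE_IFACES"
```

Any line marked STALE is a rule the kernel will never match; on ClearOS the fix is the one above (remove the corresponding entry from /etc/clearos/firewall.conf so the firewall restarts cleanly), not editing iptables by hand, since the next firewall restart regenerates the rules from that file.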
Accepted Answer
Yes, they are authoritative/public DNS servers under heavy attack (this is why they are behind COS).
The index is shown as if the firewall was in panic mode: every way leads to Rome (index.html).
I did not have access to 80/443; those ports are blocked in my gateway. 1:1 firewall to another server in my LAN (actually working).
Running a /29 on both ISPs, several servers behind my LAN, running round robin / load balancing.
Accepted Answer
You should not need to port forward/1:1 NAT UDP at all. That would only be if you were running a public DNS server.
If you see index.htm from the gateway then close the gateway incoming ports 80 and 443. You can port forward or open ports, but not both.
Then I am a bit confused. Are you running 1:1 NAT or port forwarding? 1:1 NAT is for when you have a block of public IPs and you want to use any of them internally except for the IP assigned to your WAN NIC. Port forwarding is for forwarding ports from your WAN interface IP to your LAN.
Lastly there is one further option with the ProxyPass app. With this you can run multiple web servers on your LAN all using the same WAN IP, but different domains or subdomains.