ericr29

asked on

RHEL 5 & RV016 DMZ setup

I have a new Dell PowerEdge 2900 server running RHEL 5, and I want to connect it to our corporate Linksys RV016 router via the DMZ port so I can expose the server to the internet.  I do have a public IP address to use.  So far I have not had any luck in my amateurish attempts to get this setup going.  I am a programmer, not a network technician, so any help is GREATLY appreciated.

How can I accomplish what I am trying to do?

Thanks...
that1guy15

What have you done up to this point? Have you connected the server to the DMZ port? Have you assigned the public IP to the server? A little more info will help.
ericr29

ASKER

All I have done is connect the cable to the DMZ port on the router.  I do not know how to assign a static IP on Linux.  I do not know how to configure the DMZ port/host.  Nothing that I have tried has been successful, so I pretty much need to start from scratch.

To change your IP, go to /etc/sysconfig/network-scripts. You will see several files called ifcfg-eth0 and ifcfg-eth1 (if you have two NICs). Open the file for the NIC you are connecting to the switch and configure it with the following information, of course adjusting for your IP, mask, and gateway:

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=x.x.x.x
NETMASK=255.x.x.x
GATEWAY=x.x.x.x
# Leave HWADDR the same as you already have.
HWADDR=00:0c:29:52:ac:a6

You will also need to update your information in /etc/sysconfig/network with the new gateway and, I believe, IP.

You may also want to update your /etc/hosts file

Here is a link from Red Hat that might help

http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/ref-guide/s1-networkscripts-interfaces.html


Save and restart the network service

If the switch port is already set up in the DMZ then you should be good to go.
ericr29

ASKER

I was able to put the IP address into the server, gateway, netmask, etc.  The thing that has confused me is that the DMZ setup on the RV016 router asks for a Private IP for the DMZ machine (see attachment).  I do not understand what is supposed to go there as I have assigned a public IP to the server.
dmz.jpg
What it is doing is allowing one of your LAN servers to be accessible from the internet. So assign the server a private address and place that in the section you mentioned. Under the network settings section there is a field for the DMZ IP. This is where you put your public IP for the web server.
ericr29

ASKER

I thought I assigned my server a public address??
For the RV016, when using the DMZ port you assign the server a private IP so it can still access local resources. Then you assign the DMZ port your public IP. When someone tries to access the web site, the router knows to send any traffic destined for that IP to the private IP placed in the DMZ host section. Here is the admin guide, which walks you through it.


RV016.pdf
ericr29

ASKER

Thanks.  I got all that data in.  However when I try to ping an IP (yahoo.com) I get no response.  It seems like something is wrong with my DNS settings?  The Primary and Secondary DNS are set the same way as the Windows PCs on the LAN.

Any ideas?
ericr29

ASKER

The gateway is set to the LAN IP of the router.  The sub-net mask is set to the sub-net mask on the router and LAN PCs.
Since the server is in a DMZ, it might not have access to your local DNS servers, or the LAN for that matter. Check your access rules in the router to see if anything is restricted between the DMZ and LAN. You can also try setting your DNS settings to
Primary 4.2.2.2
Secondary 4.2.2.3

or use your ISP's DNS servers for name resolution.
ericr29

ASKER

This does not make any sense.  I set the primary and secondary DNS on the server to the ISP DNS addresses.  Now when I try to ping something I get: "Connect: network is unreachable".

Which settings on the server should be LAN and which should be WAN?

Thanks...
OK, so by default your router denies all traffic from your LAN to any computer set in the DMZ. So unless you specifically allowed this traffic on the router you will not be able to use the DNS settings of your LAN. That is why you need to set the DNS IP addresses to either your ISP or another known good DNS server such as the ones I listed before.

So you said you have your DNS settings set to your ISP's DNS servers but you are unable to ping them. Can you ping the router? Do you have your gateway set to the router's IP? If not, then it needs to be set to the router IP.
ericr29
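
Added example, not part of the original posts: a check of the ifcfg values from earlier in the thread that answers the gateway question above. When GATEWAY lies outside the subnet defined by IPADDR and NETMASK, Linux cannot install the default route and ping fails with "network is unreachable". The sample addresses are constructed, and `parse_ifcfg` and `check_ifcfg` are hypothetical helper names.

```python
import ipaddress

# Constructed sample (addresses are made up): an ifcfg-eth0 in the format shown
# earlier in the thread, with a gateway that is NOT inside the host's subnet.
SAMPLE_IFCFG = """\
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.2.10
NETMASK=255.255.255.0
GATEWAY=203.0.113.1
"""

def parse_ifcfg(text):
    """Parse KEY=value lines, ignoring blank lines and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings

def check_ifcfg(text):
    """Return a list of problems that would stop the interface from routing."""
    cfg = parse_ifcfg(text)
    missing = [k for k in ("IPADDR", "NETMASK", "GATEWAY") if k not in cfg]
    if missing:
        return ["missing " + ", ".join(missing)]
    try:
        iface = ipaddress.ip_interface(cfg["IPADDR"] + "/" + cfg["NETMASK"])
        gateway = ipaddress.ip_address(cfg["GATEWAY"])
    except ValueError as exc:
        return ["invalid address: %s" % exc]
    problems = []
    if gateway not in iface.network:
        problems.append("GATEWAY %s is outside %s: the default route cannot "
                        "be installed (ping reports 'network is unreachable')"
                        % (gateway, iface.network))
    if cfg.get("ONBOOT", "").lower() != "yes":
        problems.append("ONBOOT is not 'yes': interface stays down at boot")
    return problems

if __name__ == "__main__":
    for problem in check_ifcfg(SAMPLE_IFCFG):
        print("PROBLEM:", problem)
```
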

ASKER

The only things I can ping are localhost and the host itself (private IP).  I have the gateway set to the WAN IP of the router.  The DNS servers are set for the ISP DNS servers.

Am I overlooking something else?
ericr29

ASKER

With the settings as we have discussed I get nothing but "connect: network is unreachable".  I do not see anywhere in the router settings where I block DMZ traffic, the DMZ port is enabled.  I have upgraded the firmware also.
ericr29

ASKER

Do I need to add a route(s)?
ASKER CERTIFIED SOLUTION
that1guy15

This solution is only available to members.
ericr29

ASKER

Thanks.  That seemed to get the server on the network insofar as I can surf the web.  The problem now is that I cannot ping anything from the server.  I can go to http://www.yahoo.com in the browser, but I cannot ping it.  Also, I cannot see the server from the LAN, I tried to SSH into the server from a Windows box and the IP does not resolve.

Do you know of some setting or rule that is disallowing this kind of traffic?
The default firewall rules on the router should allow all traffic from the LAN to the DMZ. Double check to make sure this is true. Also, if you have iptables or SELinux enabled on the server, you might not be able to ping or SSH to the server. If you can access a web site, there should be no reason you can't ping it unless you are blocking outgoing ICMP somewhere.

The Router has the following Default Rules:
- All traffic from the LAN to the WAN is allowed.
- All traffic from the WAN to the LAN is denied.
- All traffic from the LAN to the DMZ is allowed.
- All traffic from the DMZ to the LAN is denied.
- All traffic from the WAN to the DMZ is allowed.
- All traffic from the DMZ to the WAN is allowed.
ericr29

ASKER

This happens even with the firewall off.  I was able to SSH into the server when it was running on a normal port with DHCP.
So then if you could SSH to it when it was connected to a LAN port, we now know there is nothing wrong with the server. It has to be something on the router blocking the SSH traffic. Check for firewall rules or access rules to make sure this traffic is being allowed. Can you ping the server from a public IP?
ericr29

ASKER

I can ping the server from a public IP; oddly, while I can ping, I cannot wget the root of the website.

Here are my firewall access rules:

The last 7 rules are default and cannot be removed, but I thought the custom rules override them.

Action  Service          Source Interface  Source               Destination          Time
Allow   All Traffic [1]  DMZ               [Internal IP Range]  Any                  Always
Allow   All Traffic [1]  LAN               Any                  Any                  Always
Allow   All Traffic [1]  DMZ               Any                  [Internal IP Range]  Always
Allow   All Traffic [1]  DMZ               Any                  Any                  Always
Allow   HTTP [80]        WAN1              Any                  Any                  Always
Allow   All Traffic [1]  LAN               Any                  Any                  Always
Allow   All Traffic [1]  WAN1              Any                  [Public IP Range]    Always
Deny    All Traffic [1]  WAN1              Any                  Any                  Always
Allow   All Traffic [1]  WAN2              Any                  [Public IP Range]    Always
Deny    All Traffic [1]  WAN2              Any                  Any                  Always
Deny    All Traffic [1]  DMZ               Any                  [Internal IP Range]  Always
Allow   All Traffic [1]  DMZ               Any                  Any                  Always


Try adding a rule to the top of the list:
Allow all traffic
Source interface: LAN
Source: Any
Destination: DMZ

Also change the allow HTTP [80] to:
Source interface: WAN1
Source: Any
Destination: DMZ (you have ANY, which is allowing anyone on the net to access your LAN interface.)

See if that helps.

Also, do you have SELinux running on the server? You can check by going to /etc/selinux/config. SELinux could be stopping some of your traffic.
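
Added example, not part of the original posts: an audit of the access-rule table posted above, showing which rules can never take effect and which rule decides a given packet. It assumes the router evaluates rules top to bottom with the first match winning, and it treats the redacted address ranges as opaque labels (`INTERNAL`, `PUBLIC`); the packet labels `DMZ_HOST` and `INTERNET` and all function names are constructed for the example.

```python
# Rules as posted above, top to bottom:
# (action, service, source interface, source, destination).
# "INTERNAL" / "PUBLIC" stand for [Internal IP Range] / [Public IP Range].
RULES = [
    ("Allow", "All",  "DMZ",  "INTERNAL", "Any"),
    ("Allow", "All",  "LAN",  "Any",      "Any"),
    ("Allow", "All",  "DMZ",  "Any",      "INTERNAL"),
    ("Allow", "All",  "DMZ",  "Any",      "Any"),
    ("Allow", "HTTP", "WAN1", "Any",      "Any"),
    ("Allow", "All",  "LAN",  "Any",      "Any"),       # defaults start here
    ("Allow", "All",  "WAN1", "Any",      "PUBLIC"),
    ("Deny",  "All",  "WAN1", "Any",      "Any"),
    ("Allow", "All",  "WAN2", "Any",      "PUBLIC"),
    ("Deny",  "All",  "WAN2", "Any",      "Any"),
    ("Deny",  "All",  "DMZ",  "Any",      "INTERNAL"),
    ("Allow", "All",  "DMZ",  "Any",      "Any"),
]

def covers(general, specific):
    """True if field value 'general' matches everything 'specific' matches."""
    return general in ("Any", "All") or general == specific

def rule_covers(rule, service, iface, src, dst):
    """True if 'rule' matches the given service/interface/source/destination."""
    _, r_svc, r_if, r_src, r_dst = rule
    return (r_if == iface and covers(r_svc, service)
            and covers(r_src, src) and covers(r_dst, dst))

def first_match(service, iface, src, dst, rules=RULES):
    """Return (1-based rule number, action) of the rule that decides a packet."""
    for n, rule in enumerate(rules, 1):
        if rule_covers(rule, service, iface, src, dst):
            return n, rule[0]
    return None, "Deny"

def shadowed(rules=RULES):
    """Return (later, earlier) rule numbers where the earlier rule covers the
    later one completely, so the later rule can never be the first match."""
    pairs = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if rule_covers(earlier, *later[1:]):
                pairs.append((j + 1, i + 1))
                break
    return pairs

if __name__ == "__main__":
    print("shadowed:", shadowed())
    print("DMZ -> LAN SSH:", first_match("SSH", "DMZ", "DMZ_HOST", "INTERNAL"))
```

Under that assumption, the default "Deny DMZ to [Internal IP Range]" rule (row 11) is never reached because the custom allow in row 3 matches first, so the DMZ is no longer isolated from the LAN. The `Allow HTTP [80] WAN1 Any Any` row decides inbound HTTP to any destination before the default WAN1 deny.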
ericr29

ASKER

I added the rules you mentioned and no change.  SELinux and the firewall on the server are disabled.
Can servers on the LAN ping the web server with either the internal or external IP? Can they access the web page being hosted on this server?

You might also try adding a route from the LAN to the DMZ, as you suggested before.