Zeroshell 2.0 RC1 Virtual Server Issue


This topic contains 1 reply, has 0 voices, and was last updated by  byruda 6 years, 9 months ago.


    byruda
    Member

    I am testing Zeroshell 2.0 RC1 and have run into a problem that has me stumped.

    To keep things simple, I’ve started with 3 NICs with an internal net (192.168.1.0/24) on ETH00, a 10/10 fiber with a /29 external network on ETH01, and another internal net (192.168.2.0/24) on ETH02.

    For testing the virtual server, I attached two external IP addresses to ETH01: xxx.yyy.zzz.101 (first IP) and xxx.yyy.zzz.100 (2nd IP).

    I followed the example given in the Zeroshell document “1:1 NAT in Zeroshell.” The NAT/Virtual Server script running is as follows:

    #
    # Translate incoming connections to the private server addresses
    iptables -t nat -I PREROUTING 1 -d xxx.yyy.zzz.100 -i ETH01 -j DNAT --to-destination 192.168.2.201
    #
    # Translate outgoing connections from the private server addresses
    #
    iptables -t nat -I POSTROUTING 1 -s 192.168.2.201 -o ETH01 -j SNAT --to-source xxx.yyy.zzz.100

    I have a post-boot script:

    # Post-Boot Script
    rm -f /etc/ssh/sshd_config
    cp /Database/scripts/sshd_config /etc/ssh/sshd_config
    /etc/init.d/sshd restart

    the purpose of which is to allow the ssh daemon to bind to a non-standard port.

    I have Many:1 NAT translation set up on ETH01.

    The Firewall Input rules are simple:

    1 ETH00 * ACCEPT all opt -- in ETH00 out * 0.0.0.0/0 -> 0.0.0.0/0
    2 ETH03 * ACCEPT all opt -- in ETH03 out * 0.0.0.0/0 -> 0.0.0.0/0
    3 * * ACCEPT icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 8 no
    4 * * ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
    Default Policy is “DROP”

    The Firewall Forwarding rules are:

    1 ETH00 * ACCEPT all opt -- in ETH00 out * 0.0.0.0/0 -> 0.0.0.0/0
    2 ETH03 * ACCEPT all opt -- in ETH03 out * 0.0.0.0/0 -> 0.0.0.0/0
    3 * * ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
    4 ETH01 * ACCEPT tcp opt -- in ETH01 out * 0.0.0.0/0 -> 192.168.2.201 tcp dpt:443
    5 ETH01 * ACCEPT tcp opt -- in ETH01 out * 0.0.0.0/0 -> 192.168.2.201 tcp dpt:22
    6 * * ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:262
    7 * * ACCEPT icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 8
    Default Policy is “DROP”

    Immediately after a re-boot, I used Firefox on a remote system to connect successfully to the internal server at 192.168.2.201 on port 443. A few minutes later I tried again and this time the connection timed out. In working the problem I saw the following lines in the Scripts Log:

    22:20:17 [NAT and Virtual Servers]: Running …
    22:20:17 [NAT and Virtual Servers]: SUCCESS
    22:20:19 [QoS]: Disabled
    22:20:38 [Post Boot]: Running …
    22:20:38 Stopping sshd daemon…
    22:20:39 ^[[A^[[70G[ ^[[1;32mOK^[[0;39m ]
    22:20:40 Starting sshd daemon…
    22:20:40 ^[[A^[[70G[ ^[[1;32mOK^[[0;39m ]
    22:20:40 [Post Boot]: SUCCESS
    22:22:03 [Firewall Chain]: Disabled

    If the Firewall Forward Chain is disabled that explains why I cannot contact the internal server from a remote machine.
    The question is: why is the chain being disabled?

    I also see in the log that QoS is disabled. However, when I look at the QoS statistics, it seems to be correctly tabulating the amount of traffic in the various classes I assigned.

    I would appreciate any comments the community might have about what is going on.

    Thank you
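An added example, not part of the original post or of Zeroshell: a small Python first-match simulator for the Forwarding rules listed above, useful for checking which ports on the 1:1 NAT target the chain actually lets a new connection from ETH01 reach. It assumes PREROUTING DNAT has already rewritten the destination to 192.168.2.201 before FORWARD is evaluated (the order iptables uses for the nat and filter tables), and simplifies rule 7 to "any icmp".

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    in_if: str                    # input interface, "*" = any
    proto: str                    # "all", "tcp" or "icmp"
    dst: str                      # destination as FORWARD sees it (after DNAT), "0.0.0.0/0" = any
    dport: Optional[int] = None
    states: frozenset = frozenset()   # conntrack states; empty = no state match
    target: str = "ACCEPT"

@dataclass(frozen=True)
class Packet:
    in_if: str
    proto: str
    dst: str
    dport: Optional[int] = None
    state: str = "NEW"

FORWARD = [  # the post's Forwarding rules, rule for rule (rule 7 simplified to any icmp)
    Rule("ETH00", "all", "0.0.0.0/0"),
    Rule("ETH03", "all", "0.0.0.0/0"),
    Rule("*", "all", "0.0.0.0/0", states=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ETH01", "tcp", "192.168.2.201", dport=443),
    Rule("ETH01", "tcp", "192.168.2.201", dport=22),
    Rule("*", "tcp", "0.0.0.0/0", dport=262),
    Rule("*", "icmp", "0.0.0.0/0"),
]

def matches(rule: Rule, pkt: Packet) -> bool:
    """Field-by-field test of one rule against one packet, as iptables does it."""
    return ((rule.in_if == "*" or rule.in_if == pkt.in_if)
            and (rule.proto == "all" or rule.proto == pkt.proto)
            and (rule.dst == "0.0.0.0/0" or rule.dst == pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (not rule.states or pkt.state in rule.states))

def verdict(pkt: Packet, chain=FORWARD, policy="DROP"):
    """First match wins; returns (target, rule number), number 0 meaning the chain policy."""
    for number, rule in enumerate(chain, start=1):
        if matches(rule, pkt):
            return rule.target, number
    return policy, 0

def exposed_ports(chain=FORWARD, probe=range(1, 1024)):
    """TCP ports on the NAT target that a NEW connection arriving on ETH01 can reach."""
    return [p for p in probe
            if verdict(Packet("ETH01", "tcp", "192.168.2.201", dport=p), chain)[0] == "ACCEPT"]
```

Because the DNAT rule is not limited to a protocol or port, the Forwarding chain is the only thing limiting what the outside can reach on 192.168.2.201; with the post's rules that is 22 and 443 from rule 4 and 5, plus 262 from rule 6, and an empty chain with the DROP policy blocks everything, which matches the symptom described.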
