Friday, 26 August 2011

Check machine firewall if you are configuring network firewall

I have wasted 2 days of my time trying to figure out what is really happening with my firewall config. The story is like this. I tried to configure a 3 NIC firewall machine for my office using Shorewall. For the DMZ zone, I put a test machine with Apache HTTPD installed to test if I can connect to it. With example from this site: http://www.shorewall.net/three-interface.htm . I can have my laptop in the local area to surf the Internet by configuring NAT/MASQ. I can SSH to the test web server, I can ping the server, but what really bugging me is that I cannot access the test web page hosted on the server.

When I tried to connect from firewall to the web server in DMZ by using links/elinks, the application returned error "No route to host". Weird. I tried to check my routing table, and search the Internet for clue. Tried to play around with default gateway for the DMZ, but in the end, I still cannot connect to the web server.

I even scrapped the whole thing and start again from scratch by following the example from this website: http://wiki.debian.org/HowTo/shorewall . Still cannot access.

Then, while searching for solution on the Internet again, I found a forum that ask a poster whether the firewall on the machine itself is turned on. That struck me like lightning. I straight away SSH to the web server in the DMZ and issue the command "service iptables stop".

Going back to my laptop and hit refresh in the web browser, voila!! The page is there!!

I slapped my forehead 3 times for this silly mistake :D

So, moral of the story, if you are configuring firewall for your network, make sure you turn off firewall on the machine so that you are not being fooled into thinking that your firewall configuration is problematic.

2 day wasted, but really priceless experienced learned :)

By the way, Shorewall really rocks :)