Re: Lan to Wan reprise

From: Claude Jones (claude_jones_at_levitjames.com)
Date: 03/14/05

    Date: Mon, 14 Mar 2005 01:30:53 -0500
    To: For users of Fedora Core releases <fedora-list@redhat.com>
    
    

    Jeff Vian wrote:

    >On Sun, 2005-03-13 at 23:05 -0500, Claude Jones wrote:
    >
    >
    >>Another elaboration of the investigation:
    >>Below are 3 lines from a tcpdump monitoring the external nic as I
    >>attempted to access the web from a lan machine. It looks to me like the
    >>requests are making it to the external nic, because DNS lookups are
    >>being attempted, no?
    >>22:49:22.142576 IP (tos 0x0, ttl 127, id 924, offset 0, flags [none],
    >>proto 17, length: 64) 192.168.2.253.1031 > ns1.nlayer.net.domain:
    >>62240+ A? www.levitjames.com. (36)
    >>22:49:22.603798 arp who-has 10.0.0.1 tell 10.0.4.62
    >>22:49:22.735672 IP (tos 0x0, ttl 127, id 925, offset 0, flags [none],
    >>proto 17, length: 61) 192.168.2.253.1025 >
    >>ns2.rec.servercentral.net.domain: 7458+ A? www.directv.com. (33)
    >>22:49:22.735936 IP (tos 0x0, ttl 127, id 926, offset 0, flags [none],
    >>proto 17, length: 61) 192.168.2.253.1025 > ns1.nlayer.net.domain: 7458+
    >>A? www.directv.com. (33)
    >>
    >>
    >>
    >
    >I have not used tcpdump in some time, but that does not look correct for
    >the external interface.
    >
    >192.168.2.253 and 10.0.4.62 are both private addresses. You may have
    >forwarding on but not masquerading. If that is true then it goes out but
    >never gets back.....
    >
    >You don't say what the address of the external interface is so I can
    >only assume it is valid and reachable from the internet. (It has to be
    >either a valid internet address or masqueraded thru another
    >router/firewall that is providing NAT for you)
    >
    >In either case, requests going out on the WAN port must originate from
    >the address of that NIC so they can be replied to properly.
    >
    >What does a similar tcpdump look like when doing the same request from
    >the firewall box?
    >Is the firewall connected directly to the internet? or just inside
    >another larger private LAN?
    >
    >
    >
    >
    The above tcpdump was run on the firewall, on the outside (wan) interface. The traffic was initiated by trying to access a website, for the first line above, www.levitjames.com, from a pc on the lan. So the originating address was 192.168.2.253, which is the lan pc. I'm not sure where the 10. addresses are coming from since there are no such on my lan. The named dns servers are the ones I've entered into my configuration for my network in the network administration gui. It looks to me like my inside pc placed a DNS request for www.levitjames.com which request made it to the outside nic on the firewall. Then, no response gets back to the lan pc. Below is the nat/masquerade section of my firewall script:

    # NAT and UPLINK are set higher up in the script: NAT is either the word
    # "dynamic" or the outside IP address (not left blank), UPLINK is the
    # name of the outside interface.
    if [ "$NAT" = "dynamic" ]
    then
        # dynamic IP address, use masquerading
        echo "Enabling masquerading (dynamic ip)..."
        iptables -t nat -A POSTROUTING -o "${UPLINK}" -j MASQUERADE
    elif [ "$NAT" != "" ]
    then
        # static IP, use SNAT to the outside address
        echo "Enabling SNAT (static ip)..."
        iptables -t nat -A POSTROUTING -o "${UPLINK}" -j SNAT --to-source 66.225.207.87
    fi
    # if NAT is empty neither rule is added, and forwarded LAN packets leave
    # ${UPLINK} with their private source address unchanged


    -- 
    Claude Jones
    Bluemont, VA, USA
    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
    
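As an added check, not part of the thread and not Claude's firewall script: a small Python script that reads tcpdump output taken on the outside interface and flags IP packets still carrying a private (RFC 1918) source address, which is exactly what Jeff's point about masquerading says should never be seen there. The sample capture is constructed from the three lines quoted above (rejoined onto single lines, since the mail client wrapped them) plus one constructed line showing what the same lookup looks like once SNAT has rewritten the source to the 66.225.207.87 address from the script.

```python
"""Flag packets that leave the WAN interface with a private source address."""
import ipaddress
import re

# Constructed sample: the three packets quoted in the thread, each rejoined
# onto one line, plus one constructed line showing the same DNS lookup after
# SNAT has rewritten the source to the outside address (TTL 126 because the
# firewall forwarded it; SNAT itself does not touch the TTL).
SAMPLE_CAPTURE = """\
22:49:22.142576 IP (tos 0x0, ttl 127, id 924, offset 0, flags [none], proto 17, length: 64) 192.168.2.253.1031 > ns1.nlayer.net.domain: 62240+ A? www.levitjames.com. (36)
22:49:22.603798 arp who-has 10.0.0.1 tell 10.0.4.62
22:49:22.735672 IP (tos 0x0, ttl 127, id 925, offset 0, flags [none], proto 17, length: 61) 192.168.2.253.1025 > ns2.rec.servercentral.net.domain: 7458+ A? www.directv.com. (33)
22:49:23.010000 IP (tos 0x0, ttl 126, id 927, offset 0, flags [none], proto 17, length: 61) 66.225.207.87.1025 > ns1.nlayer.net.domain: 7459+ A? www.directv.com. (33)
"""

# tcpdump -v style IP line: "<ts> IP (<header fields>) <src>.<port> > <dst>.<port>: ..."
IP_LINE = re.compile(
    r"^(?P<ts>\S+) IP \(.*?\) (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.\S+ > (?P<dst>\S+):"
)


def parse_ip_lines(capture):
    """Yield (timestamp, source address, destination) for each IP line.

    ARP and other non-IP lines are skipped.
    """
    for line in capture.splitlines():
        m = IP_LINE.match(line)
        if m:
            yield m.group("ts"), ipaddress.ip_address(m.group("src")), m.group("dst")


def private_sources_on_wan(capture):
    """Return [(timestamp, src, dst)] for packets sourced from private space.

    SNAT/MASQUERADE runs in the nat POSTROUTING chain, i.e. after routing and
    before the frame reaches the wire, so a capture on the outside interface
    should never show a private source. Any hit means the LAN packet was
    forwarded but no NAT rule matched it (for example $NAT empty so neither
    branch of the script ran, or $UPLINK naming a different interface).
    """
    return [(ts, str(src), dst)
            for ts, src, dst in parse_ip_lines(capture)
            if src.is_private]


if __name__ == "__main__":
    for ts, src, dst in private_sources_on_wan(SAMPLE_CAPTURE):
        print(f"{ts}  unmasqueraded: {src} -> {dst}")
```

Run it against `tcpdump -n -i <outside interface>` output saved to a file; an empty result means NAT is rewriting sources, and any hit points at the rule that did not match.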
