Re: monit – can't connect from browser
- From: Burkhard Ott <news@xxxxxxxxx>
- Date: Tue, 2 Dec 2008 22:57:51 +0100
On Tue, 02 Dec 2008 10:16:33 -0800, Vwaju wrote:
> Guten Tag, Burkhard
Hi Vwaju, you're also learning German? :-)
> Is "jupiter->(internet)->router->192.168.2.0/24" a DNAT rule? How do
> you translate it?
Nope, I was wondering about your route (traceroute) and wanted to make sure
where the webserver is located, because I thought it was outside your LAN,
but this is no problem either.
> I have a static IP address (207.237.37.110) from RCN (my ISP) and 4
> computers on my LAN. My Dell Truemobile 2300 Broadband Router does
> NAT as follows:
> 192.168.2.1 (the router itself)
> 192.168.2.2 (jupiter.obliqueuniverse.org, running Debian 3.1)
> 192.168.2.3 Windows XP machine
> 192.168.2.4 Windows XP machine
> 192.168.2.5 (ganymede.obliqueuniverse.org, running Slackware 12.0)
Ok, that clears up the situation.
I'll briefly explain which way packets to the webserver flow.
If you reach the webserver via 192.168.2.2 then the packets go from your
NIC directly to the webserver; there is no hop in between because you are in
the same subnet.
Your routing table looks like this:
192.168.2.0 0.0.0.0 255.255.255.0 eth0
0.0.0.0 192.168.2.1 eth0
That means you reach the IPs 192.168.2.1-254 directly in your
subnet.
If you had the network 10.10.10.0/24 connected to your router, then
every packet for the IP 10.10.10.254 would be sent to your router,
because it's your default gateway and this network is not directly
connected to your 192.168.2.0/24.
That is exactly what happens when you send your packets for the webserver
to 207.237.37.110.
Your packet goes straight to your router and the router forwards it to your
webserver.
Usually the router will send a redirect to your computer telling it that it
can access the webserver directly via 192.168.2.2, but that depends on the
router software config.
So if I try to reach your webserver I come from outside the LAN, pass some
Internet routers and get routed to your router; if the router has a
forward entry for port 2812, it forwards this packet to your webserver.
The webserver now sees an IP from outside (an IP in Germany); on the
webserver the default gateway is used to send the answer, and that is your
router. The router in turn has to route it to its own default gateway, because
it does not have my IP on a local port; the answer then passes some Internet
routers and reaches my router, computer, etc.
That means you only need a port forward on your router for port 2812.
You don't need an iptables rule on your webserver.
btw, with iptables it could look like this:
iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp --dport 2812 -j DNAT --to-destination 192.168.2.2
The rule says: for every TCP packet arriving on my external interface
with destination port 2812, replace the destination IP with 192.168.2.2.
(With -d 207.237.37.110 you could also specify the external address.)
You obviously did it correctly with port 80, because I can see your yellow page
with all the names. I can also reach port 2812; there comes an htaccess prompt
asking me for username and password via SSL.
I assume that you want jupiter to route your packets for port 2812 to your
router and masquerade the src IP, right?
> Packets incoming from the Internet, addressed to
> jupiter.obliqueuniverse.org:2812 (207.237.37.110:2812) should be
> routed to jupiter.obliqueuniverse.org:2812 (192.168.2.2:2812). I
> believe that the port-forwarding table on the router takes care of
> this. Am I right?
Yep, and it works, too.
> Packets from jupiter.obliqueuniverse.org:2812 (192.168.2.2:2812)
> should go to the router (192.168.2.1 on my LAN) and would appear to
> the Internet to come from 207.237.37.110:2812. Am I right that *this*
> is where you need the DNAT rule in iptables?
Yes, because your external IP 207.237.37.110 is terminated locally on your
router, and if port 2812 is not open there, the device usually sends an
ICMP port unreachable.
With DNAT it takes care of the IP for the answer packet, but replaces it with
192.168.2.2 and sends it into your LAN. On the way back it does the same,
but replaces 192.168.2.2 again.
I guess today you forward every port to 192.168.2.2, because I can also
reach SSH and your DNS.
> Similarly ports 20, 21, 22, 80, and 81
Ports 20 and 21 are a little special because FTP works a little differently.
> Given the network infrastructure described above: Does this rule route
> from 192.168.2.2:2812 to 192.168.2.1 (the router) and translate it to
> 207.237.37.110:2812?
Nope, it doesn't, and you don't need that in the case of DNAT.
> Yes! I have now published my Oblique Universe home page.
Yes, I already looked at it :-).
> From inside my LAN, I can access it with http://192.168.2.2:80
> Can you access it with http://207.237.37.110:80 ?
Yep.
> However, when I try http://obliqueuniverse.org from inside my LAN, I
> get an error screen that says:
> "Duplicate Administrator
> This device is managed by 192.168.2.2 currently!!"
I have never seen such a stupid message, but I think it's the ICMP redirect
I described above.
I also have a hint for you: install tcpdump, or better Wireshark, on your
computer and sniff the connection while you try to access the external
IP.
You will see an ICMP redirect packet (it should be the second or third).
Where have you seen the "Duplicate Administrator" error message? I bet on
the router itself; then it would be a weird translation of an ICMP
redirect, but anyway.
Everything seems to be working so far; now you need to make it secure :-).
cheers
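The following is an added example, not code from this thread, that models the two mechanisms Burkhard describes above: the route lookup on jupiter (on-link for 192.168.2.0/24, everything else via the router at 192.168.2.1) and the router's DNAT for port 2812, including the connection-tracking entry that un-translates the reply so that no rule is needed on the webserver. The external interface name `eth1`, the peer address 203.0.113.7 (standing in for the client in Germany) and the class and function names are my assumptions; the routing table and addresses are the ones given in the post.

```python
import ipaddress
from dataclasses import dataclass

# Constructed routing table for jupiter (192.168.2.2), as given in the post:
#   192.168.2.0/24  directly connected on eth0
#   0.0.0.0/0       via 192.168.2.1 (the router) on eth0
ROUTES = [
    (ipaddress.ip_network("192.168.2.0/24"), None, "eth0"),
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("192.168.2.1"), "eth0"),
]


def next_hop(dst, routes=ROUTES):
    """Longest-prefix-match route lookup, the decision the kernel makes for
    each outgoing packet. Returns (gateway, iface); a gateway of None means
    the destination is on-link and the frame goes straight to the peer's NIC."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1], best[2]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Toy model (an assumption, not the Dell router's firmware) of a
    PREROUTING DNAT table plus the connection-tracking entry that lets
    replies be un-translated without any rule on the LAN host."""

    def __init__(self, external_ip):
        self.external_ip = external_ip
        self.forwards = {}   # external dport -> (internal ip, internal port)
        self.conntrack = {}  # (peer, peer port, internal ip, port) -> (ext ip, ext port)

    def add_port_forward(self, dport, to_ip, to_port=None):
        self.forwards[dport] = (to_ip, to_port if to_port is not None else dport)

    def inbound(self, pkt):
        """Packet arriving on the external interface. Returns the packet as it
        is sent into the LAN, or None when there is no forward entry and the
        router answers itself (e.g. with an ICMP unreachable or a TCP RST)."""
        if pkt.dst != self.external_ip:
            return pkt                      # not ours to translate
        if pkt.dport not in self.forwards:
            return None
        ip, port = self.forwards[pkt.dport]
        self.conntrack[(pkt.src, pkt.sport, ip, port)] = (pkt.dst, pkt.dport)
        return Packet(pkt.src, pkt.sport, ip, port)

    def outbound(self, pkt):
        """Reply from a LAN host on its way to the default gateway. The
        conntrack entry reverses the DNAT, so the peer sees the external
        address and port again, not 192.168.2.2."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.conntrack:
            ext_ip, ext_port = self.conntrack[key]
            return Packet(ext_ip, ext_port, pkt.dst, pkt.dport)
        return pkt


def dnat_rule(ext_if, dport, to_ip):
    """The iptables rule from the post, in the form the nat table accepts
    (DNAT is only valid in the nat table, so -t nat is required)."""
    return (f"iptables -t nat -A PREROUTING -i {ext_if} -p tcp --dport {dport} "
            f"-j DNAT --to-destination {to_ip}")


if __name__ == "__main__":
    print(next_hop("192.168.2.5"))       # on-link: (None, 'eth0')
    print(next_hop("207.237.37.110"))    # via the router 192.168.2.1
    r = NatRouter("207.237.37.110")
    r.add_port_forward(2812, "192.168.2.2")
    # 203.0.113.7 is a constructed address standing in for the client in Germany.
    inside = r.inbound(Packet("203.0.113.7", 40000, "207.237.37.110", 2812))
    print(inside)
    print(r.outbound(Packet("192.168.2.2", 2812, "203.0.113.7", 40000)))
    print(dnat_rule("eth1", 2812, "192.168.2.2"))
```

Two caveats a practitioner would add to the rule as written in the post: it must go into the nat table (`-t nat`), and a FORWARD-chain policy of DROP will still need an ACCEPT for tcp/2812 towards 192.168.2.2, since DNAT only rewrites the address. The model above also only covers the Internet-to-LAN path; a LAN client talking to the external IP is the hairpin case the post attributes to an ICMP redirect, and it is not modelled here.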