[Leaf-user] multi ip port forwarding (to:bela)
hi all, hi Bela

I've tried your advice but there's still some problems.

1. secondary legal_IP of eth0 wasn't recognized by the outside world. the
   ping returned request timed out but I could ping it from my internal
   network.
2. from my internal network I could open the web page of both the legal_ip1
   and legal_ip2. but not from the outside.
3. from both legal_ip1 and legal_ip2 I could send email to the outside world
   (eg. yahoo.com), but when I tried to reply, the mail didn't get delivered
   to the inbox, instead it bounced with comment sorry, I couldn't find host
   mail.uajy.ac.id and inf.uajy.ac.id
4. I couldn't send email from legal_ip1 to legal_ip2 nor from legal_ip2 to
   legal_ip1.

by the way, am I the only one in this whole universe who ever wanted to do
this *multi ip port forwarding* thing? and nobody else has ever done this
before?

any suggestion will be very appreciated. I'm so desperate. this is harder
than installing qmail.

regards,
Gregor

+Gregor Gede W.
+CENTER FOR INFORMATION SYSTEM
+ATMA JAYA YOGYAKARTA UNIVERSITY
[EMAIL PROTECTED]
+62 81 2271 0583
+62 81 7467 518

WATCHOUT! 3RD INTERNATIONAL SEMINAR ON SUSTAINABLE ENVIRONMENTAL ARCHITECTURE
+ DIGITAL ARCHITECTURE, 9-10 MARCH 2002, YOGYAKARTA
http://senvar.virtue.nu or http://senvar.uajy.web.id

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] multi ip port forwarding (to:bela)
Gregor --

First, which address is which. Using the FQDNs you mention below, I find
they both resolve, as follows:

    inf.uajy.ac.id  = 202.149.81.61
    mail.uajy.ac.id = 202.149.81.55

Replies to your specific questions assume these are the right FQDNs and I
am resolving them to the right addresses. If I am not ... then that is
where you need to look for the problem. So, the first thing is to confirm
that the two addresses are resolving correctly, externally.

Second, I cannot do a reverse lookup on either of these addresses. The
results:

    collier:/usr/src/linux# host 202.149.81.61
    202.149.81.61 does not exist, try again
    collier:/usr/src/linux# host 202.149.81.55
    202.149.81.55 does not exist, try again

This is a DNS problem that should be fixed. It might be causing some of
your failures (see below).

At 03:12 AM 1/21/02 GMT, GREGOR wrote:
>hi all, hi Bela
>I've tried your advice but there's still some problems.
>1. secondary legal_IP of eth0 wasn't recognized by the outside world. the
>ping returned request timed out but I could ping it from my internal
>network.

inf=61 *is* ping'able from here, but mail=55 is *not* (times out)

>2. from my internal network I could open the web page of both the
>legal_ip1 and legal_ip2. but not from the outside.

My browser returns home pages of both addresses:

    http://202.149.81.61/ = Teknik Informatika
    http://202.149.81.55/ = UAJYWebmail

The text of neither home page is in English, so I can't really tell you
more than that about them. The second one at least seems right, given the
match to the uajy in the FQDNs. And the first says it is the Website of
www.inf.uajy.ac.id, so it too is probably right (your domain, if not your
actual host).

>3. from both legal_ip1 and legal_ip2 I could send email to the outside
>world (eg. yahoo.com), but when I tried to reply, the mail didn't get
>delivered to the inbox, instead it bounced with comment sorry, I couldn't
>find host mail.uajy.ac.id and inf.uajy.ac.id

The DNS problem (no reverse lookups) could be the cause of your mail
failures.

>4. I couldn't send email from legal_ip1 to legal_ip2 nor from legal_ip2 to
>legal_ip1.

How do these local mail sends fail? Can you telnet to port 25 on both
addresses? If I try, I get different results:

    collier:/usr/src/linux# telnet 202.149.81.61 25
    Trying 202.149.81.61...
    Connected to 202.149.81.61.
    Escape character is '^]'.
    220 inf.uajy.ac.id ESMTP service ready [1] using MDaemon v3.0.4 R ò

    collier:/usr/src/linux# telnet 202.149.81.55 25
    Trying 202.149.81.55...
    Connected to 202.149.81.55.
    Escape character is '^]'.
    [long wait]
    220 mail.uajy.ac.id ESMTP
    502 unimplemented (#5.5.1)
    250 mail.uajy.ac.id
    HELO comarre.com
    250 mail.uajy.ac.id
    RCPT From: [EMAIL PROTECTED]
    503 MAIL first (#5.5.1)

This says to me that (again, assuming I have the addresses right) there is
something wrong with your MTA, since it (or something) is *listening* on
202.149.81.55:25 but not responding properly.

>by the way, am I the only one in this whole universe who ever wanted to do
>this *multi ip port forwarding* thing? and nobody else has ever done this
>before?
>any suggestion will be very appreciated. I'm so desperate. this is harder
>than installing qmail.

Given the differences between my results and yours, I can only suggest
that you report the conditions of your tests more completely.

--
"Never tell me the odds!"                          --- Han Solo
Ray Olszewski                                      Palo Alto, CA
[EMAIL PROTECTED]
Re: [Leaf-user] multi ip port forwarding (continued)
> I have a dachstein cd box with 3 ethernet cards (eth0,eth1,eth2) in it.
> for now as I'm still doing experiments, eth0 will only be bound with 2
> legal ip#, but if I succeed, I expect to bind many more ip# to eth0.
> right now each legal ip# in eth0 is open only for 3 services which are
> 25, 80 and 110. I want to do port forwarding for those services to my
> servers in DMZ network (eth2). eth1 will be used as gateway by my internal
> network to communicate with the outside world. the following is my
> network.conf file, please correct me if I'm doing wrong with it. and
> thank you in advance.

Comments inline...

> snip
> eth2_IPADDR=192.168.15.5
> eth2_MASKLEN=24
> eth2_BROADCAST=+
> #eth2_ROUTES=
> #eth2_IP_SPOOF=YES
> #eth2_IP_KRNL_LOGMARTIANS=YES
> #eth2_IP_SHARED_MEDIA=NO
> #eth2_BRIDGE=NO
> #eth2_PROXY_ARP=
> #eth2_FAIRQ=NO

Everything to here looks OK

> ###
> # NAT 'virtual' interface (optional: required only for static-NAT DMZ systems)
> ###
> # Configured as an interface to allow flexible handling of bringing the
> # routing rules up/down in conjunction with the physical interfaces
> # interface spec is an indexed list of IP address pairs and a base priority
> # number for ip rule creation
> nat0_BASE_PRI=100 # Unique base value for ip rules
> # Indexed list: public IP private DMZ IP
> nat0_PAIR0=202.149.81.61 192.168.15.16
> nat0_PAIR1=202.149.81.61 192.168.15.25
> nat0_PAIR2=202.149.81.55 192.168.15.200

You don't need these set unless you're running a static-NAT DMZ (Not what
you indicated you wanted to setup). The nat0* settings are not hurting
anything (they have no effect unless you list nat0 in IF_AUTO or manually
bring up the virtual nat0 interface with net ifup nat0), but the fact that
they're uncommented could be confusing later...

> snip
> ###
> # IP Filter setup - can pull in settings from above
> ###
> snip

Down to here looks OK.

> # TCP services open to outside world
> # Space seperated list: srcip/mask_dstport
> EXTERN_TCP_PORTS=202.149.81.55/28_25 202.149.81.55/28_www 202.149.81.55/28_110 202.149.81.61/28_25 202.149.81.61/28_www 202.149.81.61/28_110

This is where you control what services make it through the firewall
scripts...you've got the right idea, but you're mixing individual IPs with
a network mask (the /28 part). So, what you've done with the above is
enabled smtp, www, and pop ports for your WHOLE IP RANGE *TWICE*. You
should probably just drop the /28's, so the entries will default to single
host specifications (or explicitly call out a /32, if you want).

> snip
> ###
> # Port Forwarding
> ###
> # Remember to open appropriate holes in the firewall rules, above
> # Uncomment following for port-forwarded internal services.
> # The following is an example of what should be put here.
> # Tuples are as follows:
> # protocol_local-ip_local-port_remote-ip_remote-port
> INTERN_SERVERS=tcp_202.149.81.61_80_192.168.15.25_80 tcp_202.149.81.61_smtp_192.168.15.16_smtp tcp_202.149.81.61_110_192.168.15.16_110 tcp_202.149.81.55_80_192.168.15.200_80 tcp_202.149.81.55_smtp_192.168.15.200_smtp tcp_202.149.81.55_110_192.168.15.200_110

These variables, while they *CAN* port-forward services to the DMZ, are
really intended to port-forward services to your internal network.
Regardless, the fact that you define the same services to be forwarded
both here *and* in the DMZ section is an error (you can only forward a
particular port once). I suggest commenting these, and using the DMZ
settings (which will allow your internal systems to access DMZ servers
using the public IP address).

> # These lines use the primary external IP address...if you need to port-forward
> # an aliased IP address, use the INTERN_SERVERS setting above
> #INTERN_FTP_SERVER=192.168.1.1 # Internal FTP server to make available
> #INTERN_WWW_SERVER=192.168.15.200 # Internal WWW server to make available
> #INTERN_SMTP_SERVER=192.168.15.200 # Internal SMTP server to make available
> #INTERN_POP3_SERVER=192.168.15.200 # Internal POP3 server to make available
> #INTERN_IMAP_SERVER=192.168.1.1 # Internal IMAP server to make available
> #INTERN_SSH_SERVER=192.168.1.1 # Internal SSH server to make available
> #EXTERN_SSH_PORT=24 # External port to use for internal SSH access
> # Advanced settings: parameters passed directly to portfw and autofw
> # Indexed list: ipmasqadm portfw options
> #INTERN_SERVER0=-a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF]
> #INTERN_SERVER1=
> # Indexed list: ipmasqadm autofw options
> #INTERN_AUTOFW0=-A -r tcp 2 20050 -h 192.168.1.1
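A small checker for the two mistakes called out in the reply above (the /28 masks that open each port for the whole range, listed twice, and a public port forwarded from more than one section), added here as an example; it is not code from the thread or from the LEAF/Dachstein project. The EXTERN_TCP_PORTS and INTERN_SERVERS values are the ones posted. The service-name table is an assumption taken from /etc/services, and DMZ_FORWARDS is a constructed stand-in for the snipped DMZ section, given in already-parsed form because that section's syntax is not shown on the page.

```python
"""Static checks for the Dachstein network.conf settings quoted above.

Constructed example, not LEAF/Dachstein project code.  It parses

    EXTERN_TCP_PORTS   entries of the form  srcip[/mask]_dstport
    INTERN_SERVERS     tuples of the form   protocol_local-ip_local-port_remote-ip_remote-port

and reports a mask wider than a single host (the port is opened for every
address in the range; here the same range appears twice) and the same
public proto/ip/port being forwarded more than once.
"""
import ipaddress
from collections import defaultdict

# Assumed name -> port mapping for the service names used in the config.
SERVICE_PORTS = {"smtp": 25, "www": 80, "http": 80, "pop3": 110, "pop-3": 110}

# Values copied from the network.conf posted in the thread.
EXTERN_TCP_PORTS = ("202.149.81.55/28_25 202.149.81.55/28_www 202.149.81.55/28_110 "
                    "202.149.81.61/28_25 202.149.81.61/28_www 202.149.81.61/28_110")
INTERN_SERVERS = ("tcp_202.149.81.61_80_192.168.15.25_80 "
                  "tcp_202.149.81.61_smtp_192.168.15.16_smtp "
                  "tcp_202.149.81.61_110_192.168.15.16_110 "
                  "tcp_202.149.81.55_80_192.168.15.200_80 "
                  "tcp_202.149.81.55_smtp_192.168.15.200_smtp "
                  "tcp_202.149.81.55_110_192.168.15.200_110")

# Constructed stand-in for the (snipped) DMZ section: one forward that
# overlaps an INTERN_SERVERS tuple, already in parsed form.
DMZ_FORWARDS = [("tcp", "202.149.81.55", 25, "192.168.15.200", 25)]


def port_number(token):
    """Accept a numeric port or one of the service names used in the config."""
    token = token.lower()
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    raise ValueError("unknown port or service name: %r" % token)


def parse_extern_ports(value):
    """Return [(host, network, port)] for a space-separated EXTERN_TCP_PORTS value.
    A bare address (no /mask) is a single host, i.e. /32."""
    holes = []
    for entry in value.split():
        addr, sep, port = entry.rpartition("_")
        if not sep or not addr:
            raise ValueError("malformed EXTERN_TCP_PORTS entry: %r" % entry)
        host, _, masklen = addr.partition("/")
        # strict=False turns 202.149.81.55/28 into its network, 202.149.81.48/28
        net = ipaddress.ip_network("%s/%s" % (host, masklen or "32"), strict=False)
        holes.append((str(ipaddress.ip_address(host)), net, port_number(port)))
    return holes


def wide_holes(value):
    """Map (network, port) -> number of entries that open that port for more
    than one host.  A count above 1 means the same range/port is listed twice."""
    seen = defaultdict(int)
    for _, net, port in parse_extern_ports(value):
        if net.num_addresses > 1:
            seen[(str(net), port)] += 1
    return dict(seen)


def single_host_form(value):
    """Rewrite every entry as an explicit /32 host entry (the suggested fix)."""
    return " ".join("%s/32_%d" % (host, port) for host, _, port in parse_extern_ports(value))


def parse_intern_servers(value):
    """Return [(proto, public_ip, public_port, private_ip, private_port)]."""
    forwards = []
    for tup in value.split():
        parts = tup.split("_")
        if len(parts) != 5:
            raise ValueError("malformed INTERN_SERVERS tuple: %r" % tup)
        proto, pub_ip, pub_port, priv_ip, priv_port = parts
        forwards.append((proto.lower(),
                         str(ipaddress.ip_address(pub_ip)), port_number(pub_port),
                         str(ipaddress.ip_address(priv_ip)), port_number(priv_port)))
    return forwards


def duplicate_forwards(*forward_lists):
    """Public (proto, ip, port) keys that more than one tuple, across all the
    given sections, tries to forward.  A port can only be forwarded once."""
    count = defaultdict(int)
    for forwards in forward_lists:
        for proto, pub_ip, pub_port, _, _ in forwards:
            count[(proto, pub_ip, pub_port)] += 1
    return sorted(key for key, n in count.items() if n > 1)


if __name__ == "__main__":
    for (net, port), n in sorted(wide_holes(EXTERN_TCP_PORTS).items()):
        print("port %d open for all of %s (listed %d times)" % (port, net, n))
    print('suggested: EXTERN_TCP_PORTS="%s"' % single_host_form(EXTERN_TCP_PORTS))
    for key in duplicate_forwards(parse_intern_servers(INTERN_SERVERS), DMZ_FORWARDS):
        print("forwarded more than once: %s %s:%d" % key)
```

Run against the posted values it reports ports 25, 80 and 110 open for all of 202.149.81.48/28, each listed twice, and, once the constructed DMZ forward is included, tcp 202.149.81.55:25 forwarded from two sections. The real DMZ section should be checked the same way after it is parsed from the actual file.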
Re: [Leaf-user] multi ip port forwarding
Hi Gregor,

I know that I had some issues with this. I had 2 alias addresses bound to
my external interface. I was able to receive traffic on them and portfw
them correctly. But then I tried FTP and I found that all other outbound
traffic gets masq'd on the primary IP, not the alias. From what I read at
the time, that is just how it is, and you cannot masq out with the alias
IP. That also gave me a problem with my Dynamic DNS, as it would register
the primary, and not the alias address.

This might give you a problem with SMTP, but I wouldn't think that it
should affect the Web and Pop components.

I hope that helps a bit.

Cheers

- Original Message -
From: GREGOR [EMAIL PROTECTED]
To: linux-router [EMAIL PROTECTED]
Sent: Tuesday, January 15, 2002 1:18 AM
Subject: [Leaf-user] multi ip port forwarding
Re: [Leaf-user] multi ip port forwarding
It's also possible to use static-NAT, or proxy-arp in this environment.
While only two of the 3 IPs can be used directly on DMZ machines, you can
still port-forward services from the router's public IP to machines on the
DMZ.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

- Original Message -
From: Ed Tetz [EMAIL PROTECTED]
To: GREGOR [EMAIL PROTECTED]; linux-router [EMAIL PROTECTED]
Sent: Tuesday, January 15, 2002 6:47 AM
Subject: Re: [Leaf-user] multi ip port forwarding
[Leaf-user] multi ip port forwarding
I've been trying to install dachstein-cd-v1.0.2 but it doesn't seem to
work. I wonder if any of you could help me to configure *network.conf*
file to fit my needs. Here's my situation :

                  | internet (eth0)
                  | ip_legal1 + ip_legal2 + ip_legal3
            ------+------
            |           |
            | dachstein |------ DMZ (eth2)
            |    cd     |
            ------+------
                  |
                  | internal network (eth1)

ip_legal1,ip_legal2,ip_legal3 are running services on port 25,80,110 and
will be forwarded to the DMZ. like this:

    ip_legal1 (port 25,80,110) port forwarded to 192.168.15.200
    ip_legal2 (port 25,80,110) port forwarded to 192.168.15.201
    ip_legal3 (port 25,80,110) port forwarded to 192.168.15.202

All clients will use *internal network (eth1)* as their gateway to browse
the internet.

please help and thanks in advance.

regards,
Gregor