On Oct 30, 2017 6:51 AM, Simon Hobson <li...@thehobsons.co.uk> wrote:

Rommel Rodriguez Toirac <romme...@nauta.cu> wrote:

>> Your DNS server is returning *private* (RFC1918) addresses to systems in
>> the Municipal Network. To those systems, it must return the public IP
>> address of your firewall. This is addressed by using split DNS -- let
>> your DMZ server handle local clients and let your DMZ server handle
>> external clients.


>  This means that I must change the registers of my external view to something in the 172.16.120.0/24 range?

NO!

I think there is some basic knowledge missing here.
Addresses in the 172.16.0.0/12 range (which includes your 172.16.120.0/24) are NOT accessible from anywhere on the internet - and the same for 192.168.0.0/16 and 10.0.0.0/8. These ranges are expressly set aside for PRIVATE use and all internet routers should be configured to drop all packets using these addresses.

So, taking for example your device gtmem.gtm.onat.gob.cu, your external view resolves this to 172.16.120.4 - this is NOT accessible from anywhere on the internet.
What you will need to do is use Masq/NAT/Port forwarding to forward packets to a PUBLIC IP address to 172.16.120.4 and then put the public address in your external DNS view.

Let's say your ISP gives you a.b.c.32/29 - a.b.c.33 to a.b.c.38 are usable, and one of them might be used for your router. You might forward a.b.c.34 to 172.16.120.4, and then you'd need to make gtmem.gtm.onat.gob.cu resolve to a.b.c.34.

If you are hosting your own DNS, then you would set the nameservers for gtm.onat.gob.cu to be at a.b.c.<something> and Masq/NAT/Port forward port 53 (TCP and UDP) to your actual DNS servers in the 172.16.120.0/24 range.


Hello all;
thanks Simon for answering me.
First, I live in Cuba and here the access to the Internet is a little different than in the rest of the world. Let's say just different.
My ISP (in my case the national network level) gives the range 172.16.120.0/24 to my network and from 172.16.121.0/29 to the rest of my 10 municipal networks.
The IP given to my router is 172.16.120.254 and all other routers in my municipal networks are in the 172.16.#.# range too.
OK, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 are PRIVATE network addresses, but I do not have any PUBLIC address.
Our network works this way, just with PRIVATE network addresses, and our routers are configured to use this.
Why can I make the communication possible using just IP addresses and not using PC names or aliases?
See the test made from a municipal server.
When I try to connect to the FTP server on my network using the IP number the connection succeeds, but when I use the alias ftp.gtm.onat.gob.cu it never connects.

C:\Windows\system32>ftp
ftp> open 172.16.120.1
Conectado a 172.16.120.1.
220 ONAT Guantanamo, FTP.
Usuario (172.16.120.1:(none)): anonymous
331 Please specify the password.
Contraseña:
230 Login successful.
ftp>

C:\Windows\system32>ftp
ftp> open ftp.gtm.onat.gob.cu
ftp>

I tried an nslookup and (I guess) the answer is good.

C:\Windows\system32>nslookup ftp.gtm.onat.gob.cu
Servidor:  gtm08.cai.gtm.onat.gob.cu
Address:  172.16.123.11

Respuesta no autoritativa:
Nombre:  gtmft.gtm.onat.gob.cu
Address:  172.16.120.7
Aliases:  ftp.gtm.onat.gob.cu


C:\Windows\system32>nslookup 172.16.120.7
Servidor:  gtm08.cai.gtm.onat.gob.cu
Address:  172.16.123.11

Nombre:  gtmft.gtm.onat.gob.cu
Address:  172.16.120.7

Any ideas? Any test that would help me clear up my problems?
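The following is an added example, not code from this thread or from the Shorewall project. It parses Windows nslookup output of the kind Rommel posted (the Spanish labels from the page are accepted, as are the English ones) and checks the answers against the point Simon made: an RFC 1918 address is only reachable by clients inside the private network that owns it, so a DNS view that serves clients outside that network must answer with the address NAT forwards to the host, not the private one. The NAT map is a constructed placeholder using 203.0.113.34 (a documentation address) in place of Simon's a.b.c.34; it is not the poster's configuration.

```python
"""Parse Windows nslookup output and audit the answers for RFC 1918 addresses.

Added example, not code from the mailing-list thread. The sample nslookup text
is the one Rommel posted; NAT_MAP is a constructed placeholder.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# The three RFC 1918 private blocks Simon lists; ipaddress.is_private would also
# match documentation and link-local ranges, so the check is made explicit here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr lies in one of the three RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass
class NslookupResult:
    server: str = ""
    server_address: str = ""
    authoritative: bool = True
    name: str = ""
    addresses: list = field(default_factory=list)
    aliases: list = field(default_factory=list)


_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Labels printed by the Windows nslookup client; the Spanish forms are those on the page.
_SERVER = ("servidor", "server")
_NAME = ("nombre", "name")
_ALIASES = ("aliases", "alias")
_NONAUTH = ("respuesta no autoritativa", "non-authoritative answer")


def parse_nslookup(text: str) -> NslookupResult:
    """Extract server, canonical name, addresses and aliases from nslookup output."""
    res = NslookupResult()
    in_answer = False  # the blank line after the server block separates it from the answer
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if res.server:
                in_answer = True
            continue
        label, _, value = line.partition(":")
        key = label.strip().lower()
        value = value.strip()
        if key in _NONAUTH:
            res.authoritative = False
        elif key in _SERVER:
            res.server = value
        elif key in _NAME:
            res.name = value
        elif key in _ALIASES:
            res.aliases.extend(a for a in re.split(r"[,\s]+", value) if a)
        else:
            ips = _IP_RE.findall(line)
            if not in_answer and ips and not res.server_address:
                res.server_address = ips[0]
            elif in_answer:
                res.addresses.extend(ips)
    return res


def audit_answer(result: NslookupResult, client_is_external: bool) -> list:
    """Flag answers that hand a client an address it cannot route to.

    A view serving clients outside the private network must never return an
    RFC 1918 address; clients inside it (Rommel's case) can use them directly.
    """
    findings = []
    for addr in result.addresses:
        if client_is_external and is_rfc1918(addr):
            findings.append(f"{result.name} -> {addr}: private address served to external clients")
    return findings


def external_answer(private_addr: str, nat_map: dict) -> str:
    """Return the public address that NAT/port forwarding maps to private_addr.

    nat_map is keyed public -> private, one-to-one, as in Simon's a.b.c.34 example.
    """
    for public, private in nat_map.items():
        if private == private_addr:
            return public
    raise LookupError(f"no public address is forwarded to {private_addr}")


# Constructed placeholder: 203.0.113.34 stands in for Simon's a.b.c.34.
NAT_MAP = {"203.0.113.34": "172.16.120.4"}

# The nslookup output Rommel posted, used here as sample input.
SAMPLE_NSLOOKUP = """\
Servidor:  gtm08.cai.gtm.onat.gob.cu
Address:  172.16.123.11

Respuesta no autoritativa:
Nombre:  gtmft.gtm.onat.gob.cu
Address:  172.16.120.7
Aliases:  ftp.gtm.onat.gob.cu
"""

if __name__ == "__main__":
    r = parse_nslookup(SAMPLE_NSLOOKUP)
    print(r)
    print("external view findings:", audit_answer(r, client_is_external=True))
    print("internal view findings:", audit_answer(r, client_is_external=False))
    print("external answer for 172.16.120.4:", external_answer("172.16.120.4", NAT_MAP))
```

Run against Rommel's output with `client_is_external=False`, the audit reports nothing, which matches his observation that the name resolves to the same address that works when typed directly; with `client_is_external=True` the same answer is flagged, which is the situation Simon's external-view advice addresses.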
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
