problem with NAT / ip forwarding
Hello,

I have a problem related to NAT and IP forwarding:

My SuSE server has two network interfaces. One is connected to a LinkSys DSL router (which is connected to the internet), the other is connected to my LAN.

The problem is that I am not able to access my SuSE server from inside the network with my external IP. Maybe I am missing some routing entry?

Here's how my network is set up:

SuSE server has 2 interfaces:
eth0 (192.168.2.2) connected to LAN
eth1 (192.168.1.2) connected to a Linksys router (192.168.1.1) which is doing NAT.

On the Linksys router I forwarded port 80 to my SuSE server.

Clients from outside (internet) can connect to my SuSE server via the external IP.
The SuSE server itself can connect to itself via the external IP.
An internal client of the 192.168.2.0 network is not able to connect to the SuSE server using the external IP. The client ends up on the Linksys router.

What is the problem?

THANKS IN ADVANCE,
Wojtek

Here's a simple diagram of my network:

+-----------------+
| Linksys router  |
| doing NAT       |
|                 |
| if0: external IP|
| if1: 192.168.1.1|
|                 |
|  if0     if1    |
+--+-------+------+
   |       |        +------------------+         +----------+
   |       |        | SuSE server      |         | LAN/     |
   |       |        | eth0 192.168.2.2 +---------+ SWITCH   |
/--+----\  +--------+ eth1 192.168.1.2 |         |          |
| inter |           |                  |         +----+-----+
| net   |           +------------------+              |
\-------/                                      +--------------+
                                               | hal9000      |
                                               | 192.168.2.120|
                                               +--------------+

--
Wojtek
mailto:ml@lunetta.de
In message <1605542409.20020817133841@lunetta.de>, Wojtek
Hi Wojtek,

Can you connect from the LAN to the webserver on 192.168.2.2? I don't know whether apache is supposed to bind to all available interfaces, but I can do this on mine with IP forwarding turned on.

Your question comes down to what the linksys router is supposed to do with packets sent through it with the source address of your (presumably single) external IP and the same destination address. I would not think this would work; I would think the linksys router would dump them using some sort of anti-spoofing rule.

What I can't understand is why the SuSE server can do it. I also would be very interested in an answer from an expert on this.

--
Roger Hayter
On Saturday 17 August 2002 13.59, Roger Hayter wrote:
What I can't understand is why the SuSE server can do it. I also would be very interested in an answer from an expert on this.
I'm not exactly an expert, but here goes.

SuSEfirewall2 has a rule, SuSE-FW-NO_ACCESS_INT->FWEXT, controlled by the following in /sbin/SuSEfirewall2:

    ##############################################################
    # Anti Spoofing/Circumvention protection - interface dependent #
    ##############################################################
    # FW_DEV_INT holds the internal interface(s); DEV_EXT holds the IP
    # addresses configured on the external interface(s).  For every
    # (internal interface, external address) pair: log, then drop, any
    # packet that arrives on the internal side addressed to the external IP.
    # $LOG carries the LOG-target options (the prefix ends up as
    # SuSE-FW-NO_ACCESS_INT->FWEXT); $DROP is the configured drop target.
    for DEV in $FW_DEV_INT; do
        for IP in $DEV_EXT; do
            $IPTABLES -A INPUT -j LOG ${LOG}"-NO_ACCESS_INT->FWEXT " -i $DEV -d $IP
            $IPTABLES -A INPUT -i $DEV -d $IP -j "$DROP"
        done
    done

As far as I can see it's not controlled by any variable in /etc/sysconfig. If you want to bypass it you'd either have to comment out the above, or -I INPUT a rule that accepted the packets.

regards
Anders

--
'Deserves [death]. I daresay he does. Many that live deserve death. And some that die deserve life. Can you give it to them? Then do not be too eager to deal out death in judgement. For even the very wise cannot see all ends.'
--Tolkien, The Lord of the Rings
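The ordering detail in Anders' reply (an ACCEPT rule appended with -A lands behind the anti-spoofing DROP and is never reached, while -I INPUT puts it in front) is easy to see with a small model of the INPUT chain. The following is an added example written for this archive page; it is not SuSEfirewall2 code and was not posted in the thread. It assumes eth0 is the interface in FW_DEV_INT and the eth1 address 192.168.1.2 is the entry in DEV_EXT (Wojtek's post does not say how SuSEfirewall2 is configured), simplifies the rest of the chain to a DROP policy plus one rule letting the LAN reach the server's own internal address on tcp/80, and models only the -i, -d, -p and --dport matches that these rules use.

```python
"""Toy model of an iptables INPUT chain, used to show why a bypass for the
SuSE-FW-NO_ACCESS_INT->FWEXT rule must be inserted (-I) rather than
appended (-A).

Added example for this page; not SuSEfirewall2 code.  Assumptions:
eth0 is the internal interface (FW_DEV_INT), 192.168.1.2 on eth1 is the
address SuSEfirewall2 puts in DEV_EXT, the chain policy is DROP, and the
only other rule lets the LAN reach the server's own LAN address on tcp/80.
"""
from dataclasses import dataclass
from typing import List, Optional

LAN_IF = "eth0"             # FW_DEV_INT (assumed)
FW_EXT_IP = "192.168.1.2"   # DEV_EXT entry: the firewall's eth1 address (assumed)
FW_INT_IP = "192.168.2.2"   # the server's LAN address (from Wojtek's post)


@dataclass(frozen=True)
class Packet:
    in_iface: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One iptables rule; a None field matches anything."""
    target: str                      # ACCEPT, DROP or LOG
    in_iface: Optional[str] = None   # -i
    dst: Optional[str] = None        # -d
    proto: Optional[str] = None      # -p
    dport: Optional[int] = None      # --dport
    log_prefix: str = ""             # --log-prefix (LOG target only)

    def matches(self, pkt: Packet) -> bool:
        return ((self.in_iface is None or self.in_iface == pkt.in_iface)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class Chain:
    """Ordered rules evaluated top to bottom; the first terminating match wins.
    LOG is non-terminating: it records the packet and evaluation continues."""

    def __init__(self, policy: str) -> None:
        self.rules: List[Rule] = []
        self.policy = policy
        self.log: List[str] = []

    def append(self, rule: Rule) -> None:                # iptables -A INPUT ...
        self.rules.append(rule)

    def insert(self, rule: Rule, pos: int = 1) -> None:  # iptables -I INPUT [pos] ...
        self.rules.insert(pos - 1, rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.target == "LOG":
                self.log.append(f"{rule.log_prefix}IN={pkt.in_iface} DST={pkt.dst}")
                continue
            return rule.target
        return self.policy


def add_suse_anti_spoof_rules(chain: Chain, fw_dev_int: List[str], dev_ext: List[str]) -> None:
    """The nested loop Anders quoted from /sbin/SuSEfirewall2, in this model:
    for each internal interface and each external address, LOG then DROP."""
    for dev in fw_dev_int:
        for ip in dev_ext:
            chain.append(Rule("LOG", in_iface=dev, dst=ip,
                              log_prefix="SuSE-FW-NO_ACCESS_INT->FWEXT "))
            chain.append(Rule("DROP", in_iface=dev, dst=ip))


def build_input_chain(bypass: str = "none") -> Chain:
    """bypass: 'none', 'append' (-A: lands behind the DROP) or 'insert' (-I: lands first)."""
    chain = Chain(policy="DROP")
    add_suse_anti_spoof_rules(chain, [LAN_IF], [FW_EXT_IP])
    # LAN clients may always reach the server on its own LAN address (assumed rule).
    chain.append(Rule("ACCEPT", in_iface=LAN_IF, dst=FW_INT_IP, proto="tcp", dport=80))
    # Narrow bypass: only tcp/80 from the LAN to the firewall's external address.
    # Shell equivalent: iptables -I INPUT 1 -i eth0 -d 192.168.1.2 -p tcp --dport 80 -j ACCEPT
    http_bypass = Rule("ACCEPT", in_iface=LAN_IF, dst=FW_EXT_IP, proto="tcp", dport=80)
    if bypass == "append":
        chain.append(http_bypass)
    elif bypass == "insert":
        chain.insert(http_bypass, 1)
    elif bypass != "none":
        raise ValueError(bypass)
    return chain


def verdict_for(bypass: str, dport: int, dst: str = FW_EXT_IP) -> str:
    """Verdict for a LAN packet (arriving on eth0) to dst:dport under the given bypass mode."""
    return build_input_chain(bypass).verdict(Packet(LAN_IF, dst, "tcp", dport))


if __name__ == "__main__":
    for mode in ("none", "append", "insert"):
        print(f"{mode:7} http->{FW_EXT_IP}: {verdict_for(mode, 80)}  "
              f"ssh->{FW_EXT_IP}: {verdict_for(mode, 22)}  "
              f"http->{FW_INT_IP}: {verdict_for(mode, 80, FW_INT_IP)}")
```

Only the "insert" mode lets the LAN reach tcp/80 on the external address; the same rule appended with -A is shadowed by the DROP above it, and the narrow match keeps the anti-spoofing protection for every other port. On a real system the -I rule has to be added after SuSEfirewall2 has built its chains, since restarting the firewall script rebuilds them and would discard a rule added beforehand.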
Did you configure the IP forward on the Linksys router???

-----Original Message-----
From: Anders Johansson [mailto:andjoh@cicada.linux-site.net]
Sent: Saturday, 17 August 2002 06:10 a.m.
To: suse-security@suse.com
Subject: Re: [suse-security] problem with NAT / ip forwarding
The best (most secure, I would think) way to allow access to whatever service you're running on the outside IP would be to have that service bind itself to the inner IP as well. Older Suse installations would allow inside people access to services running on external IPs, but more recent versions do not.

To me, it makes sense on some level that you want to eliminate all thru-firewall traffic that you possibly can, on the grounds of security. Just bind your service (whether it be apache, sendmail, or a counter-strike server :) to both internal AND external IP.

-Matt

On Saturday 17 August 2002 07:38, Wojtek wrote:
participants (5)
- Anders Johansson
- Matt McClendon
- Pacifico Chavez
- Roger Hayter
- Wojtek