Mailinglist Archive: opensuse-security (409 mails)

< Previous Next >
Re: [suse-security] problem with NAT / ip forwarding
  • From: Roger Hayter <roger@xxxxxxxxxx>
  • Date: Sat, 17 Aug 2002 12:59:04 +0100
  • Message-id: <WoZxNmBIqjX9EA0W@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
In message <1605542409.20020817133841@xxxxxxxxxx>, Wojtek <ml@xxxxxxxxxx> writes
Hello,

I have a problem related to NAT and IP forwarding:

My SuSE server has two network interfaces. One is conneted to a
LinkSys DSL router (which is conntected to the internet), the other is
conncted to my LAN.

The problem is that I am not able to access my SuSE server from inside
the network with my external IP. Maybe I am missing some routing
entry?

Here's how my network is setup:

SuSE server has 2 interfaces:
eth0 (192.168.2.2) connected to LAN
eth1 (192.168.1.2) connected to an Linksys router (192.168.1.1) which
is doing NAT.

On the Linksys router I forwarded port 80 to my SuSE server.

Clients from outside (internet) can connect to my SuSE server via the
external IP.

The SuSE server itself can connect to itself via the external IP.

An internal client of the 192.168.2.0 network is not able to connect
to the SuSE server using the external IP. The client end's up on the
Linksys router.

What is the problem?


THANKS IN ADVANCE,
Wojtek


Here's a simple diagram of my network:

+-----------------+
| Linksys router |
| doing NAT |
| |
| if0: external IP|
| if1: 192.168.1.1|
| |
| if0 if1 |
+--+-------+------+ +------------------+ +----------+
| | | SuSE server | | LAN/ |
| | | eth0 192.168.2.2 +----------------+ SWITCH |
/--+----\ +------------+ eth1 192.168.1.2 | | |
| inter | | | +----+-----+
| net | +------------------+ |
\-------/ +--------------+
| hal9000 |
| 192.168.2.120|

+--------------+

--
Wojtek mailto:ml@xxxxxxxxxx


Hi Wojtek,

Can you connect from the LAN to the webserver on 192.168.2.2? I don't know whether apache is supposed to bind to all available interfaces, but I can do this on mine with IP forwarding turned on. Your question comes down to what the linksys router is supposed to do with packets sent through it with the source address of your (presumably single) external IP and the same destination address. I would not think this would work, I would think the linksys router would dump them using some sort of anti-spoofing rule. What I can't understand is why the SuSE server can do it. I also would be very interested in an answer from an expert on this.
--
Roger Hayter

< Previous Next >
Follow Ups
References