LinuxQuestions.org - Linux - Networking
Connection to external hostname from outside ok but rejected from inside network (http://www.linuxquestions.org/questions/linux-networking-3/connection-to-external-hostname-from-outside-ok-but-rejected-from-inside-network-300562/)

Dalvinio 03-11-2005 06:51 PM

Connection to external hostname from outside ok but rejected from inside network
 
First of all: the host and domain names used here aren't the actual names I use, but are used to make it a bit more convenient to discuss the problem I've been facing for the past few days.

My setup:
- Private network (IPs 192.168.1.x, subnet 255.255.255.0)

- 1 router; internal hostname router.domain.lan; internal IP 192.168.1.250; external hostname mail.domain.nl; the router runs DNS forwarding and a DHCP service; the reverse DNS is set to something else (I've been trying to get that changed, but my provider keeps me waiting)

- 4 desktop PCs: 1 running Linux, 3 running Windows XP SP2; IPs 192.168.1.101~104 assigned by DHCP from the router

- 1 Linux system (Fedora 2) acting as a file/print/mail server; IP 192.168.1.1, hostname aqua.domain.lan; for the 'outside' world it runs ssh, imap, pop3 and smtp services on the regular ports, and those ports are forwarded by the router; additionally it runs samba and cups for the internal network.

I've been using this setup for about 6 months without any problems. When accessing the server (aqua.domain.lan) from the private network I use its 'internal' hostname, and when accessing it from elsewhere (outside my private network) I use the mail.domain.nl hostname. This all works fine.

So much for the background information. Here comes the problem description: I've been the proud owner of a laptop for about 4 days now. Its IP on my private network is 192.168.1.105, assigned by DHCP from the router. I want to use this laptop to access my server (aqua.domain.lan) through imap from the private network as well as from everywhere else. I thought I'd just use the external hostname (mail.domain.nl) so I don't have to change hostnames when I'm at home or at the office, for example.

The problem is that when I use the EXTERNAL hostname (mail.domain.nl) for the server (aqua.domain.lan) while I'm on the PRIVATE network, I can't get a connection. When I use its internal hostname, things work like a charm. The situation is the same on ALL my desktops and the laptop. At first I thought it was a problem with Microsoft's implementation of the TCP/IP stack, but even the Linux desktop has this problem. Also, the problem arises with every service I try to use in this way (ssh, imap, pop3, smtp).

This is the set of firewall rules on the server:

========Firewall Rules==============================
*** [ root @ aqua ] 01:01
~ > iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
================================================

I included the tcpdump output for a session where I tried to connect through pop3 (with hostnames replaced by the ones used in my problem description, of course). The command I issued from the system with IP 192.168.1.105 was "telnet mail.domain.nl 110".

========TCPDump Output============================
*** [ root @ aqua ] 00:59
~ > tcpdump host 192.168.1.105 and port 110
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
00:59:26.752664 IP 192.168.1.105.32771 > external.host.name.dsl.provider.nl.pop3: S 1614669079:1614669079(0) win 5840 <mss 1460,sackOK,timestamp 27062 0,nop,wscale 0>
00:59:26.753762 IP 192.168.1.105.32771 > aqua.domain.lan.pop3: S 1614669079:1614669079(0) win 5840 <mss 1460,sackOK,timestamp 27062 0,nop,wscale 0>
00:59:26.753840 IP aqua.domain.lan.pop3 > 192.168.1.105.32771: S 1131741603:1131741603(0) ack 1614669080 win 5792 <mss 1460,sackOK,timestamp 960306615 27062,nop,wscale 0>
00:59:26.753895 IP 192.168.1.105.32771 > aqua.domain.lan.pop3: R 1614669080:1614669080(0) win 0
================================================

As you can see in the last line, the host at 192.168.1.105 issues the connection reset. That's another thing I really can't explain.

The server has a set of hostnames configured that it is supposed to react to. Here are the contents of the /etc/hosts file:

========/etc/hosts=================================
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 aqua.domain.lan aqua mail.domain.lan mail home.domain.lan home mail.domain.nl smtp.domain.nl home.domain.nl localhost.localdomain localhost
================================================

The /etc/hosts.allow and /etc/hosts.deny files are blank (well, apart from some comments). I don't have any specific firewall settings on the router. All internal network traffic is routed fine. There are no other problems when using the services and, once again, when connecting from outside my private network, I don't have this problem.

Can anyone shed some light on this situation? Any hints, tips, solutions?
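As an added example (not part of the original post or of any reply), the following Python script parses the four tcpdump lines quoted above and checks for the pattern they show: the client's SYN is seen once addressed to the external hostname and again, with the same source port and initial sequence number, addressed to aqua.domain.lan; aqua then answers the client directly with a SYN-ACK from its own LAN address, and the client resets it. That is the signature of a destination-NAT reply that never passes back through the router, so the client receives a SYN-ACK from an address it never dialed. The hostnames are the placeholder names from the post; the capture text is embedded so the script runs offline.

```python
"""Classify the tcpdump exchange quoted in the post above.

Pattern looked for:
  1. client SYN to host A
  2. the same SYN (same client port, same ISN) to host B != A  (rewritten destination)
  3. SYN-ACK from B to the client acking ISN+1
  4. RST from the client to B
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# The four lines captured on aqua's eth0, copied from the post (placeholder hostnames).
CAPTURE = """\
00:59:26.752664 IP 192.168.1.105.32771 > external.host.name.dsl.provider.nl.pop3: S 1614669079:1614669079(0) win 5840 <mss 1460,sackOK,timestamp 27062 0,nop,wscale 0>
00:59:26.753762 IP 192.168.1.105.32771 > aqua.domain.lan.pop3: S 1614669079:1614669079(0) win 5840 <mss 1460,sackOK,timestamp 27062 0,nop,wscale 0>
00:59:26.753840 IP aqua.domain.lan.pop3 > 192.168.1.105.32771: S 1131741603:1131741603(0) ack 1614669080 win 5792 <mss 1460,sackOK,timestamp 960306615 27062,nop,wscale 0>
00:59:26.753895 IP 192.168.1.105.32771 > aqua.domain.lan.pop3: R 1614669080:1614669080(0) win 0
"""

# Old-style tcpdump TCP line: "<ts> IP <src> > <dst>: <flags> <seq>:<seq+len>(<len>) [ack <n>] ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SRPF.]+) "
    r"(?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?"
)


@dataclass
class Segment:
    ts: str
    src_host: str
    src_port: str
    dst_host: str
    dst_port: str
    flags: str
    seq: int
    ack: Optional[int]


def split_endpoint(endpoint: str):
    """'192.168.1.105.32771' -> ('192.168.1.105', '32771'); the port is the last dotted field."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_capture(text: str) -> List[Segment]:
    segments = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-TCP or header lines are ignored
        src_host, src_port = split_endpoint(m["src"])
        dst_host, dst_port = split_endpoint(m["dst"])
        segments.append(Segment(m["ts"], src_host, src_port, dst_host, dst_port,
                                m["flags"], int(m["seq"]),
                                int(m["ack"]) if m["ack"] else None))
    return segments


def detect_unrewritten_dnat(segments: List[Segment]) -> Optional[dict]:
    """Return a description of the hairpin if the four-step pattern is present, else None."""
    syns = [s for s in segments if s.flags == "S" and s.ack is None]
    for first in syns:
        for second in syns:
            if (second is not first and second.src_host == first.src_host
                    and second.src_port == first.src_port and second.seq == first.seq
                    and second.dst_host != first.dst_host):
                client, port = first.src_host, first.src_port
                # SYN-ACK must come from the rewritten destination, not from the dialed host
                synack = next((s for s in segments if s.flags == "S" and s.ack == first.seq + 1
                               and s.src_host == second.dst_host and s.dst_host == client
                               and s.dst_port == port), None)
                rst = next((s for s in segments if s.flags == "R" and s.src_host == client
                            and s.src_port == port and s.dst_host == second.dst_host), None)
                if synack and rst:
                    return {
                        "client": client,
                        "dialed": first.dst_host,
                        "delivered_to": second.dst_host,
                        "synack_from": synack.src_host,
                        "client_reset": True,
                    }
    return None


if __name__ == "__main__":
    finding = detect_unrewritten_dnat(parse_capture(CAPTURE))
    if finding:
        print("client %(client)s dialed %(dialed)s, SYN was delivered to %(delivered_to)s, "
              "SYN-ACK came back from %(synack_from)s -> client sent RST" % finding)
    else:
        print("pattern not found")
```

The check is deliberately strict about the source of the SYN-ACK: a client only accepts a SYN-ACK from the exact address and port it connected to, so a reply arriving from aqua's LAN address for a connection the client opened to the external address has no matching socket and is answered with a RST, which is exactly the last line of the capture.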

