LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 06-19-2003, 09:49 PM   #1
Saris
LQ Newbie
 
Registered: Jun 2003
Posts: 10

Rep: Reputation: 0
Question Internal Routing


Hello,

I have a server that looks something like this

|
|
eth0
|
|
eth1
|
Hub
|\
| \
| 192.168.0.3 (webServer W2K)
|
192.168.0.20 (ftp server/personal W2k)

at this point everything is running fine and people can get in and I can get out... it is routing and being a firewall the way it is suppose to be doing......

I am using RH 7.2 with IP tables and NAT.

However, From the personal computer were the FTP server is I can not contact the Webserver and I wondered why. I can log onto it using terminal service and the two communicate just fine, but when I try to type into the web browser my website (personal.buriedarchives.homeip.net) I get that it can't find the destination from the msn search engine?????? I wondered if there was a way to fix this so that when the packet came back to the server it would simply route it back to the webserver???


I have tried adding that host name to the Hosts file in my W2K computer, but without success...

Help...

Saris
 
Old 06-20-2003, 11:41 AM   #2
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,568

Rep: Reputation: 164Reputation: 164
How does your routing table look like?
You can see your routing table when you type (as root): 'route'.
Plus: where's the RH machine? The drawing looks incomplete.
 
Old 06-20-2003, 01:42 PM   #3
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 66
Mara - I think the RH box is between eth0 and eth1.

I don't see how this is a linux problem though as you are having problems on your internal network.

Things I would check:
1) Is the webserver running (can you serve a page from the server istelf)
2) When you added it to the hosts file - which one did you add it to?
3) Do you have any firewalling on the webserver?
 
Old 06-20-2003, 11:48 PM   #4
Saris
LQ Newbie
 
Registered: Jun 2003
Posts: 10

Original Poster
Rep: Reputation: 0
My Webserver is hosting, People can connect to it from the outside as I have the RH box routing packets using NAT and IP Tables.
The hosts file I added the name to is called just that in W2K Hosts no extention and I do not have any firewall on my webserver as I was not concerned about it due to RH doing it's job ...

I can get to the webserver and the hosted websites if I go to it a round about way, by entering the name of the site using the computers name and not the DNS name.... the problem only occurs when I attempt to enter the website after leaving the RH box to find the DNS (personal.buriedarchives.homeip.net) buriedarchives.homeip.net being the base and personal being a hosted web site on my server...

that is why I think that it is a RH problem, like it would be dropping the packets becuase they are unrelated or something....... I could post my firewall script if you wish..
 
Old 06-21-2003, 08:24 AM   #5
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 66
Ah - I see where you are goin with this (I think)

You have:
Code:
          {INTERNET}
              |
            (eth0)
           [RH 7.2]
            (eth1)
               |
             [HUB]
             /   \
            /     \
         [PC]   [Server]
(192.168.0.20)   (192.168.0.3)
By using the computer name you are going to the server directly using the 192.168.0.3 - this works - If you use the Public IP address then it doesn't work from the inside. Look at your iptables rules - there is probably a line that forwards packets from eth0 on port 80 to the webserver. Just create a new one for eth1 as well.

Last edited by david_ross; 06-21-2003 at 08:26 AM.
 
Old 06-21-2003, 10:36 PM   #6
Saris
LQ Newbie
 
Registered: Jun 2003
Posts: 10

Original Poster
Rep: Reputation: 0
Ok that is exactly what I have..... and I do have a line that forwards packets from eth0 on port 80 to the server.... however if I do that for eth1 then it forwards everything, even packets that are ment to exit the PH box and go to my ISP's server and off to the net, which is no good because then going to the DNS to find out that buriedarchives.homeip.net is mine wouldn't even work??? doesn't that make sense? or am I totally off in left field as it were.???
 
Old 06-22-2003, 04:04 AM   #7
camelrider
Member
 
Registered: Apr 2003
Location: Juneau, Alaska
Posts: 247

Rep: Reputation: 31
Are you running a DNS server on your Linux box?
 
Old 06-22-2003, 07:10 AM   #8
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 66
Quote:
Originally posted by Saris
Ok that is exactly what I have..... and I do have a line that forwards packets from eth0 on port 80 to the server.... however if I do that for eth1 then it forwards everything, even packets that are ment to exit the PH box and go to my ISP's server and off to the net, which is no good because then going to the DNS to find out that buriedarchives.homeip.net is mine wouldn't even work??? doesn't that make sense? or am I totally off in left field as it were.???
The easiest way would be to add an entry to the hosts file on your pc:
192.168.0.3 buriedarchives.homeip.net
 
Old 06-22-2003, 10:21 AM   #9
Saris
LQ Newbie
 
Registered: Jun 2003
Posts: 10

Original Poster
Rep: Reputation: 0
Ok, I have tried that and it doesn't work. I think that I mentioned that before, don't know why it doesn't work but I tried once again without sucess. This packet simply exits the RH box and gets lost and it comes up with the msn search page...

I am not running a DNS, I have no reason to nore do I have the want.
 
Old 06-22-2003, 10:28 AM   #10
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 66
What are you typing into the browser?
http://personal.buriedarchives.homeip.net/
or
http://buriedarchives.homeip.net/
If it is the latter first then you will need to add personal.buriedarchives.homeip.net to your hosts file instead of buriedarchives.homeip.net - that was my fault.

If not:
What happens when you vist http://192.168.0.3/
What are the routing tables like on the pc and the server?
 
Old 06-23-2003, 02:24 AM   #11
Saris
LQ Newbie
 
Registered: Jun 2003
Posts: 10

Original Poster
Rep: Reputation: 0
Alright... I have tried both, and it will not work..... the Webserver is a W2K server box and there is a web site called personal which is linked to the Buriedarchives.homeip.net DNS which is provided by homeip.net linked with dnstogo.com.... which allows wildcards in there names allowing me to put as many pages on the same box as I want, and still use the buriedarchives.homeip.net name... though I have a few with them as I am host a bunch of sites.

However there is no default site on the server so putting in the IP itself does nothing but the common 404 error that is to be expected.

on the pc I do not have any routing tables, simply the hosts file which has the default127.0.0.1 in at this point.

on the server the firewall looks like this as such.

# Generated by iptables-save v1.2.3 on Fri Jan 25 20:52:17 2002
*filter
:INPUT DROP [275:13945]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [166:9831]
:POSTROUTING - [0:0]

-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT

#allow all telnet/etc. access to server from local network
-A INPUT -i eth0 -s 192.168.0.0/255.255.255.0 -j ACCEPT

#allows all loopback (required)
-A INPUT -i lo -s 127.0.0.0/255.0.0.0 -j ACCEPT

#allows only the ICMP reply packets in from the outside (some DOS attacks repelled)
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 0 -j ACCEPT

#explicitly drops any new packets from outside
-A INPUT -i eth1 -m state --state NEW -j DROP

#allows any already established connections from the outside, so if you telnet/ftp out from the server, it will still work
-A INPUT -i eth1 -p ! icmp -m state --state RELATED,ESTABLISHED -j ACCEPT

#puts a log into /var/messages if anyone sends a port scan/etc.
-A INPUT -p tcp -j LOG -m limit --limit 20/minute --limit-burst 20 --log-prefix "PORT SCAN:"

#DHCP access for clients on local network
-A INPUT -i eth0 -s 0.0.0.0/255.255.255.255 -j ACCEPT

#required for forwarding, this accepts any packets on their way out
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 -j ACCEPT

COMMIT

*nat
:PREROUTING ACCEPT [345:55824]
:POSTROUTING ACCEPT [1:243]
:OUTPUT ACCEPT [1:243]

#This allows people to connect to the Ftp server.
-A PREROUTING -p tcp -m tcp --dport 21 -i eth1 -j DNAT --to 192.168.0.5:21

#Webserver Routing
-A PREROUTING -d 24.156.144.66 -p tcp -m tcp --dport 80 -i eth1 -j DNAT --to 192.168.0.3:81

#SourceOffSite None Encrypted
-A PREROUTING -d 24.156.144.66 -p tcp -m tcp --dport 81 -i eth1 -j DNAT --to 192.168.0.3:8891

#Unreal Tournament 2003
-A PREROUTING -p tcp -m tcp --dport 7777:7787 -i eth1 -j DNAT --to 192.168.0.5:7777

#Messenger to work
-A PREROUTING -p tcp -m tcp --dport 6891 -i eth1 -j DNAT --to 192.168.0.2:6891

#this does all the NAT work
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE

COMMIT

# Completed on Fri Jan 25 20:52:17 2002
# Updated on Tues Oct 8 00:16 2002

I hope that helps.
 
Old 06-23-2003, 02:07 PM   #12
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 66
When I said put it in the hosts file you do realise I was talking about the windows PC hosts file don't you?


Also why are you forwarding to port 81?
-A PREROUTING -d 24.156.144.66 -p tcp -m tcp --dport 80 -i eth1 -j DNAT --to 192.168.0.3:81

Last edited by david_ross; 06-23-2003 at 02:09 PM.
 
Old 06-25-2003, 12:30 AM   #13
Saris
LQ Newbie
 
Registered: Jun 2003
Posts: 10

Original Poster
Rep: Reputation: 0
yes I did put it in the PC W2K host file... don't worry ....

I am forwarding to port 81 for the fun of it..... .. don't know... was one of those brain wave ideas that I thought one day if someone gets into the router they will have trouble finding the webserver.... then I realized that it is stupid.. and I was already setup so I just left it.....

Which makes sense why it wouldn't work.....

OK..... I have just switched all the websites over to port 80... and things are working.. but I am still having the same trouble of not being able to connect locally using the dns name......

I now get the message
Cannot find server or DNS Error

instead of the msn serach site. which is an improvement..
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Routing on my internal network. Milkman00 Linux - Networking 11 09-02-2005 03:30 PM
Routing between internal subnets teamchachi Linux - Networking 2 05-11-2005 08:21 AM
Internal routing of traffic within LAN jme Linux - Networking 1 04-23-2005 03:29 PM
Internal Routing eth1 to eth0 Dataforce Linux - Networking 3 04-02-2004 10:41 AM
SuSEFirewall and Internal Port Routing activematrix Linux - Security 2 10-09-2003 07:59 PM


All times are GMT -5. The time now is 08:49 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration