Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I have some trouble in my network setup, but I have very limited knowledge of networking.
I recently purchased an ADSL modem (Thomson SpeedTouch 510), which also has a built-in router, DHCP and other stuff (as I discovered later). I already had a server/firewall/router that took care of IP masquerading, but I managed to put everything together ok except for one thing: I can not access my server with the external IP from inside my LAN (no problems from outside).
This is my setup:
Internet
|
|
98.81.118.53 (ppp)
(Modem which forwards every connection to the server)
10.0.0.138 (eth0)
|
|
10.0.0.39 (eth0)
(Server provides IP Masq for LAN)
192.168.0.1 (eth1)
|
|
192.168.0.2
(Internal Masq'ed PC)
So if I try to surf from an internal PC or the server itself to 98.81.118.53 I get nothing, but access from outside works perfectly. If I try 10.0.0.39 it works fine.
I figured it had something to do with my firewall, so I checked the server logs, where every attempt brings up this:
Aug 31 21:11:48 localhost kernel: martian source 10.0.0.39 from 10.0.0.39, on dev eth0
Aug 31 21:11:48 localhost kernel: ll header: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
I know nothing about routing, but could it be something is wrong there?
Thank you!
I messed about with this for quite a while... and I'd sure like to be able to do it too. The glitch is somewhere in the thought that the LAN becomes vulnerable IF you can go through the firewall directly from your DMZ to the LAN. It's not an "error" so much as the way life is... I have asked this ? several times here and have not received a good way to go yet. Meanwhile, every time I change my site I gotta go use my wife's dial-up to "see" if it is ok? RATS!
Take heart, someone will eventually take pity on us and share this little tidbit of knowledge on HOW to do it.
My guess... Apparently this ADSL modem+router box bounces your connection to 98.81.118.53 back to your server (10.0.0.39), but it doesn't change the source IP to 98.81.118.53 as it does with other connections to the internet.
Now since your connection originates from 10.0.0.39 (because of the NAT your server does), your server sees an incoming connection on eth0 from 10.0.0.39, which is impossible because that's its own IP address.
That's what in linux lingo is called "martian source" -- an impossible source IP address which indicates some problem, so it gets logged (usually).
So I guess it's the ADSL router that is a bit sloppy when it sees an outgoing connection to its own outside address...
To be sure, you'd have to do some analysis with e.g. ethereal
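The packet path nukkel describes can be modelled without a packet capture. The following is an added example (not code from the thread or from any poster): it simulates the server's masquerading, the modem's forward-everything DNAT with and without the source rewrite nukkel proposes later, and the server's reverse-path check that produces the "martian source" log line. The routing table and the 10.0.0.111 rewrite address are assumptions; the IP addresses come from the diagram in the first post. It also shows the spoofing case the later reply mentions: a packet claiming a 192.168.0.x source arriving on eth0 is rejected by the same check.

```python
"""Simulate the hairpin path: LAN/server -> modem -> back to server eth0.

Added illustration; not the original poster's or nukkel's code.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

PUBLIC_IP = "98.81.118.53"   # modem ppp address (from the thread's diagram)
SERVER_IP = "10.0.0.39"      # server eth0 (from the diagram)
MODEM_LAN_IP = "10.0.0.138"  # modem eth0 (from the diagram)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Server routing table (prefix, outgoing interface). Constructed to match the
# diagram: 10.0.0.0/24 on eth0, 192.168.0.0/24 on eth1, default via the modem.
SERVER_ROUTES: List[Tuple[str, str]] = [
    ("10.0.0.0/24", "eth0"),
    ("192.168.0.0/24", "eth1"),
    ("0.0.0.0/0", "eth0"),
]
# Addresses the server owns and the interface each lives on.
SERVER_LOCAL_ADDRS = {SERVER_IP: "eth0", "192.168.0.1": "eth1"}


def server_masquerade(pkt: Packet) -> Packet:
    """IP masquerading on the server: LAN sources leaving eth0 become 10.0.0.39."""
    if ipaddress.ip_address(pkt.src) in ipaddress.ip_network("192.168.0.0/24"):
        return replace(pkt, src=SERVER_IP)
    return pkt


def modem_forward(pkt: Packet, snat_to: Optional[str] = None) -> Packet:
    """Modem: every connection to the public IP is DNATed to the server.

    snat_to models the optional source rewrite (e.g. to 10.0.0.111, an
    assumed value) that nukkel suggests; the real modem does not do this.
    """
    if pkt.dst == PUBLIC_IP:
        pkt = replace(pkt, dst=SERVER_IP)
        if snat_to is not None:
            pkt = replace(pkt, src=snat_to)
    return pkt


def reverse_path_iface(src: str) -> str:
    """Longest-prefix lookup of the source address, as rp_filter does."""
    addr = ipaddress.ip_address(src)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, iface in SERVER_ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    assert best is not None  # the default route always matches
    return best[1]


def server_receive(pkt: Packet, in_iface: str) -> str:
    """Return 'accept', or a string shaped like the kernel's martian log line.

    The kernel prints the destination first, then the source, which is why the
    thread's log line reads 'martian source 10.0.0.39 from 10.0.0.39'.
    """
    martian = f"martian source {pkt.dst} from {pkt.src}, on dev {in_iface}"
    # A packet sourced from one of our own addresses must only arrive on lo.
    if pkt.src in SERVER_LOCAL_ADDRS and in_iface != "lo":
        return martian
    # Reverse-path check: the route back to the source must leave via in_iface.
    if reverse_path_iface(pkt.src) != in_iface:
        return martian
    return "accept"


def hairpin(from_host: str, modem_snat: Optional[str] = None) -> str:
    """Full path for a connection from from_host to the public address."""
    pkt = Packet(src=from_host, dst=PUBLIC_IP)
    pkt = server_masquerade(pkt)               # LAN PC traffic gets src 10.0.0.39
    pkt = modem_forward(pkt, snat_to=modem_snat)
    return server_receive(pkt, "eth0")          # comes back in on eth0


if __name__ == "__main__":
    print("server itself :", hairpin(SERVER_IP))
    print("LAN PC        :", hairpin("192.168.0.2"))
    print("with modem SNAT:", hairpin(SERVER_IP, modem_snat="10.0.0.111"))
    print("spoofed LAN src on eth0:",
          server_receive(Packet(src="192.168.0.2", dst=SERVER_IP), "eth0"))
```

Both the server and a LAN PC produce the exact log line from the first post, because after masquerading the modem hands the server a packet whose source is the server's own address. Only the variant where the modem rewrites the source to another 10.0.0.x address passes the reverse-path check, which is why nukkel's suggestion hinges on whether the modem can be configured that specifically.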
Originally posted by nukkel My guess... Apparently this ADSL modem+router box bounces your connection to 98.81.118.53 back to your server (10.0.0.39), but it doesn't change the source IP to 98.81.118.53 as it does with other connections to the internet.
If I understand your explanation, shouldn't the ADSL modem change the source IP to 192.168.0.2 (internal PC) then? Isn't there a simple way to configure this in its NAT or routing?
It can't: the ADSL modem doesn't even know about the existence of 192.168.0.2, because the server NATs this to 10.0.0.39. The modem only "sees" one computer with IP 10.0.0.39...
But -- if the ADSL modem forwards every connection from 98.81.118.53 to 10.0.0.39, then what's the point in trying to connect to 98.81.118.53 from the inside LAN, when you can just connect to 10.0.0.39 instead?
If the ADSL modem can be configured, there may be a way to make it work after all... By telling it to change the source IP of anything coming from 10.0.0.39 going to 98.81.118.53, into some other address, like 10.0.0.111.
Anyway it should be possible to "see" your own server from the inside by using 10.0.0.39 as destination address. Piratebiter: have you ever tried it this way?
Originally posted by nukkel It can't: the ADSL modem doesn't even know about the existence of 192.168.0.2, because the server NATs this to 10.0.0.39. The modem only "sees" one computer with IP 10.0.0.39...
But -- if the ADSL modem forwards every connection from 98.81.118.53 to 10.0.0.39, then what's the point in trying to connect to 98.81.118.53 from the inside LAN, when you can just connect to 10.0.0.39 instead?
If the ADSL modem can be configured, there may be a way to make it work after all... By telling it to change the source IP of anything coming from 10.0.0.39 going to 98.81.118.53, into some other address, like 10.0.0.111.
Anyway it should be possible to "see" your own server from the inside by using 10.0.0.39 as destination address. Piratebiter: have you ever tried it this way?
Yes indeed, that works. I already mentioned it, but maybe I wasn't clear.
Still, if I'm on the server itself, I want to access my different virtual websites (that resolve to the same IP in DNS), so I have to use the external IP. Is that impossible too (let's leave the problem for internal PCs for later)? If the modem can NAT it back to 10.0.0.39, wouldn't it solve the problem?
I have a suggestion that may not solve the problem as such but may work to view your virtual sites anyway: if you tell your browser to use a proxy, which is somewhere on the internet, the site will in effect be retrieved by that proxy -- in other words, from the outside, just as a visitor to your sites would view it.
A google (or other) search for "public proxy list" should give plenty of proxies that can be used -- some may be quite slow though
To really solve the problem, it might be worth trying to get the ADSL box to really NAT it back to 10.0.0.39; however, I don't know if it can be configured that specifically...
Your packets should not be traveling from the inside of the firewall to the outside and come back in. If that was allowed, then spoofing attacks could allow outside traffic to pretend to be from your internal network.
The solution to your problem is not to break the firewall and make it insecure. The solution is to use "split horizon" DNS zones. You need to tell your internal hosts to use a set of DNS that reflects your internal IPs, while the external world needs to see your external IP addresses.
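Split-horizon DNS as described here can be checked in a small model before touching a resolver. The following is an added example, not code from the thread or from any poster: it implements view selection the way BIND's view blocks work (ordered match-clients ACLs, first match wins), answers the same vhost name with 10.0.0.39 for the server and the LAN and with 98.81.118.53 for everyone else, and renders the equivalent BIND view skeleton. The vhost names, the ACL ranges and the external client address 203.0.113.7 are constructed; the two server addresses come from the thread.

```python
"""Split-horizon DNS view selection, modelled on BIND views.

Added illustration; the hostnames and ACLs are constructed, not from the thread.
"""
import ipaddress
from typing import Dict, List, Tuple

PUBLIC_IP = "98.81.118.53"   # modem ppp address (from the thread)
SERVER_IP = "10.0.0.39"      # server eth0 (from the thread)

# Constructed vhost names; the thread does not name the real sites.
VHOSTS = ["www.example.invalid", "blog.example.invalid"]

# Views in evaluation order: (name, match-clients ACL, zone data).
# Internal hosts (the server itself, the modem LAN and the masqueraded LAN)
# get the server's LAN address; everyone else gets the public address.
VIEWS: List[Tuple[str, List[str], Dict[str, str]]] = [
    ("internal", ["127.0.0.0/8", "10.0.0.0/24", "192.168.0.0/24"],
     {name: SERVER_IP for name in VHOSTS}),
    ("external", ["0.0.0.0/0"],
     {name: PUBLIC_IP for name in VHOSTS}),
]


def select_view(client_ip: str) -> str:
    """First view whose ACL contains the querying client wins, as in BIND."""
    addr = ipaddress.ip_address(client_ip)
    for view_name, acl, _zone in VIEWS:
        if any(addr in ipaddress.ip_network(prefix) for prefix in acl):
            return view_name
    raise LookupError(f"no view matches client {client_ip}")


def resolve(name: str, client_ip: str) -> str:
    """Answer an A query for name from the view selected for client_ip."""
    view = select_view(client_ip)
    zone = next(z for v, _acl, z in VIEWS if v == view)
    if name not in zone:
        raise KeyError(f"NXDOMAIN in view {view}: {name}")
    return zone[name]


def render_named_conf() -> str:
    """Render a BIND-style view skeleton from VIEWS (zone file bodies omitted)."""
    out = []
    for view_name, acl, zone in VIEWS:
        out.append(f'view "{view_name}" {{')
        out.append(f"    match-clients {{ {'; '.join(acl)}; }};")
        for host, addr in zone.items():
            out.append(f"    // {host} -> {addr}")
        out.append("};")
    return "\n".join(out)


if __name__ == "__main__":
    for client in ["127.0.0.1", SERVER_IP, "192.168.0.2", "203.0.113.7"]:
        print(f"{client:>14} -> {resolve('www.example.invalid', client)}")
    print(render_named_conf())
```

With this in place the server and LAN PCs reach each virtual site by name and the web server still picks the right vhost, because vhost selection depends on the Host header, not on which of the two addresses the client connected to; nothing has to pass through the modem and no packet ever arrives on eth0 with the server's own source address.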