LinuxQuestions.org
Old 11-18-2014, 04:08 PM   #1
sdblanchet
LQ Newbie
 
Registered: Nov 2014
Location: Montreal, Qc, CA
Distribution: CentOs 6, 7
Posts: 8
Local users cannot access my web server using public address


Hi everyone

I have a private network setup at home with a web server, ftp server and more. Some of it is accessible from the internet (like my web server), others not. Since my service provider is Videotron, I cannot use the regular http port 80 to listen for web requests (it is blocked by the provider). I also have a somewhat dynamic ip address (it changes about every 3 months) and because of the changing IP, I have set up a redirection to port 8080 using DynDNS services and it works great.

Recently, in order to add more services to my network and make maintenance easier, I needed to change the architecture of the network.

Since this change, my many users (haha, my family) cannot access the web server when they use the public web server address. It is annoying because I want to install my owncloud and I don't want to configure 2 different accesses for local or external access.

Click on this image to see the new architecture http://www.sdbl.webhop.net/dpr/Network.png

So I'm providing here as much information as possible, hoping someone with strong networking knowledge could help me.

Basically the users get a "Connection refused".

I have tried many different routing approaches but cannot find what's wrong.

My setup is a CentOS 6.6 KVM host with 2 NICs (local network access, external internet access) and 3 CentOS 6.6 VMs (web, ...). I can ping anyone in and out without problem. The VMs have internet access to allow updates and the users have access to the internet through the gateway (host local network). The VMs are set up through a bridge interface.

From the browsers: I get "Unable to display the page... Connection failed"
From wget: I get all information of the process and then after the redirection I get "Connection refused"

You can see the result of the wget at the end of this message.

ifconfig
========
br0 Link encap:Ethernet HWaddr 60:A4:4C:CA:E1:8D
inet addr:192.168.1.234 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::62a4:4cff:feca:e18d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1341997 errors:0 dropped:0 overruns:0 frame:0
TX packets:1669145 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:135651602 (129.3 MiB) TX bytes:1427436797 (1.3 GiB)

br2 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:66.131.xxx.xx Bcast:255.255.255.255 Mask:255.255.255.0
inet6 addr: fe80::6666:b3ff:fe02:d0b4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1208417 errors:0 dropped:0 overruns:0 frame:0
TX packets:855362 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1120224160 (1.0 GiB) TX bytes:91030976 (86.8 MiB)

eth0 Link encap:Ethernet HWaddr 60:A4:4C:CA:E1:8D
inet6 addr: fe80::62a4:4cff:feca:e18d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1590264 errors:0 dropped:0 overruns:0 frame:0
TX packets:1918406 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:262397156 (250.2 MiB) TX bytes:1490283381 (1.3 GiB)

eth2 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet6 addr: fe80::6666:b3ff:fe02:d0b4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1717392 errors:0 dropped:0 overruns:0 frame:0
TX packets:1253623 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1442747616 (1.3 GiB) TX bytes:137622023 (131.2 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:189654 errors:0 dropped:0 overruns:0 frame:0
TX packets:189654 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2102410335 (1.9 GiB) TX bytes:2102410335 (1.9 GiB)

virbr0 Link encap:Ethernet HWaddr 52:54:00:12:F2:FD
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

vnet0 Link encap:Ethernet HWaddr FE:54:00:2D:45:99
inet6 addr: fe80::fc54:ff:fe2d:4599/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:279078 errors:0 dropped:0 overruns:0 frame:0
TX packets:367913 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:80516995 (76.7 MiB) TX bytes:141808886 (135.2 MiB)

vnet1 Link encap:Ethernet HWaddr FE:54:00:7E:9F:5B
inet6 addr: fe80::fc54:ff:fe7e:9f5b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:40260 errors:0 dropped:0 overruns:0 frame:0
TX packets:125396 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:9561809 (9.1 MiB) TX bytes:32631744 (31.1 MiB)

vnet2 Link encap:Ethernet HWaddr FE:54:00:02:F0:9F
inet6 addr: fe80::fc54:ff:fe02:f09f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:25401 errors:0 dropped:0 overruns:0 frame:0
TX packets:106547 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:3671903 (3.5 MiB) TX bytes:25300655 (24.1 MiB)

route -N
========
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
66.131.xxx.0 0.0.0.0 255.255.255.0 U 0 0 0 br2
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
0.0.0.0 66.131.xxx.1 0.0.0.0 UG 0 0 0 br2

iptables -L -v -n
=================
Chain INPUT (policy ACCEPT 12 packets, 1120 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
47 3946 ACCEPT all -- * * 192.168.1.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- br2 * 0.0.0.0/0 0.0.0.0/0 multiport dports 135:139
0 0 DROP udp -- br2 * 0.0.0.0/0 0.0.0.0/0 multiport dports 135:139
0 0 DROP all -- br2 * 192.168.1.0/24 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4 204 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 1/sec burst 5
2 80 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5
0 0 ACCEPT all -- * * 0.0.0.0/0 192.168.122.0/24
0 0 ACCEPT all -- * * 192.168.122.0/24 0.0.0.0/0
156 13374 ACCEPT all -- * * 0.0.0.0/0 192.168.1.0/24
180 29512 ACCEPT all -- * * 192.168.1.0/24 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * virbr0 0.0.0.0/0 0.0.0.0/0
36 6047 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

iptables -L -v -n -t nat
========================
Chain PREROUTING (policy ACCEPT 45 packets, 4187 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- br2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.1.247:80
0 0 DNAT tcp -- br2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:192.168.1.247:80
0 0 DNAT tcp -- br2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.1.247:443
0 0 DNAT tcp -- br2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443 to:192.168.1.247:443

Chain POSTROUTING (policy ACCEPT 8 packets, 999 bytes)
pkts bytes target prot opt in out source destination
9 1456 MASQUERADE all -- * * 192.168.1.0/24 !192.168.1.0/24

Chain OUTPUT (policy ACCEPT 3 packets, 224 bytes)
pkts bytes target prot opt in out source destination

iptables -L -v -n -t mangle
===========================
Chain PREROUTING (policy ACCEPT 460 packets, 39201 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 81 packets, 6412 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 471 packets, 53866 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 56 packets, 6883 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 527 packets, 60749 bytes)
pkts bytes target prot opt in out source destination

brctl show
==========
bridge name bridge id STP enabled interfaces
br0 8000.60a44ccae18d no eth0
vnet0
vnet1
vnet2
br2 8000.6466b302d0b4 no eth2
virbr0 8000.52540012f2fd yes virbr0-nic

wget
====
wget http://www.sdbl.webhop.net/index.php
--2014-11-17 12:11:27-- http://www.sdbl.webhop.net/index.php
Resolving www.sdbl.webhop.net... 216.146.38.125
Connecting to www.sdbl.webhop.net|216.146.38.125|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://www.sdbl.homelinux.net:8080/index.php [following]
--2014-11-17 12:11:27-- http://www.sdbl.homelinux.net:8080/index.php
Resolving www.sdbl.homelinux.net... 66.131.xxx.xx
Connecting to www.sdbl.homelinux.net|66.131.xxx.xx|:8080... failed: Connection refused.


Hoping someone will be kind enough to read all this and maybe figure out what's wrong

thanks (for reading anyway)

Sylvain
 
Old 11-21-2014, 08:42 PM   #2
sdblanchet
LQ Newbie
 
Registered: Nov 2014
Location: Montreal, Qc, CA
Distribution: CentOs 6, 7
Posts: 8

Original Poster
Hi everyone, thanks for reading

I found a solution... First some explanation so people would understand (well, as much as I can ;-)). The problem is a kind of spoofing detection by the firewall: detecting an internal user trying to come back using the external address. Because of the architecture I used, users had to go out through the firewall, loop at the ISP and come back through the firewall as if nothing were wrong. But the source address indicates an internal address, so the firewall doesn't like it.

I found some explanation here: http://www.alliedtelesis.com/media/f...evB.pdf

What they say is that there are 3 possible solutions. 2 require extra public IPs and NICs; the last one was the one I chose because it was way simpler and did not require any hardware or extra IP. Your mileage may vary depending on your architecture and security requirements.

It is called split DNS, which is a way to have your DNS supply different information to internal and external callers. In short, the local user requesting the IP of the public address receives the actual local IP of the server. Doing so, their request never goes out of the internal network. That way the router only requires internal forwarding of the packets, which I already had.

In my case, since my DNS is more or less a placebo, I reconfigured it to respond as explained before, leaving the external part to my ISP.

I was using the "localnet" domain. named.conf now needs to match the domain you use; in my case it is webhop.net, so all host static addresses are now attached to this new domain. All data in the zone files also must point to this new domain (for me). So now I have entries like these.

Here are some configs
=====================

Two other files must also match the new information: dhcpd.conf and hosts (in all the VMs or hosts).

named.1.168.192 file
====================
...
247 PTR www.sdbl.webhop.net.
234 PTR vm-hosting.webhop.net.
...

named.webhop.net file
=====================
...
vm-hosting IN A 192.168.1.234
www.sdbl IN A 192.168.1.247
...

named.conf
==========
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

acl lnet {
    192.168.1.0/24;
    127.0.0.0/8;
};

options {
    listen-on port 53 { 192.168.1.234; 127.0.0.1; };
    listen-on-v6 port 53 { none; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

view "internal" {
    match-clients { lnet; };
    recursion yes;

    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "webhop.net" IN {
        type master;
        file "named.webhop.net";
    };

    zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "named.1.168.192";
    };

    include "/etc/named.rfc1912.zones";
};

view "internet" {
    match-clients { any; };
    recursion no;
};

include "/etc/named.root.key";

Last edited by sdblanchet; 11-21-2014 at 08:47 PM.
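As an added example (not part of the original post and not BIND's own code), a small Python model of the two-view split DNS described above: it reproduces the lnet ACL and the zone records from the thread, applies first-match-wins view selection the way the posted named.conf orders its views, and checks that the internal zone data is self-consistent and only hands out private addresses, so an internal lookup never loops back out through the firewall. The view-selection logic is a simplified model (an assumption), not BIND itself.

```python
"""Model of the two-view split DNS from the post: which view a client lands in,
what it is told for www.sdbl.webhop.net, and whether forward and reverse zone
data agree. Added example; view logic is a simplified model of BIND's
first-match-wins selection (assumption), not BIND."""
import ipaddress

# ACL "lnet" and zone records, copied from the thread's named.conf and zone files.
LNET = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("127.0.0.0/8")]
FORWARD = {"vm-hosting.webhop.net.": "192.168.1.234",
           "www.sdbl.webhop.net.": "192.168.1.247"}
REVERSE = {"234.1.168.192.in-addr.arpa.": "vm-hosting.webhop.net.",
           "247.1.168.192.in-addr.arpa.": "www.sdbl.webhop.net."}
# Views in named.conf order; the first view whose match-clients covers the client wins.
# The "internet" view serves no zone data, as in the post (the public name is left to the ISP).
VIEWS = [("internal", LNET, FORWARD),
         ("internet", [ipaddress.ip_network("0.0.0.0/0")], {})]

def select_view(client_ip):
    ip = ipaddress.ip_address(client_ip)
    for name, acl, zone in VIEWS:
        if any(ip in net for net in acl):
            return name, zone
    raise ValueError("no view matched")  # unreachable with a trailing 'any' view

def answer(client_ip, qname):
    """Return (view, rdata); rdata is None when that view holds no data for qname."""
    view, zone = select_view(client_ip)
    return view, zone.get(qname if qname.endswith(".") else qname + ".")

def reverse_name(addr):
    return ipaddress.ip_address(addr).reverse_pointer + "."

def consistency_errors():
    """Flag A records without a matching PTR, PTRs without a matching A record,
    and internal answers that are not private (those would leak the query out)."""
    errors = []
    for name, addr in FORWARD.items():
        if not ipaddress.ip_address(addr).is_private:
            errors.append(f"{name} -> {addr} is not a private address")
        if REVERSE.get(reverse_name(addr)) != name:
            errors.append(f"no matching PTR for {name} ({addr})")
    for ptr, name in REVERSE.items():
        if name not in FORWARD or reverse_name(FORWARD[name]) != ptr:
            errors.append(f"PTR {ptr} -> {name} has no matching A record")
    return errors

if __name__ == "__main__":
    print(answer("192.168.1.50", "www.sdbl.webhop.net"))  # internal view, private address
    print(answer("203.0.113.9", "www.sdbl.webhop.net"))   # internet view, nothing served
    print(consistency_errors() or "zone data consistent")
```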