Hello,

I have a server that looks something like this

|
|
eth0
|
|
eth1
|
Hub
|\
| \
| 192.168.0.3 (webServer W2K)
|
192.168.0.20 (ftp server/personal W2k)

at this point everything is running fine and people can get in and I can get out... it is routing and being a firewall the way it is suppose to be doing......

I am using RH 7.2 with IP tables and NAT.

However, From the personal computer were the FTP server is I can not contact the Webserver and I wondered why. I can log onto it using terminal service and the two communicate just fine, but when I try to type into the web browser my website (personal.buriedarchives.homeip.net) I get that it can't find the destination from the msn search engine?????? I wondered if there was a way to fix this so that when the packet came back to the server it would simply route it back to the webserver???


I have tried adding that host name to the Hosts file in my W2K computer, but without success...

Help...

Saris

How does your routing table look like?
You can see your routing table when you type (as root): 'route'.
Plus: where's the RH machine? The drawing looks incomplete.

Mara - I think the RH box is between eth0 and eth1.

I don't see how this is a linux problem though as you are having problems on your internal network.

Things I would check:
1) Is the webserver running (can you serve a page from the server istelf)
2) When you added it to the hosts file - which one did you add it to?
3) Do you have any firewalling on the webserver?

My Webserver is hosting, People can connect to it from the outside as I have the RH box routing packets using NAT and IP Tables.
The hosts file I added the name to is called just that in W2K Hosts no extention and I do not have any firewall on my webserver as I was not concerned about it due to RH doing it's job ...

I can get to the webserver and the hosted websites if I go to it a round about way, by entering the name of the site using the computers name and not the DNS name.... the problem only occurs when I attempt to enter the website after leaving the RH box to find the DNS (personal.buriedarchives.homeip.net) buriedarchives.homeip.net being the base and personal being a hosted web site on my server...

that is why I think that it is a RH problem, like it would be dropping the packets becuase they are unrelated or something....... I could post my firewall script if you wish..

Ah - I see where you are goin with this (I think)

You have:By using the computer name you are going to the server directly using the 192.168.0.3 - this works - If you use the Public IP address then it doesn't work from the inside. Look at your iptables rules - there is probably a line that forwards packets from eth0 on port 80 to the webserver. Just create a new one for eth1 as well.

Ok that is exactly what I have..... and I do have a line that forwards packets from eth0 on port 80 to the server.... however if I do that for eth1 then it forwards everything, even packets that are ment to exit the PH box and go to my ISP's server and off to the net, which is no good because then going to the DNS to find out that buriedarchives.homeip.net is mine wouldn't even work??? doesn't that make sense? or am I totally off in left field as it were.???

Are you running a DNS server on your Linux box?

The easiest way would be to add an entry to the hosts file on your pc:
192.168.0.3 buriedarchives.homeip.net

Ok, I have tried that and it doesn't work. I think that I mentioned that before, don't know why it doesn't work but I tried once again without sucess. This packet simply exits the RH box and gets lost and it comes up with the msn search page...

I am not running a DNS, I have no reason to nore do I have the want.

What are you typing into the browser?
http://personal.buriedarchives.homeip.net/
or
http://buriedarchives.homeip.net/
If it is the latter first then you will need to add personal.buriedarchives.homeip.net to your hosts file instead of buriedarchives.homeip.net - that was my fault.

If not:
What happens when you vist http://192.168.0.3/
What are the routing tables like on the pc and the server?

Alright... I have tried both, and it will not work..... the Webserver is a W2K server box and there is a web site called personal which is linked to the Buriedarchives.homeip.net DNS which is provided by homeip.net linked with dnstogo.com.... which allows wildcards in there names allowing me to put as many pages on the same box as I want, and still use the buriedarchives.homeip.net name... though I have a few with them as I am host a bunch of sites.

However there is no default site on the server so putting in the IP itself does nothing but the common 404 error that is to be expected.

on the pc I do not have any routing tables, simply the hosts file which has the default127.0.0.1 in at this point.

on the server the firewall looks like this as such.

# Generated by iptables-save v1.2.3 on Fri Jan 25 20:52:17 2002
*filter
:INPUT DROP [275:13945]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [166:9831]
:POSTROUTING - [0:0]

-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT

#allow all telnet/etc. access to server from local network
-A INPUT -i eth0 -s 192.168.0.0/255.255.255.0 -j ACCEPT

#allows all loopback (required)
-A INPUT -i lo -s 127.0.0.0/255.0.0.0 -j ACCEPT

#allows only the ICMP reply packets in from the outside (some DOS attacks repelled)
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 0 -j ACCEPT

#explicitly drops any new packets from outside
-A INPUT -i eth1 -m state --state NEW -j DROP

#allows any already established connections from the outside, so if you telnet/ftp out from the server, it will still work
-A INPUT -i eth1 -p ! icmp -m state --state RELATED,ESTABLISHED -j ACCEPT

#puts a log into /var/messages if anyone sends a port scan/etc.
-A INPUT -p tcp -j LOG -m limit --limit 20/minute --limit-burst 20 --log-prefix "PORT SCAN:"

#DHCP access for clients on local network
-A INPUT -i eth0 -s 0.0.0.0/255.255.255.255 -j ACCEPT

#required for forwarding, this accepts any packets on their way out
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 -j ACCEPT

COMMIT

*nat
:PREROUTING ACCEPT [345:55824]
:POSTROUTING ACCEPT [1:243]
:OUTPUT ACCEPT [1:243]

#This allows people to connect to the Ftp server.
-A PREROUTING -p tcp -m tcp --dport 21 -i eth1 -j DNAT --to 192.168.0.5:21

#Webserver Routing
-A PREROUTING -d 24.156.144.66 -p tcp -m tcp --dport 80 -i eth1 -j DNAT --to 192.168.0.3:81

#SourceOffSite None Encrypted
-A PREROUTING -d 24.156.144.66 -p tcp -m tcp --dport 81 -i eth1 -j DNAT --to 192.168.0.3:8891

#Unreal Tournament 2003
-A PREROUTING -p tcp -m tcp --dport 7777:7787 -i eth1 -j DNAT --to 192.168.0.5:7777

#Messenger to work
-A PREROUTING -p tcp -m tcp --dport 6891 -i eth1 -j DNAT --to 192.168.0.2:6891

#this does all the NAT work
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE

COMMIT

# Completed on Fri Jan 25 20:52:17 2002
# Updated on Tues Oct 8 00:16 2002

I hope that helps.

When I said put it in the hosts file you do realise I was talking about the windows PC hosts file don't you?


Also why are you forwarding to port 81?
-A PREROUTING -d 24.156.144.66 -p tcp -m tcp --dport 80 -i eth1 -j DNAT --to 192.168.0.3:81

yes I did put it in the PC W2K host file... don't worry ....

I am forwarding to port 81 for the fun of it..... .. don't know... was one of those brain wave ideas that I thought one day if someone gets into the router they will have trouble finding the webserver.... then I realized that it is stupid.. and I was already setup so I just left it.....

Which makes sense why it wouldn't work.....

OK..... I have just switched all the websites over to port 80... and things are working.. but I am still having the same trouble of not being able to connect locally using the dns name......

I now get the message
Cannot find server or DNS Error

instead of the msn serach site. which is an improvement..