[SOLVED] Accessing local servers using the domain name
ZeroShell Forums, Network Management
rsansores (Member), May 25, 2010 at 3:29 am, #42409
Hi, I have tried a lot of solutions but nothing appears to work; here is the problem.
I have a Zeroshell configuration where ETH0 is connected to my ISP in DMZ mode.
The ETH1 interface is plugged into the office network switch. As simple as that.
ETH0 IP 10.x.x.x
ETH1 IP 192.168.1.x
Multi-purpose server IP 192.168.1.1 (Mail, Web, SSH, etc.)
NAT is active on ETH0 and I have created the port forwarding rules to redirect almost every port request incoming on ETH0 to 192.168.1.1.
Ex.
ETH0/ANY 80 ANY/ANY 192.168.1.1:80
The problem is:
If I'm outside my local network, for example on a cell phone with 3G, and I look up mydomain.com, it resolves to the public IP and finally accesses the service with no problem.
If I'm inside the local network, for example on 192.168.1.2, and I try to access http://mydomain.com from a web browser, the server never responds.
The port really doesn't matter; any port tried from inside the network using the domain name doesn't work. But the strange part is that if I try http://192.168.1.1 in the browser I get the same result! The browser never resolves the address.
More tests that could help you understand the problem (all inside my network):
if I try telnet 192.168.1.1 80 I get a response.
if I try telnet 192.168.1.1 21 I get a response.
If I try telnet mydomain.com 80 I do not get a response.
If I try from the web browser http://mydomain.com: no response.
If I try from the web browser http://mydomain.com/index.htm: WORKS!!! WTF
If I try from the web browser http://192.168.1.1 I do not get a response (why? something related to the HTTP protocol?)
If I try from the web browser https://192.168.1.1 I do not get a response (why?)
After some research I found that this could happen after a bad firewall configuration, so my first troubleshooting step was to disable the firewall.... no changes.
Someone says that creating a DNS for the intranet could help, something like:
“midomain.com” – 192.168.1.1, but to be honest I don't have a clue where to start configuring the DNS.
Some last thoughts that maybe are totally unrelated but I feel could help troubleshooting or could be messing up the whole thing:
My realm is MYDOMAIN.COM (is this correct? if not, how can I change it?)
pinging the domain.com from inside the net always works (gives me my public IP)
pinging any host inside the network works flawlessly
I do not have any kind of routing protocol.
I can access any internet host like google.com with no problem.
This is driving me crazy; I don't know what more to do. If someone can help it will be terrific. Thanks in advance, and sorry for my trashy English...
atheling (Member), May 25, 2010 at 5:57 am, #50333
In my case the inside network is 10.7.52.0/24 and the server is at 10.7.52.130. So if I try to access the server using the public IP it will get routed to the interface on the Zeroshell box that serves that IP address. But there are NAT rules on that, set up by the virtual server definition, that redirect the traffic to the actual server on the LAN.
Unfortunately the from address in the IP datagram has the inside address of my laptop. So the server responds directly to the laptop, giving a LAN address in the from field. However, my laptop is expecting responses from the public IP address, so it does not handle the messages well (it should drop them all, possibly with logging). The tell-tale is that when I pinged the public IP address the ping responses showed the LAN address of the server.
The solution is to NAT the traffic from your local LAN that is directed to your local server. That forces the return traffic from your server back to the Zeroshell box, where the packet addresses are re-written to make everything work correctly.
Long explanation, but short fix. I don't like playing with the main NAT chains directly, so I set up a “custom local” chain, put my one rule in that, then invoke the chain from the post-routing chain. The result is this in my “NAT and Virtual Servers” script:
#Fix issue with LAN clients accessing local servers with external IP addresses
iptables -t nat -N custom_postroute
iptables -t nat -A custom_postroute -s 10.7.52.0/24 -d 10.7.52.130 -j MASQUERADE
iptables -t nat -A POSTROUTING --match state --state NEW -j custom_postroute
rsansores (Member), May 25, 2010 at 4:09 pm, #50334
Thanks for the quick reply.
I'm still having problems. I think I understand what you suggest, but I haven't been able to execute your solution (I lack knowledge of Zeroshell and iptables).
What I understand is that I should have a POSTROUTING rule indicating that everything that goes out from an IP in 192.168.2.0 and goes to my server (192.168.2.2) should be forwarded using your custom_postroute.
I tried two approaches. First I opened the shell, connecting to Zeroshell via SSH, and searched for the iptables configuration file to add these lines. I wasn't able to find the iptables conf file, so I tried to execute the lines in the shell. That didn't produce an error but didn't work. The problem persists.
My NAT table looked like this after executing your commands in the shell:
Chain PREROUTING (policy ACCEPT 516K packets, 39M bytes)
pkts bytes target prot opt in out source destination
1886 104K DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.2.2:80
3287 197K DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 to:192.168.2.2:21
59 3180 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8100 to:192.168.2.2:8100
0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:8100 to:192.168.2.2:8100
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:600 to:192.168.2.95:600
0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:600 to:192.168.2.95:600
25 1500 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:54352 to:192.168.2.2:54352
8 412 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.2.2:443
5653 283K Proxy tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
35 2040 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3690 to:192.168.2.2:3690
Chain POSTROUTING (policy ACCEPT 445 packets, 27948 bytes)
pkts bytes target prot opt in out source destination
364K 25M SNATVS all -- * * 0.0.0.0/0 0.0.0.0/0
359K 25M MASQUERADE all -- * ETH01 0.0.0.0/0 0.0.0.0/0
5538 364K MASQUERADE all -- * ETH02 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * ETH00 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * ETH03 0.0.0.0/0 0.0.0.0/0
0 0 custom_postroute all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain SNATVS (1 references)
pkts bytes target prot opt in out source destination
I don't know how to interpret this output; I would be expecting something like this:
0 0 custom_postroute all -- * * 192.168.2.0/24 192.168.2.2/32
Anyway, I tried adding your lines as a script in the setup cron tab and the result was the same, but with duplicated lines in the NAT table.
Chain POSTROUTING (policy ACCEPT 445 packets, 27948 bytes)
pkts bytes target prot opt in out source destination
364K 25M SNATVS all -- * * 0.0.0.0/0 0.0.0.0/0
359K 25M MASQUERADE all -- * ETH01 0.0.0.0/0 0.0.0.0/0
5538 364K MASQUERADE all -- * ETH02 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * ETH00 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * ETH03 0.0.0.0/0 0.0.0.0/0
0 0 custom_postroute all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 custom_postroute all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 custom_postroute all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
What am I doing wrong? Thanks again for the help.
PS. In my first post I told you that my subnet was 192.168.1.0/24 and that was wrong; my subnet is 192.168.2.0/24.
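The listing above also shows why the MASQUERADE counters can stay at zero even though the chain is reached: every virtual-server DNAT entry in PREROUTING matches only packets arriving on ETH01, so a LAN client's packet addressed to the public IP is never rewritten to 192.168.2.2, and a POSTROUTING rule with -d 192.168.2.2 then has nothing to match. A hairpin (loopback) NAT needs both halves, a DNAT for LAN-originated traffic to the public address plus the source NAT atheling describes, and it should be idempotent so that re-running it from a startup script does not stack duplicate entries as happened here. The script below is an added example, not from the thread or from Zeroshell; the subnet 192.168.2.0/24, server 192.168.2.2, LAN interface name ETH02 and the placeholder public address 203.0.113.10 are assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent hairpin-NAT rules so LAN
# clients can reach a LAN server through the router's public address.
# Assumed values; override them from the environment before running.
LAN_NET="${LAN_NET:-192.168.2.0/24}"     # office subnet
SERVER_IP="${SERVER_IP:-192.168.2.2}"    # server behind the router
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # placeholder: your WAN address
LAN_IF="${LAN_IF:-ETH02}"                # interface the LAN is attached to
CHAIN="custom_hairpin"                   # user chain keeping our rules apart

# guarded CHAIN RULE...: print a command that appends RULE only when an
# identical rule is not already present (iptables -C exits 0 if it exists),
# so running the script twice never duplicates entries.
guarded() {
    echo "iptables -t nat -C $* 2>/dev/null || iptables -t nat -A $*"
}

# hairpin_commands PORT...: emit the shell commands for the given TCP ports.
# Emitting text instead of calling iptables directly lets you review the
# rules first and keeps the function testable on a machine without iptables.
hairpin_commands() {
    # -N fails if the chain already exists; that is fine on a re-run
    echo "iptables -t nat -N $CHAIN 2>/dev/null || true"
    for port in "$@"; do
        # Half 1 (DNAT): a LAN packet addressed to PUBLIC_IP:port is redirected
        # to the server, which the ETH01-only virtual-server rules never do.
        guarded PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$PUBLIC_IP" \
            -p tcp --dport "$port" -j DNAT --to-destination "$SERVER_IP:$port"
    done
    # Half 2 (SNAT): after the DNAT the destination is SERVER_IP; masquerade
    # LAN-sourced packets to it so the server answers via the router instead
    # of replying straight to the client from an address it does not expect.
    guarded "$CHAIN" -s "$LAN_NET" -d "$SERVER_IP" -j MASQUERADE
    guarded POSTROUTING -j "$CHAIN"
}

# apply_hairpin PORT...: run the commands (needs root and iptables)
apply_hairpin() {
    hairpin_commands "$@" | sh -e
}

# When run as a script, print the commands for the ports given on the
# command line, e.g.: sh hairpin.sh 80 443 | sudo sh -e
if [ $# -gt 0 ]; then
    hairpin_commands "$@"
fi
```

Review the printed commands first; on the router you can either pipe them into a root shell or paste them into the “NAT and Virtual Servers” script atheling mentions, and because every append is guarded by `iptables -C`, a reboot script that runs them again leaves the table unchanged.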
atheling (Member), May 25, 2010 at 6:08 pm, #50335
I would expect that a listing of the NAT chains using
iptables -t nat -vn -L
would include something like the following (my subnet, not yours):
Chain custom_postroute (1 references)
pkts bytes target prot opt in out source destination
1544 119K MASQUERADE all -- * * 10.7.52.0/24 10.7.52.130
I set that up using the following in the Zeroshell UI:
In your case, I don’t see the contents of the “custom_postroute” table so I can’t see if you have the “MASQUERADE” rule in there. The key is that you have to NAT (masquerade) the traffic from your LAN to your server or the return IP packets will not be routed properly.
rsansores (Member), May 25, 2010 at 7:59 pm, #50336
Thanks again atheling, in fact I have those lines:
After executing iptables -t nat -vn -L :
Chain PREROUTING (policy ACCEPT 531K packets, 40M bytes)
pkts bytes target prot opt in out source destination
1910 105K DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.2.2:80
3287 197K DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 to:192.168.2.2:21
59 3180 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8100 to:192.168.2.2:8100
0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:8100 to:192.168.2.2:8100
0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:600 to:192.168.2.95:600
0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:600 to:192.168.2.95:600
28 1680 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:54352 to:192.168.2.2:54352
8 412 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.2.2:443
11030 554K Proxy tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
49 2712 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3690 to:192.168.2.2:3690
Chain POSTROUTING (policy ACCEPT 463 packets, 29185 bytes)
pkts bytes target prot opt in out source destination
377K 26M SNATVS all -- * * 0.0.0.0/0 0.0.0.0/0
371K 26M MASQUERADE all -- * ETH01 0.0.0.0/0 0.0.0.0/0
5585 367K MASQUERADE all -- * ETH02 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * ETH00 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * ETH03 0.0.0.0/0 0.0.0.0/0
21 1430 custom_postroute all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
18 1237 custom_postroute all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
18 1237 custom_postroute all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain OUTPUT (policy ACCEPT 172K packets, 14M bytes)
pkts bytes target prot opt in out source destination
Chain Proxy (1 references)
pkts bytes target prot opt in out source destination
Chain SNATVS (1 references)
pkts bytes target prot opt in out source destination
Chain custom_postroute (3 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 192.168.2.0/24 192.168.2.2
0 0 MASQUERADE all -- * * 192.168.2.0/24 192.168.2.2
0 0 MASQUERADE all -- * * 192.168.2.0/24 192.168.2.2
0 0 MASQUERADE all -- * * 192.168.2.0/24 192.168.2.2
The duplication is maybe because I executed the three commands you gave me more than once. (I will do some research about iptables to discover how to erase the extra lines, but if I'm not wrong that should not interfere, because the lines are executed from top to bottom)...
Anyway, this is still not working; I'm facing the same behavior as in the first post. Am I missing something? If you need any log to get a better landscape of my configuration just ask; I really appreciate the time you are spending helping me.
After reading and reading and reading more and more tutorials I found a guy that creates a postroute rule using the public IP instead of the local subnet, but I think that does not apply to me because I have a dynamic public IP.
atheling (Member), May 25, 2010 at 9:15 pm, #50337
Looking through the traffic counts on your various rules, it appears that the custom_postroute chain is being executed but that the rules in it are not being matched.
So I guess I should verify that I really understand your topology. Am I correct in thinking that your LAN with the servers is attached to ETH2, that your Internet connection is on ETH1, and that nothing is attached to ETH0 or ETH3? This is different from your first post but is my guess based on the traffic counts for rule hits.
So is it like this?
Internet (Dynamic IP) -> DSL Modem (10.n.n.n) -> (10.m.m.m ETH1) Zeroshell (192.168.2.n) -> LAN
With your servers being on 192.168.2.2 and 192.168.2.95.
I assume you are doing some sort of dynamic DNS to allow external access to your servers. If you do an nslookup for your domain, does it return a routable public address, or are you getting one of the private subnet address ranges (either 10.0.0.0/8 or 192.168.0.0/16)?
If you are getting the dynamic public IP, is your modem setup to NAT that back into the Zeroshell box?
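atheling's diagnosis above rests on comparing the hit counters of the jumps into custom_postroute (21, 18 and 18 packets) with the counters of the rules inside it (all zero). That comparison can be scripted so the same check works on any `iptables -t nat -vnL` listing. The following is an added example, not part of the thread or of Zeroshell: it expands the K/M/G suffixes iptables puts on large counters and reports every user-defined chain that is entered but whose rules never match (or that is empty). The embedded listing is a constructed sample trimmed from the POSTROUTING and custom_postroute sections rsansores posted.

```shell
#!/bin/sh
# Added example (not from the thread): spot user-defined NAT chains that
# are entered but whose rules never match, from "iptables -t nat -vnL".

# nat_chain_hits: reads a -vnL listing on stdin and prints one line per
# user-defined chain that has been jumped to at least once.
nat_chain_hits() {
    awk '
    # k2n: expand the K/M/G suffixes iptables uses on large counters
    function k2n(s) {
        if (s ~ /K$/) return substr(s, 1, length(s) - 1) * 1000
        if (s ~ /M$/) return substr(s, 1, length(s) - 1) * 1000000
        if (s ~ /G$/) return substr(s, 1, length(s) - 1) * 1000000000
        return s + 0
    }
    /^Chain / {
        chain = $2
        # built-in chains show "(policy ...)", user chains "(N references)"
        if ($3 != "(policy") user[chain] = 1
        next
    }
    /^ *pkts +bytes/ { next }   # column header line
    NF < 3 { next }             # blank separator lines
    {
        pkts = k2n($1); target = $3
        rules[chain]++              # one more rule inside this chain
        matched[chain] += pkts      # packets that matched a rule here
        jumps[target] += pkts       # if target is a chain, it was entered
    }
    END {
        for (c in user) {
            if (jumps[c] == 0) continue
            if (rules[c] == 0)
                printf "%s: entered %d times, chain is empty\n", c, jumps[c]
            else if (matched[c] == 0)
                printf "%s: entered %d times, no rule matched\n", c, jumps[c]
            else
                printf "%s: entered %d times, rules matched %d\n", c, jumps[c], matched[c]
        }
    }'
}

# Constructed sample, trimmed from the POSTROUTING listing in this thread.
SAMPLE_LISTING='Chain POSTROUTING (policy ACCEPT 463 packets, 29185 bytes)
 pkts bytes target     prot opt in     out     source               destination
 377K   26M SNATVS     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 371K   26M MASQUERADE all  --  *      ETH01   0.0.0.0/0            0.0.0.0/0
   21  1430 custom_postroute  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
   18  1237 custom_postroute  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW

Chain SNATVS (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain custom_postroute (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       192.168.2.0/24       192.168.2.2
    0     0 MASQUERADE  all  --  *      *       192.168.2.0/24       192.168.2.2'

# sample_report: run the check over the embedded sample
sample_report() {
    printf '%s\n' "$SAMPLE_LISTING" | nat_chain_hits
}

# Live use on the router: iptables -t nat -vnL | nat_chain_hits
sample_report
```

On the sample this prints that custom_postroute was entered 39 times with no rule matched, which is exactly the symptom discussed here: the jump works, but the packets reaching the chain do not carry the destination 192.168.2.2 that its MASQUERADE rule requires.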
rsansores (Member), May 25, 2010 at 10:46 pm, #50338
Indeed, your guess is almost correct in all aspects.
Here comes a detailed explanation of my topology.
I have a cable modem ISP connection attached to ETH1. This modem is subnetted by the ISP; for example, if I do a traceroute to http://www.google.com the response is this.
traceroute to www.google.com (72.14.253.104), 30 hops max, 60 byte packets
1 192.168.2.254 (192.168.2.254) 0.249 ms 0.226 ms 0.167 ms
2 10.62.0.1 (10.62.0.1) 9.198 ms 9.206 ms 9.194 ms
3 10.0.56.61 (10.0.56.61) 9.493 ms 9.502 ms 9.495 ms
4 customer-GDL-192-247.megared.net.mx (200.52.x.x) 72.901 ms 72.903 ms 72.878 ms
Where 200.52.x.x is my public IP and 10.62.0.1 is the IP of the ETH1 interface in Zeroshell, provided by the cable modem's DHCP. 10.0.56.61 is a subnet not made by me; this is produced by my ISP, but that should not interfere, because I have a special contract for companies where they assure me that my cable modem is in some kind of DMZ. In other words, pinging 200.52.x.x is related to my business and no other one. In fact, before implementing Zeroshell I was able to access my intranet services from outside and inside the LAN with no problem, having every computer in the 10.62.0.x subnet directly attached to the cable modem using a switch.
ETH2 is the software and hardware department subnet (192.168.2.x), and ETH3 will be the accounting and administration department subnet (192.168.3.x, not yet implemented; the cable is unplugged, just as you commented).
ETH0 is unplugged, but at some point I will be plugging it into my second ISP provider (this was the main reason for implementing Zeroshell).
I only have one server at 192.168.2.1, but I don't need external access to this because this host only has local services like SourceSafe, WINS, and some accounting services. (That's why this does not appear in the tables.)
I have another server at 192.168.2.2 (the one that is breaking my brain); this hosts my web page, a web app on port 8100, Subversion over HTTPS, FTP, etc.
And lastly, 192.168.2.95 is not a server; it's just the computer of one developer that needs port 600 to test a GPRS app.
My domain myCompanyDomain.com is hosted at DynDNS and I'm completely sure that this is working. If I ping myCompanyDomain.com it is always translated to the correct public IP 200.52.x.x.
Related to your last question, I'm afraid I don't really know the way my cable modem is configured, but like I said I can assure you that this is working like a DMZ, because if I unplug the Zeroshell, plug in my computer and run a simple program that starts listening on a TCP port, and then try connecting to that socket using another ISP connection, it works flawlessly.
I hope this clarifies the topology a little, and sorry, you are completely right, my first post was not exactly clear.
rsansores (Member), May 25, 2010 at 10:48 pm, #50339
I almost forgot, the ETH2 interface in Zeroshell is 192.168.2.254.
ppalias (Member), May 26, 2010 at 8:29 am, #50340
Hi,
first of all it is a big mess to use internet naming inside your LAN, but this is something that atheling has already responded to you about. Judging by the facts that you mentioned in the first post, I am thinking it looks like a proxy issue.
Quoting rsansores:
if I try telnet 192.168.1.1 80 I get a response.
If I try telnet mydomain.com 80 I do not get a response.
If I try from the web browser http://mydomain.com: no response.
If I try from the web browser http://mydomain.com/index.htm: WORKS!!! WTF
If I try from the web browser http://192.168.1.1 I do not get a response (why? something related to the HTTP protocol?)
If I try from the web browser https://192.168.1.1 I do not get a response (why?)
Telnet on 192.168.1.1 port 80 works and the browser on the same address fails; it seems that the browser is using a proxy to access the page.
Also, if http://mydomain.com doesn't work, though it should, and http://mydomain.com/index.htm works, that also points to some proxy cache that still serves the index.htm but not the top page. Since your test client and the server are both in the same subnet (192.168.1.X), a malfunction in the internal traffic is not a Zeroshell issue.
rsansores (Member), May 26, 2010 at 4:08 pm, #50341
Hi ppalias, your thoughts really helped me a lot because they forced me to do some testing, and even if I haven't resolved the problem, now I really know what the problem is.
So here comes a brief description of the test:
I tried doing a telnet to port 80 using the IP once again and I got the following response:
301 Moved Permanently
Moved Permanently
The document has moved here.
Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 PHP/5.2.6-1+lenny3 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g Server at Sistemas.lan Port 80
The first time I ran the telnet I didn't read the response; I just said, “Oh, it responded!” I feel really ashamed.
Now I know that my Apache server is always redirecting the requests to mydomain.com, and inside my network Zeroshell doesn't know how to manage that.
I wanted to be completely sure, so I opened a new browser and typed ftp://192.168.2.2 and accessed my anonymous FTP with no problem. Obviously ftp://mydomain.com didn't work.
So the problem (and this time I'm sure) is that Zeroshell doesn't know how to take the request out to the internet and return it to 192.168.2.2. So I think atheling's approach was completely correct, but there's still something missing in my configuration.
Is there a way of troubleshooting atheling's approach, or could someone help me set up the Zeroshell DNS to redirect all mydomain.com requests directly to 192.168.2.2? I really prefer atheling's approach, because if at some point I need to add a second server I don't know if there's a way to add DNS resolving rules to forward the correct IP to the client depending on ports or application.
Thanks again!!
ppalias (Member), May 26, 2010 at 9:37 pm, #50342
It would be best to set up a master zone for your domain. Use ZS as the DNS server for your LAN clients so that the name can be resolved to the internal IP. I think I have written a tutorial with some pictures in this forum; do a search and I think you'll find it.
rsansores (Member), May 26, 2010 at 11:31 pm, #50343
Thanks ppalias and atheling, finally I was able to solve the problem. The solution was, like ppalias said, to add a DNS server just for my LAN and redirect to my server the requests that match my domain name.
Post that helped me:
http://www.zeroshell.net/eng/forum/viewtopic.php?t=1567&highlight=dns
I will be trying the loopback POSTROUTING rule that atheling recommended, and if at some point I'm able to make it work I will post the solution.
Thanks again,
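The fix that closed the thread is a split-horizon setup: the Zeroshell resolver answers the LAN's queries for the domain with the LAN address, while public DNS keeps returning the public address, which is also the nslookup check atheling suggested earlier. As an added example, not from the thread or from Zeroshell, the functions below classify a resolved address as private (RFC 1918) or public and compare an answer against the expected internal address, so the setup can be verified from a LAN client; `check_split_dns` assumes `dig` is installed, and 192.168.2.2 as the expected LAN answer is an assumption taken from this thread.

```shell
#!/bin/sh
# Added example (not from the thread): verify split-horizon DNS from a LAN
# client. Assumed: dig is available; the expected LAN address is a placeholder.
EXPECTED_LAN_IP="${EXPECTED_LAN_IP:-192.168.2.2}"

# is_rfc1918 IP: exit 0 when IP lies in 10/8, 172.16/12 or 192.168/16
is_rfc1918() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.*)
            # second octet must be 16..31 for 172.16.0.0/12
            second=${1#172.}; second=${second%%.*}
            case "$second" in
                1[6-9]|2[0-9]|3[01]) return 0 ;;
            esac ;;
    esac
    return 1
}

# classify_answer ANSWER EXPECTED_LAN_IP: describe what a resolver returned
classify_answer() {
    answer=$1; expected=$2
    if [ -z "$answer" ]; then
        echo "no answer"
    elif [ "$answer" = "$expected" ]; then
        echo "internal: resolves to the LAN server"
    elif is_rfc1918 "$answer"; then
        # a private address that is not the server points at a wrong zone record
        echo "private but unexpected: $answer"
    else
        echo "public: $answer"
    fi
}

# check_split_dns NAME INTERNAL_RESOLVER EXTERNAL_RESOLVER: query both
# resolvers with dig +short and report; exits 0 only when the internal
# answer is the LAN server and the external answer is a public address.
check_split_dns() {
    name=$1; internal=$2; external=$3
    in_ans=$(dig +short @"$internal" "$name" A | head -n 1)
    ex_ans=$(dig +short @"$external" "$name" A | head -n 1)
    echo "via $internal: $(classify_answer "$in_ans" "$EXPECTED_LAN_IP")"
    echo "via $external: $(classify_answer "$ex_ans" "$EXPECTED_LAN_IP")"
    [ "$in_ans" = "$EXPECTED_LAN_IP" ] && [ -n "$ex_ans" ] && ! is_rfc1918 "$ex_ans"
}

# Usage on a LAN client, with the Zeroshell LAN address as internal resolver:
#   check_split_dns mydomain.com 192.168.2.254 <public resolver IP>
```

A passing check confirms both halves at once: LAN clients get the internal record (so the Apache redirect to the domain name stays inside the LAN), and the public zone still hands out the dynamic public address to everyone else.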