Suse 10 DNS, firewall, or masquerading problem?

Post by Ger » Sat, 10 Dec 2005 01:20:54



Hello
I have a small home LAN as follows:

|
Firewall (Smoothwall - ext ISDN; int eth0)
|
Crossover cable
|
Proxy server (Suse 10 with Squid - ext eth0; int eth1)
|
Switch
|
Clients (Windows XP)
|

On the firewall my external interface is dynamic (ISDN)
Internal is 192.168.0.1
Gateway is 192.168.0.1

On Squid external is DHCP from Smoothwall (eg. 192.168.0.100)
Internal is 192.168.40.1
Gateway is 192.168.0.1

The clients are set by DHCP from Squid

I am not a Linux expert by any means, but I have successfully set up the
Windows XP clients to go through Squid and Dansguardian on the proxy.
However, as Squid is only a HTTP proxy I can't get access to my ISP's POP
and news servers, at least from the clients.  I can from Squid. I
understand that to do this I need to enable NAT and packet forwarding on
Squid.

I *think* I have done this properly, but I am not sure.  When I start
Outlook on Windows and run Ethereal on Squid to capture the packets I see
that my Windows clients can't find 192.168.0.1.  The ARP broadcast just
runs and runs with no answer, and they can't find the gateway.  I have
tried turning off the firewall on Squid, with no joy.  I have tried to set
up a caching DNS server on Squid, but I don't have enough expertise to
know that what I am doing is right.

Is there anyone who can help me resolve this please?  I have looked and
looked on the internet but it's difficult to trawl through all the
questions and find the right answer.

Some information that might be helpful:
Ethereal capturing packets on Squid's internal interface while running
Outlook Send/receive on Linux client:
Windows PC sends DNS query mail.iol.ie
Squid replies ICMP Destination unreachable (port unreachable)
Windows then sends NetBIOS name query mail.iol.ie to 192.168.40.255
This request just loops

Please help me at least identify the problem here.  Many thanks.

Gerard
-
Remove underscore to reply

 
 
 

Post by Ger » Sat, 10 Dec 2005 01:40:39


<snip>

PS Some more info that might be useful

When I try to ping www.novell.com from clients I get Ping request could
not find host, but if I ping the IP address for
www.novell.com I get a timed out error.  This suggests to me I have DNS
and firewall issues?

I would like to set up a mail server later on the Linux box and use
fetchmail to collect mail for my clients but that's for a later date when
I get more experience.  Very happy using Linux so far by the way.  An
exciting trip!

-
Gerard.

 
 
 

Post by Ger » Sat, 10 Dec 2005 08:04:05



> Hello
> I have a small home LAN as follows:

> Firewall (Smoothwall - ext ISDN; int eth0)
> |
> Crossover cable
> |
> Proxy server (Suse 10 with Squid - ext eth0; int eth1)
> |
> Switch
> |
> Clients (Windows XP)
> |
> |
> On the firewall my external interface is dynamic (ISDN) Internal is
> 192.168.0.1
> Gateway is 192.168.0.1

> On Squid external is DHCP from Smoothwall (eg. 192.168.0.100) Internal is
> 192.168.40.1
> Gateway is 192.168.0.1

> The clients are set by DHCP from Squid

> I am not a Linux expert by any means, but I have successfully set up the
> Windows XP clients to go through Squid and Dansguardian on the proxy.
> However, as Squid is only a HTTP proxy I can't get access to my ISP's POP
> and news servers, at least from the clients.  I can from Squid. I
> understand that to do this I need to enable NAT and packet forwarding on
> Squid.

> I *think* I have done this properly, but I am not sure.  When I start
> Outlook on Windows and run Ethereal on Squid to capture the packets I see
> that my Windows clients can't find 192.168.0.1.  The ARP broadcast just
> runs and runs with no answer, and they can't find the gateway.  I have
> tried turning off the firewall on Squid, with no joy.  I have tried to set
> up a caching DNS server on Squid, but I don't have enough expertise to
> know that what I am doing is right.

> Is there anyone who can help me resolve this please?  I have looked and
> looked on the internet but it's difficult to trawl through all the
> questions and find the right answer.

> Some information that might be helpful: Ethereal capturing packets on
> Squid's internal interface while running Outlook Send/receive on Linux
> client: Windows PC sends DNS query mail.iol.ie Squid replies ICMP
> Destination unreachable (port unreachable) Windows then sends NetBIOS name
> query mail.iol.ie to 192.168.40.255 This request just loops

Update:
I have managed to get a local DNS caching server going I think.  Capturing
on SuSE's external interface while trying an email Send\receive from a
Windows client shows me that the POP and SMTP mail servers are now being
resolved, but it only gets so far. Once it fixes upon the actual server IP
address everything stops??

What could this be?  Somebody help -- please!!

 
 
 

Post by Clifford Kit » Sat, 10 Dec 2005 08:59:02



> Hello
> I have a small home LAN as follows:
> |
> Firewall (Smoothwall - ext ISDN; int eth0)
> |
> Crossover cable
> |
> Proxy server (Suse 10 with Squid - ext eth0; int eth1)
> |
> Switch
> |
> Clients (Windows XP)
> |
> On the firewall my external interface is dynamic (ISDN)
> Internal is 192.168.0.1
> Gateway is 192.168.0.1
> On Squid external is DHCP from Smoothwall (eg. 192.168.0.100)
> Internal is 192.168.40.1
> Gateway is 192.168.0.1
> The clients are set by DHCP from Squid
> I am not a Linux expert by any means, but I have successfully set up the
> Windows XP clients to go through Squid and Dansguardian on the proxy.
> However, as Squid is only a HTTP proxy I can't get access to my ISP's POP
> and news servers, at least from the clients.  I can from Squid. I
> understand that to do this I need to enable NAT and packet forwarding on
> Squid.
> I *think* I have done this properly, but I am not sure.  When I start
> Outlook on Windows and run Ethereal on Squid to capture the packets I see
> that my Windows clients can't find 192.168.0.1.  The ARP broadcast just
> runs and runs with no answer, and they can't find the gateway.  I have
> tried turning off the firewall on Squid, with no joy.  I have tried to set
> up a caching DNS server on Squid, but I don't have enough expertise to
> know that what I am doing is right.

Just so you'll know, in case the comment below is wrong and/or worthless,
I've never played with Squid.

> Is there anyone who can help me resolve this please?  I have looked and
> looked on the internet but it's difficult to trawl through all the
> questions and find the right answer.
> Some information that might be helpful:
> Ethereal capturing packets on Squid's internal interface while running
> Outlook Send/receive on Linux client:
> Windows PC sends DNS query mail.iol.ie
> Squid replies ICMP Destination unreachable (port unreachable)

For what it's worth, that ICMP message essentially means nothing is
listening on the port.  No DNS server running on the port means no
IP address for mail.iol.ie is returned to the "Windows PC."

--

 
 
 

Post by Ger » Sat, 10 Dec 2005 09:16:45




>> Some information that might be helpful: Ethereal capturing packets on
>> Squid's internal interface while running Outlook Send/receive on Linux
>> client: Windows PC sends DNS query mail.iol.ie Squid replies ICMP
>> Destination unreachable (port unreachable)

> For what it's worth, that ICMP message essentially means nothing is
> listening on the port.  No DNS server running on the port means no IP
> address for mail.iol.ie is returned to the "Windows PC."

Well thank you Clifford!  I think I have DNS working now.  When I start a
send\receive on the Windows machine and capture packets on SuSE's
external interface I can see that IP addresses for mail.iol.ie and
pop.iol.ie are being resolved, up to a certain point.  I also see from
netstat that the SuSE machine is listening to port 53 on TCP only, on both
external and internal interfaces, but not on UDP. Is this a good thing?

I'm still at a loss to understand what's going on.  I honestly amn't a
networking guru by any means but I've learned so much over the past week
trying to figure this out!  That's why I put the Linux system together --
to learn!!  I really would appreciate someone helping me resolve my email
and news issues though!!

 
 
 

Post by Ger » Sat, 10 Dec 2005 09:58:45





>>> Some information that might be helpful: Ethereal capturing packets on
>>> Squid's internal interface while running Outlook Send/receive on Linux
>>> client: Windows PC sends DNS query mail.iol.ie Squid replies ICMP
>>> Destination unreachable (port unreachable)

>> For what it's worth, that ICMP message essentially means nothing is
>> listening on the port.  No DNS server running on the port means no IP
>> address for mail.iol.ie is returned to the "Windows PC."

> Well thank you Clifford!  I think I have DNS working now.  When I start a
> send\receive on the Windows machine and capture packets on SuSE's external
> interface I can see that IP addresses for mail.iol.ie and pop.iol.ie are
> being resolved, up to a certain point.  I also see from netstat that the
> SuSE machine is listening to port 53 on TCP only, on both external and
> internal interfaces, but not on UDP. Is this a good thing?

> I'm still at a loss to understand what's going on.  I honestly amn't a
> networking guru by any means but I've learned so much over the past week
> trying to figure this out!  That's why I put the Linux system together --
> to learn!!  I really would appreciate someone helping me resolve my email
> and news issues though!!

This is weird.  At one point I could see my news client connecting to my
ISP's news server, but that's as far as it went.  It didn't connect.  I've
tried to replicate this since but it gets stuck on "Finding host ... "

What on earth is going on?  Anybody!!???  Please!

 
 
 

Post by Clifford Kit » Sun, 11 Dec 2005 02:18:27




>> For what it's worth, that ICMP message essentially means nothing is
>> listening on the port.  No DNS server running on the port means no IP
>> address for mail.iol.ie is returned to the "Windows PC."
> Well thank you Clifford!  I think I have DNS working now.  When I start a
> send\receive on the Windows machine and capture packets on SuSE's
> external interface I can see that IP addresses for mail.iol.ie and
> pop.iol.ie are being resolved, up to a certain point.  I also see from
> netstat that the SuSE machine is listening to port 53 on TCP only, on both
> external and internal interfaces, but not on UDP. Is this a good thing?

I don't know enough to answer that definitively.  But here, when
a host name is resolved to an IP address using an ISP nameserver
in /etc/resolv.conf, UDP is used in both the request and the reply.
However both 53/tcp and 53/udp are defined in /etc/services for the
"domain" service-name with alias "nameserver."

--
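
Added example, not part of the thread: a Python probe that sends the same A-record query to port 53 over UDP and over TCP and reports which transport answers, separating the "port unreachable" case described above from a silent drop. The address 192.168.40.1 and the name mail.iol.ie come from the thread; the function names are assumptions made for this example.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Build a minimal DNS A-record query (RFC 1035) for `name`."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(reply, qid):
    """'answer' if the reply carries our query id and has the QR (response) bit set."""
    if len(reply) < 12:
        return "malformed"
    rid, flags = struct.unpack(">HH", reply[:4])
    return "answer" if rid == qid and flags & 0x8000 else "malformed"

def probe_udp(server, name, port=53, timeout=2.0, qid=0x1234):
    """'refused' = ICMP port unreachable came back (nothing listening on 53/udp);
    'timeout' = no reply at all (packet filtered or not forwarded)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, port))  # connected socket: Linux reports the ICMP error on recv
        try:
            s.send(build_query(name, qid))
            return classify(s.recv(512), qid)
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "timeout"

def probe_tcp(server, name, port=53, timeout=2.0, qid=0x1234):
    """Same query over TCP, where the message is prefixed with a 2-byte length."""
    q = build_query(name, qid)
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack(">H", len(q)) + q)
            return classify(s.recv(514)[2:], qid)  # strip the length prefix
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"

if __name__ == "__main__":
    # Values from the thread: the SuSE box's internal address and the ISP mail host.
    for proto, probe in (("udp", probe_udp), ("tcp", probe_tcp)):
        print(proto, probe("192.168.40.1", "mail.iol.ie"))
```

A result of `udp refused` with `tcp answer` matches the netstat observation in the thread: a resolver bound to 53/tcp only, while ordinary client lookups arrive on 53/udp.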

 
 
 
