Very Computer

Hi,

I've a RH 6.2 box with 2 network cards. I've a set up as follows:

webserver (I.100)   <---> (I.70)  firewall (E.112) <---> laptop (E.110)

I.100 = xxx.xxx.xxx.100
E.112 = yyy.yyy.yyy.112

I want to be able to portforward external request (laptop) to E.112
to I.100 (the webserver):

so I tried:

ipmasqadm portfw -a -P tcp -L E.112 80 -R I.100 80
ipchains -I forward -p tcp -s I.100/32 80 -j MASQ

(Note that I use real IP nrs instead of E.112 !)

This doesn't work :-(. With ipchains -L -M I see entries added when
I use lynx E.112 on the laptop, but I don't see anything in the access_log
on the I.100 webserver box...

How can I debug this?

Anyone?

(yes, I did the echo 1 > ..../ip_forward  and  insmod ip_masq_portfw.o)

Thanks in advance,
John

--

C A S T L E  A M B E R   http://www.castleamber.com/

On Sat, 06 May 2000 17:40:08 GMT, John Bokma

Quote:>webserver (I.100)   <---> (I.70)  firewall (E.112) <---> laptop (E.110)

>I.100 = xxx.xxx.xxx.100
>E.112 = yyy.yyy.yyy.112
>ipmasqadm portfw -a -P tcp -L E.112 80 -R I.100 80
>ipchains -I forward -p tcp -s I.100/32 80 -j MASQ

Tested this here, works like a charm.  So the idea is cool.

Quote:>This doesn't work :-(. With ipchains -L -M I see entries added when
>I use lynx E.112 on the laptop,

Which means the portfw module does its job.  What does the entry say?

Quote:>but I don't see anything in the access_log on the I.100 webserver box...

>How can I debug this?

First of all... can you connect to the web server directly from the
firewall without problem?  If you can't, your routing table is probably
flucked, or you're blocking traffic somehow.  It's not the masq code
in that case anyways.
(Don't need lynx on the firewall, just telnet I.100 80 and type "GET /")

If you can, log incoming tcp connections on the webserver and try to
connect from the laptop.  Does the tcp connection ever arrive there?

 If it doesn't, something is blocking the traffic.  Do you have any rules
 in the output chain on the firewall that might be blocking this traffic?
 Are all MTU's the same?

 If it does, listen to icmp traffic from I.100 to I.70 with tcpdump on
 the firewall and check if you see any weird icmp messages.

With a tcp logger, the logging facilites of ipchains and/or tcpdump, you
can follow your connection all the way from laptop to webserver and
back like this.  If you don't see traffic, the previous link is broken
somehow, and you can prolly catch an icmp message telling you what it
is.

And John... watch out for viruses ;-)

Arjan
--
Without question, the greatest invention in the history of mankind is
beer.  Oh,I grant you that the wheel was also a fine invention, but the
wheel does not go nearly as well with pizza.
-- Dave Barry's Bad Habits, Dave Barry

Yep: but I was using my personal box as webserver which has
a not the firewall box as gateway... Guess what :-). Even worse
the gateway configured was a firewall connected to the internet,
so I flushed all the returning packets :-)

So I solved the problem: make the firewall your gateway :-)
(Normally this is always the case, but I had 2 firewalls connected
 to the hub)

Quote:> >This doesn't work :-(. With ipchains -L -M I see entries added when
> >I use lynx E.112 on the laptop,

> Which means the portfw module does its job.  What does the entry say?

:-) I stripped the box down to almost nothing, ie. it hasn't even got
telnet
& friends, hence I didn't include them.

Quote:> >but I don't see anything in the access_log on the I.100 webserver box...

> >How can I debug this?

> First of all... can you connect to the web server directly from the
> firewall without problem?  If you can't, your routing table is probably
> flucked, or you're blocking traffic somehow.  It's not the masq code
> in that case anyways.
> (Don't need lynx on the firewall, just telnet I.100 80 and type "GET /")

I also followed your recommendations in some old postings, turn on logging.
I saw the packets leaving the box:

ipchains -A output -p tcp -d I.100 -l -j ACCEPT

So after some thinking all became clear... The box is *not* the gateway :-(
Stupid mistake...

Quote:

> If you can, log incoming tcp connections on the webserver and try to
> connect from the laptop.  Does the tcp connection ever arrive there?

Nope IIRC. The gateway thingy has higher priority??

Anyway, thanks for the help and especially your previous postings which
I found on deja which inspired me do use the -l logging and watch the
messages file.

Quote:> And John... watch out for viruses ;-)

He he he. This is an "inside" joke, most people reading this group don't
understand this one. I posted a lot of messages on the "ILOVEYOU"
virus in a dutch abuse news group. I warned people not to think they
can sleep without any worries when they have a Linux box. It is possible
to write a worm/virus which can do serious harm on a linux box.

I'll certainly watch out. Being paranoid is always safe :-)

John

--

C A S T L E  A M B E R   http://www.castleamber.com/

On Mon, 08 May 2000 19:47:40 GMT, John Bokma

Quote:>> If you can, log incoming tcp connections on the webserver and try to
>> connect from the laptop.  Does the tcp connection ever arrive there?

>Nope IIRC. The gateway thingy has higher priority??

If you mean in the routing table, the answer is no.  There's no such
thing as priority in a routing table.  The first line that matches
the packet's destination is used to determine the destination
interface.

The default gateway should be the last line.  0.0.0.0 is a "catch-all"
pattern, which means that anything that didn't match the previous
lines will go to the default gateway.

Glad you got things working :)

Arjan
--
The best way to accelerate a computer
running Windows is at 9.8 m/s^2