David Burgess wrote:
> On Fri, Jun 5, 2009 at 8:31 PM, Lyle Giese<lyle at lcrcomputer dot net> wrote:
>
>> David Burgess wrote:
>>
>> On Thu, Jun 4, 2009 at 8:45 PM, Lyle Giese <lyle at lcrcomputer dot net> wrote:
>>
>>
>> I have an unusual setup and trying to figure it out. I have a working
>> system on a full Linux system using IPTables.
>>
>> I am trying to make the config work on a Soekris NET4801. I have most
>> of it figured out, but hit one block.
>>
>> I have a small hosting operation here. I have two T1's coming in with a
>> Class C subnet assigned to it. I have a private IP subnet for the
>> office and home PC's with a DSL connection for their Internet
>> bandwidth. I did not want the office/home PC's to use any of the T1
>> bandwidth, reserving that bandwidth for our paying customers.
>>
>> I built a machine using IPTables so that the private subnet uses the DSL
>> for Internet via NAT, while still having direct access to the public IP
>> servers without going to the Internet. I have a printer on the private
>> subnet. With IPTables, I was able to forward ports 515 and 9100 to the
>> printer (HP LJ ip), so I could print config files from the hosting servers.
>>
>> On the Soekris NET4801, I have the DSL (sis0) and private subnet (sis1)
>> setup along with access to the hosting subnet (sis2). I have NAT working
>> between the private subnet and the other two subnets. But I can not
>> seem to get forwarding of ports 515 and 9100 working from the hosting
>> subnet (sis2 to sis1).
>>
>> It would appear that the Soekris does try to forward the packets hitting
>> its port 515 and 9100:
>>
>> Jun 4 19:57:18 <router ip> ipmon[89]: 19:57:18.086181 sis2 @300:1 p <hosting ip>,49916 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
>> Jun 4 19:57:44 <router ip> ipmon[89]: 19:57:43.987645 sis2 @300:1 p <hosting ip>,50432 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
>> Jun 4 20:02:17 <router ip> ipmon[89]: 20:02:17.377468 sis2 @300:1 p <hosting ip>,50514 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
>> Jun 4 20:06:35 <router ip> ipmon[89]: 20:06:35.418212 sis2 @300:1 p <hosting ip>,44627 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
>> Jun 4 20:09:21 <router ip> ipmon[89]: 20:09:20.795669 sis2 @300:1 p <hosting ip>,49848 -> <HP LJ ip>,515 PR tcp len 20 60 -S K-S IN
>>
>> But I don't get any response back. At this point I am not 100% certain
>> where the issue is and how to correct it. Nothing I have tried seems to
>> work. I have the DSL on SIS0, the private subnet on SIS1 and the
>> hosting subnet on SIS2. The hosting subnet does not use the DSL, I only
>> want access to the printer on the private subnet.
>>
>> It almost seems that the port forwarding from sis2 (hosting) to sis1 (LAN)
>> does not work. It appears to work only from the WAN (sis0) port to the
>> private subnet.
>>
>> Any suggestions?
>>
>>
>> Normally you wouldn't use NAT between two LANs, so port-forwarding, or
>> masquerading is moot. If your router is aware of the subnet on sis1
>> and that on sis2, then packets should naturally flow between the two
>> without translation, assuming you have allowed traffic sis1<>sis2 in
>> iptables. Unless your sis2 machines are trying to reach sis1 machines
>> via the WAN (sis0) address, in which case it would probably be simpler
>> to add entries in your host files for local machines so trans-LAN DNS
>> queries are redirected to local addresses. Or use a DNS proxy that
>> will reference host entries on your router and keep an entry for the
>> LJ IP in there.
>>
>> db
>>
>>
>>
>> I wish it was that simple! Right now, I can ping the printer from hosts on
>> the public subnet, but can not telnet to it or send print jobs to either lpr
>> or port 9100.
>>
>> Jun 5 21:13:52 <soekris> ipmon[89]: 21:13:52.212749 sis2 @0:13 b <Public Host>,1023 -> <HP LJ>,515 PR tcp len 20 64 -A IN
>> Jun 5 21:13:57 <soekris> ipmon[89]: 21:13:56.910694 sis2 @0:13 b <Public Host>,1023 -> <HP LJ>,515 PR tcp len 20 61 -AP IN
>> Jun 5 21:14:16 <soekris> ipmon[89]: 21:14:16.457471 sis2 @0:13 b <Public Host>,1023 -> <HP LJ>,515 PR tcp len 20 64 -A IN
>> Jun 5 21:14:23 <soekris> ipmon[89]: 21:14:23.025435 sis2 @0:13 b <Public Host>,1023 -> <HP LJ>,515 PR tcp len 20 61 -AP IN
>
>
> sis1 and sis2 aren't on the same subnet, are they?
>
> Let's have a look at your routing table (go to exec.php and do
> "netstat -r"). If you're using NAT then there shouldn't be any
> security issue with posting actual IP addresses that aren't on WAN.
>
> db

> Here's the numerical version. I guess if I am doing things right, there are no security issues <GRIN>!
>
> $ netstat -rn
> Routing tables
>
> Internet:
> Destination        Gateway            Flags    Refs      Use  Netif Expire
> default            209.112.68.1       UGSc        1     3510    ng0
> 127.0.0.1          127.0.0.1          UH          0        0    lo0
> 192.168.250        link#2             UC         12        0   sis1
> 192.168.250.4      00:e0:4c:03:55:3a  UHLW        0      296   sis1    561
> 209.112.68.1       209.112.71.50      UH          1        0    ng0
> 209.112.71.50      lo0                UHS         0        0    lo0
> 209.172.152        link#3             UC          6        0   sis2
> 209.172.152.1      00:08:e3:13:5c:00  UHLW        0       18   sis2   1176
> 209.172.152.239    00:e0:81:25:ba:4f  UHLW        0        2   sis2   1087
>
> On the private net, I have an allow rule for all proto types from the public subnet and on the public subnet to allow all traffic from the private subnet. I added a rule on the Cisco router connected to the T1's to forward 192.168.250 to the public ip address of the Soekris on sis2.

Still I can ping and traceroute from the two subnets through the Soekris, but it would appear that tcp or udp packets don't make it through intact. While I had this unit online with the DSL, I tried to ssh into the name server I have on the private net (port forwarded ssh from the WAN to the name server) and from a BSD host, I got a bad packet error. But I could use dig via UDP to query the name server. And outbound traffic to the Internet looked normal and I was able to connect via a VPN to a remote office.

Lyle
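As an added illustration (not code from the thread or from m0n0wall), the ipmon lines quoted above can be parsed to separate the passed SYNs (`p ... -S K-S`) from the later packets that were blocked (`b ... -A`) without a matching state entry, which is the symptom worth spotting in a log like this. The sample lines and addresses below are constructed in the same format with documentation-range IPs, not the thread's real hosts.

```python
import re
from collections import defaultdict

# IPFilter ipmon log line, in the shape the thread shows:
#   <stamp> <host> ipmon[pid]: <time> <iface> @group:rule <action> src,sport -> dst,dport
#   PR <proto> len <hlen> <len> -<TCP flags> [K-S] IN|OUT
IPMON_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) ipmon\[\d+\]: (?P<time>[\d:.]+) "
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[pbSnL]) "
    r"(?P<src>[^,\s]+),(?P<sport>\d+) -> (?P<dst>[^,\s]+),(?P<dport>\d+) PR (?P<proto>\w+) "
    r"len (?P<hlen>\d+) (?P<len>\d+)(?: -(?P<flags>[A-Z]+))?(?: (?P<state>K-S))? (?P<dir>IN|OUT)$"
)

# Constructed sample in the thread's format (203.0.113.10 and 192.0.2.20 are placeholders).
SAMPLE_LOG = """\
Jun 4 19:57:18 router ipmon[89]: 19:57:18.086181 sis2 @300:1 p 203.0.113.10,49916 -> 192.0.2.20,515 PR tcp len 20 60 -S K-S IN
Jun 5 21:13:52 router ipmon[89]: 21:13:52.212749 sis2 @0:13 b 203.0.113.10,1023 -> 192.0.2.20,515 PR tcp len 20 64 -A IN
Jun 5 21:13:57 router ipmon[89]: 21:13:56.910694 sis2 @0:13 b 203.0.113.10,1023 -> 192.0.2.20,515 PR tcp len 20 61 -AP IN
Jun 5 21:14:16 router ipmon[89]: 21:14:16.457471 sis2 @0:13 b 203.0.113.10,1023 -> 192.0.2.20,9100 PR tcp len 20 64 -A IN
"""


def parse_ipmon(line):
    """Return a dict of fields for one ipmon line, or None if the line does not match."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = set(rec["flags"] or "")      # TCP flags as a set, e.g. {"A", "P"}
    rec["keep_state"] = rec["state"] is not None  # "K-S": rule created a state entry
    return rec


def find_stateless_blocks(log_text):
    """Group blocked TCP packets that carry ACK but not SYN, keyed by (src, dst, dport).

    A packet with ACK set belongs to a connection already in progress. If it is logged
    as blocked by a rule, no state entry matched it: the SYN never passed this box, or
    the reply path runs elsewhere, which is how asymmetric routing between two
    directly attached subnets shows up in the log.
    """
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_ipmon(line)
        if rec is None or rec["proto"] != "tcp" or rec["action"] != "b":
            continue
        if "A" in rec["flags"] and "S" not in rec["flags"]:
            key = (rec["src"], rec["dst"], int(rec["dport"]))
            findings[key].append("%s @%s:%s -%s" % (
                rec["iface"], rec["group"], rec["rule"], "".join(sorted(rec["flags"]))))
    return dict(findings)


if __name__ == "__main__":
    for flow, hits in find_stateless_blocks(SAMPLE_LOG).items():
        print("%s -> %s:%d blocked without state %d time(s): %s" % (flow[0], flow[1], flow[2], len(hits), hits))
```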