Lan to Wan reprise

Jeff Vian jvian10 at charter.net
Mon Mar 14 05:07:38 UTC 2005


On Sun, 2005-03-13 at 23:05 -0500, Claude Jones wrote:
> Claude Jones wrote:
> 
> > I had successfully configured an FC3 box at work to serve as internet 
> > router, firewall, web server, DHCP server to my Lan, etc. Tonight, I 
> > moved it to its final destination, my home, and I'm completely stuck 
> > on one issue.
> > The web server works.
> > The box has internet access.
> > Machines on the Lan are getting DHCP assigned IP addresses. They are 
> > also able to see my lone web page.
> > However, the machines on the Lan can't get past the firewall. It's not 
> > a DNS problem because it doesn't go away if you put an IP address in. 
> > I can ping the Wan NIC from the LAN but nothing further than that.
> > I've reviewed the procedures over and over  that I used successfully, 
> > and I can't find the problem.
> > DHCPD loads without errors.
> > I've checked and rechecked the firewall and SELinux settings, and they 
> > appear to be the same as at the office.
> > I've reviewed the network settings for my NICs twenty times.
> > IP forwarding and masquerade have been set up.
> > What have I overlooked??? I have to have this running in three hours 
> > so any suggestions would be greatly appreciated!
> >
> > Claude Jones
> > Bluemont, VA, USA
> >
> Another elaboration of the investigation:
> Below are 3 lines from a tcpdump monitoring the external nic as I 
> attempted to access the web from a lan machine. It looks to me like the 
> requests are making it to the external nic, because DNS lookups are 
> being attempted, no?  
> 22:49:22.142576 IP (tos 0x0, ttl 127, id 924, offset 0, flags [none], 
> proto 17, length: 64) 192.168.2.253.1031 > ns1.nlayer.net.domain:  
> 62240+ A? www.levitjames.com. (36)
> 22:49:22.603798 arp who-has 10.0.0.1 tell 10.0.4.62
> 22:49:22.735672 IP (tos 0x0, ttl 127, id 925, offset 0, flags [none], 
> proto 17, length: 61) 192.168.2.253.1025 > 
> ns2.rec.servercentral.net.domain:  7458+ A? www.directv.com. (33)
> 22:49:22.735936 IP (tos 0x0, ttl 127, id 926, offset 0, flags [none], 
> proto 17, length: 61) 192.168.2.253.1025 > ns1.nlayer.net.domain:  7458+ 
> A? www.directv.com. (33)
> 

I have not used tcpdump in some time, but that does not look correct for
the external interface.

192.168.2.253 and 10.0.4.62 are both private addresses.  You may have
forwarding on but not masquerading.  If that is true then it goes out but
never gets back.....

You don't say what the address of the external interface is so I can
only assume it is valid and reachable from the internet. (It has to be
either a valid internet address or masqueraded thru another
router/firewall that is providing NAT for you)

In either case, requests going out on the WAN port must originate from
the address of that NIC so they can be replied to properly.

What does a similar tcpdump look like when doing the same request from
the firewall box?
Is the firewall connected directly to the internet? Or just inside
another larger private LAN?

 
> -- 
> Claude Jones
> Bluemont, VA, USA
> 
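An added check (example code, not from this thread) for the symptom Jeff describes: it parses "tcpdump -v" lines from a WAN-side capture and flags packets whose source is still a private address, which is what you see when forwarding is on but MASQUERADE is not applied. The sample capture is the three quoted lines unwrapped onto one line each; the wan_addr parameter is an assumption for the case Jeff raises where the WAN NIC itself sits on another private LAN behind an upstream NAT router.

```python
import ipaddress
import re

# Constructed sample: the tcpdump lines quoted above, unwrapped so each
# packet is on one line (the ARP line is kept and must be ignored).
SAMPLE_CAPTURE = """\
22:49:22.142576 IP (tos 0x0, ttl 127, id 924, offset 0, flags [none], proto 17, length: 64) 192.168.2.253.1031 > ns1.nlayer.net.domain:  62240+ A? www.levitjames.com. (36)
22:49:22.603798 arp who-has 10.0.0.1 tell 10.0.4.62
22:49:22.735672 IP (tos 0x0, ttl 127, id 925, offset 0, flags [none], proto 17, length: 61) 192.168.2.253.1025 > ns2.rec.servercentral.net.domain:  7458+ A? www.directv.com. (33)
22:49:22.735936 IP (tos 0x0, ttl 127, id 926, offset 0, flags [none], proto 17, length: 61) 192.168.2.253.1025 > ns1.nlayer.net.domain:  7458+ A? www.directv.com. (33)
"""

# "tcpdump -v" IP line: "<ts> IP (<header fields>) <src>.<port> > <dst>.<port>: ..."
IP_LINE = re.compile(r"^(?P<ts>\S+) IP \(.*?\) (?P<src>\S+) > (?P<dst>\S+):")


def host_of(endpoint: str) -> str:
    """Strip tcpdump's trailing '.port' from '192.168.2.253.1031'.
    A bare address (no port, e.g. ICMP) is returned unchanged."""
    try:
        ipaddress.ip_address(endpoint)
        return endpoint
    except ValueError:
        return endpoint.rpartition(".")[0]


def is_private(addr: str) -> bool:
    """True for RFC 1918 and other non-routable addresses; False for hostnames."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def unmasqueraded_sources(capture: str, wan_addr: str = "") -> list:
    """Return (timestamp, source) for packets that left with a private source.
    On a WAN-side capture every outbound packet should carry the WAN NIC's own
    address; a private source other than wan_addr (assumed parameter, set it
    when the WAN NIC is itself on a private LAN) means MASQUERADE/SNAT did not
    rewrite the packet, so replies can never find their way back."""
    findings = []
    for line in capture.splitlines():
        m = IP_LINE.match(line)
        if not m:
            continue  # ARP and other non-IP lines
        src = host_of(m.group("src"))
        if src != wan_addr and is_private(src):
            findings.append((m.group("ts"), src))
    return findings


if __name__ == "__main__":
    for ts, src in unmasqueraded_sources(SAMPLE_CAPTURE):
        print(f"{ts}: private source {src} on WAN side, masquerade not applied")
```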