ipchains and ipmasqadm

Wu, Hu-Hwa HU@cceng.com
Wed, 13 Dec 2000 11:11:06 -0500


Can you publish your ipchains rules ??

Maybe you have something blocking them from internal access ??

Or have you tried to remove all of the port deny and reject rules, but keep
your port forwarding in place, to see if it works ??

Something else you might want to try is using sniffit (if you don't have a
hardware sniffer) to see what's going on when it hits the server.

How about logging for the port, do you have that turned on ??

What's your default gateway set to ??

What's your default gateway set to for the web machine ??

> The problem with this is that it doesn't allow for splitting of multiple
> services.  You can't have blah.com split mail, web, ftp, etc..

Isn't that what you are doing through ipmasqadm port forwarding, splitting up
blah.com into various ports accessed by an IP address?

so if http comes in 10.1.1.1 80 -> internally to -> 192.168.1.1 80
or smtp comes in 10.1.1.1 25 -> internally to -> 192.168.1.2 25
or pop comes in 10.1.1.1 110 -> internally to -> 192.168.1.3 110

and so on.

-Hu

Hu-Hwa Wu
Director of Information Systems and Technology
hu@cceng.com
Capital Consultants, Inc. 
725 Prudden Street
Lansing, MI  48906
Office: 517.371.1200
Fax:    517.371.2013

http://www.cceng.com






> -----Original Message-----
> From: Michael Malinak [mailto:mm@crushedice.com]
> Sent: Wednesday, December 13, 2000 10:37 AM
> To: Matt Terry
> Cc: GLLUG
> Subject: Re: ipchains and ipmasqadm
> 
> 
> The problem with this is that it doesn't allow for splitting of multiple
> services.  You can't have blah.com split mail, web, ftp, etc..
> I tried Mark Forwarding (mfw) and still couldn't get it to work.  Has anyone
> else got this working before?
> 
> ----- Original Message -----
> From: "Matt Terry" <matt@abernackie.com>
> To: "Michael Malinak" <mm@crushedice.com>
> Cc: "GLLUG" <linux-user@egr.msu.edu>
> Sent: Sunday, December 03, 2000 10:24 PM
> Subject: Re: ipchains and ipmasqadm
> 
> 
> > I had the same concern and I read somewhere??? (I think a mailing list)
> > that when masq'ing a network with ipchains you cannot
> > access the external ip from the internal net using the rulesets you are
> > using. I can't remember why, I think it is so because of security.
> > anyways a simple workaround is to set up your hosts or lmhosts for
> > windoze to point to your internal ip on the machine running the web server
> >
> > If you want to test it out you can configure wvdial to
> > use netzero (a free 56k internet account) or just use your own dial up
> > account and see if you reach your web server test page.
> > (of course you will need cable, dsl or something for the primary
> > connection, a second phone line would work too!)
> >
> > anyways a hosts file is the way to go....
> >
> > matt
> >
> >
> >
> >
> > On Thu, 30 Nov 2000, Michael Malinak wrote:
> >
> > > I'm using ipchains on my server to share a single IP.  I'm using ipmasqadm
> > > to forward ports to my inside machines (mostly games and stuff).  One
> > > problem I'm having is that if I try to forward a port like port 80 to one of
> > > my local machines, it works from the outside but not the inside.
> > > Ex:
> > > Server 192.168.1.1 port 80 forwarded to WWWServer port 80
> > > (ipmasqadm portfw -a -P tcp -L 192.168.1.1 80 -R 192.168.1.3 80)
> > > Client 192.168.1.2
> > > WWWServer 192.168.1.3
> > >
> > > I want all www requests from client to be served by WWWServer.  This doesn't
> > > happen.
> > > What's wrong with the setup?
> > >
> > >
> > >
> > > _______________________________________________
> > > linux-user mailing list
> > > linux-user@egr.msu.edu
> > > http://www.egr.msu.edu/mailman/listinfo/linux-user
> > >
> >
> >
> 
> _______________________________________________
> linux-user mailing list
> linux-user@egr.msu.edu
> http://www.egr.msu.edu/mailman/listinfo/linux-user
>
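Added example, not part of the thread: a small model of the portfw rule quoted above (`-L 192.168.1.1 80 -R 192.168.1.3 80`) showing the usual reason such a one-way destination rewrite works for an outside client but not for a client on the same LAN as WWWServer. The /24 LAN prefix, the client port and the outside address 203.0.113.9 are constructed; for simplicity the outside client is modelled as hitting the thread's `-L` address directly.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # assumed LAN prefix for the thread's hosts
# The thread's rule: ipmasqadm portfw -a -P tcp -L 192.168.1.1 80 -R 192.168.1.3 80
PORTFW = {("192.168.1.1", 80): ("192.168.1.3", 80)}  # (-L addr, port) -> (-R addr, port)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def masq_box_forward(pkt: Packet) -> Packet:
    """portfw rewrites only the destination; the client's source address is kept."""
    target = PORTFW.get((pkt.dst, pkt.dport))
    return pkt if target is None else Packet(pkt.src, pkt.sport, *target)

def server_reply(pkt: Packet) -> Packet:
    """WWWServer answers whatever request it received, swapping the endpoints."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)

def reply_via_masq_box(reply: Packet) -> Packet:
    """When a reply passes back through the masq box, the DNAT is undone."""
    for (lip, lport), (rip, rport) in PORTFW.items():
        if (reply.src, reply.sport) == (rip, rport):
            return Packet(lip, lport, reply.dst, reply.dport)
    return reply

def connection_works(client_ip: str, client_port: int = 40000) -> bool:
    """True if the reply the client gets comes from the peer it connected to."""
    syn = Packet(client_ip, client_port, "192.168.1.1", 80)
    expected_peer = (syn.dst, syn.dport)
    reply = server_reply(masq_box_forward(syn))
    # An outside client is only reachable through the masq box (WWWServer's
    # default gateway), so the reply is un-NATed on the way back. A LAN client
    # is on WWWServer's own subnet, so the reply goes to it directly, still
    # sourced from 192.168.1.3:80, and the client's TCP stack has no such socket.
    if ip_address(client_ip) not in LAN:
        reply = reply_via_masq_box(reply)
    return (reply.src, reply.sport) == expected_peer

if __name__ == "__main__":
    print("outside client:", connection_works("203.0.113.9"))  # True
    print("LAN client    :", connection_works("192.168.1.2"))  # False
```

This is also why the hosts-file workaround in the thread helps: pointing LAN clients straight at 192.168.1.3 keeps the masq box out of the path entirely.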