 
From: Roger Hayter (roger_at_hayter.org)
Date: Sat Aug 17 2002 - 06:59:04 CDT


    In message <1605542409.20020817133841lunetta.de>, Wojtek
    <mllunetta.de> writes
    >Hello,
    >
    >I have a problem related to NAT and IP forwarding:
    >
    >My SuSE server has two network interfaces. One is connected to a
    >LinkSys DSL router (which is connected to the internet), the other is
    >connected to my LAN.
    >
    >The problem is that I am not able to access my SuSE server from inside
    >the network with my external IP. Maybe I am missing some routing
    >entry?
    >
    >Here's how my network is set up:
    >
    >SuSE server has 2 interfaces:
    >eth0 (192.168.2.2) connected to LAN
    >eth1 (192.168.1.2) connected to a Linksys router (192.168.1.1) which
    >is doing NAT.
    >
    >On the Linksys router I forwarded port 80 to my SuSE server.
    >
    >Clients from outside (internet) can connect to my SuSE server via the
    >external IP.
    >
    >The SuSE server itself can connect to itself via the external IP.
    >
    >An internal client of the 192.168.2.0 network is not able to connect
    >to the SuSE server using the external IP. The client ends up on the
    >Linksys router.
    >
    >What is the problem?
    >
    >
    >THANKS IN ADVANCE,
    >Wojtek
    >
    >
    >Here's a simple diagram of my network:
    >
    > +-----------------+
    > | Linksys router  |
    > | doing NAT       |
    > |                 |
    > | if0: external IP|
    > | if1: 192.168.1.1|
    > |                 |
    > | if0     if1     |
    > +--+-------+------+   +------------------+      +----------+
    >    |       |          | SuSE server      |      | LAN/     |
    >    |       |          | eth0 192.168.2.2 +------+ SWITCH   |
    > /--+----\  +----------+ eth1 192.168.1.2 |      |          |
    > | inter |             |                  |      +----+-----+
    > | net   |             +------------------+           |
    > \-------/                                     +--------------+
    >                                               | hal9000      |
    >                                               | 192.168.2.120|
    >                                               +--------------+
    >
    >--
    >Wojtek mailto:mllunetta.de
    >
    >
    Hi Wojtek,

    Can you connect from the LAN to the webserver on 192.168.2.2? I don't
    know whether Apache is supposed to bind to all available interfaces, but
    I can do this on mine with IP forwarding turned on. Your question comes
    down to what the Linksys router is supposed to do with packets sent
    through it with the source address of your (presumably single) external
    IP and the same destination address. I would not think this would work;
    I would think the Linksys router would dump them using some sort of
    anti-spoofing rule. What I can't understand is why the SuSE server can
    do it. I also would be very interested in an answer from an expert on
    this.

    -- 
    Roger Hayter
    
