Ralph Brugger
2006-Jan-30 22:57 UTC
Debian Sarge Server with iptables behind D-Link Router
Hi,

I have the network configuration shown at the end of this post. In a "few" words: my Debian Sarge server is connected to a D-Link ADSL router (DSL-562T). DMZ is enabled for the Debian Sarge IP on the router.

My Linux server has two NICs:
ethlan = internal net
ethdsl = external -> D-Link

My Linux server is configured to do NAT via iptables.

Current state - what's working:
- Access from the internal LAN to the Internet is working (http, https, ftp, etc.)
- Access inside the LAN is working
- Access inside the LAN to the Linux server is working (http, https, IMAP and SSH)
- Access from outside the LAN (from the Internet) to the Linux server is working for https, IMAP and SSH

***BUT***:
The same problem occurs for SSH, https and IMAP:
In a web browser inside the LAN I can't access the web server on the Linux server when I enter the external URL of the Linux server (dynDNS domain name). The https page won't open. A simple ping to the Linux server with the same dynDNS domain name works. Entering the external IP of the Linux server in the browser doesn't work either; the page is then not opened in the browser.

Via telnet to https, ssh or IMAP no connection is established either when I specify the dynDNS domain name as the target. As I said, if I enter the local name or the local IP instead of the dynDNS domain name, it works.

iptables should log dropped packets, but there aren't any dropped packets. ifconfig also does not show any errors (dropped packets) for ethlan / ethdsl.

So I've tried to understand what tcpdump shows for port 443, but I have to say that I'm absolutely not firm with tcpdump. Here's what tcpdump shows:

tcpdump for port 443:
Not working: access from inside the LAN to the server's external name / the server's external IP:
=> no connection
===================================
p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535 <mss 1260,nop,nop,sackOK>
18:43:41.477631 IP lp-java.linkpool.3491 > p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535 <mss 1260,nop,nop,sackOK>
18:43:41.479358 IP p54BE15A1.dip0.t-ipconnect.de.https > lp-java.linkpool.3491: R 0:0(0) ack 1859848765 win 0
18:43:41.967525 IP lp-java.linkpool.3491 > p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535 <mss 1260,nop,nop,sackOK>
18:43:41.969239 IP p54BE15A1.dip0.t-ipconnect.de.https > lp-java.linkpool.3491: R 0:0(0) ack 1 win 0
18:43:42.468301 IP lp-java.linkpool.3491 > p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535 <mss 1260,nop,nop,sackOK>
18:43:42.470116 IP p54BE15A1.dip0.t-ipconnect.de.https > lp-java.linkpool.3491: R 0:0(0) ack 1 win 0

tcpdump for port 443:
WORKING: access from inside the LAN to the server's INTERNAL name / the server's INTERNAL IP:
=> successful connection
===================================
18:45:38.773997 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: S 1505679381:1505679381(0) win 65535 <mss 1260,nop,nop,sackOK>
18:45:38.774478 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: S 189223170:189223170(0) ack 1505679382 win 5840 <mss 1460,nop,nop,sackOK>
18:45:38.774062 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: . ack 1 win 65535
18:45:38.774608 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: P 1:106(105) ack 1 win 65535
18:45:38.774660 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: . ack 106 win 5840
18:45:38.813185 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: P 1:1055(1054) ack 106 win 5840
18:45:38.927284 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: . ack 1055 win 64481

Is there anyone who can interpret those results? Is this enough information to see where the problem may be? Wrong routing? Linux server iptables problem? Problem inside the D-Link router? Any suggestions are welcome!

            Internet
               |
              DSL
               |
               |
        D-Link DSL-562T
         192.168.200.5
               |
               |
------------------------------------
| Dev=ethdsl        Linux Server   |
| 192.168.200.2     lp-komodo      |
|      |                           |
|  route + iptables                |
|      |                           |
| 192.168.240.2                    |
| Dev=ethlan                       |
------------------------------------
               |
               |
       Switch 10/100/1000
               |
               |
------------------------------------
| Dev=LAN           Windows Client |
|                   XP Pro SP2     |
| 192.168.240.010   lp-java        |
|                                  |
------------------------------------

Regards,

Ralph
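A small parser, added here as an example and not part of Ralph's post or any reply, that reads tcpdump lines in the format shown above, groups them into flows and says whether each handshake completed, was answered with a RST or went unanswered, and which MSS each side advertised in its SYN. The two sample traces are copied from the post; nothing else about the network is assumed.

```python
"""Classify TCP handshakes in tcpdump output such as the two traces above.
Added example, not from the original post: parses the classic tcpdump text
format (flag letters S/R/P/F/., "ack N", "win N", "<mss N,...>") and
reports per flow whether the handshake completed, was refused with a RST,
or went unanswered, plus the MSS each side advertised in its SYN."""
import re
from collections import OrderedDict

# ts "IP src > dst:" flags [seq:end(len)] [ack N] win N [<options>]
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SRPFU.]+)(?: \d+:\d+\((?P<plen>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)(?: <(?P<opts>[^>]*)>)?"
)

def parse_line(line):
    """One TCP line -> dict, or None if it does not parse (e.g. the truncated
    first line of the failing trace, which has no timestamp)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    mss = re.search(r"\bmss (\d+)", d["opts"] or "")
    return {"src": d["src"], "dst": d["dst"], "flags": d["flags"],
            "has_ack": d["ack"] is not None, "plen": int(d["plen"] or 0),
            "mss": int(mss.group(1)) if mss else None}

def classify_flows(text):
    """Group parsed lines into flows (unordered endpoint pairs) and judge each."""
    flows = OrderedDict()
    for line in text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        key = tuple(sorted((p["src"], p["dst"])))
        f = flows.setdefault(key, {
            "client": None, "server": None, "syn_sent": 0, "syn_ack": False,
            "rst": False, "established": False, "client_mss": None,
            "server_mss": None, "data_bytes": 0})
        if "S" in p["flags"] and not p["has_ack"]:        # plain SYN
            f["client"], f["server"] = p["src"], p["dst"]
            f["syn_sent"] += 1                              # counts retransmits
            f["client_mss"] = p["mss"]
        elif "S" in p["flags"]:                             # SYN-ACK
            f["syn_ack"] = True
            f["server_mss"] = p["mss"]
        elif "R" in p["flags"]:
            f["rst"] = True
        elif f["syn_ack"] and p["src"] == f["client"] and p["has_ack"]:
            f["established"] = True                         # 3rd handshake step
        f["data_bytes"] += p["plen"]
    for f in flows.values():
        if f["established"]:
            f["verdict"] = "ESTABLISHED"
        elif f["rst"] and not f["syn_ack"]:
            # A RST right after the SYN is an active refusal by whoever holds
            # the destination address; a firewall DROP shows unanswered SYNs.
            f["verdict"] = "REFUSED (SYN answered with RST)"
        elif f["syn_sent"] and not f["syn_ack"]:
            f["verdict"] = "NO ANSWER (SYN unanswered)"
        else:
            f["verdict"] = "INCOMPLETE"
    return flows

def summarize(flows):
    """One human-readable line per flow."""
    return [f"{f['client']} -> {f['server']}: {f['verdict']}; SYNs={f['syn_sent']}, "
            f"client mss={f['client_mss']}, server mss={f['server_mss']}, "
            f"payload={f['data_bytes']} B" for f in flows.values()]

# Constructed from the two traces quoted in the post above; the first line of
# the failing trace is truncated there and is skipped by the parser.
FAILING_TRACE = """\
p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535 <mss 1260,nop,nop,sackOK>
18:43:41.477631 IP lp-java.linkpool.3491 > p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535 <mss 1260,nop,nop,sackOK>
18:43:41.479358 IP p54BE15A1.dip0.t-ipconnect.de.https > lp-java.linkpool.3491: R 0:0(0) ack 1859848765 win 0
18:43:41.967525 IP lp-java.linkpool.3491 > p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535 <mss 1260,nop,nop,sackOK>
18:43:41.969239 IP p54BE15A1.dip0.t-ipconnect.de.https > lp-java.linkpool.3491: R 0:0(0) ack 1 win 0
18:43:42.468301 IP lp-java.linkpool.3491 > p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535 <mss 1260,nop,nop,sackOK>
18:43:42.470116 IP p54BE15A1.dip0.t-ipconnect.de.https > lp-java.linkpool.3491: R 0:0(0) ack 1 win 0
"""
WORKING_TRACE = """\
18:45:38.773997 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: S 1505679381:1505679381(0) win 65535 <mss 1260,nop,nop,sackOK>
18:45:38.774478 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: S 189223170:189223170(0) ack 1505679382 win 5840 <mss 1460,nop,nop,sackOK>
18:45:38.774062 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: . ack 1 win 65535
18:45:38.774608 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: P 1:106(105) ack 1 win 65535
18:45:38.774660 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: . ack 106 win 5840
18:45:38.813185 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: P 1:1055(1054) ack 106 win 5840
18:45:38.927284 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: . ack 1055 win 64481
"""

if __name__ == "__main__":
    for name, trace in (("failing", FAILING_TRACE), ("working", WORKING_TRACE)):
        print(name, *summarize(classify_flows(trace)), sep="\n  ")
```

Run against the failing trace it reports three SYNs each answered with a RST by the host holding the external address, which is a refusal rather than a drop; the working trace shows the full three-way handshake and the data exchange.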
try next:
- Put d-link ADSL as "modem"
- Make PPPoE call under Linux

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Ralph Brugger
2006-Jan-31 15:21 UTC
Re: Debian Sarge Server with iptables behind D-Link Router
Hi,

> try next:
> - Put d-link ADSL as "modem"
> - Make PPPoE call under Linux

Yes, I've already tried this - that's been my current configuration for a week now ;)

But I want to understand why it's not possible to use the D-Link as a router, and what kind of problem the tcpdump results point to.

Ralph
LinuXKiD
2006-Feb-01 22:11 UTC
RE: Re: Debian Sarge Server with iptables behind D-Link Router
Sometimes I fail to access some HTTPS URLs or the MSN service if you (the D-Link or the router) mis-manipulate the MTU.

andres
Philippe Latu
2006-Feb-01 22:37 UTC
Re: Re: Debian Sarge Server with iptables behind D-Link Router
Hello,

On Wednesday, 1 February 2006 23:11, LinuXKiD wrote:
> Some times, I fail to access some HTTPS URLs or MSN service
> if you (dlink or router) miss manipulate mtu

Did you try the TCPMSS netfilter target? For instance:

-A POSTROUTING -o ppp0 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
-A POSTROUTING -o ppp0 -j MASQUERADE

As you are probably using PPPoE on the telephone loop, the maximum transmission unit cannot reach its maximum of 1500 bytes. The PPPoE header takes 4 bytes.

You should also let some ICMP packets get in, in order to have PMTU discovery effective.

HTH,

--
- Philippe Latu < G N U / Linux >
philippe.latu(at)linux-france.org
inetdoc.Linux project http://www.linux-france.org/prj/inetdoc </>
< I U T 'A' Paul Sabatier >
philippe.latu(at)iut-tlse3.fr - 05.62.25.80.28
Lecturer / Systems & Network officer </>
LinuXKiD
2006-Feb-02 08:41 UTC
RE: Re: Debian Sarge Server with iptables behind D-Link Router
Very good. Thank you.
-> > -> > -> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc -> > -> -> > -> _______________________________________________ -> > -> LARTC mailing list -> > -> LARTC@mailman.ds9a.nl -> > -> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc -> > -> > _______________________________________________ -> > LARTC mailing list -> > LARTC@mailman.ds9a.nl -> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc -> -> -- -> - Philippe Latu -> < G N U / Linux > -> philippe.latu(at)linux-france.org -> Projet inetdoc.Linux -> http://www.linux-france.org/prj/inetdoc -> </> -> < I U T ''A'' Paul Sabatier > -> philippe.latu(at)iut-tlse3.fr - 05.62.25.80.28 -> Enseignant/Chargé de mission Systèmes & Réseau -> </> -> -> _______________________________________________ -> LARTC mailing list -> LARTC@mailman.ds9a.nl -> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
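The MSS clamping and the ICMP caveat from the reply above, written out as an added rule generator that is not code from the thread or from Philippe: it assumes ppp0 as the WAN interface (as in the reply) and ethlan / 192.168.240.0/24 for the LAN (from the diagram), puts the TCPMSS target in the mangle table, where iptables accepts it, and only prints the commands unless IPTABLES is overridden.

```shell
#!/bin/sh
# Added example, not from the thread: MSS clamping plus the ICMP that PMTU
# discovery needs, for a Linux NAT box behind PPPoE. Dry run by default (the
# commands are printed); run with IPTABLES=iptables as root to apply them.
# Assumed names: ppp0 (from the reply), ethlan / 192.168.240.0/24 (diagram).
IPTABLES="${IPTABLES:-echo iptables}"
WAN="${WAN:-ppp0}"
LAN_IF="${LAN_IF:-ethlan}"
LAN_NET="${LAN_NET:-192.168.240.0/24}"

# Largest TCP MSS that fits one packet on a link with the given MTU:
# MTU minus the 20-byte IPv4 header and the 20-byte TCP header.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Emit the rules for a WAN link with MTU $1 (1492 for plain PPPoE).
nat_rules() {
    mss=$(mss_for_mtu "$1")
    # LAN -> WAN: clamp the MSS of outgoing SYNs to the path MTU, as in the
    # reply. TCPMSS is a mangle-table target, so the rule lives in mangle FORWARD.
    $IPTABLES -t mangle -A FORWARD -o "$WAN" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
    # WAN -> LAN: the remote peer's SYN advertises its own MSS; lower it so
    # the LAN host never sends a segment larger than the PPPoE link carries.
    # The tcpmss match limits the rewrite to SYNs advertising more than $mss.
    $IPTABLES -t mangle -A FORWARD -i "$WAN" -o "$LAN_IF" -p tcp \
        --tcp-flags SYN,RST SYN -m tcpmss --mss $((mss + 1)):65535 \
        -j TCPMSS --set-mss "$mss"
    # Masquerade the LAN behind the dynamic PPPoE address.
    $IPTABLES -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
    # Accept ICMP "fragmentation needed" for this host and for forwarded
    # flows; dropping it is what makes PMTU discovery fail silently.
    $IPTABLES -A INPUT -i "$WAN" -p icmp --icmp-type fragmentation-needed -j ACCEPT
    $IPTABLES -A FORWARD -i "$WAN" -p icmp --icmp-type fragmentation-needed -j ACCEPT
}

nat_rules "${MTU:-1492}"
```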