[CS-FSLUG] Routing Issue

Tim Young Tim.Young at LightSys.org
Thu Feb 2 12:39:49 CST 2012


Some routers support this, others do not.  So this could be a router 
issue, not just a routing issue.

What is happening is this.  From inside your network on your client 
computer, you attempt to access the external interface.  The local 
computer compares the destination ipaddress and netmask with its own 
IP address and determines that the destination IP is not local.  So, 
it sends it to the firewall (gateway).  The gateway, upon receiving 
the packet, realizes that it needs to port-forward the packet back to 
the internal server.  The return packet then goes from the server, 
back through the reverse NAT, and then back inside to your client 
computer.  The issue is probably occurring inside the firewall when 
it first gets a packet from the client.

Many firewalls on the port forwarding side of things only forward 
packets that come from the Internet.  They do not have rules that 
look for packets with the source on the inside.  The packets from the 
client are usually masqueraded to the outside world (so the source IP 
appears to be 174.96.151.128 to the outside).  All sorts of odd things 
could occur based on how the iptables rules are configured, which 
order they are in, etc.

Anyway.  Most likely your issue is an iptables issue on your 
firewall.  Is that a linux box, or something else?  Do you have the 
ability to hand-edit the iptables rules, or are they simply generated 
by a GUI?  When you say "you have done this before", was that with 
this router with this configuration, or was that using a different 
router/firewall?

     - Tim Young

On 2/2/2012 11:35 AM, Don Parris wrote:
> Guys,
>
> I have a routing issue.  I am fairly certain it is a routing 
> issue.  I have configured my CentOS 6.2 server to provide SSH and 
> WWW service.  I can connect to the server via the internal IP 
> (192.168*).  I can likewise connect to the server via the external 
> IP, but only from outside the LAN.  What I cannot do is connect to 
> the external IP from inside my LAN.  I have done this several times 
> before, but right now am just really confused.
>
> Router Internal IP is *.1 (provides DHCP to my LAN), External = *128
> Server IP is *.22
>
>
> Running traceroute from the server to the internal IP of the router 
> gave *** as a result.
> Running traceroute from the laptop to the external IP of the 
> router gave *** as a result.
>
> Running traceroute from my laptop to the server (from inside the 
> router) gave this result:
> traceroute to 192.168.1.22 (192.168.1.22), 30 hops max, 60 byte packets
>  1  192.168.1.22 (192.168.1.22)  7.639 ms !X  7.646 ms !X  7.639 ms !X
>
> man traceroute says the !X means "communication administratively 
> prohibited".
>
> Here is my routing table on my router:
> 0.0.0.0 	255.255.255.0 	174.96.151.128 	WAN (Internet)
> 0.0.0.0 	0.0.0.0 	174.96.128.1 	WAN (Internet)
> 174.96.128.0 	255.255.224.0 	174.96.151.128 	WAN (Internet)
> 192.168.1.0 	255.255.255.0 	192.168.1.1 	LAN & Wireless
>
>
> I am just really confused.
>
>
> -- 
> D.C. Parris, FMP, LEED AP O+M, ESL Certificate
> Minister, Security/FM Coordinator, Free Software Advocate
> https://www.xing.com/profile/Don_Parris  | 
> http://www.linkedin.com/in/dcparris
> GPG Key ID: F5E179BE
>
>
>
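The rule set Tim describes as missing (a port-forward that also matches packets whose source is on the inside, plus the reverse NAT for the reply) is shown below as an added example for a Linux iptables firewall; it is not from either message. The interface names eth0/eth1 and the server ports are assumptions; the addresses mirror the thread (174.96.151.128 for the WAN side, 192.168.1.0/24 with the router at .1 and the server at .22).

```shell
#!/bin/sh
# Added example: hairpin NAT (NAT loopback) for a Linux iptables gateway.
# Assumed values: interface names are constructed, addresses follow the thread.
WAN_IF=eth0
LAN_IF=eth1
WAN_IP=174.96.151.128
LAN_NET=192.168.1.0/24
LAN_GW=192.168.1.1
SERVER=192.168.1.22

# hairpin_rules PORT: print the iptables commands that publish TCP PORT on the
# WAN IP so it works both from the Internet and from clients inside the LAN.
hairpin_rules() {
    port=$1
    # 1. The usual port-forward: only matches packets arriving on the WAN side.
    #    On its own this is why "external IP works from outside, not inside".
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -d $WAN_IP --dport $port -j DNAT --to-destination $SERVER:$port"
    # 2. Hairpin DNAT: a LAN client talking to the public IP is rewritten too.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp -d $WAN_IP --dport $port -j DNAT --to-destination $SERVER:$port"
    # 3. Hairpin SNAT: make the server see the gateway as the source, so its
    #    reply returns through the firewall's NAT instead of going straight to
    #    the client, which would drop a reply from 192.168.1.22 when it sent
    #    the request to 174.96.151.128.
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -p tcp -d $SERVER --dport $port -j SNAT --to-source $LAN_GW"
    # 4. Let the forwarded flow through the filter table in both directions.
    echo "iptables -A FORWARD -p tcp -d $SERVER --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# apply_rules PORT: actually install the rules (requires root on the gateway).
apply_rules() { hairpin_rules "$1" | sh; }

# Dry run for the two services in the thread: SSH and WWW.
for p in 22 80; do
    hairpin_rules "$p"
done
```

Rule 3 trades the server's view of the real client address for a working hairpin; the server's logs will show 192.168.1.1 for LAN clients that used the public IP, which is worth knowing when reading SSH or web logs on that box.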
