[CS-FSLUG] Routing Issue

Don Parris parrisdc at gmail.com
Thu Feb 2 14:02:41 CST 2012


Thanks Tim,

I should have remembered to put the router in - it's a Linksys WRT54g.  I
have used it before and am quite certain I was able to do the u-turn thing
before.  It doesn't offer iptables at all (or at least not any interface to
that), although my CentOS server does.  Even with the iptables turned off
temporarily, I still could not do the u-turn.  I am positive I did this
before with this same router.  I am actually considering upgrading the
router - this one is ancient and I would like one that supports IPv6 as
well as IPv4.

I am open to recommendations on such a router as well.

On Thu, Feb 2, 2012 at 13:39, Tim Young <Tim.Young at lightsys.org> wrote:

> Some routers support this, others do not.  So this could be a router
> issue, not just a routing issue.
>
> What is happening is this.  From inside your network on your client
> computer, you attempt to access the external interface.  The local computer
> compares the destination IP address and netmask with its own IP address and
> determines that the destination IP is not local.  So, it sends it to the
> firewall (gateway).  The gateway, upon receiving the packet, realizes that
> it needs to port-forward the packet back to the internal server.  The
> return packet then goes from the server, back through the reverse NAT, and
> then back inside to your client computer.  The issue is probably occurring
> inside the firewall when it first gets a packet from the client.
>
> Many firewalls on the port forwarding side of things only forward packets
> that come from the Internet.  They do not have rules that look for packets
> with the source on the inside.  The packets from the client are usually
> masqueraded to the outside world (so the source IP appears to be
> 174.96.151.128 to the outside).  All sorts of odd things could occur based
> on how the iptables rules are configured, which order they are in, etc.
>
> Anyway.  Most likely your issue is an iptables issue on your firewall.  Is
> that a Linux box, or something else?  Do you have the ability to hand-edit
> the iptables rules, or are they simply generated by a GUI?  When you say
> "you have done this before", was that with this router with this
> configuration, or was that using a different router/firewall?
>
>    - Tim Young
>
>
> On 2/2/2012 11:35 AM, Don Parris wrote:
>
>> Guys,
>>
>> I have a routing issue.  I am fairly certain it is a routing issue.  I
>> have configured my CentOS 6.2 server to provide SSH and WWW service.  I can
>> connect to the server via the internal IP (192.168*).  I can likewise
>> connect to the server via the external IP, but only from outside the LAN.
>> What I cannot do is connect to the external IP from inside my LAN.  I have
>> done this several times before, but right now am just really confused.
>>
>> Router Internal IP is *.1 (provides DHCP to my LAN), External = *128
>> Server IP is *.22
>>
>>
>> Running traceroute from the server to the internal IP of the router gave
>> *** as a result.
>> Running traceroute from the laptop to the external IP of the router gave
>> *** as a result.
>>
>> Running traceroute from my laptop to the server (from inside the router)
>> gave this result:
>> traceroute to 192.168.1.22 (192.168.1.22), 30 hops max, 60 byte packets
>>  1  192.168.1.22 (192.168.1.22)  7.639 ms !X  7.646 ms !X  7.639 ms !X
>>
>> man traceroute says the !X means "communication administratively
>> prohibited".
>>
>> Here is my routing table on my router:
>> 0.0.0.0         255.255.255.0   174.96.151.128  WAN (Internet)
>> 0.0.0.0         0.0.0.0         174.96.128.1    WAN (Internet)
>> 174.96.128.0    255.255.224.0   174.96.151.128  WAN (Internet)
>> 192.168.1.0     255.255.255.0   192.168.1.1     LAN & Wireless
>>
>>
>> I am just really confused.
>>
>>
>> --
>> D.C. Parris, FMP, LEED AP O+M, ESL Certificate
>> Minister, Security/FM Coordinator, Free Software Advocate
>> https://www.xing.com/profile/Don_Parris |
>> http://www.linkedin.com/in/dcparris
>> GPG Key ID: F5E179BE
>>
>>
>>
>> _______________________________________________
>> ChristianSource FSLUG mailing list
>> Christiansource at ofb.biz
>> http://cs.uninetsolutions.com
>>
>



-- 
D.C. Parris, FMP, LEED AP O+M, ESL Certificate
Minister, Security/FM Coordinator, Free Software Advocate
https://www.xing.com/profile/Don_Parris  |
http://www.linkedin.com/in/dcparris
GPG Key ID: F5E179BE
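The hairpin ("u-turn") NAT that Tim describes above, as an added example that is not from the thread: the usual WAN-only port forward beside a rule set that also handles LAN-sourced packets, written for a Linux gateway running iptables rather than the WRT54g's stock firmware. The addresses are the ones in the thread; the interface names eth0/eth1 are assumptions.

```shell
#!/bin/sh
# Added example: hairpin NAT rule sets for a Linux gateway (not the thread's own config).
WAN_IF=eth0          # assumption: interface holding 174.96.151.128
LAN_IF=eth1          # assumption: interface holding 192.168.1.1
WAN_IP=174.96.151.128
LAN_NET=192.168.1.0/24
GW_LAN_IP=192.168.1.1
SERVER=192.168.1.22
PORT=80

# Typical port forward: DNAT only for packets arriving on the WAN side.
# A LAN client that dials the external IP never matches this rule, so the
# gateway treats the packet as addressed to itself and the forward fails.
wan_only_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -d $WAN_IP --dport $PORT -j DNAT --to-destination $SERVER
iptables -A FORWARD -p tcp -d $SERVER --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Hairpin version: also DNAT LAN-sourced packets, then SNAT them to the
# gateway's LAN address so the server's reply returns through the gateway
# (and its conntrack entry). Without the SNAT the server answers the client
# directly from 192.168.1.22, and the client, which opened a connection to
# 174.96.151.128, discards that reply.
hairpin_rules() {
  wan_only_rules
  cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp -d $WAN_IP --dport $PORT -j DNAT --to-destination $SERVER
iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -p tcp -d $SERVER --dport $PORT -j SNAT --to-source $GW_LAN_IP
EOF
}

# Number of rules in a generated set that match LAN-sourced traffic.
lan_rule_count() { "$1" | grep -c -- "-s $LAN_NET" || true; }

# Print the rule set by default; apply it only when asked explicitly.
case "${1:-print}" in
  print) hairpin_rules ;;
  apply) hairpin_rules | sh ;;   # needs root on the box that is the gateway
esac
```

The SNAT rule must sit before any general MASQUERADE rule in POSTROUTING, and the FORWARD rule must precede a default DROP, or the forwarded packets are still lost.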