* [LARTC] Re: Debian Sarge Server with iptables behind D-Link Router
From: Ralph Brugger @ 2006-01-31 15:21 UTC (permalink / raw)
To: lartc
Hi,
> try next:
> - Put d-link ADSL as "modem"
> - Make PPPoE call under Linux
Yes, I've already tried this - that's been my configuration for a
week ;)
But I want to understand why it's not possible to use the D-Link as a
router, and what kind of problem the tcpdump results stand for.
Ralph
>
>
>
> ->
> -> Hi,
> ->
> -> I have the network configuration shown at the end of this post.
> ->
> -> In a "few" words: My Debian Sarge server is connected to a D-Link ADSL
> -> Router (DSL-562T). DMZ is enabled for the Debian Sarge IP on the Router.
> ->
> -> My Linux server has two NICs.
> -> ethlan = internal Net
> -> ethdsl = external -> D-Link
> ->
> -> My Linux server is configured to make NAT via iptables.
> ->
> -> Current state - what's working:
> -> - Access from internal LAN to Internet is working (http, https, ftp, etc)
> -> - Access inside the LAN is working
> -> - Access inside the LAN to the linux server is working (http, https,
> -> IMAP and SSH)
> -> - Access from outside the LAN (from internet) to the Linux server is
> -> working for https, IMAP and SSH
> ->
> -> ***BUT***:
> -> Same problem, similar for SSH, https and IMAP:
> -> On an internet browser inside the lan I can't access the webserver on
> -> the Linux Server when I enter the external URL of the Linux server
> -> (dynDNS domain name).
> -> The https-page won't be opened. A simple ping to the linux server with
> -> the same dynDNS domain name works. Trying to enter the external IP of
> -> the linux server in the browser also won't work.
> -> The page won't be opened in the browser.
> ->
> -> The page is then not opened in the browser.
> -> Via telnet to https or ssh or IMAP, likewise no connection is
> -> established when I give the dynDNS domain name as the target.
> -> As said, if I enter the local name or the local IP instead of the
> -> dynDNS domain name, it works.
> ->
> -> iptables should log dropped packets. But there aren't any
> -> dropped packets.
> -> Ifconfig also does not show any errors (dropped packets) for ethlan /
> -> ethdsl.
> ->
> -> So I've tried to understand what tcpdump shows for port 443. But I'm
> -> bound to say that I'm absolutely not firm with tcpdump.
> -> Here's what tcpdump shows:
> ->
> ->
> -> tcpdump for port 443:
> -> Non-working access from inside the LAN to the server's external name /
> -> the server's external IP:
> -> => no connection
> -> ==================
> -> p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win
> -> 65535 <mss 1260,nop,nop,sackOK>
> -> 18:43:41.477631 IP lp-java.linkpool.3491 >
> -> p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win
> -> 65535 <mss 1260,nop,nop,sackOK>
> -> 18:43:41.479358 IP p54BE15A1.dip0.t-ipconnect.de.https >
> -> lp-java.linkpool.3491: R 0:0(0) ack 1859848765 win 0
> -> 18:43:41.967525 IP lp-java.linkpool.3491 >
> -> p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win
> -> 65535 <mss 1260,nop,nop,sackOK>
> -> 18:43:41.969239 IP p54BE15A1.dip0.t-ipconnect.de.https >
> -> lp-java.linkpool.3491: R 0:0(0) ack 1 win 0
> -> 18:43:42.468301 IP lp-java.linkpool.3491 >
> -> p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win
> -> 65535 <mss 1260,nop,nop,sackOK>
> -> 18:43:42.470116 IP p54BE15A1.dip0.t-ipconnect.de.https >
> -> lp-java.linkpool.3491: R 0:0(0) ack 1 win 0
> ->
> ->
> -> tcpdump for port 443:
> -> WORKING access from inside the LAN to the server's INTERNAL name / the
> -> server's INTERNAL IP:
> -> => Successful connection
> -> ==================
> -> 18:45:38.773997 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: S
> -> 1505679381:1505679381(0) win 65535 <mss 1260,nop,nop,sackOK>
> -> 18:45:38.774478 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: S
> -> 189223170:189223170(0) ack 1505679382 win 5840 <mss 1460,nop,nop,sackOK>
> -> 18:45:38.774062 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: .
> -> ack 1 win 65535
> -> 18:45:38.774608 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: P
> -> 1:106(105) ack 1 win 65535
> -> 18:45:38.774660 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: .
> -> ack 106 win 5840
> -> 18:45:38.813185 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: P
> -> 1:1055(1054) ack 106 win 5840
> -> 18:45:38.927284 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: .
> -> ack 1055 win 64481
> ->
> -> Is there anyone who can interpret those results? Is this enough
> -> information to see where the problem may be?
> -> Wrong Routing? Linux server iptables problem? Problem inside the D-Link
> -> Router?
> -> Any suggestions are welcome!
> ->
> -> Internet
> -> |
> -> DSL
> -> |
> -> |
> -> D-Link DSL-562T
> -> 192.168.200.5
> -> |
> -> |
> -> ------------------------------------
> -> | Dev=ethdsl Linux Server |
> -> | 192.168.200.2 lp-komodo |
> -> | | |
> -> | route + iptables |
> -> | | |
> -> | 192.168.240.2 |
> -> | Dev=ethlan |
> -> |-----------------------------------
> -> |
> -> |
> -> Switch 10/100/1000
> -> |
> -> |
> -> ------------------------------------
> -> |Dev=LAN Windows Client |
> -> | XP Pro SP2 |
> -> |192.168.240.010 lp-java |
> -> | |
> -> -----------------------------------|
> ->
> ->
> -> Regards,
> ->
> -> Ralph
> ->
> -> _______________________________________________
> -> LARTC mailing list
> -> LARTC@mailman.ds9a.nl
> -> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
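The two captures Ralph quotes above end differently: toward the internal name the server answers the SYN with a SYN-ACK and data flows, toward the external name every SYN is answered with a RST. As an added illustration (not part of the thread), here is a small Python classifier that parses tcpdump's classic TCP summary lines, the format used in the captures, groups them per connection and reports which outcome occurred. The sample lines are copied from the post; the truncated first line of the failing capture is left out. A SYN answered by a RST is the host holding that address refusing the connection, which is a different symptom from the handshake-completes-then-stalls pattern that MTU or MSS problems usually produce, so the classifier keeps the two apart.

```python
import re
from collections import OrderedDict

# Sample tcpdump lines copied from the captures in the thread (the truncated
# first line of the failing capture is left out).
FAILING = """\
18:43:41.477631 IP lp-java.linkpool.3491 > p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535 <mss 1260,nop,nop,sackOK>
18:43:41.479358 IP p54BE15A1.dip0.t-ipconnect.de.https > lp-java.linkpool.3491: R 0:0(0) ack 1859848765 win 0
18:43:41.967525 IP lp-java.linkpool.3491 > p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535 <mss 1260,nop,nop,sackOK>
18:43:41.969239 IP p54BE15A1.dip0.t-ipconnect.de.https > lp-java.linkpool.3491: R 0:0(0) ack 1 win 0
18:43:42.468301 IP lp-java.linkpool.3491 > p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535 <mss 1260,nop,nop,sackOK>
18:43:42.470116 IP p54BE15A1.dip0.t-ipconnect.de.https > lp-java.linkpool.3491: R 0:0(0) ack 1 win 0
"""

WORKING = """\
18:45:38.773997 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: S 1505679381:1505679381(0) win 65535 <mss 1260,nop,nop,sackOK>
18:45:38.774478 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: S 189223170:189223170(0) ack 1505679382 win 5840 <mss 1460,nop,nop,sackOK>
18:45:38.774062 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: . ack 1 win 65535
18:45:38.774608 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: P 1:106(105) ack 1 win 65535
18:45:38.774660 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: . ack 106 win 5840
18:45:38.813185 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: P 1:1055(1054) ack 106 win 5840
18:45:38.927284 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: . ack 1055 win 64481
"""

# Classic tcpdump TCP summary: "<ts> IP <src> > <dst>: <flags> [seq:end(len)] [ack N] win W ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SRPFWE.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))?"
)


def parse_segment(line):
    """Return one parsed TCP segment from a tcpdump line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    seg = m.groupdict()
    seg["syn"] = "S" in seg["flags"]
    seg["rst"] = "R" in seg["flags"]
    seg["len"] = int(seg["len"] or 0)
    seg["ack"] = int(seg["ack"]) if seg["ack"] else None
    return seg


def verdict(f):
    """Describe how a flow's handshake ended from the counters gathered below."""
    if f["synack"]:
        return "established, %d payload bytes exchanged" % f["bytes"]
    if f["rst"]:
        return "refused: %d SYN(s) answered by %d RST(s) from the server side" % (f["syn"], f["rst"])
    return "no answer: %d SYN(s) without reply" % f["syn"]


def classify_flows(capture):
    """Group segments by (client, server) and report how each handshake ended.

    Assumes the client's SYN is the first segment of a flow in the capture."""
    flows = OrderedDict()
    for line in capture.splitlines():
        seg = parse_segment(line)
        if seg is None:
            continue
        a, b = seg["src"], seg["dst"]
        key = (b, a) if (b, a) in flows else (a, b)   # reply direction of a known flow?
        f = flows.setdefault(key, {"syn": 0, "synack": False, "rst": 0, "bytes": 0})
        server = key[1]
        if seg["syn"] and seg["ack"] is None:
            f["syn"] += 1                      # client SYN, or a retransmission of it
        elif seg["syn"] and seg["src"] == server:
            f["synack"] = True                 # server accepted the handshake
        if seg["rst"] and seg["src"] == server:
            f["rst"] += 1                      # server side tore the attempt down
        f["bytes"] += seg["len"]
    return {key: verdict(f) for key, f in flows.items()}


if __name__ == "__main__":
    for name, capture in (("external name", FAILING), ("internal name", WORKING)):
        for (client, server), result in classify_flows(capture).items():
            print("%s: %s -> %s: %s" % (name, client, server, result))
```

Run against a longer capture (`tcpdump -n port 443` piped into a file), the same grouping shows at a glance which peers refuse, which never answer, and which complete the handshake but exchange no payload, the last being the case to look at when MTU is suspected.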
* RE: [LARTC] Re: Debian Sarge Server with iptables behind D-Link Router
From: LinuXKiD @ 2006-02-01 22:11 UTC (permalink / raw)
To: lartc
Sometimes I fail to access some HTTPS URLs or the MSN service
if you (D-Link or router) mis-manipulate the MTU.
andres
* Re: [LARTC] Re: Debian Sarge Server with iptables behind D-Link Router
From: Philippe Latu @ 2006-02-01 22:37 UTC (permalink / raw)
To: lartc
Hello,
On Wednesday 1 February 2006 23:11, LinuXKiD wrote:
> Sometimes I fail to access some HTTPS URLs or the MSN service
> if you (D-Link or router) mis-manipulate the MTU.
Did you try the TCPMSS netfilter target ?
For instance :
-A POSTROUTING -o ppp0 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss \
1400:1536 -j TCPMSS --clamp-mss-to-pmtu
-A POSTROUTING -o ppp0 -j MASQUERADE
As you are probably using PPPoE on the telephone loop, the maximum transmission
unit cannot reach its maximum of 1500 bytes.
The PPPoE header takes 4 bytes.
You should also let some ICMP packets in, in order to make PMTU discovery
effective.
HTH,
--
- Philippe Latu
< G N U / Linux >
philippe.latu(at)linux-france.org
Projet inetdoc.Linux
http://www.linux-france.org/prj/inetdoc
</>
< I U T 'A' Paul Sabatier >
philippe.latu(at)iut-tlse3.fr - 05.62.25.80.28
Lecturer / Systems & Network project officer
</>
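To make Philippe's rule concrete (and LinuXKiD's MTU remark before it), here is an added Python re-implementation, not netfilter code and not part of the thread, of what `--tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu` does to a TCP SYN: it only considers segments with SYN set and RST clear, only acts when the advertised MSS falls inside the matched range, rewrites the MSS option to the path MTU minus the 40 bytes of IPv4 and TCP headers, and recomputes the TCP checksum. The addresses come from Ralph's diagram and the port numbers from his captures; the path MTU of 1492 is an assumed PPPoE value for the demonstration.

```python
import struct

# Constructed illustration of what `-j TCPMSS --clamp-mss-to-pmtu` does to a
# TCP SYN.  This is a Python re-implementation for reading, not netfilter code.

MSS_KIND = 2           # TCP option kind for Maximum Segment Size
SYN, RST = 0x02, 0x04  # TCP flag bits


def build_syn(sport, dport, seq, mss, window=65535):
    """Raw TCP SYN header with options <mss M,nop,nop,sackOK>; checksum left 0."""
    options = struct.pack("!BBH", MSS_KIND, 4, mss) + b"\x01\x01\x04\x02"
    data_offset = (20 + len(options)) // 4      # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                         data_offset << 4, SYN, window, 0, 0)
    return header + options


def tcp_checksum(src_ip, dst_ip, segment):
    """RFC 793 checksum over the IPv4 pseudo-header and the segment."""
    pseudo = struct.pack("!4s4sBBH", src_ip, dst_ip, 0, 6, len(segment))
    data = pseudo + segment[:16] + b"\x00\x00" + segment[18:]   # checksum field zeroed
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(src_ip, dst_ip, segment):
    return segment[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, segment)) + segment[18:]


def checksum_ok(src_ip, dst_ip, segment):
    return tcp_checksum(src_ip, dst_ip, segment) == struct.unpack("!H", segment[16:18])[0]


def find_mss(segment):
    """Walk the TCP options; return (offset of the MSS value, MSS) or (None, None)."""
    header_len = (segment[12] >> 4) * 4
    i = 20
    while i + 1 < header_len:
        kind = segment[i]
        if kind == 0:                  # end of option list
            break
        if kind == 1:                  # NOP padding
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:                 # malformed option: stop rather than loop forever
            break
        if kind == MSS_KIND and length == 4:
            return i + 2, struct.unpack("!H", segment[i + 2:i + 4])[0]
        i += length
    return None, None


def clamp_mss_to_pmtu(src_ip, dst_ip, segment, pmtu, mss_range=None):
    """Mimic `--tcp-flags SYN,RST SYN -m tcpmss --mss lo:hi -j TCPMSS --clamp-mss-to-pmtu`.

    Returns (segment, clamped).  Only SYNs without RST are touched, only when the
    advertised MSS lies inside mss_range (if given) and exceeds pmtu - 40
    (20-byte IPv4 header + 20-byte TCP header)."""
    flags = segment[13]
    if not (flags & SYN) or (flags & RST):
        return segment, False
    offset, mss = find_mss(segment)
    if offset is None:
        return segment, False
    if mss_range and not (mss_range[0] <= mss <= mss_range[1]):
        return segment, False
    limit = pmtu - 40
    if mss <= limit:
        return segment, False
    clamped = segment[:offset] + struct.pack("!H", limit) + segment[offset + 2:]
    return with_checksum(src_ip, dst_ip, clamped), True


# Addresses from the diagram in the thread; path MTU 1492 is an assumed PPPoE value.
CLIENT_IP = bytes([192, 168, 240, 10])   # lp-java
SERVER_IP = bytes([192, 168, 200, 2])    # lp-komodo, ethdsl side
PMTU = 1492


def demo(mss):
    """Push one SYN advertising `mss` through the rule; return (resulting MSS, clamped)."""
    syn = with_checksum(CLIENT_IP, SERVER_IP, build_syn(3491, 443, 1859848764, mss))
    out, clamped = clamp_mss_to_pmtu(CLIENT_IP, SERVER_IP, syn, PMTU, mss_range=(1400, 1536))
    assert checksum_ok(CLIENT_IP, SERVER_IP, out)
    return find_mss(out)[1], clamped


if __name__ == "__main__":
    print(demo(1460))   # Ethernet-sized MSS: rewritten to 1452
    print(demo(1260))   # the MSS lp-java advertised in the captures: outside the range, untouched
```

Two things the walk-through makes visible: the MSS option only exists in SYN segments, which is why the rule matches `SYN,RST SYN` and nothing else, and the `-m tcpmss --mss 1400:1536` range leaves a client that already advertises a small MSS (1260 in Ralph's captures) alone. On a real system the TCPMSS target is used from the mangle table (`iptables -t mangle`), since rewriting the option is a packet mangling operation.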
* RE: [LARTC] Re: Debian Sarge Server with iptables behind D-Link Router
From: LinuXKiD @ 2006-02-02 8:41 UTC (permalink / raw)
To: lartc
Very good. Thank you.