On Wed, 2012-08-29 at 15:31 -0500, Dale Dellutri wrote:
> On Wed, Aug 29, 2012 at 2:40 PM, Arthur Dent
> <misc.lists@xxxxxxxxxxxxxxxx> wrote:
> > Hello all,
> >
> > I am part-way through a bare-metal rebuild of my small home server (it
> > was F15, I am rebuilding as F17). This machine serves up my IMAP mail
> > with Dovecot and Squirrelmail and hosts my small (mainly static)
> > website.
> >
> > The machine in question sits on my home network at 192.168.2.2. I have
> > opened port 993 on the firewall. I have a domain name (let's call it
> > example.org) with dyndns.org which points to my IP address (let's call
> > that 123.456.789.123) and my router forwards port 993 to 192.168.2.2.
> >
> > So here's the thing - and I don't remember having this problem with F15
> > (or previous):
> > I can access my mail using a client on another machine in my network if
> > I configure it to use 192.168.2.2, but for my mobile devices I configure
> > the email client to point to example.org. If I am outside of my network
> > they can access mail fine, but if I am at home and they are connecting
> > via my own wi-fi... no joy...
> >
> > The same by the way is true of SSH. Although I use a non-standard port
> > for SSH the principle is the same.
> >
> > I have obviously messed up or missed out some configuration step, but I
> > can't understand where I have gone wrong.
> >
> > Can anyone help me to fix this?
>
> I assume that your router forwards all of certain port traffic (like port 993)
> to 192.168.2.2. I assume that the server sees that traffic as coming from
> the wan, and not the lan. Therefore, it sounds like it has some restriction
> to only accept certain traffic if it doesn't come from the lan.
>
> This could be an iptables rule set up to only accept non-lan addresses,
> or a problem with /etc/hosts.deny or /etc/hosts.allow .
>
> Take a look at the output of
> # iptables -nvL
> # cat /etc/hosts.allow
> # cat /etc/hosts.deny
>
> Also, the output of
> # lsof -n -i -P | grep LISTEN
> may be interesting.
>
> --
> Dale Dellutri

Hi - Thanks for helping!

I have nothing in /etc/hosts.allow (or deny)
Should I have?

Here are the other outputs (look out for line-wraps!)

# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1391K  611M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  111  6660 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0
   42  2388 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:993
 1738  390K ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          state NEW udp dpt:5353
 2763  718K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:631
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:631
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:631
   11   660 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2049
    5   284 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:12345
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:12345
 9542 1120K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 1312K packets, 373M bytes)
 pkts bytes target     prot opt in     out     source               destination

# lsof -n -i -P | grep LISTEN
systemd       1     root   35u  IPv6  11851  0t0  TCP *:631 (LISTEN)
cupsd       473     root    4u  IPv6  11851  0t0  TCP *:631 (LISTEN)
cupsd       473     root   13u  IPv4  18549  0t0  TCP 127.0.0.1:631 (LISTEN)
dovecot     561     root   22u  IPv4  16881  0t0  TCP *:110 (LISTEN)
dovecot     561     root   23u  IPv6  16882  0t0  TCP *:110 (LISTEN)
dovecot     561     root   24u  IPv4  16883  0t0  TCP *:995 (LISTEN)
dovecot     561     root   25u  IPv6  16884  0t0  TCP *:995 (LISTEN)
dovecot     561     root   33u  IPv4  16899  0t0  TCP *:143 (LISTEN)
dovecot     561     root   34u  IPv6  16900  0t0  TCP *:143 (LISTEN)
dovecot     561     root   35u  IPv4  16901  0t0  TCP *:993 (LISTEN)
dovecot     561     root   36u  IPv6  16902  0t0  TCP *:993 (LISTEN)
rpcbind     565     root    9u  IPv4  16596  0t0  TCP *:111 (LISTEN)
rpcbind     565     root   12u  IPv6  16599  0t0  TCP *:111 (LISTEN)
sshd        581     root    3u  IPv4  16135  0t0  TCP *:12345 (LISTEN)
sshd        581     root    4u  IPv6  16137  0t0  TCP *:12345 (LISTEN)
rpc.statd   596  rpcuser    9u  IPv4  17689  0t0  TCP *:55993 (LISTEN)
rpc.statd   596  rpcuser   11u  IPv6  17381  0t0  TCP *:35449 (LISTEN)
rpc.rquot   629     root    4u  IPv4  17326  0t0  TCP *:875 (LISTEN)
rpc.mount   644     root    8u  IPv4  17336  0t0  TCP *:20048 (LISTEN)
rpc.mount   644     root   10u  IPv6  17358  0t0  TCP *:20048 (LISTEN)
sendmail    702     root    4u  IPv4  18811  0t0  TCP 127.0.0.1:25 (LISTEN)
sshd      14300     mark    9u  IPv6 442359  0t0  TCP [::1]:6010 (LISTEN)
sshd      14300     mark   10u  IPv4 442360  0t0  TCP 127.0.0.1:6010 (LISTEN)
imap-logi 14738 dovenull    7u  IPv4  16899  0t0  TCP *:143 (LISTEN)
imap-logi 14738 dovenull    8u  IPv6  16900  0t0  TCP *:143 (LISTEN)
imap-logi 14738 dovenull    9u  IPv4  16901  0t0  TCP *:993 (LISTEN)
imap-logi 14738 dovenull   10u  IPv6  16902  0t0  TCP *:993 (LISTEN)
imap-logi 14741 dovenull    7u  IPv4  16899  0t0  TCP *:143 (LISTEN)
imap-logi 14741 dovenull    8u  IPv6  16900  0t0  TCP *:143 (LISTEN)
imap-logi 14741 dovenull    9u  IPv4  16901  0t0  TCP *:993 (LISTEN)
imap-logi 14741 dovenull   10u  IPv6  16902  0t0  TCP *:993 (LISTEN)
imap-logi 16617 dovenull    7u  IPv4  16899  0t0  TCP *:143 (LISTEN)
imap-logi 16617 dovenull    8u  IPv6  16900  0t0  TCP *:143 (LISTEN)
imap-logi 16617 dovenull    9u  IPv4  16901  0t0  TCP *:993 (LISTEN)
imap-logi 16617 dovenull   10u  IPv6  16902  0t0  TCP *:993 (LISTEN)
imap-logi 16619 dovenull    7u  IPv4  16899  0t0  TCP *:143 (LISTEN)
imap-logi 16619 dovenull    8u  IPv6  16900  0t0  TCP *:143 (LISTEN)
imap-logi 16619 dovenull    9u  IPv4  16901  0t0  TCP *:993 (LISTEN)
imap-logi 16619 dovenull   10u  IPv6  16902  0t0  TCP *:993 (LISTEN)
sshd      16630     mark    9u  IPv6 490439  0t0  TCP [::1]:6011 (LISTEN)
sshd      16630     mark   10u  IPv4 490440  0t0  TCP 127.0.0.1:6011 (LISTEN)
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
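Added example, not part of the thread: a first-match walk over an `iptables -nvL` chain listing, showing how to check for the kind of rule suggested above, one that accepts port 993 only from non-LAN sources. The listing is constructed in the format of the INPUT chain in the message; the negated-source rule and the interface name `p2p1` are invented for illustration, and the caller supplies the connection state.

```python
import ipaddress
import re

# Constructed listing in `iptables -nvL` format, modelled on the INPUT chain above.
# Rule 4 (negated LAN source) is invented: it is the restriction being looked for.
SAMPLE = """\
 1391K  611M ACCEPT all -- *    * 0.0.0.0/0       0.0.0.0/0 state RELATED,ESTABLISHED
   111  6660 ACCEPT all -- lo   * 0.0.0.0/0       0.0.0.0/0
     0     0 ACCEPT all -- eth+ * 0.0.0.0/0       0.0.0.0/0
    42  2388 ACCEPT tcp -- *    * !192.168.2.0/24 0.0.0.0/0 state NEW tcp dpt:993
  9542 1120K REJECT all -- *    * 0.0.0.0/0       0.0.0.0/0 reject-with icmp-host-prohibited
"""

def _addr_ok(spec, addr):
    # A leading "!" in the source/destination column inverts the match.
    negate = spec.startswith("!")
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"))
    return inside != negate

def _iface_ok(spec, iface):
    # "*" matches any interface; a trailing "+" is a prefix wildcard (eth+ = eth0, eth1, ...).
    if spec.endswith("+"):
        return iface.startswith(spec[:-1])
    return spec in ("*", iface)

def first_match(listing, iface, proto, src, dst, dport, state="NEW"):
    """Return (rule_number, target) of the first matching rule, or (None, 'policy').

    Handles only the matches seen in the listing (state, single dpt); port ranges are ignored.
    """
    for n, line in enumerate(listing.strip().splitlines(), 1):
        f = line.split()  # pkts bytes target prot opt in out source destination [matches]
        target, prot, in_if, source, dest = f[2], f[3], f[5], f[7], f[8]
        extra = " ".join(f[9:])
        if prot not in ("all", proto) or not _iface_ok(in_if, iface):
            continue
        if not (_addr_ok(source, src) and _addr_ok(dest, dst)):
            continue
        m = re.search(r"state (\S+)", extra)
        if m and state not in m.group(1).split(","):
            continue
        m = re.search(r"dpt:(\d+)", extra)
        if m and int(m.group(1)) != dport:
            continue
        return n, target
    return None, "policy"
```

A rule whose pkts counter stays at 0, like the `eth+` line in the listing, is one that no packet has matched yet, which is worth comparing against the interface names reported by `ip link`.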