On 08/29/2012 03:56 PM, Arthur Dent wrote:
> On Wed, 2012-08-29 at 15:31 -0500, Dale Dellutri wrote:
>> On Wed, Aug 29, 2012 at 2:40 PM, Arthur Dent
>> <misc.lists@xxxxxxxxxxxxxxxx> wrote:
>>> Hello all,
>>>
>>> I am part-way through a bare-metal rebuild of my small home server (it
>>> was F15, I am rebuilding as F17). This machine serves up my IMAP mail
>>> with Dovecot and Squirrelmail and hosts my small (mainly static)
>>> website.
>>>
>>> The machine in question sits on my home network at 192.168.2.2. I have
>>> opened port 993 on the firewall. I have a domain name (let's call it
>>> example.org) with dyndns.org which points to my IP address (let's call
>>> that 123.456.789.123) and my router forwards port 993 to 192.168.2.2.
>>>
>>> So here's the thing - and I don't remember having this problem with F15
>>> (or previous):
>>> I can access my mail using a client on another machine in my network if
>>> I configure it to use 192.168.2.2, but for my mobile devices I configure
>>> the email client to point to example.org. If I am outside of my network
>>> they can access mail fine, but if I am at home and they are connecting
>>> via my own wi-fi... no joy...
>>>
>>> The same by the way is true of SSH. Although I use a non-standard port
>>> for SSH the principle is the same.
>>>
>>> I have obviously messed up or missed out some configuration step, but I
>>> can't understand where I have gone wrong.
>>>
>>> Can anyone help me to fix this?
>>
>> I assume that your router forwards all of certain port traffic (like port 993)
>> to 192.168.2.2. I assume that the server sees that traffic as coming from
>> the wan, and not the lan. Therefore, it sounds like it has some restriction
>> to only accept certain traffic if it doesn't come from the lan.
>>
>> This could be an iptables rule set up to only accept non-lan addresses,
>> or a problem with /etc/hosts.deny or /etc/hosts.allow .
>>
>> Take a look at the output of
>> # iptables -nvL
>> # cat /etc/hosts.allow
>> # cat /etc/hosts.deny
>>
>> Also, the output of
>> # lsof -n -i -P | grep LISTEN
>> may be interesting.
>>
>> --
>> Dale Dellutri
>
> Hi - Thanks for helping!
>
> I have nothing in /etc/hosts.allow (or deny). Should I have?
>
> Here are the other outputs (look out for line-wraps!)
>
>
> # iptables -nvL
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target prot opt in out source destination
> 1391K 611M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
> 111 6660 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT all -- eth+ * 0.0.0.0/0 0.0.0.0/0
> 42 2388 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:993
> 1738 390K ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 state NEW udp dpt:5353
> 2763 718K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:631
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:631
> 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:631
> 11 660 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2049
> 5 284 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:12345
> 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:12345
> 9542 1120K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target prot opt in out source destination
> 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT all -- eth+ * 0.0.0.0/0 0.0.0.0/0
> 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
>
> Chain OUTPUT (policy ACCEPT 1312K packets, 373M bytes)
>  pkts bytes target prot opt in out source destination
>
>
> # lsof -n -i -P | grep LISTEN
> systemd 1 root 35u IPv6 11851 0t0 TCP *:631 (LISTEN)
> cupsd 473 root 4u IPv6 11851 0t0 TCP *:631 (LISTEN)
> cupsd 473 root 13u IPv4 18549 0t0 TCP 127.0.0.1:631 (LISTEN)
> dovecot 561 root 22u IPv4 16881 0t0 TCP *:110 (LISTEN)
> dovecot 561 root 23u IPv6 16882 0t0 TCP *:110 (LISTEN)
> dovecot 561 root 24u IPv4 16883 0t0 TCP *:995 (LISTEN)
> dovecot 561 root 25u IPv6 16884 0t0 TCP *:995 (LISTEN)
> dovecot 561 root 33u IPv4 16899 0t0 TCP *:143 (LISTEN)
> dovecot 561 root 34u IPv6 16900 0t0 TCP *:143 (LISTEN)
> dovecot 561 root 35u IPv4 16901 0t0 TCP *:993 (LISTEN)
> dovecot 561 root 36u IPv6 16902 0t0 TCP *:993 (LISTEN)
> rpcbind 565 root 9u IPv4 16596 0t0 TCP *:111 (LISTEN)
> rpcbind 565 root 12u IPv6 16599 0t0 TCP *:111 (LISTEN)
> sshd 581 root 3u IPv4 16135 0t0 TCP *:12345 (LISTEN)
> sshd 581 root 4u IPv6 16137 0t0 TCP *:12345 (LISTEN)
> rpc.statd 596 rpcuser 9u IPv4 17689 0t0 TCP *:55993 (LISTEN)
> rpc.statd 596 rpcuser 11u IPv6 17381 0t0 TCP *:35449 (LISTEN)
> rpc.rquot 629 root 4u IPv4 17326 0t0 TCP *:875 (LISTEN)
> rpc.mount 644 root 8u IPv4 17336 0t0 TCP *:20048 (LISTEN)
> rpc.mount 644 root 10u IPv6 17358 0t0 TCP *:20048 (LISTEN)
> sendmail 702 root 4u IPv4 18811 0t0 TCP 127.0.0.1:25 (LISTEN)
> sshd 14300 mark 9u IPv6 442359 0t0 TCP [::1]:6010 (LISTEN)
> sshd 14300 mark 10u IPv4 442360 0t0 TCP 127.0.0.1:6010 (LISTEN)
> imap-logi 14738 dovenull 7u IPv4 16899 0t0 TCP *:143 (LISTEN)
> imap-logi 14738 dovenull 8u IPv6 16900 0t0 TCP *:143 (LISTEN)
> imap-logi 14738 dovenull 9u IPv4 16901 0t0 TCP *:993 (LISTEN)
> imap-logi 14738 dovenull 10u IPv6 16902 0t0 TCP *:993 (LISTEN)
> imap-logi 14741 dovenull 7u IPv4 16899 0t0 TCP *:143 (LISTEN)
> imap-logi 14741 dovenull 8u IPv6 16900 0t0 TCP *:143 (LISTEN)
> imap-logi 14741 dovenull 9u IPv4 16901 0t0 TCP *:993 (LISTEN)
> imap-logi 14741 dovenull 10u IPv6 16902 0t0 TCP *:993 (LISTEN)
> imap-logi 16617 dovenull 7u IPv4 16899 0t0 TCP *:143 (LISTEN)
> imap-logi 16617 dovenull 8u IPv6 16900 0t0 TCP *:143 (LISTEN)
> imap-logi 16617 dovenull 9u IPv4 16901 0t0 TCP *:993 (LISTEN)
> imap-logi 16617 dovenull 10u IPv6 16902 0t0 TCP *:993 (LISTEN)
> imap-logi 16619 dovenull 7u IPv4 16899 0t0 TCP *:143 (LISTEN)
> imap-logi 16619 dovenull 8u IPv6 16900 0t0 TCP *:143 (LISTEN)
> imap-logi 16619 dovenull 9u IPv4 16901 0t0 TCP *:993 (LISTEN)
> imap-logi 16619 dovenull 10u IPv6 16902 0t0 TCP *:993 (LISTEN)
> sshd 16630 mark 9u IPv6 490439 0t0 TCP [::1]:6011 (LISTEN)
> sshd 16630 mark 10u IPv4 490440 0t0 TCP 127.0.0.1:6011 (LISTEN)
>
>

I think you are getting in a loop as it doesn't appear that you are NATing incoming traffic. So what happens is that the traffic from, say, 192.168.2.3 goes to example.org but the ip info is not nat'd so the mail server on 192.168.2.2 answers directly to 192.168.2.3 but the client is expecting the data to come back from example.org so you get a nasty circular routing issue. You should probably nat the incoming traffic to 192.168.2.2 over your router so it looks like it's coming from the router and gets routed back to the router. Then the router can redirect the traffic back to where it needs to go.

Kevin

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
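Kevin's diagnosis as a packet-flow model, added here as an illustration and not part of the thread: it walks a LAN client's SYN through the router's port forward with and without the extra source NAT he recommends, and shows why only the second case lets the handshake complete. The addresses are the thread's own; the router's LAN address (192.168.2.1) and the client's source port are assumed.

```python
"""Hairpin (NAT loopback) model: a LAN client reaching its own server
through the router's public address. Addresses from the thread; the
router LAN address and client port are constructed for the example."""
from dataclasses import dataclass

PUBLIC_IP = "123.456.789.123"   # the thread's placeholder public address
ROUTER_LAN_IP = "192.168.2.1"   # assumed LAN address of the router
SERVER_IP = "192.168.2.2"       # Dovecot host, port 993 forwarded to it
CLIENT_IP = "192.168.2.3"       # a phone on the home wi-fi
PORT_MAP = {993: SERVER_IP}     # the router's port-forward table


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN" or "SYN-ACK"


def simulate(hairpin_snat: bool) -> bool:
    """Return True if the client's TCP handshake can complete."""
    conntrack = {}  # router's NAT table: translated tuple -> original SYN
    syn = Packet(CLIENT_IP, 40000, PUBLIC_IP, 993, "SYN")
    expected_peer = (syn.dst, syn.dport)  # what the client's socket awaits

    # 1. Router DNATs the forwarded port. With hairpin SNAT it also
    #    rewrites the source so the server sees the router, not the client
    #    (on a Linux router: a MASQUERADE rule in nat POSTROUTING matching
    #    LAN-sourced packets headed for 192.168.2.2:993).
    fwd = Packet(syn.src, syn.sport, PORT_MAP[syn.dport], syn.dport, "SYN")
    if hairpin_snat:
        fwd = Packet(ROUTER_LAN_IP, syn.sport, fwd.dst, fwd.dport, "SYN")
    conntrack[(fwd.dst, fwd.dport, fwd.src, fwd.sport)] = syn

    # 2. Server answers whatever source address it saw on the SYN.
    reply = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport, "SYN-ACK")

    # 3. Same subnet: the reply only passes the router if addressed to it.
    #    Otherwise it goes straight to the client, untranslated.
    if reply.dst == ROUTER_LAN_IP:
        orig = conntrack[(reply.src, reply.sport, reply.dst, reply.dport)]
        reply = Packet(orig.dst, orig.dport, orig.src, orig.sport, "SYN-ACK")

    # 4. The client accepts a SYN-ACK only from the peer it sent its SYN to;
    #    a reply from 192.168.2.2:993 when it spoke to example.org is dropped.
    return reply.dst == CLIENT_IP and (reply.src, reply.sport) == expected_peer
```

`simulate(False)` reproduces the thread's failure (server replies direct, client ignores it); `simulate(True)` is the router-side fix Kevin describes.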