Debian Sarge Server with iptables behind D-Link Router

Linux Advanced Routing and Traffic Control

Hi,

I have the network configuration shown at the end of this post.

In a "few" words: My Debian Sarge server is connected to a D-Link ADSL
Router (DSL-562T). DMZ is enabled for the Debian Sarge IP on the Router.

My Linux server has two NICs:
ethlan = internal Net
ethdsl = external -> D-Link

My Linux server is configured to make NAT via iptables.

Current state - what's working:
- Access from internal LAN to Internet is working (http, https, ftp, etc)
- Access inside the LAN is working
- Access inside the LAN to the linux server is working (http, https,
IMAP and SSH)
- Access from outside the LAN (from internet) to the Linux server is
working for https, IMAP and SSH

***BUT***:
The same problem occurs for SSH, https and IMAP:
In a web browser inside the LAN I can't access the web server on the
Linux server when I enter the external URL of the Linux server (dynDNS
domain name).
The https page won't open. A simple ping to the Linux server with the
same dynDNS domain name works. Entering the external IP of the Linux
server in the browser also doesn't work.
The page won't open in the browser.

Via telnet to https, ssh or IMAP no connection is established either
when I give the dynDNS domain name as the target.
As said, if I enter the local name or the local IP instead of the dynDNS
domain name, it works.

iptables should log dropped packets. But there aren't any dropped packets.
ifconfig also does not show any errors (dropped packets) for ethlan /
ethdsl.

So I've tried to understand what tcpdump shows for port 443. But I have
to say that I'm absolutely not familiar with tcpdump.
Here's what tcpdump shows:


tcpdump for port 443:
NOT working access from inside the LAN to the server's EXTERNAL name /
the server's EXTERNAL IP:
=> no connection
====================================
p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win
65535 <mss 1260,nop,nop,sackOK>
18:43:41.477631 IP lp-java.linkpool.3491 >
p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win
65535 <mss 1260,nop,nop,sackOK>
18:43:41.479358 IP p54BE15A1.dip0.t-ipconnect.de.https >
lp-java.linkpool.3491: R 0:0(0) ack 1859848765 win 0
18:43:41.967525 IP lp-java.linkpool.3491 >
p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win
65535 <mss 1260,nop,nop,sackOK>
18:43:41.969239 IP p54BE15A1.dip0.t-ipconnect.de.https >
lp-java.linkpool.3491: R 0:0(0) ack 1 win 0
18:43:42.468301 IP lp-java.linkpool.3491 >
p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win
65535 <mss 1260,nop,nop,sackOK>
18:43:42.470116 IP p54BE15A1.dip0.t-ipconnect.de.https >
lp-java.linkpool.3491: R 0:0(0) ack 1 win 0


tcpdump for port 443:
WORKING access from inside the LAN to the server's INTERNAL name / the
server's INTERNAL IP:
=> successful connection
====================================
18:45:38.773997 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: S
1505679381:1505679381(0) win 65535 <mss 1260,nop,nop,sackOK>
18:45:38.774478 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: S
189223170:189223170(0) ack 1505679382 win 5840 <mss 1460,nop,nop,sackOK>
18:45:38.774062 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: .
ack 1 win 65535
18:45:38.774608 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: P
1:106(105) ack 1 win 65535
18:45:38.774660 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: .
ack 106 win 5840
18:45:38.813185 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: P
1:1055(1054) ack 106 win 5840
18:45:38.927284 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: .
ack 1055 win 64481

Is there anyone who can interpret those results? Is this enough
information to see where the problem may be?
Wrong routing? Linux server iptables problem? Problem inside the D-Link
router?
Any suggestions are welcome!

     Internet
         |
        DSL
         |
         |
   D-Link DSL-562T
    192.168.200.5
         |
         |
  ------------------------------------
  | Dev=ethdsl      Linux Server     |
  | 192.168.200.2   lp-komodo        |
  |     |                            |
  |   route + iptables               |
  |     |                            |
  | 192.168.240.2                    |
  | Dev=ethlan                       |
  ------------------------------------
                  |
                  |
            Switch 10/100/1000
                  |
                  |
  ------------------------------------
  |Dev=LAN            Windows Client |
  |                   XP Pro SP2     |
  |192.168.240.010    lp-java        |
  |                                  |
  ------------------------------------


Regards,

Ralph

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
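To help read captures like the two in the post, here is an added example (not code from the original message or from the LARTC list): a small Python parser that rejoins the tcpdump 3.x lines the mail client wrapped, groups packets by connection, and reports whether each SYN was answered with a SYN/ACK (established), with an RST (actively refused by whatever answered, which is not a silent firewall DROP) or not at all. The sample input is the failing excerpt quoted above; the truncated first record without a timestamp is discarded.

```python
"""Classify TCP handshakes in old-style tcpdump text (tcpdump 3.x, as in the
post above).  Added example; it is not code from the original message."""
import re
# One record: "TIME IP src.port > dst.port: FLAGS [seq:seq(len)] [ack N] ..."
_REC = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP (?P<src>\S+) > (?P<dst>\S+): "
                  r"(?P<flags>[SRPF.]+)(?: \d+:\d+\(\d+\))?(?: ack (?P<ack>\d+))?")

def join_wrapped(text):
    """Rejoin mail-wrapped records; a leading fragment with no timestamp is dropped."""
    recs = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if re.match(r"^\d\d:\d\d:\d\d\.\d+ ", line):
            recs.append(line)
        elif recs:
            recs[-1] += " " + line
    return recs

def classify(text):
    """Map (client, server) -> verdict for every connection attempt seen."""
    flows = {}
    for rec in join_wrapped(text):
        m = _REC.match(rec)
        if not m:
            continue
        src, dst, flags, ack = m.group("src", "dst", "flags", "ack")
        if flags == "S" and ack is None:            # a bare SYN opens a flow
            f = flows.setdefault((src, dst), {"syn": 0, "synack": 0, "rst": 0, "data": 0})
            f["syn"] += 1
            continue
        f = flows.get((dst, src)) or flows.get((src, dst))   # reply or follow-up
        if f is not None:
            f["synack"] += int("S" in flags and ack is not None)
            f["rst"] += int("R" in flags)
            f["data"] += int("P" in flags)
    out = {}
    for key, f in flows.items():
        if f["synack"]:
            out[key] = "established" + (", data exchanged" if f["data"] else "")
        elif f["rst"]:   # active reject by the peer, not a silent firewall DROP
            out[key] = "refused: %d SYN(s), %d RST(s)" % (f["syn"], f["rst"])
        else:
            out[key] = "unanswered: %d SYN(s)" % f["syn"]   # consistent with DROP
    return out

# Input: excerpt of the failing capture from the post, wrapped as in the mail.
FAILING = """18:43:41.477631 IP lp-java.linkpool.3491 >
p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win
65535 <mss 1260,nop,nop,sackOK>
18:43:41.479358 IP p54BE15A1.dip0.t-ipconnect.de.https >
lp-java.linkpool.3491: R 0:0(0) ack 1859848765 win 0
"""
```

Running classify(FAILING) reports the external-name attempt as refused (SYN answered by RST), while the same parser on the working capture reports an established connection with data exchanged.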
