Jeff Vian wrote:
On Sun, 2005-03-13 at 23:05 -0500, Claude Jones wrote:
Another elaboration of the investigation:
Below are 3 lines from a tcpdump monitoring the external nic as I attempted to access the web from a lan machine. It looks to me like the requests are making it to the external nic, because DNS lookups are being attempted, no?
22:49:22.142576 IP (tos 0x0, ttl 127, id 924, offset 0, flags [none], proto 17, length: 64) 192.168.2.253.1031 > ns1.nlayer.net.domain: 62240+ A? www.levitjames.com. (36)
22:49:22.603798 arp who-has 10.0.0.1 tell 10.0.4.62
22:49:22.735672 IP (tos 0x0, ttl 127, id 925, offset 0, flags [none], proto 17, length: 61) 192.168.2.253.1025 > ns2.rec.servercentral.net.domain: 7458+ A? www.directv.com. (33)
22:49:22.735936 IP (tos 0x0, ttl 127, id 926, offset 0, flags [none], proto 17, length: 61) 192.168.2.253.1025 > ns1.nlayer.net.domain: 7458+ A? www.directv.com. (33)
I have not used tcpdump in some time, but that does not look correct for the external interface.
192.168.2.253 and 10.0.4.62 are both private addresses. You may have forwarding on but not masquerading. If that is true then it goes out but never gets back.
You don't say what the address of the external interface is so I can only assume it is valid and reachable from the internet. (It has to be either a valid internet address or masqueraded thru another router/firewall that is providing NAT for you)
In either case, requests going out on the WAN port must originate from the address of that NIC so they can be replied to properly.
What does a similar tcpdump look like when doing the same request from the firewall box?
Is the firewall connected directly to the internet? Or just inside another larger private LAN?
The above tcpdump was run on the firewall, on the outside (wan) interface. The traffic was initiated by trying to access a website, for the first line above, www.levitjames.com, from a pc on the lan. So the originating address was 192.168.2.253, which is the lan pc. I'm not sure where the 10. addresses are coming from since there are no such on my lan. The named dns servers are the ones I've entered into my configuration for my network in the network administration gui. It looks to me like my inside pc placed a DNS request for www.levitjames.com, which request made it to the outside nic on the firewall. Then, no response gets back to the lan pc. Below is the nat/masquerade section of my firewall script:
if [ "$NAT" = "dynamic" ]
then
    # dynamic IP address, use masquerading
    echo "Enabling masquerading (dynamic ip)..."
    iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
# higher up in the script NAT is set to the outside IP address,
# not left blank
elif [ "$NAT" != "" ]
then
    # static IP, use SNAT
    echo "Enabling SNAT (static ip)..."
    iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to 66.225.207.87
fi
--
Claude Jones
Bluemont, VA, USA
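An added example, not code from either poster: a small POSIX shell check that reads tcpdump output captured on the WAN interface and reports packets whose source address is still private (RFC 1918). That is exactly what Jeff's "forwarding on but not masquerading" case looks like on the wire, and it is the first thing to verify before touching the POSTROUTING rules. The sample input is constructed from the three IP lines in the thread (plus the arp line, which must be ignored) and one line showing what the same request should look like once SNAT to the script's static address is in effect.

```shell
#!/bin/sh
# Added example, not code from the thread: check WAN-side tcpdump output for
# packets that left with a private (RFC 1918) source address, i.e. traffic that
# was forwarded but never masqueraded/SNATed on the uplink.

# Constructed sample input: the IP lines from the post (private source
# 192.168.2.253) plus the arp line, which the check must skip.
SAMPLE_LEAKING='22:49:22.142576 IP (tos 0x0, ttl 127, id 924, offset 0, flags [none], proto 17, length: 64) 192.168.2.253.1031 > ns1.nlayer.net.domain: 62240+ A? www.levitjames.com. (36)
22:49:22.603798 arp who-has 10.0.0.1 tell 10.0.4.62
22:49:22.735672 IP (tos 0x0, ttl 127, id 925, offset 0, flags [none], proto 17, length: 61) 192.168.2.253.1025 > ns2.rec.servercentral.net.domain: 7458+ A? www.directv.com. (33)'

# Constructed sample of the same request after SNAT to the static uplink
# address used in the firewall script.
SAMPLE_NATTED='22:49:22.142576 IP (tos 0x0, ttl 127, id 924, offset 0, flags [none], proto 17, length: 64) 66.225.207.87.1031 > ns1.nlayer.net.domain: 62240+ A? www.levitjames.com. (36)'

# is_rfc1918 ADDR: succeed (0) if ADDR is in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# wan_sources: read tcpdump text on stdin and print the source IP of every
# "IP ... src.port > dst.port:" line; arp and other non-IP lines are skipped.
wan_sources() {
    awk '$2 == "IP" {
        for (i = 3; i < NF; i++)
            if ($(i + 1) == ">") {       # field before ">" is src.port
                sub(/\.[^.]*$/, "", $i)  # strip the trailing .port
                print $i
            }
    }'
}

# find_unnatted_sources: read tcpdump text on stdin; print one line per packet
# whose source is private. Exit 1 if any were found, 0 if the uplink looks NATed.
find_unnatted_sources() {
    leak=0
    for src in $(wan_sources); do
        if is_rfc1918 "$src"; then
            echo "private source on WAN side: $src"
            leak=1
        fi
    done
    return "$leak"
}

# Stand-alone demo over the constructed samples.
printf '%s\n' "$SAMPLE_LEAKING" | find_unnatted_sources ||
    echo "-> forwarding works but no MASQUERADE/SNAT applied on the uplink"
printf '%s\n' "$SAMPLE_NATTED" | find_unnatted_sources &&
    echo "-> all WAN-side sources are public"
```

On a live box the same check is `tcpdump -n -i "$UPLINK" ip | find_unnatted_sources` (with the functions sourced); a non-zero exit means the packets are leaving before the POSTROUTING chain rewrites them, so the replies have nowhere to go, which matches the "goes out but never gets back" symptom.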