Understanding my network

Kevin Martin ktmdms at gmail.com
Wed Aug 29 21:32:39 UTC 2012


On 08/29/2012 03:56 PM, Arthur Dent wrote:
> On Wed, 2012-08-29 at 15:31 -0500, Dale Dellutri wrote:
>> On Wed, Aug 29, 2012 at 2:40 PM, Arthur Dent
>> <misc.lists at blueyonder.co.uk> wrote:
>>> Hello all,
>>>
>>> I am part-way through a bare-metal rebuild of my small home server (it
>>> was F15, I am rebuilding as F17). This machine serves up my IMAP mail
>>> with Dovecot and Squirrelmail and hosts my small (mainly static)
>>> website.
>>>
>>> The machine in question sits on my home network at 192.168.2.2. I have
>>> opened port 993 on the firewall. I have a domain name (let's call it
>>> example.org) with dyndns.org which points to my IP address (let's call
>>> that 123.456.789.123) and my router forwards port 993 to 192.168.2.2.
>>>
>>> So here's the thing - and I don't remember having this problem with F15
>>> (or previous):
>>> I can access my mail using a client on another machine in my network if
>>> I configure it to use 192.168.2.2, but for my mobile devices I configure
>>> the email client to point to example.org. If I am outside of my network
>>> they can access mail fine, but if I am at home and they are connecting
>>> via my own wi-fi... no joy...
>>>
>>> The same by the way is true of SSH. Although I use a non-standard port
>>> for SSH the principle is the same.
>>>
>>> I have obviously messed up or missed out some configuration step, but I
>>> can't understand where I have gone wrong.
>>>
>>> Can anyone help me to fix this?
>>
>> I assume that your router forwards all of certain port traffic (like port 993)
>> to 192.168.2.2.  I assume that the server sees that traffic as coming from
>> the wan, and not the lan.  Therefore, it sounds like it has some restriction
>> to only accept certain traffic if it doesn't come from the lan.
>>
>> This could be an iptables rule set up to only accept non-lan addresses,
>> or a problem with /etc/hosts.deny or /etc/hosts.allow .
>>
>> Take a look at the output of
>>   # iptables -nvL
>>   # cat /etc/hosts.allow
>>   # cat /etc/hosts.deny
>>
>> Also, the output of
>>   # lsof -n -i -P | grep LISTEN
>> may be interesting.
>>
>> -- 
>> Dale Dellutri
> 
> Hi - Thanks for helping!
> 
> I have nothing in /etc/hosts.allow (or deny). Should I have?
> 
> Here are the other outputs (look out for line-wraps!)
> 
> 
> # iptables -nvL
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination         
> 1391K  611M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
>   111  6660 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
>     0     0 ACCEPT     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0           
>    42  2388 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:993
>  1738  390K ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          state NEW udp dpt:5353
>  2763  718K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:631
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:631
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:631
>    11   660 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2049
>     5   284 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:12345
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:12345
>  9542 1120K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination         
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
>     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
>     0     0 ACCEPT     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0           
>     0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
> 
> Chain OUTPUT (policy ACCEPT 1312K packets, 373M bytes)
>  pkts bytes target     prot opt in     out     source               destination      
> 
> 
> # lsof -n -i -P | grep LISTEN
> systemd       1     root   35u  IPv6  11851      0t0  TCP *:631 (LISTEN)
> cupsd       473     root    4u  IPv6  11851      0t0  TCP *:631 (LISTEN)
> cupsd       473     root   13u  IPv4  18549      0t0  TCP 127.0.0.1:631 (LISTEN)
> dovecot     561     root   22u  IPv4  16881      0t0  TCP *:110 (LISTEN)
> dovecot     561     root   23u  IPv6  16882      0t0  TCP *:110 (LISTEN)
> dovecot     561     root   24u  IPv4  16883      0t0  TCP *:995 (LISTEN)
> dovecot     561     root   25u  IPv6  16884      0t0  TCP *:995 (LISTEN)
> dovecot     561     root   33u  IPv4  16899      0t0  TCP *:143 (LISTEN)
> dovecot     561     root   34u  IPv6  16900      0t0  TCP *:143 (LISTEN)
> dovecot     561     root   35u  IPv4  16901      0t0  TCP *:993 (LISTEN)
> dovecot     561     root   36u  IPv6  16902      0t0  TCP *:993 (LISTEN)
> rpcbind     565     root    9u  IPv4  16596      0t0  TCP *:111 (LISTEN)
> rpcbind     565     root   12u  IPv6  16599      0t0  TCP *:111 (LISTEN)
> sshd        581     root    3u  IPv4  16135      0t0  TCP *:12345 (LISTEN)
> sshd        581     root    4u  IPv6  16137      0t0  TCP *:12345 (LISTEN)
> rpc.statd   596  rpcuser    9u  IPv4  17689      0t0  TCP *:55993 (LISTEN)
> rpc.statd   596  rpcuser   11u  IPv6  17381      0t0  TCP *:35449 (LISTEN)
> rpc.rquot   629     root    4u  IPv4  17326      0t0  TCP *:875 (LISTEN)
> rpc.mount   644     root    8u  IPv4  17336      0t0  TCP *:20048 (LISTEN)
> rpc.mount   644     root   10u  IPv6  17358      0t0  TCP *:20048 (LISTEN)
> sendmail    702     root    4u  IPv4  18811      0t0  TCP 127.0.0.1:25 (LISTEN)
> sshd      14300     mark    9u  IPv6 442359      0t0  TCP [::1]:6010 (LISTEN)
> sshd      14300     mark   10u  IPv4 442360      0t0  TCP 127.0.0.1:6010 (LISTEN)
> imap-logi 14738 dovenull    7u  IPv4  16899      0t0  TCP *:143 (LISTEN)
> imap-logi 14738 dovenull    8u  IPv6  16900      0t0  TCP *:143 (LISTEN)
> imap-logi 14738 dovenull    9u  IPv4  16901      0t0  TCP *:993 (LISTEN)
> imap-logi 14738 dovenull   10u  IPv6  16902      0t0  TCP *:993 (LISTEN)
> imap-logi 14741 dovenull    7u  IPv4  16899      0t0  TCP *:143 (LISTEN)
> imap-logi 14741 dovenull    8u  IPv6  16900      0t0  TCP *:143 (LISTEN)
> imap-logi 14741 dovenull    9u  IPv4  16901      0t0  TCP *:993 (LISTEN)
> imap-logi 14741 dovenull   10u  IPv6  16902      0t0  TCP *:993 (LISTEN)
> imap-logi 16617 dovenull    7u  IPv4  16899      0t0  TCP *:143 (LISTEN)
> imap-logi 16617 dovenull    8u  IPv6  16900      0t0  TCP *:143 (LISTEN)
> imap-logi 16617 dovenull    9u  IPv4  16901      0t0  TCP *:993 (LISTEN)
> imap-logi 16617 dovenull   10u  IPv6  16902      0t0  TCP *:993 (LISTEN)
> imap-logi 16619 dovenull    7u  IPv4  16899      0t0  TCP *:143 (LISTEN)
> imap-logi 16619 dovenull    8u  IPv6  16900      0t0  TCP *:143 (LISTEN)
> imap-logi 16619 dovenull    9u  IPv4  16901      0t0  TCP *:993 (LISTEN)
> imap-logi 16619 dovenull   10u  IPv6  16902      0t0  TCP *:993 (LISTEN)
> sshd      16630     mark    9u  IPv6 490439      0t0  TCP [::1]:6011 (LISTEN)
> sshd      16630     mark   10u  IPv4 490440      0t0  TCP 127.0.0.1:6011 (LISTEN)
> 

I think you are getting in a loop as it doesn't appear that you are NATing incoming traffic.  So what happens is that the traffic
from, say, 192.168.2.3 goes to example.org but the ip info is not nat'd so the mail server on 192.168.2.2 answers directly to
192.168.2.3 but the client is expecting the data to come back from example.org so you get a nasty circular routing issue.  You
should probably nat the incoming traffic to 192.168.2.2 over your router so it looks like it's coming from the router and gets
routed back to the router.  Then the router can redirect the traffic back to where it needs to go.

Kevin
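The hairpin (NAT loopback) failure Kevin describes, modelled as a packet walk so the asymmetric reply is visible. This is an added example, not code from the thread or from any of its participants. It uses the thread's server address 192.168.2.2 and port 993; the router LAN address 192.168.2.1, the documentation-range public address 203.0.113.10 (standing in for the real WAN address) and the client addresses 192.168.2.3 / 198.51.100.7 are constructed assumptions. Each side is reduced to the 4-tuple that a TCP socket uses to match replies, which is enough to show why the same port forward works from outside but not from the home wi-fi, and why source-NATing the forwarded connection on the router fixes it.

```python
"""Hairpin-NAT walk-through (constructed example, not from the original thread).

A LAN client connects to the public name, the router port-forwards 993 to the
server, and the server's reply either bypasses the router (no source NAT, the
thread's situation) or returns through it (source NAT, Kevin's suggestion).
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # placeholder for the real public address
ROUTER_LAN = "192.168.2.1"   # assumed LAN address of the router
SERVER = "192.168.2.2"       # from the thread
LAN_PREFIX = "192.168.2."
IMAPS = 993


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def on_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class Router:
    """Port-forwarding router with an optional hairpin source NAT."""

    def __init__(self, hairpin_snat: bool) -> None:
        self.hairpin_snat = hairpin_snat
        # reply tuple expected back from the server -> the client's original request
        self.conntrack: Dict[Tuple[str, int, str, int], Packet] = {}
        self._next_port = 50000

    def forward(self, pkt: Packet) -> Packet:
        """DNAT the port forward; SNAT LAN-originated traffic only if enabled."""
        out = pkt
        if pkt.dst == PUBLIC_IP and pkt.dport == IMAPS:
            out = replace(pkt, dst=SERVER)
        if self.hairpin_snat and on_lan(pkt.src) and out.dst == SERVER:
            # Rewrite the source so the server answers the router, not the client.
            out = replace(out, src=ROUTER_LAN, sport=self._next_port)
            self._next_port += 1
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reverse(self, reply: Packet) -> Optional[Packet]:
        """Undo the translation for a reply that actually passes through the router."""
        orig = self.conntrack.get((reply.src, reply.sport, reply.dst, reply.dport))
        if orig is None:
            return None
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def server_reply(received: Packet) -> Packet:
    """The server answers whatever source the packet carried when it arrived."""
    return Packet(received.dst, received.dport, received.src, received.sport)


def client_accepts(request: Packet, reply: Packet) -> bool:
    """A TCP socket only matches a reply whose 4-tuple mirrors its own request."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        request.dst, request.dport, request.src, request.sport)


def simulate(client_ip: str, hairpin_snat: bool) -> bool:
    """Return True if the client gets a reply it can match to its connection."""
    router = Router(hairpin_snat)
    request = Packet(client_ip, 40000, PUBLIC_IP, IMAPS)
    # The public address is off-LAN, so the client hands the packet to its gateway.
    at_server = router.forward(request)
    reply = server_reply(at_server)
    if on_lan(reply.dst) and reply.dst != ROUTER_LAN:
        # Same subnet: the LAN switch delivers directly and the router never sees it.
        delivered: Optional[Packet] = reply
    else:
        delivered = router.reverse(reply)
    return delivered is not None and client_accepts(request, delivered)


if __name__ == "__main__":
    for client, label in (("192.168.2.3", "LAN client"), ("198.51.100.7", "WAN client")):
        for snat in (False, True):
            ok = simulate(client, hairpin_snat=snat)
            print(f"{label:10s} hairpin SNAT={snat!s:5s} -> {'reply matched' if ok else 'reply dropped'}")
```

From outside the home network the reply has to cross the router anyway, so the plain port forward is reversed correctly; from the wi-fi the server's reply is addressed straight to the client's LAN address, arrives from 192.168.2.2 instead of the public address the client connected to, and the client's socket rejects it. With the source NAT the server only ever sees the router, so every reply is translated back on the way out. The two common fixes are exactly that hairpin NAT on the router (where the router supports it) or split-horizon DNS, so that example.org resolves to 192.168.2.2 from inside the LAN and the traffic never leaves the subnet.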

