Mailing List Archive



Re: [tlug] IP Masquerading



On Sun, Aug 18, 2002 at 05:39:12PM +0900, Ryan Shaw wrote:

>I am trying to set up a server on my OCN ADSL
>connection. I can successfully connect to
>port 80 of my server if I connect my server
>directly to my ADSL router and configure IP 
>masquerading on the router, but when I try 
>to put my Corega hub in between the router 
>and my server (so other machines in my house
>can use the ADSL), port 80 is closed to the
>outside, even though I have enabled IP
>masquerading on the hub... 

Umm, hubs don't do IP masquerading.  They don't do anything
at all except connect devices together.  A hub is a 
completely dumb device that takes in packets on
port A and broadcasts them out every other port it has.
The machine whose MAC address is in the packets will then
pick them up (along with any machine with its NIC in promiscuous
mode).  This is why you can sniff packets on a network with a
hub in it.  You can't sniff a switched network b/c it sends
packets only out the port they are destined for.  Hubs
and (normal) switches do not understand anything above layer 2.
TCP and UDP ports, along with IP addresses and NAT, happen on
layer 3.


>But this doesn't (nmap -p 80 from remote machine
>shows port 80 closed, and I cannot browse via lynx):
>
> [ Internet ]
>       |
>       |
>  Dynamic IP
>[ ADSL Router: IP masq. port 80 -> 192.168.0.2:80 ]
>  192.168.0.1
>       |
>       |
>  192.168.0.2
>[ Corega Hub: IP masq. port 80 -> 192.168.1.11:80 ]
>  192.168.1.1
>       |
>       |
>  192.168.1.11
>[ Apache Server ]

OK, you're trying to double-NAT.  I suggest not doing that
until you have a more basic setup working.  Even then, 
as B0ti mentioned, it's probably overkill.  Set up this
Corega device to function as a simple switch and try
this again.

Once that is working, then go back and try to set up 
the double-NAT again if you really want to do that.
One thing to watch out for is that you say in your diagram
above:

>[ Corega Hub: IP masq. port 80 -> 192.168.1.11:80 ]

but this is probably not enough.  What you probably need to
do is port forwarding like this:

192.168.0.2:80 -> 192.168.1.11:80

Now, if you are paranoid enough to use double-NAT and you want
to add yet another step of paranoia, have your web server listen
on an alternate port above 1024 and do this:

192.168.0.2:80 -> 192.168.1.1:8080
(that port picked just as an example).

>I have IP filtering turned off on the hub. The Corega
>configuration app (web-based) calls its IP masquerading
>functionality "Virtual Server Setting";

A web interface and IP masquerading?  This definitely is
not a hub.  It sounds like a layer three switch, or maybe
even a router, but I didn't know Corega even made such things.
It's definitely not a hub, anyway.  Got a model number and
URL for this thing's docs?

"Virtual Server Setting" would be a pretty stupid name for NAT,
but maybe somebody in marketing thought it sounded cool :-p

HTH,

J
-- 
GPG key: DF12B4EF (5399 C834 3ABB C3AF 610C  5345 D5D6 E6EA DF12 B4EF)
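
Added example, not part of the original message: a small Python tracer for the double-NAT diagram discussed in the thread, which follows one inbound connection through each hop's port forward and reports the hop at which it stops. The public address 203.0.113.10, the helper names make_hops and trace, and the assumption that the server sits at 192.168.1.11 in every case are constructed for illustration.

```python
import ipaddress

PUBLIC_IP = "203.0.113.10"  # constructed stand-in for the "Dynamic IP" in the diagram

def make_hops(inner_forwards):
    """Model the two NAT hops from the diagram; inner_forwards is the second device's rule table."""
    return [
        {"name": "ADSL router", "wan": PUBLIC_IP, "lan": "192.168.0.0/24",
         "forwards": {80: ("192.168.0.2", 80)}},
        {"name": "Corega device", "wan": "192.168.0.2", "lan": "192.168.1.0/24",
         "forwards": inner_forwards},
    ]

def trace(hops, listeners, dst_ip, dst_port):
    """Follow one inbound TCP connection through each hop's port forwards.

    Returns (reached, path, reason); path lists the rewrites that were applied.
    """
    path = []
    for hop in hops:
        if dst_ip != hop["wan"]:
            break  # addressed to a host on the previous segment, not to this NAT device
        rule = hop["forwards"].get(dst_port)
        if rule is None:
            return False, path, f"{hop['name']} has no forward for port {dst_port}"
        new_ip, new_port = rule
        if ipaddress.ip_address(new_ip) not in ipaddress.ip_network(hop["lan"]):
            return False, path, f"{hop['name']} forwards to {new_ip}, outside {hop['lan']}"
        path.append(f"{hop['name']}: {dst_ip}:{dst_port} -> {new_ip}:{new_port}")
        dst_ip, dst_port = new_ip, new_port
    if (dst_ip, dst_port) in listeners:
        return True, path, f"reached listener on {dst_ip}:{dst_port}"
    return False, path, f"nothing listens on {dst_ip}:{dst_port}"

if __name__ == "__main__":
    apache = {("192.168.1.11", 80)}  # constructed: server listening on port 80
    cases = {
        "both hops forward": make_hops({80: ("192.168.1.11", 80)}),
        "inner hop has no rule": make_hops({}),
        "inner hop forwards to 8080, server still on 80": make_hops({80: ("192.168.1.11", 8080)}),
    }
    for label, hops in cases.items():
        reached, path, reason = trace(hops, apache, PUBLIC_IP, 80)
        print(f"{label}: {'OPEN' if reached else 'CLOSED'} ({reason})")
        for step in path:
            print("   ", step)
```

A remote port scan only shows the final OPEN or CLOSED result; the path output shows which device's rule table to inspect.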
