Bering-uClibc 2.2.1 IP Alias Configuration Question
|
View:
New views
4 Messages
—
Rating Filter:
Alert me
|
 |
Bering-uClibc 2.2.1 IP Alias Configuration Question
by Robert Harrison-4
::
Rate this Message:
I've run my firewall with this software for several years. Recently
changed ISP and in the confusion something went wrong that I can't figure out. The firewall is supposed to send web browser requests and ssh requests to a computer on the local net. The Apache server is configured using virtualhost to provide results based on one of several domain name all of which resolve to the same ip address 173.x.x.180. However, the virtualhost configuration is only read if a wild card is given for the ip address or the computer's local ip address (192.168.1.120)! Other sites which should be served based on their IP address alone are not seen at all. It seems to me that the HTTP request is being rewritten to contain the local destination (192.168.1.120) rather than the originating address (173.x.x.180). Configuration information is given below. I'd appreciate any advice on how to proceed. Results from "ip addr" 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo 2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff 3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:50:bf:1c:57:f2 brd ff:ff:ff:ff:ff:ff inet 173.x.x.180/29 brd 173.x.x.255 scope global eth0 inet 173.x.x.178/29 brd 173.x.x.255 scope global secondary eth0:0 inet 173.x.x.179/29 brd 173.x.x.255 scope global secondary eth0:1 inet 173.x.x.181/29 brd 173.x.x.255 scope global secondary eth0:2 inet 173.x.x.182/29 brd 173.x.x.255 scope global secondary eth0:3 4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:14:6c:76:1c:56 brd ff:ff:ff:ff:ff:ff inet 192.168.1.254/24 scope global eth1 Results from "ip route" 173.x.x.176/29 dev eth0 proto kernel scope link src 173.x.x.180 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254 default via 173.x.x.177 dev eth0 Selected Results from "shorewall show" Shorewall-2.09 Chain at issacA - Thu Nov 5 18:43:53 UTC 2009 Chain eth0_fwd (1 references) pkts bytes target prot opt in out source destination 879 501K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 19 1068 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW 19 1068 norfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW 878 501K tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 879 501K net2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0 Chain eth0_in (1 references) pkts bytes target prot opt in out source destination 369 68491 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 5 240 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW 5 240 norfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW 5 240 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 369 68491 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0 Chain eth1_fwd (1 references) pkts bytes target prot opt in out source destination 945 173K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 945 173K loc2net all -- * eth0 0.0.0.0/0 0.0.0.0/0 Chain eth1_in (1 references) pkts bytes target prot opt in out source destination 385 25807 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 385 25807 loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0 Chain net2all (2 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 5 240 Drop all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `Shorewall:net2all:DROP:' queue_threshold 1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain net2fw (1 references) pkts bytes target prot opt in out source destination 364 68251 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 5 240 net2all all -- * * 0.0.0.0/0 0.0.0.0/0 Chain net2loc (1 references) pkts bytes target prot opt in out source destination 860 500K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 1 48 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.120 multiport dports 80,443,22 ctorigdst 173.x.x.178 1 48 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.120 multiport dports 80,443,22 ctorigdst 173.x.x.179 9 544 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.120 multiport dports 80,443,22 ctorigdst 173.x.x.180 3 176 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.120 multiport dports 80,443,22 ctorigdst 173.x.x.181 1 48 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.120 multiport dports 80,443,22 ctorigdst 173.x.x.182 4 204 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.120 tcp dpt:25 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.120 tcp dpt:25 0 0 net2all all -- * * 0.0.0.0/0 0.0.0.0/0 Chain norfc1918 (2 references) pkts bytes target prot opt in out source destination 0 0 rfc1918 all -- * * 172.16.0.0/12 0.0.0.0/0 0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 172.16.0.0/12 0 0 rfc1918 all -- * * 192.168.0.0/16 0.0.0.0/0 0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 192.168.0.0/16 0 0 rfc1918 all -- * * 10.0.0.0/8 0.0.0.0/0 0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 10.0.0.0/8 Chain reject (11 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast 0 0 DROP all -- * * 173.x.x.255 0.0.0.0/0 0 0 DROP all -- * * 192.168.1.255 0.0.0.0/0 0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0 0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset 0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable 0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain rfc1918 (6 references) pkts bytes target prot opt in out source destination 0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `Shorewall:rfc1918:DROP:' queue_threshold 1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain smurfs (2 references) pkts bytes target prot opt in out source destination 0 0 ULOG all -- * * 173.x.x.255 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `Shorewall:smurfs:DROP:' queue_threshold 1 0 0 DROP all -- * * 173.x.x.255 0.0.0.0/0 0 0 ULOG all -- * * 192.168.1.255 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `Shorewall:smurfs:DROP:' queue_threshold 1 0 0 DROP all -- * * 192.168.1.255 0.0.0.0/0 0 0 ULOG all -- * * 255.255.255.255 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `Shorewall:smurfs:DROP:' queue_threshold 1 0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0 0 0 ULOG all -- * * 224.0.0.0/4 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `Shorewall:smurfs:DROP:' queue_threshold 1 0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0 Chain tcpflags (2 references) pkts bytes target prot opt in out source destination 0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29 0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06 0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03 0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:0 flags:0x16/0x02 Thanks, Bob "In theory there is no difference between theory and practice. In practice there is." Yogi Berra ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july ------------------------------------------------------------------------ leaf-user mailing list: leaf-user@... https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/ |
|
|
Re: Bering-uClibc 2.2.1 IP Alias Configuration Question
by Charles Steinkuehler
::
Rate this Message:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 Robert Harrison wrote: > I've run my firewall with this software for several years. Recently > changed ISP and in the confusion something went wrong that I can't > figure out. The firewall is supposed to send web browser requests and > ssh requests to a computer on the local net. The Apache server is > configured using virtualhost to provide results based on one of > several domain name all of which resolve to the same ip address > 173.x.x.180. However, the virtualhost configuration is only read if a > wild card is given for the ip address or the computer's local ip > address (192.168.1.120)! Other sites which should be served based on > their IP address alone are not seen at all. It seems to me that the > HTTP request is being rewritten to contain the local destination > (192.168.1.120) rather than the originating address (173.x.x.180). > Configuration information is given below. I'd appreciate any advice > on how to proceed. Based on your rules, it looks like you have assigned all of the IP addresses to your firewall, and are port-forwarding the desired traffic to the internal system(s). This should work, but you did not include any real details on your port-forwarding setup (/etc/shorewall/rules) or how your apache is configured. Note that when the traffic is port-forwarded from the various IP addresses on the firewall, the destination address *WILL* get re-written. If you want to use IP based virtual hosting, you will need to assign multiple IP addresses on the internal system, and port-forward each public IP on the firewall to an appropriate IP address on the internal system. Otherwise, apache will have no idea which IP address the original request was sent to. If you don't want to use IP addresses, you could do a similar thing with ports on the internal apache system, forwarding each external public IP to a unique port number on the internal system. - -- Charles Steinkuehler charles@... -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iD8DBQFK8y+oLywbqEHdNFwRAkPbAJ9kUA56uRlrJ8KfwVxTJi219I1iAwCeN04y KH+zxJbCyvxlkRDB/TQUpmk= =hxLP -----END PGP SIGNATURE----- ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july ------------------------------------------------------------------------ leaf-user mailing list: leaf-user@... https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/ |
|
|
|
|
|
Re: Bering-uClibc 2.2.1 IP Alias Configuration Question
by Erich Titl
::
Rate this Message:
Hi
Robert Harrison wrote: > I've run my firewall with this software for several years. Recently > changed ISP and in the confusion something went wrong that I can't > figure out. The firewall is supposed to send web browser requests and > ssh requests to a computer on the local net. The Apache server is > configured using virtualhost to provide results based on one of > several domain name all of which resolve to the same ip address > 173.x.x.180. However, the virtualhost configuration is only read if a > wild card is given for the ip address or the computer's local ip > address (192.168.1.120)! Other sites which should be served based on > their IP address alone are not seen at all. It seems to me that the > HTTP request is being rewritten to contain the local destination > (192.168.1.120) rather than the originating address (173.x.x.180). > Configuration information is given below. I'd appreciate any advice > on how to proceed. then you will have to assign the public addresses to the server on the internal network. See http://www.shorewall.net/ProxyARP.htm cheers Erich ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july ------------------------------------------------------------------------ leaf-user mailing list: leaf-user@... https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/ |
| Free embeddable forum powered by Nabble | Forum Help |
