no access on internal network

greets!

I've got the SuSE 8.2 firewall set up on the machine - call it A - which
faces the internet, one or occasionally two other machines go through it
masqueraded to the internet.

everything is fine except that I cannot access A by its external ip
address. for instance, "http://xxx.xxx.xxx/~davisf/" just times out. I can
access by the internal ip address.

I cannot figure out which setting in the firewall controls this (or does
the problem lie elsewhere?).

Felmon

On Wed, 28 Apr 2004 02:27:38 -0400
"felmon" <(E-Mail Removed)> wrote:

> greets!
>
> I've got the SuSE 8.2 firewall set up on the machine - call it A - which
> faces the internet, one or occasionally two other machines go through it
> masqueraded to the internet.
>
> everything is fine except that I cannot access A by its external ip
> address. for instance, "http://xxx.xxx.xxx/~davisf/" just times out. I can
> access by the internal ip address.
>
> I cannot figure out which setting in the firewall controls this (or does
> the problem lie elsewhere?).
>
> Felmon
>

Check out that a: the webserver listens on both interfaces
b: the port 80 is not blocked by the firewall

I do not know the syntax of the SuSE-firewall, but you can check this with iptables -L

Greets
Chris

On Wed, 28 Apr 2004 02:27:38 -0400, felmon <(E-Mail Removed)> wrote:
> greets!
>
> I've got the SuSE 8.2 firewall set up on the machine - call it A - which
> faces the internet, one or occasionally two other machines go through it
> masqueraded to the internet.
>
> everything is fine except that I cannot access A by its external ip
> address. for instance, "http://xxx.xxx.xxx/~davisf/" just times out. I can
> access by the internal ip address.
>
> I cannot figure out which setting in the firewall controls this (or does
> the problem lie elsewhere?).

What is allowed to firewall from outside is controlled in
/etc/sysconfig/SuSEfirewall2 by FW_SERVICES_EXT_* variables. For example
FW_SERVICES_EXT_TCP="www" (or "80") would allow http web access from
internet hosts.

However, if you are trying to access your public name of your public IP
from masqueraded LAN behind it, that is best done with /etc/host entry on
client or local DNS pointing the name to server's LAN IP. There may be a
way to do it with iptables settings, but that might open you to IP
spoofing (private source IP arriving on external interface, which by
default is blocked).

--
David Efflandt - All spam ignored http://www.de-srv.com/

On Wed, 28 Apr 2004 18:10:40 +0000, David Efflandt wrote:

>> I cannot figure out which setting in the firewall controls this (or does
>> the problem lie elsewhere?).
>
> What is allowed to firewall from outside is controlled in
> /etc/sysconfig/SuSEfirewall2 by FW_SERVICES_EXT_* variables. For example
> FW_SERVICES_EXT_TCP="www" (or "80") would allow http web access from
> internet hosts.
>
> However, if you are trying to access your public name of your public IP
> from masqueraded LAN behind it, that is best done with /etc/host entry on
> client or local DNS pointing the name to server's LAN IP. There may be a
> way to do it with iptables settings, but that might open you to IP
> spoofing (private source IP arriving on external interface, which by
> default is blocked).

ok, thanks for the tips (and sorry for the delayed reply -- that was a mad
1/2 week!).

yeah, I can access the network from outside, what I want is to access the
network from inside but using the external ip address. I guess I will
modify /etc/hosts....

I added an entry to both machines' /etc/host files but so far, no success.
maybe I need to restart the network? if so, can't do it right this minute.

would love to get this working. I guess I don't want to set up dns.

Felmon

On Wed, 28 Apr 2004 13:07:59 +0200, Christoph Scheurer wrote:

>> Felmon
>>
>>
> Check out that a: the webserver listens on both interfaces
> b: the port 80 is not blocked by the firewall
>
> I do not know the syntax of the SuSE-firewall, but you can check this
> with iptables -L

yeah, the webserver is fine if I access it from outside the internal
network, do it all the time. php, mysql and all that jazz spilling out
fine too. I just can't access the internal network from any machine (other
than the server) from within the network.

sorry for the delay in replying - crazy week!

Felmon