Old 06-25-2010, 12:25 PM
Chuck Kuecker
 
Default Need network advice

Hello,

I am running Ubuntu 9.10 for my DNS, web page, and email server, as well
as to develop embedded Linux code for a customer. I have a development
kit that needs to access the Internet to serve an internal web page. My
Internet connection is T6 wireless broadband, and I have a static IP.

I installed a second Ethernet card in the Ubuntu box for the embedded
device to connect to. It is running on the 10.0.0.x network. My main
local network between the broadband modem and other computers, including
the Ubuntu box, is 192.168.0.x.

The problems: First, I am running Firestarter as an interface to the
firewall, and have it set to allow traffic to my email and web servers
from the Internet. My DNS setup is working fine for this. When I have
the firewall enabled, the 10.0.0. network cannot reach the Ubuntu
machine for TFTP, HTTP, or email. If I disable the firewall, I can talk
to the development system via TFTP, and see the internal web page if I
enter the local IP in Firefox. The IP of the Ubuntu port is 10.0.0.1,
the development system is on 10.0.0.2. I can TFTP from the dev system to
the main box at 192.168.0.200 with the firewall off, but this fails with
the firewall on. I don't see any rules in Firestarter that should cause
this. A fix would be nice in that I would not have to kill the firewall
every time I want to access the development system, but if it's too much
trouble, I can live with this.

Ultimately, I want the local DNS server to steer HTTP traffic for the
development system to its internal IP, while HTTP traffic to my regular
web site goes to the main web server on the Ubuntu box at 192.168.0.200,
so my customer could access and interact with the development system.
Obviously, I cannot give him the internal IP address to put in his
browser. I think I need to make changes to the BIND configuration files,
and have studied the O'Reilly DNS and BIND book, but I just get more
confused.

I can post my DNS zone files if that helps.

Another thought occurred to me - could I simply put the development
system on the 192.168.0 network, and have my DNS steer traffic directly
to that IP? Do I really need two Ethernet ports in the main computer?
Maybe I am making this more complicated than I need to. I only installed
the second port because the examples in the O'Reilly book seemed to make
that look like the only way I could get it to work. The firewall issue
did not exist when everything was on the 192.168.0 network.

Any help would be greatly appreciated. I'm not a network person!

Chuck Kuecker


--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 
Old 06-25-2010, 01:01 PM
Patrick Doyle
 
Default Need network advice

On Fri, Jun 25, 2010 at 8:25 AM, Chuck Kuecker <ckuecker@ckent.org> wrote:
> Hello,
>
> I am running Ubuntu 9.10 for my DNS, web page, and email server, as well
> as to develop embedded Linux code for a customer. I have a development
> kit that needs to access the Internet to serve an internal web page. My
> Internet connection is T6 wireless broadband, and I have a static IP.
>
> I installed a second Ethernet card in the Ubuntu box for the embedded
> device to connect to. It is running on the 10.0.0.x network. My main
> local network between the broadband modem and other computers, including
> the Ubuntu box, is 192.168.0.x.
>
> The problems: First, I am running Firestarter as an interface to the
> firewall, and have it set to allow traffic to my email and web servers
> from the Internet. My DNS setup is working fine for this. When I have
> the firewall enabled, the 10.0.0. network cannot reach the Ubuntu
> machine for TFTP, HTTP, or email. If I disable the firewall, I can talk
> to the development system via TFTP, and see the internal web page if I
> enter the local IP in Firefox. The IP of the Ubuntu port is 10.0.0.1,
> the development system is on 10.0.0.2. I can TFTP from the dev system to
> the main box at 192.168.0.200 with the firewall off, but this fails with
> the firewall on. I don't see any rules in Firestarter that should cause
> this. A fix would be nice in that I would not have to kill the firewall
> every time I want to access the development system, but if it's too much
> trouble, I can live with this.
>
> Ultimately, I want the local DNS server to steer HTTP traffic for the
> development system to its internal IP, while HTTP traffic to my regular
> web site goes to the main web server on the Ubuntu box at 192.168.0.200,
> so my customer could access and interact with the development system.
> Obviously, I cannot give him the internal IP address to put in his
> browser. I think I need to make changes to the BIND configuration files,
> and have studied the O'Reilly DNS and BIND book, but I just get more
> confused.
>
> I can post my DNS zone files if that helps.
>
> Another thought occurred to me - could I simply put the development
> system on the 192.168.0 network, and have my DNS steer traffic directly
> to that IP? Do I really need two Ethernet ports in the main computer?
> Maybe I am making this more complicated than I need to. I only installed
> the second port because the examples in the O'Reilly book seemed to make
> that look like the only way I could get it to work. The firewall issue
> did not exist when everything was on the 192.168.0 network.
>
> Any help would be greatly appreciated. I'm not a network person!
>
> Chuck Kuecker
Hi Chuck,
I'm not sure I followed your whole explanation, but I suspect that the
answer to your question about making this more complicated than you
need is probably "yes". It would be helpful if you drew a diagram, or
described what machines are hooked up to what networks how.

As I understand it, you have an Internet connection ("Wide Area
Network" or "WAN") to a local router/firewall. Your "Local Area
Network" (or "LAN") is managed by that router, serving up addresses on
your 192.168.0.x internal network.

It seems like you have configured your router to route connections to
ports 80 (http) and 25 (email) to a Linux server on your LAN.

I'm confused about your need/desire to run your own DNS server, so I
suspect that one of us is missing something (probably me).

If you want your client to be able to access your development system
using HTTP, you could open up another port in your router, say 8080
and point that at your development system (port 80), having placed
your development system on your 192.168.0.x LAN.

--wpd

 
Old 06-25-2010, 01:55 PM
Chan Chung Hang Christopher
 
Default Need network advice

Chuck Kuecker wrote:
> Hello,
>
> I am running Ubuntu 9.10 for my DNS, web page, and email server, as well
> as to develop embedded Linux code for a customer. I have a development
> kit that needs to access the Internet to serve an internal web page. My
> Internet connection is T6 wireless broadband, and I have a static IP.
>
> I installed a second Ethernet card in the Ubuntu box for the embedded
> device to connect to. It is running on the 10.0.0.x network. My main
> local network between the broadband modem and other computers, including
> the Ubuntu box, is 192.168.0.x.

192.168.0.x is not a 'static ip' aka assigned real ip address. I assume
you have a router that does the appropriate natting for you...


>
> The problems: First, I am running Firestarter as an interface to the
> firewall, and have it set to allow traffic to my email and web servers
> from the Internet. My DNS setup is working fine for this. When I have
> the firewall enabled, the 10.0.0. network cannot reach the Ubuntu
> machine for TFTP, HTTP, or email. If I disable the firewall, I can talk
> to the development system via TFTP, and see the internal web page if I
> enter the local IP in Firefox. The IP of the Ubuntu port is 10.0.0.1,
> the development system is on 10.0.0.2. I can TFTP from the dev system to
> the main box at 192.168.0.200 with the firewall off, but this fails with
> the firewall on. I don't see any rules in Firestarter that should cause
> this. A fix would be nice in that I would not have to kill the firewall
> every time I want to access the development system, but if it's too much
> trouble, I can live with this.

I suspect that firestarter will set the incoming policy to drop/reject.

please pastebin the output of 'iptables -L -n' at pastebin.ubuntu.com

I suppose that you already have ip forwarding enabled given your comment
about tftp working from 10.0.0.2 to 192.168.0.200.

>
> Ultimately, I want the local DNS server to steer HTTP traffic for the
> development system to its internal IP, while HTTP traffic to my regular
> web site goes to the main web server on the Ubuntu box at 192.168.0.200,
> so my customer could access and interact with the development system.

Ugh...it would be so much easier with djbdns' tinydns...


> Obviously, I cannot give him the internal IP address to put in his
> browser. I think I need to make changes to the BIND configuration files,
> and have studied the O'Reilly DNS and BIND book, but I just get more
> confused.

heh. You need to use views. Fun, fun, fun.


>
> I can post my DNS zone files if that helps.

Well, we could fix it up for you...unless you insist on doing the grind
yourself of course. Don't want to take away the fun from you.


>
> Another thought occurred to me - could I simply put the development
> system on the 192.168.0 network, and have my DNS steer traffic directly

???


> to that IP? Do I really need two Ethernet ports in the main computer?

No...you could run two different subnets on the same physical network
but dhcp will not be possible in that environment. One interface can
take more than one ip and of different subnets too.


> Maybe I am making this more complicated than I need to. I only installed
> the second port because the examples in the O'Reilly book seemed to make
> that look like the only way I could get it to work. The firewall issue
> did not exist when everything was on the 192.168.0 network.
>
> Any help would be greatly appreciated. I'm not a network person!
>

What do you want to achieve?

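A diagnostic for the firewall symptom Christopher describes, added here as an example and not from anyone in the thread: it reads the text of 'iptables -L -n', reports when the INPUT policy is DROP/REJECT and nothing explicitly accepts the development subnet, and prints (does not apply) the narrowest rules that would open only TFTP, HTTP and SMTP from that subnet on the second NIC. The interface name eth1, the 10.0.0.0/24 subnet and the rule listing are assumptions/constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread. Reads 'iptables -L -n' text and tells
# whether the INPUT chain would silently drop the dev network's packets,
# which is the symptom of a Firestarter "drop incoming" policy.
DEV_NET="10.0.0.0/24"   # assumed: subnet on the second NIC
DEV_IF="eth1"           # assumed: name of that NIC

# Constructed listing: policy DROP, holes only for the WAN-facing services.
SAMPLE_RULES='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.200       tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.200       tcp dpt:25
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  10.0.0.0/24          0.0.0.0/0           state NEW,RELATED,ESTABLISHED
'

# input_policy LISTING: prints the INPUT chain policy (ACCEPT, DROP, ...)
input_policy() {
    printf '%s\n' "$1" | sed -n 's/^Chain INPUT (policy \([A-Z]*\)).*/\1/p'
}

# accepts_from LISTING SUBNET: succeeds if the INPUT chain (and only that
# chain) has an ACCEPT rule whose source column is exactly SUBNET
accepts_from() {
    printf '%s\n' "$1" | awk -v net="$2" '
        /^Chain / { chain = $2 }
        chain == "INPUT" && $1 == "ACCEPT" && $4 == net { found = 1 }
        END { exit found ? 0 : 1 }'
}

# dev_net_blocked LISTING SUBNET: succeeds when the policy is DROP/REJECT
# and nothing explicitly accepts SUBNET, i.e. TFTP/HTTP/SMTP from the
# device never reach the daemons even though the FORWARD chain lets it out.
dev_net_blocked() {
    case "$(input_policy "$1")" in
        DROP|REJECT) accepts_from "$1" "$2" && return 1; return 0 ;;
        *) return 1 ;;
    esac
}

# Narrowest fix: the three needed ports, from that subnet, on that NIC only.
# Printed rather than applied; run as root, then mirror them in Firestarter's
# policy so they are not lost when it rewrites the chains.
suggested_rules() {
    cat <<EOF
iptables -I INPUT -i $DEV_IF -s $DEV_NET -p udp --dport 69 -j ACCEPT
iptables -I INPUT -i $DEV_IF -s $DEV_NET -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -i $DEV_IF -s $DEV_NET -p tcp --dport 25 -j ACCEPT
EOF
}

if dev_net_blocked "$SAMPLE_RULES" "$DEV_NET"; then
    echo "INPUT policy is $(input_policy "$SAMPLE_RULES") with no ACCEPT for $DEV_NET; suggested:"
    suggested_rules
fi
```

Feed it the real listing by replacing SAMPLE_RULES with `$(iptables -L -n)` run as root.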
 
Old 06-25-2010, 02:33 PM
Chuck Kuecker
 
Default Need network advice

Chan Chung Hang Christopher wrote:
> Chuck Kuecker wrote:
>
> 192.168.0.x is not a 'static ip' aka assigned real ip address. I assume
> you have a router that does the appropriate natting for you...
>
>
I've got a static IP assigned by my ISP. 192.168.0 is the local network.
> I suspect that firestarter will set the incoming policy to drop/reject.
>
> please pastebin the output of 'iptables -L -n' at pastebin.ubuntu.com
>
> I suppose that you already have ip forwarding enabled given your comment
> about tftp working from 10.0.0.2 to 192.168.0.200.
>
iptables output pasted...
>
>> Ultimately, I want the local DNS server to steer HTTP traffic for the
>> development system to its internal IP, while HTTP traffic to my regular
>> web site goes to the main web server on the Ubuntu box at 192.168.0.200,
>> so my customer could access and interact with the development system.
>>
>
> Ugh...it would be so much easier with djbdns' tinydns...
Interesting. I did not realize bind was a security mess. I will look at
switching over. Got to be cautious - if I screw up my DNS, I might lose
my email, and that would not be good.
>> Obviously, I cannot give him the internal IP address to put in his
>> browser. I think I need to make changes to the BIND configuration files,
>> and have studied the O'Reilly DNS and BIND book, but I just get more
>> confused.
>>
>
> heh. You need to use views. Fun, fun, fun.
>
??? Googling 'Ubuntu views' turns up a slew of stuff. Do you have a link?

Everything is now on the 192.168.0. network. The device can reach my
mail server. I'm getting '403 Forbidden' when I try the web server in
the device now - but I can fix that. At least I am getting a response now.
> What do you want to achieve?
The ultimate goal is for my customer to be able to access the web server
in the device from the Internet. He's going to do the web page
development while I work on the controlling code in the thing.
C coding is my skill - web page development is definitely NOT.

Chuck Kuecker


 
Old 06-25-2010, 02:47 PM
Chan Chung Hang Christopher
 
Default Need network advice

Chuck Kuecker wrote:
> Chan Chung Hang Christopher wrote:
>> Chuck Kuecker wrote:
>>
>> 192.168.0.x is not a 'static ip' aka assigned real ip address. I assume
>> you have a router that does the appropriate natting for you...
>>
>>
> I've got a static IP assigned by my ISP. 192.168.0 is the local network.
>> I suspect that firestarter will set the incoming policy to drop/reject.
>>
>> please pastebin the output of 'iptables -L -n' at pastebin.ubuntu.com
>>
>> I suppose that you already have ip forwarding enabled given your comment
>> about tftp working from 10.0.0.2 to 192.168.0.200.
>>
> iptables output pasted...

Link please.

>>
>>> Ultimately, I want the local DNS server to steer HTTP traffic for the
>>> development system to its internal IP, while HTTP traffic to my regular
>>> web site goes to the main web server on the Ubuntu box at 192.168.0.200,
>>> so my customer could access and interact with the development system.
>>>
>> Ugh...it would be so much easier with djbdns' tinydns...
> Interesting. I did not realize bind was a security mess. I will look at
> switching over. Got to be cautious - if I screw up my DNS, I might lose
> my email, and that would not be good.

:-D. Same when you do your views in BIND. Please accept my apologies for
the FUD mongering.


>>> Obviously, I cannot give him the internal IP address to put in his
>>> browser. I think I need to make changes to the BIND configuration files,
>>> and have studied the O'Reilly DNS and BIND book, but I just get more
>>> confused.
>>>
>> heh. You need to use views. Fun, fun, fun.
>>
> ??? Googling 'Ubuntu views' turns up a slew of stuff. Do you have a link?

You want 'BIND views'.


>
> Everything is now on the 192.168.0. network. The device can reach my
> mail server. I'm getting '403 Forbidden' when I try the web server in
> the device now - but I can fix that. At least I am getting a response now.

Oh, okay.

>> What do you want to achieve?
> The ultimate goal is for my customer to be able to access the web server
> in the device from the Internet. He's going to do the web page
> development while I work on the controlling code in the thing.
> C coding is my skill - web page development is definitely NOT.


Hahaha. I can do a bit of both...messes your mind up I tell you.

So what kind of access do you want your client to have to the device?
ssh? It can be just as simple as redirecting a specific port to the
device in the router as was suggested already by Patrick. Although that
would make things tricky if your client is to create/dynamically create
normal urls for testing...you'd probably need a rewriting proxy in front
of the device or something.

 
Old 06-25-2010, 03:00 PM
Chuck Kuecker
 
Default Need network advice

Chan Chung Hang Christopher wrote:
>> iptables output pasted...
>>
>
> Link please.
>

Sorry - never used pastebin before. It's at pastebin.ubuntu.com/454999

>
>>>
>>>
>>>> Ultimately, I want the local DNS server to steer HTTP traffic for the
>>>> development system to its internal IP, while HTTP traffic to my regular
>>>> web site goes to the main web server on the Ubuntu box at 192.168.0.200,
>>>> so my customer could access and interact with the development system.
>>>>
>>>>
>>> Ugh...it would be so much easier with djbdns' tinydns...
>>>
>> Interesting. I did not realize bind was a security mess. I will look at
>> switching over. Got to be cautious - if I screw up my DNS, I might lose
>> my email, and that would not be good.
>>
>
> :-D. Same when you do your views in BIND. Please accept my apologies for
> the FUD mongering.
>
>
>
>>
>> ??? Googling 'Ubuntu views' turns up a slew of stuff. Do you have a link?
>>
>
> You want 'BIND views'.
>
OK.
>> The ultimate goal is for my customer to be able to access the web server
>> in the device from the Internet. He's going to do the web page
>> development while I work on the controlling code in the thing.
>> C coding is my skill - web page development is definitely NOT.
>>
>
>
> Hahaha. I can do a bit of both...messes your mind up I tell you.
>
> So what kind of access do you want your client to have to the device?
> ssh? It can be just as simple as redirecting a specific port to the
> device in the router as was suggested already by Patrick. Although that
> would make things tricky if your client is to create/dynamically create
> normal urls for testing...you'd probably need a rewriting proxy in front
> of the device or something.
>
>

Basically, he is going to write the web interface for a remotely
controlled device, so he needs to be able to access the device's Apache
server to see what he is doing. He won't need ssh - he will just email
me the HTTP and CGI files, and I will build them into the flash
filesystem on the device. He's just going to be testing the interface.

If I redirect port 8080 to the device's port 80, anyone accessing the
device has to specify port 8080 in their web browser, correct?

Chuck





 
Old 06-25-2010, 03:10 PM
Chan Chung Hang Christopher
 
Default Need network advice

> Basically, he is going to write the web interface for a remotely
> controlled device, so he needs to be able to access the device's Apache
> server to see what he is doing. He won't need ssh - he will just email
> me the HTTP and CGI files, and I will build them into the flash
> filesystem on the device. He's just going to be testing the interface.
>
> If I redirect port 8080 to the device's port 80, anyone accessing the
> device has to specify port 8080 in their web browser, correct?


That is correct...and any urls generated by the device pointing to
itself will need to have that port in the urls too.


 
Old 06-25-2010, 03:21 PM
Patrick Doyle
 
Default Need network advice

On Fri, Jun 25, 2010 at 11:00 AM, Chuck Kuecker <ckuecker@ckent.org> wrote:
> If I redirect port 8080 to the device's port 80, anyone accessing the
> device has to specify port 8080 in their web browser, correct?

Correct. I meant to mention that in my earlier post. Your customer
should be able to browse to chuck.com:8080/this/that and it will show
up on the device at port 80 (assuming you set up your router).

If that causes angst for you or your customer, I can think of only 2
other options for you (although I'm sure there are more than 2
options).

1) Change your personal web site to port 8080 and route port 80 to
your customer's device.

2) Obtain another static IP address from your ISP. I'm not sure
if/how well your ISP/router will be able to deal with this.

Hmmm.... I just came up with a 3rd possibility, which is outside my
realm of expertise. Perhaps you could just obtain a new domain name
for your customer's device and configure apache to
redirect/pipe/tunnel/proxy to the device. I don't know anything about
apache configuration, so I'm way out of my league here.

--wpd

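Patrick's third option, which is also the "rewriting proxy in front of the device" Christopher mentioned, as an added example that is not from anyone in the thread: a name-based virtual host on the Ubuntu box's Apache that reverse-proxies a separate hostname to the device, so the customer's URLs carry no port, the device's self-referencing redirects come back through the proxy, and the device itself is never exposed to the Internet. The hostname dev.example.invalid, the device address 192.168.0.50 and the customer's address range are assumed placeholders; the access-control syntax is Apache 2.2's, the series Ubuntu 9.10 shipped.

```apache
# /etc/apache2/sites-available/device-proxy  (added example, not from the thread)
# Needs: a2enmod proxy proxy_http, then a2ensite device-proxy. The main
# site keeps its own *:80 VirtualHost; Apache chooses by the Host header,
# so the new name only needs an A record pointing at the same static IP.
<VirtualHost *:80>
    # Assumed hostname for the customer's device.
    ServerName dev.example.invalid

    # Reverse proxy only; an open forward proxy would be abused within hours.
    ProxyRequests Off

    # Pass the public hostname through so links the device builds about
    # itself use dev.example.invalid rather than its LAN address.
    ProxyPreserveHost On

    # Device on the LAN (assumed 192.168.0.50). ProxyPassReverse rewrites
    # Location headers in redirects; absolute links inside HTML are not
    # rewritten, which is why preserving the Host header above matters.
    ProxyPass        / http://192.168.0.50/
    ProxyPassReverse / http://192.168.0.50/

    # Only the people testing the interface get through to the device.
    <Proxy *>
        Order deny,allow
        Deny from all
        # Placeholder for the customer's office range.
        Allow from 203.0.113.0/24
    </Proxy>

    ErrorLog  ${APACHE_LOG_DIR}/device-proxy-error.log
    CustomLog ${APACHE_LOG_DIR}/device-proxy-access.log combined
</VirtualHost>
```

The router keeps forwarding only port 80 to 192.168.0.200; nothing about the device's address or port appears in any URL the customer sees.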
 
Old 06-25-2010, 03:57 PM
Chuck Kuecker
 
Default Need network advice

Chan Chung Hang Christopher wrote:
>> Basically, he is going to write the web interface for a remotely
>> controlled device, so he needs to be able to access the device's Apache
>> server to see what he is doing. He won't need ssh - he will just email
>> me the HTTP and CGI files, and I will build them into the flash
>> filesystem on the device. He's just going to be testing the interface.
>>
>> If I redirect port 8080 to the device's port 80, anyone accessing the
>> device has to specify port 8080 in their web browser, correct?
>>
>
>
> That is correct...and any urls generated by the device pointing to
> itself will need to have that port in the urls too.
>
>
>
Thanks. I believe I can run with this from here.

I'm currently trying to get tinydns going, and while I'm at it, I'm
going to set up a second Ubuntu machine for backup DNS, website, and
email. It's long past time for that.

Probably gonna need a bigger UPS here...

Chuck


 
