Solved

sending mail from behind a firewall

Posted on 2003-03-07
58
Medium Priority
402 Views
Last Modified: 2008-02-01
I'm trying to use a php form to send email messages, but there is a firewall stopping it.
The firewall uses iptables, and squid proxy.  How do I set up the firewall to allow the email message through?  And if the firewall isn't stopping the messages then what is?  Do I need to have some kind of DNS server set up?

Question by:zeus11
58 Comments
 
LVL 9

Expert Comment

by:majorwoo
ID: 8092018
Well, a little more information.

You have stated you think the firewall is blocking it; why do you say that?

What error message do you get?

Most firewalls allow anything out so I doubt that is the problem, however as root run:

/sbin/iptables -L

on the firewall, and you will get a listing of the rules (paste them here if you can't decipher them yourself).

A DNS server is not needed, however access to one is -> you can use your ISP's or whatever.  Can you send mail from any other machines behind the firewall?
 
LVL 6

Expert Comment

by:bummerlord
ID: 8099456
If your FW rules are good (letting traffic out towards TCP port 25), it could be the receiving mail transfer agent rejects the mail due to a bad sender address (usually composed from the local username and machine+domain name as specified in the network settings). Usually because your "protected" machine name does not resolve in the public DNS name space (and it shouldn't).
If that is the case, I think I've seen a similar question here on EE earlier...
The solution is/was either to specify the sender address as the 5:th (or was it 4:th) argument to the PHP mail() function, or simply call sendmail with the -f switch using the system() function. (The latter may mean a bit of a rewrite to your PHP script.)
Another option may be to use a relay server that does masquerading, or set up the local MTA to masquerade as yourdomain.tld.

If FW rules really are the problem you could add rules to allow outbound traffic towards port 25/TCP.

From your internal machine try "telnet mail.somedomain.tld 25" and you should see the remote MTA's greeting message.
(type QUIT+<ENTER> to return to the prompt)
If you do, there is nothing that blocks your outbound SMTP traffic.
If you need to add FW rules, the exact command switches may vary slightly depending on what rules and policy already exist.

/bummer
 

Author Comment

by:zeus11
ID: 8103014
I do not have a rule allowing outbound traffic on port 25 on the firewall, so do you think this is the problem?  And how do I set up the DNS server?  I'll be using one from our ISP, and I have the IP address of it.
 
LVL 9

Expert Comment

by:majorwoo
ID: 8103085
If you are using your ISP's server all you do is enter it in /etc/resolv.conf

nameserver 192.168.2.1

(its IP there instead)

Most firewalls do not check outbound traffic, but you can check with

/sbin/iptables -L
or
/sbin/ipchains -L

(only one will work; ipchains is older than iptables)
 

 
LVL 20

Expert Comment

by:Gns
ID: 8104034
What sendmail needs is to be able to _resolve_ names. You do not need to set up a DNS server for that, only configure the resolver library with DNS servers it can reach (we're back to the firewalling bit there).
You've had several excellent suggestions from the experts so far, let's regurgitate them:-):

1) Configure your local mailer (MTA), so that it can send messages. Usually this is as simple as setting up /etc/resolv.conf to contain a few "nameserver ...." entries (as per majorwoo's suggestion). Test it with tools like "nslookup", "dig" or "host". Also test mailing with a really simple mailer like "mail foo@bar.com<Enter>".

Also note the comment by bummerlord... It is the 5:th argument, and it can be used as:
mail("nobody@aol.com", "the subject", $message,
     "From: webmaster@$SERVER_NAME", "-fwebmaster@$SERVER_NAME");

2) Test with telnet that you can actually go through the firewall on the SMTP port:
telnet anypublicmailserver.anywhere.net 25
You should be greeted by a "Banner string" informing you that you have reached an SMTP server...
EHLO<Enter>
should produce some output
QUIT<Enter>
is self-explanatory:-). As per bummerlord's suggestion.

Now, what is needed to move this further is relevant test results from you zeus11. And perhaps a bit more (or rather clearer) description of your network topology.

-- Glenn
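The "telnet mailhost 25, wait for the 220 banner, EHLO, QUIT" test that bummerlord and Gns describe above, automated so that the failure mode is reported rather than eyeballed: a timeout or "network unreachable" points at routing or firewalling, "connection refused" at the far host, and a banner that is not 220 (or an EHLO that is not 250) at the MTA itself. This is an added example and not code from the thread; it ships with a tiny loopback MTA stand-in so it can be exercised offline, and the hostnames in the usage section are assumptions.

```python
"""SMTP reachability probe: connect, expect a 220 banner, EHLO, QUIT, and say
which layer failed when it fails.  Added example, not from the original thread."""
import errno
import socket
import threading


def parse_smtp_reply(line):
    """Split one reply line into (code, is_last_line, text).
    '220 mx ready' -> (220, True, 'mx ready'); '250-SIZE 10' -> (250, False, 'SIZE 10')."""
    if len(line) < 3 or not line[:3].isdigit():
        raise ValueError("not an SMTP reply line: %r" % line)
    return int(line[:3]), line[3:4] != "-", line[4:].rstrip("\r\n")


def read_reply(f):
    """Read one complete (possibly multi-line) reply from a socket file object."""
    texts = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("peer closed the connection mid-reply")
        code, last, text = parse_smtp_reply(raw.decode("ascii", "replace"))
        texts.append(text)
        if last:
            return code, texts


def classify_oserror(exc):
    """Map a socket error to the layer that failed: 'timeout'/'unreachable'
    point at routing or a firewall, 'refused' at the far host's port."""
    if isinstance(exc, socket.timeout):
        return "timeout"
    by_errno = {errno.ECONNREFUSED: "refused", errno.ENETUNREACH: "unreachable",
                errno.EHOSTUNREACH: "unreachable", errno.ETIMEDOUT: "timeout"}
    if exc.errno in by_errno:
        return by_errno[exc.errno]
    return "closed" if isinstance(exc, ConnectionError) else "error"


def smtp_probe(host, port=25, timeout=5.0, helo_name="probe.example.invalid"):
    """Return {'status', 'banner', 'ehlo', ...}; status 'ok' means port open, MTA answering."""
    result = {"host": host, "port": port, "status": "error", "banner": None, "ehlo": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            f = sock.makefile("rb")
            code, texts = read_reply(f)
            result["banner"] = texts[0]
            if code != 220:
                result["status"] = "bad-banner-%d" % code
                return result
            sock.sendall(("EHLO %s\r\n" % helo_name).encode("ascii"))
            code, texts = read_reply(f)
            result["ehlo"] = (code, texts)
            sock.sendall(b"QUIT\r\n")
            try:
                read_reply(f)               # 221 expected; tolerate an abrupt close
            except (ConnectionError, ValueError):
                pass
            result["status"] = "ok" if code == 250 else "ehlo-rejected-%d" % code
    except OSError as exc:
        result["status"] = classify_oserror(exc)
        result["error"] = str(exc)
    return result


def start_fake_mta(banner="220 mx.example.test ESMTP ready"):
    """Loopback MTA stand-in (constructed, speaks just enough SMTP for the probe).
    Returns the port it listens on; serves exactly one connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            f = conn.makefile("rb")
            conn.sendall((banner + "\r\n").encode("ascii"))
            for raw in f:
                verb = raw.split()[:1]
                if verb == [b"EHLO"]:
                    conn.sendall(b"250-mx.example.test\r\n250 8BITMIME\r\n")
                elif verb == [b"QUIT"]:
                    conn.sendall(b"221 bye\r\n")
                    break
                else:
                    conn.sendall(b"502 command not implemented\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Offline demonstration against the stand-in; for a real check replace with
    # e.g. smtp_probe("mail.somedomain.tld") (hostname is an assumption).
    print(smtp_probe("127.0.0.1", start_fake_mta()))
```

Run it from the machine behind the firewall: 'unreachable' or 'timeout' before any banner is the firewall or routing case discussed in the thread, while a banner followed by a non-250 EHLO reply (or a later rejection at MAIL FROM) is the bad-sender-address case, which firewall rules will not fix.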
 

Author Comment

by:zeus11
ID: 8104397
I edited the resolv.conf file, then tried the nslookup method and it gave me an error message about being unable to reach the network.  I also tried mail which did not work.  And I could not telnet through the firewall because it said unable to reach network also.  But I can view the web pages on the machine from other PCs so I know the IP and that it is accessible from internally.

Now what do I do? Is something wrong with the /etc/resolv.conf file?
It looks like this
nameserver 1.1.1.1
nameserver 2.2.2.2
nameserver 3.3.3.3
because our ISP gave us three IPs for DNS
 
LVL 20

Expert Comment

by:Gns
ID: 8104694
That is just fine.

That you can reach (and can be reached) on the local network is unsurprising, since you will always be able to reach addresses on the same network...

If you check your routing table, I'd bet you don't have a default router set up, so the linux box cannot determine where to send packets on "remote" networks. Or the default route is just plain wrong;-).

/sbin/route -n<Enter>
should reveal if there is a correct route for 0.0.0.0
It is easy to add
route add default gw <gateways IP address>

The default route should be set up to point to the same IP address as all the other clients on the same LAN.

-- Glenn
 

Author Comment

by:zeus11
ID: 8104803
When I type route -n I get:

Destination     Gateway       Genmask   ...
<my ip>         0.0.0.0       255.255.255.192  ...
127.0.0.0       0.0.0.0       255.0.0.0  ...
0.0.0.0         <gatewayip>   0.0.0.0 ...

so it looks like it is set up correctly.
When I tried the
route add default gw <gatewayip>
I get SIOCADDRT: File exists

Now what?
 
LVL 6

Expert Comment

by:bummerlord
ID: 8105403
Do your ISP really use those addresses for the DNS servers??

Anyway, are you able to reach anything on the internet (surfing the web for instance)?

Did you set up this firewall yourself, or is that one of those "firewall distributions"?
Perhaps it's configured as a proxy-only firewall!?
In the proxy-only case the firewall probably has IP forwarding disabled (thus won't do any routing from your network). In this case the only iptables rules you will see are to block/log inbound packets and to do redirects on your internal interface to do transparent proxying.

Try these commands on the firewall to enable forwarding and masquerade your outbound packets towards 25/tcp;

firewall# iptables -I FORWARD -i <internalNIC> -o <externalNIC> -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
firewall# iptables -I FORWARD -i <externalNIC> -o <internalNIC> -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
firewall# iptables -I OUTPUT -o <externalNIC> -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
firewall# iptables -t nat -I POSTROUTING -o <externalNIC> -p tcp --dport 25 -j MASQUERADE
firewall# echo 1 > /proc/sys/net/ipv4/ip_forward

Depending on the current configuration, some of the above may be unnecessary and possibly even make the firewall less secure, so don't blame me if anything burns up!
It is also possible that you need even more rules (in the mangle table for one) if the policy for all tables has been set to REJECT or DENY.

Replace <internalNIC> with your internal interface name (eth1 perhaps).
Replace <externalNIC> with your external interface name (eth0 perhaps).


Then try this on your inside machine;

inside# telnet 65.54.253.230 25
Escape character is '^]'.
220 mc8-f24.law1.hotmail.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.5600 ready at  Mon, 10 Mar 2003 11:32:00 -0800
QUIT
inside#

Also regarding DNS, you probably need firewall rules to allow DNS queries towards your ISP DNS as well.
DNS uses port 53 UDP as well as TCP (depending on the size of the query/answer).

If you have done the above, and telnet to port 25 works as in the example above, then add rules to allow outbound DNS queries;

firewall# iptables -I FORWARD -i <internalNIC> -o <externalNIC> -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
firewall# iptables -I FORWARD -i <internalNIC> -o <externalNIC> -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
firewall# iptables -I FORWARD -i <externalNIC> -o <internalNIC> -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
firewall# iptables -I FORWARD -i <externalNIC> -o <internalNIC> -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
firewall# iptables -I OUTPUT -o <externalNIC> -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
firewall# iptables -I OUTPUT -o <externalNIC> -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
firewall# iptables -t nat -I POSTROUTING -o <externalNIC> -p udp --dport 53 -j MASQUERADE
firewall# iptables -t nat -I POSTROUTING -o <externalNIC> -p tcp --dport 53 -j MASQUERADE


On the other hand, if you are running a concept firewall distribution, you could probably get some hints from its documentation?? Perhaps there is a DNS and SMTP proxy for you to enable with a click?! ;-)

/b
 
LVL 6

Expert Comment

by:bummerlord
ID: 8105414
(sorry for the duplicate -t nat rules for SMTP :-))
 

Author Comment

by:zeus11
ID: 8105801
I still can't get anything and I've removed the Linux box from the internal LAN now, and I've got a direct connection to the internet through a hub.
examples:
the gateway ip is 1.1.1.225
the subnet ip is 255.255.255.224
the dns server ip is 2.2.0.8
the linux box ip is 1.1.1.236

When I type route -n I get:
Destination     Gateway       Genmask   ...
1.1.1.224       0.0.0.0       255.255.255.224  ...
127.0.0.0       0.0.0.0       255.0.0.0  ...
0.0.0.0         1.1.1.225     0.0.0.0 ...

Does this look correct?
I've tried the telnet thing and I get nothing.
I've tried surfing the web with mozilla and I get unable to resolve host.

Oh what to do next?
 

Author Comment

by:zeus11
ID: 8106609
I can access the web pages on the machine from any other PC, but I cannot access anything from it.  I've checked the firewall's DNS settings and stuff, which is also on the same switch, and I've tried to mimic those settings on mine, but it still doesn't act right.
I've got the same DNS server configured
I've got the same gateway configured
I've got the same subnet mask configured
and it still doesn't want to work right.  From the firewall I can do nslookup, telnet, ping, mail, all of the things you guys have said.  Does anyone have any clue what's wrong?
 
LVL 6

Expert Comment

by:bummerlord
ID: 8107151
Where do you get the IP address from?
To me it doesn't look like that address space (1.1.1.0) is registered to be routed on the Internet (yet?)
--
% ARIN Internet Routing Registry Whois Interface

% No entries found in ANS, ARCSTAR, ARIN, BCONNEX,
% BELL, CANET, CW, FGC, KOREN, LEVEL3, POC, RADB, RIPE and VERIO database.

---
Anyway, your ISP may be using the 1.1.1.0 network in their local network. (I see no reason why, but they might think it's cool!?)

I'm not sure I have a clear view of your network setup..
Can you describe it in a bit more detail?
Sort of just like what is connected to what?
What IP address, subnet mask and default gateway each machine uses.

For instance:
- ISP connection connected to firewall external interface.
External firewall interface configured via DHCP (1.1.1.235/255.255.255.224 gw 1.1.1.225)
Internal firewall interface statically configured (192.168.0.1/255.255.255.0)
- Firewall internal interface connected to layer 2 switch
- Intel PC (linux) connected to layer 2 switch
(192.168.0.2/255.255.255.0 gw 192.168.0.1)
- Intel PC (QNX) connected to layer 2 switch
(192.168.0.3/255.255.255.0 gw 192.168.0.1)
- Sparc Ultra 1 (Solaris) connected to layer 2 switch.
(192.168.0.4/255.255.255.0 gw 192.168.0.1)

... and so on.

The fact that your other local machines can connect to your "problem" machine, but not the other way around sounds like a subnet mask problem.


/b
 
LVL 5

Expert Comment

by:arvind
ID: 8110026
Do a simple thing...

From any Windows client, configure the browser to use your Squid proxy and try to browse some site. Let me know the result...

Did you enable IP masquerading on your firewall machine, if you do not want to use the proxy?
 

Author Comment

by:zeus11
ID: 8111250
Bell is my ISP.  Those are not the real IP addresses though, but I am using the DNS IPs they gave us, the gateway IP, and the subnet IP they gave us as well.  Again the other Linux box (the firewall which I am not using anymore) is connected to the same hub, so I am using the same subnet mask as it, the same gateway IP as it, and the same DNS servers as it.  I am supposed to be using the same ones, aren't I????

subnet 255.255.255.224
gateway 66.*.*.224
myip 66.*.*.236
dns 205.152.0.8
     205.152.16.8
     205.152.32.8

I can browse the internet through the proxy though, because that is how I am getting to this site from this machine.  

In my resolv.conf file do I need an entry that says
 "search foobar.com" on the first line or is that unnecessary?
 
LVL 20

Expert Comment

by:Gns
ID: 8118066
The search line just tells the resolver in which domain to search for unqualified names. It's so that you could do
ping machine_next_to_me
instead of
ping machine_next_to_me.my_local.domain
if you have
search my_local.domain
IOW, it's sometimes nice, but not really needed.

Your seeming "local machine" problem seems more and more to be solely FW-related, now doesn't it.

I'm not too sure I get your topology exactly, so could you please repeat it in as verbose detail as you feel comfortable with?

-- Glenn
 
LVL 6

Expert Comment

by:bummerlord
ID: 8118238
Unless you made a typo above, the default gateway IP is your problem.
Try gateway 66.b.c.225

With a 27-bit netmask "usable" IP addresses range from 225 to 254 (224 is the subnet, and 255 is the broadcast address)

/b
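The subnet arithmetic behind bummerlord's diagnosis above, and behind his earlier remark that one-way reachability on a shared hub smells like a mask mismatch, worked through in code: network and broadcast addresses and the usable host range for a /27, a check that flags a gateway set to the network address (the .224 versus .225 slip in the thread), and a two-direction reachability test where each side judges the other by its own mask. This is an added example rather than anything posted in the thread, and the 203.0.113.0/24 documentation range stands in for the masked-out real addresses.

```python
"""Subnet sanity checks for a host with a static IP, mask and gateway.
Added example, not from the original thread; 203.0.113.x addresses are
constructed stand-ins for the thread's masked 66.a.b.x values."""
import ipaddress


def subnet_report(address, mask):
    """Network, broadcast and usable host range for address/mask.
    `mask` may be a dotted netmask ('255.255.255.224') or a prefix length ('27')."""
    net = ipaddress.ip_interface("%s/%s" % (address, mask)).network
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefixlen": net.prefixlen,
        "first_host": str(hosts[0]) if hosts else None,
        "last_host": str(hosts[-1]) if hosts else None,
        "usable": len(hosts),
    }


def check_gateway(address, mask, gateway):
    """Describe what is wrong with the configured default gateway, or None if it is usable.
    A gateway equal to the network address is the classic off-by-one typo."""
    net = ipaddress.ip_interface("%s/%s" % (address, mask)).network
    gw = ipaddress.ip_address(gateway)
    if gw == net.network_address:
        hosts = list(net.hosts())
        return "gateway %s is the network address; first usable host is %s" % (gw, hosts[0])
    if gw == net.broadcast_address:
        return "gateway %s is the broadcast address" % gw
    if gw not in net:
        return "gateway %s is outside %s; the host cannot ARP for it" % (gw, net)
    return None


def reachability(a_addr, a_mask, b_addr, b_mask):
    """Direct (router-less) reachability between two hosts on one hub/switch,
    each direction judged by the *sender's* mask.  {'a_to_b': True, 'b_to_a': False}
    is the signature of a subnet-mask mismatch: A ARPs for B directly, but B
    hands packets for A to its default gateway."""
    a = ipaddress.ip_interface("%s/%s" % (a_addr, a_mask))
    b = ipaddress.ip_interface("%s/%s" % (b_addr, b_mask))
    return {"a_to_b": b.ip in a.network, "b_to_a": a.ip in b.network}


if __name__ == "__main__":
    # The thread's scenario with stand-in addresses: host .236/27, gateway typed as .224.
    print(subnet_report("203.0.113.236", "255.255.255.224"))
    print(check_gateway("203.0.113.236", "255.255.255.224", "203.0.113.224"))
    print(check_gateway("203.0.113.236", "255.255.255.224", "203.0.113.225"))
    # A /24 host next to a /27 host on the same hub: only one direction works.
    print(reachability("203.0.113.236", "255.255.255.0", "203.0.113.10", "255.255.255.224"))
```

The reachability check is the one to run first when "they can reach me but I cannot reach them": it needs nothing but the two configurations, and a mixed result tells you which side's mask to fix before touching any firewall rule.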
 
LVL 20

Expert Comment

by:Gns
ID: 8118881
I assume zeus11 made a typo, since s/he gave it as 1.1.1.225 in the "edited" example previously.

If zeus11 trusts the firewall, it shouldn't be a _huge_ risk in divulging the address space behind the FW. Especially if no NAT or similar is in effect. Perhaps best to be cautious though:-)

-- Glenn
 

Author Comment

by:zeus11
ID: 8119520
I would give the exact addresses, except that my boss knows my user name and is also a member.  He also told me not to post that info, and there is NAT in the iptables script.

Also, the problem isn't the firewall anymore, because the machine is not going through it anymore.  It is directly connected to the net now.  The problem seems, as someone stated earlier, that it could be a subnet mask problem.  Should two machines on the same hub have the same subnet mask?  Or should they be different?

But I did make a typo on the gateway; it is 225 instead of 224.  If you guys want to email me, it is dsteed@miskellys.com.  And I will still assign the points to you if you help me solve the problem, but I can't post too much detail over the net.  
 
LVL 6

Expert Comment

by:bummerlord
ID: 8119957
ok :-)

So we have a single machine (no firewall, NAT, etc.) that cannot communicate on the Internet, but can communicate with its next neighbour (on the same subnet, even the same HUB).
IP configuration is assumed to be correct.

Before I give up...
A few more questions for zeus11;

Is iptables configured on this machine as well?
(if so flush the rules; iptables -F ; iptables -t nat -F ; iptables -P INPUT ACCEPT ; iptables -P OUTPUT ACCEPT )

Can you ping the default gateway?

Is there an arp entry for your default gateway?
# netstat -pn
or
# arp -an

Can you paste the output from "ifconfig -a" and "netstat -rn" here (the above 'route -n' didn't show the interface names)?
(...with or without the real IP addresses)

/b
 
LVL 6

Expert Comment

by:bummerlord
ID: 8120028
Machines on the same hub/switch do not have to be on the same subnet. Though to be able to talk (IP) to each other there has to be a router forwarding the packets (the router has to know about both subnets of course).

/b
 
LVL 20

Expert Comment

by:Gns
ID: 8120034
What type of GW is that? Some access router owned by the ISP?

If you have connected your machine between the router/gateway and your company firewall (which does NAT for you), I assume you've assigned your box a public IP address suitable for the "mini-LAN" between the router/gw and the fw... right?

-- Glenn
 
LVL 20

Expert Comment

by:Gns
ID: 8120089
If you like, mail as detailed info as possible (linux box, firewall IFs, router ... IP addresses/netmasks, routing tables etc) to glennsteen<at>netscape.net

If you do, post a comment here... I don't monitor that mailbox too frequently:-).

-- Glenn
 

Author Comment

by:zeus11
ID: 8120385
I can ping the default gateway.
I get this from arp -an
? (66.a.b.225) at 00:05:32:81:5F:60 [ether] on eth0
netstat -pn gives a lot of stuff but here it is
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 66.a.b.236:22         66.a.b.227:47746      ESTABLISHED 1069/sshd
udp        0      0 66.a.b.236:32890      205.152.0.8:53          ESTABLISHED 877/h2AEsjR01343: f
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  9      [ ]         DGRAM                    903    548/syslogd         /dev/log
unix  3      [ ]         STREAM     CONNECTED     1593   1061/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     1592   1068/xsri
unix  3      [ ]         STREAM     CONNECTED     1590   1061/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     1589   1067/gdmlogin
unix  3      [ ]         STREAM     CONNECTED     1584   1061/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     1583   1067/gdmlogin
unix  3      [ ]         STREAM     CONNECTED     1568   994/xfs             /tmp/.font-unix/fs7100
unix  3      [ ]         STREAM     CONNECTED     1567   1061/X
unix  3      [ ]         STREAM     CONNECTED     1570   1061/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     1560   1060/gdm
unix  2      [ ]         DGRAM                    1530   1042/perl
unix  2      [ ]         DGRAM                    1456   994/xfs
unix  2      [ ]         DGRAM                    1393   934/crond
unix  2      [ ]         DGRAM                    1317   873/sendmail: accep
unix  2      [ ]         DGRAM                    1192   784/xinetd
unix  2      [ ]         DGRAM                    969    601/rpc.statd
unix  2      [ ]         DGRAM                    914    553/klogd
 

Author Comment

by:zeus11
ID: 8120419
Also there are no iptables rules listed when I do
iptables -L
The IP address of the machine is one assigned by the ISP
gateway 66.a.b.225
subnet 66.a.b.224
fw ip 66.a.b.227
my ip 66.a.b.236

I read somewhere that once a DNS server fails, the machine will go to the next and never use that one again.  I do I get back to using the first one instead of the third one?  Just delete the 2nd and 3rd entry?
 

 

Author Comment

by:zeus11
ID: 8120533
How do I get back, not I do I get? Sorry about the typo.
 

 
LVL 20

Expert Comment

by:Gns
ID: 8120652
No, a "failed attempt" will just time out and the query moves to the next server.
Upon a subsequent query you will start by trying the first DNS server again, if that fails ...

The "reshuffling" of DNS servers is known to play havoc on windoze systems (2k/xp), not Linux. Also note that on windoze it is the order in which they are used that can be affected.

On the "working" client machines, what DNS source do they use? A local DNS? It might be we're barking up the wrong tree here:-). There could feasibly be filters for DNS in the GW.

-- Glenn
 
LVL 6

Expert Comment

by:bummerlord
ID: 8120671
Ok you've received arp replies from your default gateway.. that's good :-)
Your machine also thinks there is a connection towards 205.152.0.8:53... could be good. There is usually no 'state' used with UDP, but since you have an iptables-enabled kernel this may indicate that the kernel has seen UDP packets for this session in both directions. I've never seen ESTABLISHED for a UDP "connection" before though.

Do you still get "network unreachable" when trying to connect outside your subnet?

Can you ping the default gateway IP?

By "assigned by the isp", do you mean by using DHCP?

What is the output from
/usr/sbin/traceroute -n 216.239.53.101
(it's the IP for www.google.com)

/b
 

Author Comment

by:zeus11
ID: 8120746

Do you still get "network unreachable" when trying to connect outside your subnet?
#nslookup
Note:  nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead.  Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
www.google.com
;; connection timed out; no servers could be reached
>
Can you ping the default gateway IP?
#ping 66.a.b.225
PING 66.a.b.225 (66.a.b.225) from 66.a.b.236 : 56(84) bytes of data.
64 bytes from 66.a.b.225: icmp_seq=1 ttl=255 time=2.18 ms
64 bytes from 66.a.b.225: icmp_seq=2 ttl=255 time=1.97 ms
64 bytes from 66.a.b.225: icmp_seq=3 ttl=255 time=2.12 ms
64 bytes from 66.a.b.225: icmp_seq=4 ttl=255 time=2.27 ms

--- 66.a.b.225 ping statistics ---
4 packets transmitted, 4 received, 0% loss, time 3030ms
rtt min/avg/max/mdev = 1.976/2.141/2.274/0.118 ms

The IP isn't DHCP.

What is the output from
/usr/sbin/traceroute -n 216.239.53.101?

# /usr/sbin/traceroute -n 216.239.53.101
traceroute to 216.239.53.101 (216.239.53.101), 30 hops max, 38 byte packets
 1  66.a.b.225  4.260 ms  3.426 ms  3.510 ms
 2  66.a.b.225  3.318 ms !X *  1.251 ms !X

 
LVL 20

Expert Comment

by:Gns
ID: 8121056
The traceroute shows that you have some sort of connectivity (connectivity problem:-).
This is from the traceroute manpage: !X (communication administratively prohibited)

So the gateway is stopping icmp Echo (traceroute and ping) for you. This is not uncommon.

Redo the nslookup, but start with an explicit
server <DNS server IP><Enter>

to explicitly use that server address. If it fails, I think we can bank on the gateway just letting a very limited subset of addresses through for DNS lookups, and your IP not being one of them.

Something is fishy about the whole setup... The _working_ clients' setup would be crucial (to compare).

-- Glenn
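The reading Gns gives the traceroute above (the !X annotation is an ICMP "communication administratively prohibited", and hop 2 answering from hop 1's address means the first-hop gateway itself refuses to forward) can be made mechanical. The following parser for `traceroute -n` output pulls out each probe's address, RTT and ICMP annotation and then reports either the first explicit rejection or, failing that, the last hop that answered before the path went silent. It is an added example, not code from the thread; the sample output is constructed from zeus11's, with 203.0.113.225 standing in for the masked gateway address.

```python
"""Parse traceroute(8) output and locate where traffic is being rejected or
silently dropped.  Added example, not from the original thread."""
import re

# Annotations traceroute prints after a probe when an ICMP error came back.
ANNOTATIONS = {
    "!H": "host unreachable",
    "!N": "network unreachable",
    "!P": "protocol unreachable",
    "!S": "source route failed",
    "!F": "fragmentation needed",
    "!X": "communication administratively prohibited",
}

# Constructed sample, modelled on the thread's output with a stand-in gateway address.
SAMPLE_OUTPUT = """\
traceroute to 216.239.53.101 (216.239.53.101), 30 hops max, 38 byte packets
 1  203.0.113.225  4.260 ms  3.426 ms  3.510 ms
 2  203.0.113.225  3.318 ms !X *  1.251 ms !X
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S.*)$")


def parse_traceroute(text):
    """Return [{'hop': n, 'probes': [{'addr', 'rtt_ms', 'note'}, ...]}, ...]."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                          # header or blank line
        probes, addr = [], None
        tokens = m.group(2).split()
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok == "*":                    # probe timed out: no reply at all
                probes.append({"addr": None, "rtt_ms": None, "note": None})
            elif tok.startswith("!"):         # ICMP annotation belongs to the previous probe
                if probes:
                    probes[-1]["note"] = tok
            elif i + 1 < len(tokens) and tokens[i + 1] == "ms":
                probes.append({"addr": addr, "rtt_ms": float(tok), "note": None})
                i += 1                        # skip the 'ms' unit
            elif tok.startswith("(") and tok.endswith(")"):
                addr = tok[1:-1]              # 'name (ip)' form without -n: keep the ip
            else:
                addr = tok                    # responding address for the probes that follow
            i += 1
        hops.append({"hop": int(m.group(1)), "probes": probes})
    return hops


def diagnose(hops):
    """First explicit ICMP rejection; else the last answering hop before silence; else None."""
    first_addr = next((p["addr"] for h in hops for p in h["probes"] if p["addr"]), None)
    for h in hops:
        for p in h["probes"]:
            if p["note"]:
                return {"hop": h["hop"], "addr": p["addr"], "note": p["note"],
                        "meaning": ANNOTATIONS.get(p["note"], "ICMP error " + p["note"]),
                        "from_first_hop": p["addr"] == first_addr}
    answered = [h for h in hops if any(p["addr"] for p in h["probes"])]
    if answered and answered[-1]["hop"] < hops[-1]["hop"]:
        last = answered[-1]
        return {"hop": last["hop"],
                "addr": next(p["addr"] for p in last["probes"] if p["addr"]),
                "note": None,
                "meaning": "no replies beyond this hop (silent filtering or path loss)",
                "from_first_hop": False}
    return None


if __name__ == "__main__":
    print(diagnose(parse_traceroute(SAMPLE_OUTPUT)))
```

Feed it the real `traceroute -n` output: `from_first_hop` being true with a `!X` is exactly the thread's situation (the gateway you can ping is the one dropping you), whereas a rejection from a later address, or silence after several good hops, points further upstream.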
 

Author Comment

by:zeus11
ID: 8121105

# nslookup -sil
> server 205.152.0.8
Default server: 205.152.0.8
Address: 205.152.0.8#53
>google.com
;; connection timed out; no servers could be reached



 
LVL 20

Expert Comment

by:Gns
ID: 8121205
Which shows that you are not getting through, sort of.
Can you "telnet 205.152.0.8 53"?

-- Glenn
 
LVL 20

Expert Comment

by:Gns
ID: 8121228
...or can you
lynx http://216.239.53.101 
or similar?

-- Glenn
 

Author Comment

by:zeus11
ID: 8121293
Which shows that you are not getting through, sort of.
Can you "telnet 205.152.0.8 53"?

#telnet 205.152.0.8 53
Trying 205.152.0.8...
telnet: connect to address 205.152.0.8: No route to host

My boss has his laptop connected to the same hub and his is working, but he is using Win2000.
 

Author Comment

by:zeus11
ID: 8121300
lynx isn't installed is there another similar one?
 
LVL 20

Expert Comment

by:Gns
ID: 8121337
links, mozilla, netscape ...
But we can expect it to behave similarly to telnet on port 53.

Run
ipconfig /all
on the w2k. The OS isn't that important here... this is purely an IP problem:-).

-- Glenn
 
LVL 6

Expert Comment

by:bummerlord
ID: 8121670
Well actually the traceroute command shipped with most linux distributions uses UDP packets. To use ICMP ECHO you need to use the -I switch to traceroute.
At least the router returns ICMP packets to say your traffic is prohibited...

Btw, it is possible that the gateway (maybe an old cisco with firewall IOS) blocks packets with the ECN flag set (explicit congestion notification) since it doesn't know what it is.. (Windows does not until possibly in XP!?)
To check if you have ECN enabled type;
cat /proc/sys/net/ipv4/tcp_ecn
If enabled you will get "1" displayed on your terminal, else "0".

(I'll let Gns guide you with the long troubleshooting, and poke in the more odd scenarios like the above when they spring to mind ;-))

/b
 

Author Comment

by:zeus11
ID: 8121951
#cat /proc/sys/net/ipv4/tcp_ecn

got "no route to host" from links.
 

Author Comment

by:zeus11
ID: 8122249
Ok, new info.  I got a friend to try to ssh to my machine from his.  It can't find that IP.  So the reason why I can get the web page and ssh to it is because I go through the FW which is on the same hub.  What does it sound like now?
 

Author Comment

by:zeus11
ID: 8122798
cat /proc/sys/net/ipv4/tcp_ecn
0
 
LVL 20

Expert Comment

by:Gns
ID: 8123686
Was it jdfox "carping" about showing his age last time around... Well, now I'm showing mine:-), in the olden days traceroute relied on ICMP packets and TTL. Of course you're right, bummerlord.

Do you buy your addresses by subnet or explicit addresses?
How do you generally assign them? DHCP or manual?

And I really need the "secret info" from the w2k to make heads or tails of this.

I'm guessing, but perhaps you are buying "so and so many" addresses, and ... well ... yours is simply not one of them.
Could you convince your boss to temporarily let you use the IP address of his laptop for a short while (you have to disconnect the laptop from the network, to prevent a duplicate IP problem)?
If this theory holds, you should be fine mimicking his machine's setup.

-- Glenn
PS. Don't sit this one out bummerlord. If nothing else we'll complement one another's ideas. Join the fun:-). DS
 
LVL 20

Expert Comment

by:Gns
ID: 8123824
I had a really similar problem resolved today.

Quoting "there was a violation in the switch from my isp side. They had that cleared today and it is all dandy."

See where I'm leaning now:-).

(Warning: If you try to follow my leanings and listing (in the shipboard term of the phrase), there is a distinct possibility of seasickness;-).

-- Glenn
 
LVL 6

Expert Comment

by:bummerlord
ID: 8126094
Glenn,

Ok, but I really have nothing to add now ;-)
I was thinking "limited addresses/devices per port" previously, but then I thought "why the **** would they assign a 27-bit subnet if not allowing 30 hosts to be used!?"

Zeus11, how do you know you (your friend) pass through the firewall on the same hub? Is he/she on the same subnet, or is he/she on a LAN/subnet behind the firewall?

What type of connection do you have towards your ISP?
How many hosts are active on your network?
(your boss's PC, the Linux firewall, and what else?)

At home I have a DSL connection. In my end I have a DSL modem that doesn't do any routing (a bridge), and at the ISP end there is a DHCP server assigning addresses to me. I only get 1 address, and if I set up other addresses in the same subnet manually, they are not allowed to get past the ISP gateway (the only thing I can reach is the gateway - that is also the DHCP server).
My ISP also requires me to login using a webpage before I can get through to the Internet.
I just mention this as an example of how some ISPs restrict usage (the idea being to control limited resources such as IPv4 addresses, and to "protect" normal people from exposing print servers etc. that sometimes try DHCP by default, on the Internet (if they connect their LAN without a NATing firewall etc etc))

I think the limitation is at your ISP's; possibly you need to allocate the address using DHCP before the gateway will allow your traffic...
Did you get some other info from your ISP besides the address range and DNS servers to use?
It would be unnecessary to tell you the address range if you were required to use DHCP, but it may be worth trying it..

as root;
# dhcpcd eth0
When the prompt returns check that you got an address
# ifconfig eth0

If no address for eth0 that's not it :-)
If you already know the ISP doesn't provide DHCP services for the subnet there is no need to try at all.
You could look at the w2k machine and see if it's already using DHCP by looking in the network properties (won't show with "ipconfig /all" I think)

/b
 
LVL 20

Expert Comment

by:Gns
ID: 8127025
> ... I thought "why the **** would they assign a 27-bit subnet if not allowing 30 hosts to be used!?"
We all make mistakes... even I... and most certainly all the ISPs of the world:-).

> At home I have a DSL connection...
This sounds suspiciously like the Telia abomination... You in Sweden bummerlord?
Anyway, I told you we'd complement ideas;-). You're complementing me by being more explicit.
This is also why I've been asking about the *working* clients, and how they generally acquire their addresses.
Even if DHCP doesn't come into play, I'm thinking this is purely at the "other end" (ie. at the ISP's end;).

ipconfig /all will tell the lease time, so it does show whether DHCP is used or not;-).

-- Glenn
 
LVL 20

Expert Comment

by:Gns
ID: 8127055
Just to show that I do make mistakes (however a rather slight one), ipconfig also tells which IP address is the DHCP server... might be seen as a better indicator on the use of DHCP than the lease time:-).

I realise there is a grammatical error (yeah, right ... one:-), but I'm too tired to weed it out (as you might suspect I'm not native to English:-). You're smart people, you'll figure out what I'm trying to say;-).

-- Glenn
 
LVL 6

Expert Comment

by:bummerlord
ID: 8127796
You said abomination not I .-) Anyway Telia operates in all the Nordic countries and perhaps all of Europe don't they? I won't expose my ISP's name now that I've just proclaimed it to be one of the most user-unfriendly ISPs on earth ;-)

Thanks for the ipconfig hint... I'll remember it the next time I'm in front of a Windows-polluted environment.
(Cheers to all native Unix people!)

zeus11, are you still with us?
 

Author Comment

by:zeus11
ID: 8128018
Changed IP to the laptop IP and it is working now, so I think my boss will be giving BellSouth a call this morning about the other 26 IPs not working.  Also, how do I grant points, and can I split them between you guys or can I just pick one?
 
LVL 20

Accepted Solution

by:
Gns earned 1200 total points
ID: 8128235
Yes, Telia operates on many markets... But it is the old Swedish telephony works (Televerket), and is the most widespread (like a virus:-) here. Simply because they own the access networks... they dominate the DSL market. The abomination part is because they use private addresses for the DHCP, GW and DNS services (10.0.0.?). On a "public" network. Sigh.

I can help your boss invent invectives to use in that conversation zeus11, just so that he gets past the support "first line of defense";-). I've found that kindness is OK in many situations, but well-expressed miffed-ness is equally effective:-):-).

Splitting points is usually done by setting the points to what you feel is appropriate, accepting one answer, then posting questions of the form "Points for XXX", where XXX is the callsign of the recipient, in the same TA. If you do so, please post a comment to that effect here so that we "see" it easily.
But you are fully in charge of your question. If you feel like just accepting one comment as answer, you're entitled to do so.

-- Glenn
0
 
LVL 6

Expert Comment

by:bummerlord
ID: 8128528
Hope you get access to all the IPs...
Sometimes ISPs want a description of the network describing why you need that many IP addresses. That's usually when registering though.

If you don't, however, you do have Linux to the rescue! Just put your LAN behind the firewall and use NAT (or MASQUERADING, the "Linux" term for all-to-one NAT).
Set up private IP addresses (e.g. 192.168.x.y) on the LAN. Set up a DHCP server, caching name server, transparent proxy server (squid + iptables), VPN (IPsec) gateway, traffic control (QoS) to manage the bandwidth etc etc and more...
Linux manages it all! ;-)


About splitting points:
I think you can lower the points on this Q (say 150), accept one comment as answer, then post another question worth 150 points entitled "points for xxxxx", and once a comment is posted you can accept it as the answer.

Gns has been around here longer than I, he probably knows the exact drill ;-)

/b

0
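An added example, not code from the thread, of the "LAN behind the firewall" layout bummerlord describes: MASQUERADE for the private LAN, the squid + iptables transparent proxy, and outbound SMTP limited to the box that runs the PHP form (the original question). Interface names eth0/eth1, the 192.168.1.0/24 prefix, the web host 192.168.1.10 and squid's port 3128 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): iptables ruleset for a Linux NAT gateway
# with a transparent squid. Interface names, LAN prefix, web host address and
# squid port below are assumed values, not taken from the page.
WAN=eth0                 # interface carrying the ISP-assigned public address
LAN=eth1                 # interface facing the private LAN
LAN_NET=192.168.1.0/24
WEB_HOST=192.168.1.10    # the box running the PHP form; only it may talk SMTP
SQUID_PORT=3128          # squid's default http_port (must be in transparent/intercept mode)

# Print the ruleset rather than applying it, so it can be reviewed (or fed to
# "sh" as root on the gateway) first. Each line is one complete command.
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -s $WEB_HOST -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -p tcp --dport 25 -j DROP
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
iptables -t nat -A PREROUTING -i $LAN -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
EOF
}

# Sanity check helper: how many generated rules match a destination port.
# For SMTP that should be exactly two (the web host's ACCEPT and the catch-all DROP).
rules_for_port() {
    nat_rules | grep -c -- "--dport $1"
}

case "${1:-show}" in
    apply) nat_rules | sh ;;   # only meaningful as root on the gateway itself
    *)     nat_rules ;;
esac
```

The catch-all SMTP DROP keeps any other LAN host (a compromised workstation, for instance) from relaying mail directly, while the web host still reaches the ISP's mail server on TCP/25.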
 

Author Comment

by:zeus11
ID: 8128588
It would not let me lower the points.
0
 

Author Comment

by:zeus11
ID: 8128594
There's a question "points for bummerlord"; go find it and I'll give you points as well.
0
 
LVL 20

Expert Comment

by:Gns
ID: 8128624
It didn't? The only time I've actually tested the "question side" of EE it did.
If you feel that you would like to have points refunded, you can contact Community Support (Just pose a 0 point question there) and they should be able to clear things up.

-- Glenn
0
 
LVL 6

Expert Comment

by:bummerlord
ID: 8128773
Gns, I see... so if you'd like to use, or are already using, 10.x.x.x in your own network you're not welcome!? ;-)

They probably feel "safe" using private addresses (or it's cheap to be able to print the same instructions to every user regardless of location?!)
.. what if any Telia DSL customer with Linux firewalls were to enter
iptables -t nat -I PREROUTING -i eth0 -j DNAT --to-destination 10.0.0.x
(he/she probably already has "iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE")

Then post "My host is unbreakable!" to a few mailinglists :-)

That would be dumb though, since the user is most likely dependent on these services...

0
 
LVL 20

Expert Comment

by:Gns
ID: 8128922
Right you are bummer. As I said, an abomination. Stupid, "safe" and cheap... yeah, that fits the bill;-).

Yes, but if the "user" was in fact employed by one of the other ISPs...:-):-).

'Nuff Telia-bashing. They've got lawyers too:-).
And God forbid that someone actually did something like that, and the trustworthy "IT-aware" police would start searching the net... finding this;-)...

But this does shine a light on the problem with private addresses. Since there is no registrar or arbitrator, things can get ugly fast when trying to interconnect several private networks.
Thank God for NAT.

-- Glenn
0
