sending mail from behind a firewall

I'm trying to use a php form to send email messages, but there is a firewall stopping it.
The firewall uses iptables, and squid proxy.  How do I set up the firewall to allow the email message through?  And if the firewall isn't stopping the messages then what is?  Do I need to have some kind of DNS server set up?

Asked by zeus11
 
majorwooCommented:
Well, a little more information.

You have stated you think the firewall is blocking it; why do you say that?

What error message do you get?

Most firewalls allow anything out, so I doubt that is the problem; however, as root run:

/sbin/iptables -L

on the firewall, and you will get a listing of the rules (paste them here if you can't decipher them yourself).

A DNS server is not needed, however access to one is -> you can use your ISP's or whatever.  Can you send mail from any other machines behind the firewall?
0
 
bummerlordCommented:
If your FW rules are good (letting traffic out towards TCP port 25), it could be that the receiving mail transfer agent rejects the mail due to a bad sender address (usually composed from the local username and machine+domain name as specified in the network settings). Usually because your "protected" machine name does not resolve in the public DNS name space (and it shouldn't).
If that is the case, I think I've seen a similar question here on EE earlier...
The solution is/was either to specify the sender address as the 5th (or was it 4th) argument to the PHP mail() function, or simply call sendmail with the -f switch using the system() function. (The latter may mean a bit of a rewrite of your PHP script.)
Another option may be to use a relay server that does masquerading, or set up the local MTA to masquerade as yourdomain.tld.

If FW rules really are the problem you could add rules to allow outbound traffic towards port 25/TCP.

From your internal machine try "telnet mail.somedomain.tld 25" and you should see the remote MTA's greeting message.
(type QUIT+<ENTER> to return to the prompt)
If you do, there is nothing that blocks your outbound SMTP traffic.
If you need to add FW rules, the exact command switches may vary slightly depending on what rules and policy already exist.

/bummer
0
 
zeus11Author Commented:
I do not have a rule allowing outbound traffic on port 25 on the firewall, so do you think this is the problem?  And how do I set up the DNS server?  I'll be using one from our ISP, and I have the IP address of it.
0
 
majorwooCommented:
If you are using your ISP's server, all you do is enter it in /etc/resolv.conf

nameserver 192.168.2.1

(its IP there instead)

Most firewalls do not check outbound traffic, but you can check with

/sbin/iptables -L
or
/sbin/ipchains -L

(only one will work; ipchains is older than iptables)
0
 
GnsCommented:
What sendmail needs is to be able to _resolve_ names. You do not need to set up a DNS server for that, only configure the resolver library with DNS servers it can reach (we're back to the firewalling bit there).
You've had several excellent suggestions from the experts so far, let's regurgitate them :-):

1) Configure your local mailer (MTA), so that it can send messages. Usually this is as simple as setting up /etc/resolv.conf to contain a few "nameserver ...." entries (as per majorwoo's suggestion). Test it with tools like "nslookup", "dig" or "host". Also test mailing with a really simple mailer like "mail foo@bar.com<Enter>".

Also note the comment by bummerlord... It is the 5th argument, and it can be used as:
mail("nobody@aol.com", "the subject", $message,
     "From: webmaster@$SERVER_NAME", "-fwebmaster@$SERVER_NAME");

2) Test with telnet that you can actually go through the firewall on the SMTP port:
telnet anypublicmailserver.anywhere.net 25
You should be greeted by a "Banner string" informing you that you have reached an SMTP server...
EHLO<Enter>
should produce some output
QUIT<Enter>
is self-explanatory :-). As per bummerlord's suggestion.

Now, what is needed to move this further is relevant test results from you, zeus11. And perhaps a bit more (or rather, clearer) description of your network topology.

-- Glenn
0
 
zeus11Author Commented:
I edited the resolv.conf file, then tried the nslookup method and it gave me an error message about being unable to reach the network.  I also tried mail, which did not work.  And I could not telnet through the firewall because it said unable to reach network also.  But I can view the web pages on the machine from other PCs, so I know the IP and that it is accessible internally.

Now what do I do? Is something wrong with the /etc/resolv.conf file?
It looks like this:
nameserver 1.1.1.1
nameserver 2.2.2.2
nameserver 3.3.3.3
because our ISP gave us three IPs for DNS.
0
 
GnsCommented:
That is just fine.

That you can reach (and can be reached) on the local network is unsurprising, since you will always be able to reach addresses on the same network...

If you check your routing table, I'd bet you don't have a default router set up, so the Linux box cannot determine where to send packets for "remote" networks. Or the default route is just plain wrong;-).

/sbin/route -n<Enter>
should reveal if there is a correct route for 0.0.0.0
It is easy to add:
route add default gw <gateway's IP address>

The default route should be set up to point to the same IP address as all the other clients on the same LAN.

-- Glenn
0
 
zeus11Author Commented:
When I type route -n I get:

Destination     Gateway       Genmask   ...
<my ip>         0.0.0.0       255.255.255.192  ...
127.0.0.0       0.0.0.0       255.0.0.0  ...
0.0.0.0         <gatewayip>   0.0.0.0 ...

So it looks like it is set up correctly.
When I tried
route add default gw <gatewayip>
I get SIOCADDRT: File exists

Now what?
0
 
bummerlordCommented:
Does your ISP really use those addresses for the DNS servers??

Anyway, are you able to reach anything on the internet (surfing the web for instance)?

Did you set up this firewall yourself, or is that one of those "firewall distributions"?
Perhaps it's configured as a proxy-only firewall!?
In the proxy only case the firewall probably has ip forwarding disabled (thus won't do any routing from your network). In this case the only iptables rules you will see are to block/log inbound packets and to do redirects on your internal interface to do transparent proxying.

Try these commands on the firewall to enable forwarding and masquerade your outbound packets towards 25/tcp;

firewall# iptables -I FORWARD -i <internalNIC> -o <externalNIC> -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
firewall# iptables -t nat -I POSTROUTING -o <externalNIC> -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j MASQUERADE
firewall# iptables -I OUTPUT -o <externalNIC> -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
firewall# iptables -t nat -I POSTROUTING -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j MASQUERADE
firewall# echo 1 > /proc/sys/net/ipv4/ip_forward

Depending on the current configuration, some of the above may be unnecessary and possibly even make the firewall less secure, so don't blame me if anything burns up!
It is also possible that you need even more rules (in the mangle table for one) if the policy for all tables has been set to REJECT or DENY.

Replace <internalNIC> with your internal interface name (eth1 perhaps).
Replace <externalNIC> with your external interface name (eth0 perhaps).


Then try this on your inside machine;

inside# telnet 65.54.253.230 25
Escape character is '^]'.
220 mc8-f24.law1.hotmail.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.5600 ready at  Mon, 10 Mar 2003 11:32:00 -0800
QUIT
inside#

Also regarding DNS, you probably need firewall rules to allow DNS queries towards your ISP DNS as well.
DNS uses port 53 UDP as well as TCP (depending on the size of the query/answer)

If you have done the above, and telnet to port 25 works as the example above, then add rules to allow outbound DNS queries;

firewall# iptables -I FORWARD -i <internalNIC> -o <externalNIC> -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
firewall# iptables -I FORWARD -i <internalNIC> -o <externalNIC> -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
firewall# iptables -I OUTPUT -o <externalNIC> -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
firewall# iptables -I OUTPUT -o <externalNIC> -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
firewall# iptables -t nat -I POSTROUTING -o <externalNIC> -p udp --dport 53 -j MASQUERADE
firewall# iptables -t nat -I POSTROUTING -o <externalNIC> -p tcp --dport 53 -j MASQUERADE


On the other hand, if you are running a concept firewall distribution, you could probably get some hints from its documentation?? Perhaps there is a DNS and SMTP proxy for you to enable with a click?! ;-)

/b
0
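The SMTP and DNS rules quoted in the post above, reworked as an added example (not bummerlord's commands and not from the original thread) into a stateful egress ruleset that can be reviewed before it is applied. Interface names eth1 (LAN side) and eth0 (ISP side) and the LAN prefix 192.168.0.0/24 are assumptions; IPT can be pointed at another iptables binary.

```shell
#!/bin/sh
# Added example, not the thread's own commands: stateful egress rules that let an
# internal LAN send SMTP (25/tcp) and DNS (53/udp and 53/tcp) out through a Linux
# iptables gateway. Assumptions: eth1 is the LAN side, eth0 faces the ISP, and the
# LAN is 192.168.0.0/24. Compared with the rules quoted in the thread: the nat
# target is MASQUERADE (MASQ was the ipchains name), the return path is allowed
# explicitly with ESTABLISHED,RELATED so the rules also work under a DROP policy,
# and rules are appended (-A) instead of inserted in front of existing ones.

IPT=${IPT:-/sbin/iptables}

# egress_rules INT_IF EXT_IF LAN_CIDR : print the rule commands, one per line,
# so they can be reviewed (or compared with iptables-save) before being run.
egress_rules() {
    int_if=$1 ext_if=$2 lan=$3
    # Replies to connections the LAN or the gateway opened, plus related ICMP errors.
    echo "$IPT -A FORWARD -i $ext_if -o $int_if -d $lan -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A INPUT -i $ext_if -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A OUTPUT -o $ext_if -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # New outbound SMTP and DNS only: from the LAN (forwarded and masqueraded to
    # the gateway's external address) and from the gateway itself.
    for spec in "tcp 25" "udp 53" "tcp 53"; do
        set -- $spec   # $1 = protocol, $2 = destination port
        echo "$IPT -A FORWARD -i $int_if -o $ext_if -s $lan -p $1 --dport $2 -m state --state NEW -j ACCEPT"
        echo "$IPT -A OUTPUT -o $ext_if -p $1 --dport $2 -m state --state NEW -j ACCEPT"
        echo "$IPT -t nat -A POSTROUTING -o $ext_if -s $lan -p $1 --dport $2 -j MASQUERADE"
    done
}

# apply_egress_rules INT_IF EXT_IF LAN_CIDR : run the rules (as root) and turn on
# IP forwarding, stopping at the first rule iptables rejects.
apply_egress_rules() {
    egress_rules "$@" | while IFS= read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }   # exit leaves the pipeline subshell
    done || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Dry run: show what would be applied.
egress_rules eth1 eth0 192.168.0.0/24
```

Run `apply_egress_rules eth1 eth0 192.168.0.0/24` as root once the printed rules look right for the existing policy.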
 
bummerlordCommented:
(sorry for the duplicate -t nat rules for SMTP :-))
0
 
zeus11Author Commented:
I still can't get anything, and I've removed the Linux box from the internal LAN now, and I've got a direct connection to the internet through a hub.
Examples:
the gateway ip is 1.1.1.225
the subnet ip is 255.255.255.224
the dns server ip is 2.2.0.8
the linux box ip is 1.1.1.236

When I type route -n I get:
Destination     Gateway       Genmask   ...
1.1.1.224       0.0.0.0       255.255.255.224  ...
127.0.0.0       0.0.0.0       255.0.0.0  ...
0.0.0.0         1.1.1.225     0.0.0.0 ...

Does this look correct?
I've tried the telnet thing and I get nothing.
I've tried surfing the web with Mozilla and I get unable to resolve host.

Oh, what to do next?
0
 
zeus11Author Commented:
I can access the web pages on the machine from any other PC, but I cannot access anything from it.  I've checked the firewall's DNS settings and stuff (it is also on the same switch), and I've tried to mimic those settings on mine, but it still doesn't act right.
I've got the same DNS server configured,
I've got the same gateway configured,
I've got the same subnet mask configured,
and it still doesn't want to work right.  From the firewall I can do nslookup, telnet, ping, mail, all of the things you guys have said.  Does anyone have any clue what's wrong?
0
 
bummerlordCommented:
Where do you get the IP address from?
To me it doesn't look like that address space (1.1.1.0) is registered to be routed on the Internet (yet?)
--
% ARIN Internet Routing Registry Whois Interface

% No entries found in ANS, ARCSTAR, ARIN, BCONNEX,
% BELL, CANET, CW, FGC, KOREN, LEVEL3, POC, RADB, RIPE and VERIO database.

---
Anyway, your ISP may be using the 1.1.1.0 network in their local network. (I see no reason why, but they might think it's cool!?)

I'm not sure I have a clear view of your network setup...
Can you describe it in a bit more detail?
Sort of just like what is connected to what?
What IP addresses, subnet mask and default gateway each machine uses.

For instance:
- ISP connection connected to firewall external interface.
External firewall interface configured via DHCP (1.1.1.235/255.255.255.224 gw 1.1.1.225)
Internal firewall interface statically configured (192.168.0.1/255.255.255.0)
- Firewall internal interface connected to layer 2 switch
- Intel PC (linux) connected to layer 2 switch
(192.168.0.2/255.255.255.0 gw 192.168.0.1)
- Intel PC (QNX) connected to layer 2 switch
(192.168.0.3/255.255.255.0 gw 192.168.0.1)
- Sparc Ultra 1 (Solaris) connected to layer 2 switch.
(192.168.0.4/255.255.255.0 gw 192.168.0.1)

... and so on.

The fact that your other local machines can connect to your "problem" machine, but not the other way around sounds like a subnet mask problem.


/b
0
 
arvindCommented:
Do a simple thing...

From any Windows client, configure the browser to use your Squid proxy and try to browse some site. Let me know the result...

Did you enable IP masquerading on your firewall machine, if you do not want to use the proxy?

0
 
zeus11Author Commented:
Bell is my ISP.  Those are not the real IP addresses though, but I am using the DNS IPs they gave us, the gateway IP, and the subnet IP they gave us as well.  Again the other Linux box (the firewall, which I am not using anymore) is connected to the same hub, so I am using the same subnet mask as it, the same gateway IP as it, and the same DNS servers as it.  I am supposed to be using the same ones, aren't I????

subnet  255.255.255.224
gateway 66.*.*.224
myip    66.*.*.236
dns     205.152.0.8
        205.152.16.8
        205.152.32.8

I can browse the internet through the proxy though, because that is how I am getting to this site from this machine.

In my resolv.conf file, do I need an entry that says
"search foobar.com" on the first line, or is that unnecessary?
0
 
GnsCommented:
The search line just tells the resolver in which domain to search for unqualified names. It's so that you could do
ping machine_next_to_me
instead of
ping machine_next_to_me.my_local.domain
if you have
search my_local.domain
IOW, it's sometimes nice, but not really needed.

Your seeming "local machine" problem seems more and more to be solely FW-related, now doesn't it.

I'm not too sure I get your topology exactly, so could you please repeat it in as verbose detail as you feel comfortable with?

-- Glenn
0
 
bummerlordCommented:
Unless you made a typo above the default gateway IP is your problem.
Try gateway 66.b.c.225

With a 27-bit netmask, "usable" IP addresses range from 225 to 254 (224 is the subnet, and 255 is the broadcast address).

/b

0
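The 27-bit arithmetic in the post above, as an added example (not part of the original thread) that checks an address/netmask/gateway triple and flags a gateway typed as the network address before anything else gets blamed. The addresses are constructed, with 66.1.1 standing in for the thread's 66.b.c placeholder; only POSIX sh arithmetic is used.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check IP, netmask and default gateway
# the way the 27-bit reasoning above does. A gateway equal to the network address
# (66.b.c.224 with a /27) or the broadcast address cannot be a host, and a gateway
# outside the subnet is unreachable without another hop.
# Sample values are constructed (66.1.1.x stands in for the thread's 66.b.c.x).

ALL=4294967295   # 0xFFFFFFFF, spelled in decimal for portability

# ip2int DOTTED : print the address as a 32-bit integer; fail on malformed input.
ip2int() {
    set -- $(echo "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -ge 0 ] 2>/dev/null && [ "$o" -le 255 ] || return 1; done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip N : inverse of ip2int.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_bits DOTTED_MASK : prefix length, or fail if the mask is not contiguous ones.
mask_bits() {
    m=$(ip2int "$1") || return 1
    bits=0
    while [ $bits -lt 32 ] && [ $(( (m >> (31 - bits)) & 1 )) -eq 1 ]; do
        bits=$(( bits + 1 ))
    done
    # Every bit below the prefix must be zero, otherwise 255.0.255.0-style garbage.
    [ $(( m & ((1 << (32 - bits)) - 1) )) -eq 0 ] || return 1
    echo $bits
}

# check_gateway IP MASK GW : print network, broadcast, usable range and a verdict.
# Exit status is 0 only when GW is a usable host address on IP's subnet.
check_gateway() {
    ip=$(ip2int "$1") || { echo "bad ip: $1"; return 2; }
    bits=$(mask_bits "$2") || { echo "bad mask: $2"; return 2; }
    gw=$(ip2int "$3") || { echo "bad gateway: $3"; return 2; }
    mask=$(( (ALL << (32 - bits)) & ALL ))
    net=$(( ip & mask ))
    bcast=$(( net | (mask ^ ALL) ))
    echo "network $(int2ip $net)/$bits broadcast $(int2ip $bcast) usable $(int2ip $((net + 1)))-$(int2ip $((bcast - 1)))"
    if [ $gw -eq $net ]; then
        echo "gateway $3 is the network address: not a host, probably a typo"; return 1
    elif [ $gw -eq $bcast ]; then
        echo "gateway $3 is the broadcast address: not a host"; return 1
    elif [ $gw -lt $net ] || [ $gw -gt $bcast ]; then
        echo "gateway $3 is outside $(int2ip $net)/$bits: unreachable without another hop"; return 1
    fi
    echo "gateway $3 ok"
}

# Demonstration with the thread's (constructed) values: the typo, then the fix.
check_gateway 66.1.1.236 255.255.255.224 66.1.1.224 || echo "   -> fix the gateway"
check_gateway 66.1.1.236 255.255.255.224 66.1.1.225
```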
 
GnsCommented:
I assume zeus11 made a typo, since s/he gave it as 1.1.1.225 in the "edited" example previously.

If zeus11 trusts the firewall, it shouldn't be a _huge_ risk in divulging the address space behind the FW. Especially if no NAT or similar is in effect. Perhaps best to be cautious though:-)

-- Glenn
0
 
zeus11Author Commented:
I would give the exact addresses, except that my boss knows my user name and is also a member.  He also told me not to post that info, and there is NAT in the iptables script.

Also, the problem isn't the firewall anymore, because the machine is not going through it anymore.  It is directly connected to the net now.  The problem seems, as someone stated earlier, that it could be a subnet mask problem.  Should two machines on the same hub have the same subnet mask?  Or should they be different?

But I did make a typo on the gateway; it is 225 instead of 224.  If you guys want to email me, it is dsteed@miskellys.com.  And I will still assign the points to you if you help me solve the problem, but I can't post too much detail over the net.
0
 
bummerlordCommented:
ok :-)

So we have a single machine (no firewall, NAT, etc.) that cannot communicate on the Internet, but can communicate with its next neighbour (on the same subnet, even the same HUB).
IP configuration is assumed to be correct.

Before I give up...
A few more questions for zeus11;

Is iptables configured on this machine as well?
(if so flush the rules; iptables -F ; iptables -t nat -F ; iptables -P INPUT ACCEPT ; iptables -P OUTPUT ACCEPT )

Can you ping default gateway?

Is there an arp entry for your default gateway?
# netstat -pn
or
# arp -an

Can you paste the output from "ifconfig -a" and "netstat -rn" here (the above 'route -n' didn't show the interface names)?
(...with or without the real IP addresses)

/b
0
 
bummerlordCommented:
Machines on the same hub/switch do not have to be on the same subnet. Though to be able to talk (IP) to each other there has to be a router forwarding the packets (the router has to know about both subnets, of course).

/b
0
 
GnsCommented:
What type of GW is that? Some access router owned by the ISP?

If you have connected your machine between the router/gateway and your company firewall (which does NAT for you), I assume you've assigned your box a public IP address suitable for the "mini-LAN" between the router/gw and the fw... right?

-- Glenn
0
 
GnsCommented:
If you like, mail as detailed info as possible (linux box, firewall IFs, router ... IP addresses/netmasks, routing tables etc) to glennsteen<at>netscape.net

If you do, post a comment here... I don't monitor that mailbox too frequently:-).

-- Glenn
0
 
zeus11Author Commented:
I can ping the default gateway.
I get this from arp -an:
? (66.a.b.225) at 00:05:32:81:5F:60 [ether] on eth0
netstat -pn gives a lot of stuff, but here it is:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 66.a.b.236:22         66.a.b.227:47746      ESTABLISHED 1069/sshd
udp        0      0 66.a.b.236:32890      205.152.0.8:53          ESTABLISHED 877/h2AEsjR01343: f
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  9      [ ]         DGRAM                    903    548/syslogd         /dev/log
unix  3      [ ]         STREAM     CONNECTED     1593   1061/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     1592   1068/xsri
unix  3      [ ]         STREAM     CONNECTED     1590   1061/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     1589   1067/gdmlogin
unix  3      [ ]         STREAM     CONNECTED     1584   1061/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     1583   1067/gdmlogin
unix  3      [ ]         STREAM     CONNECTED     1568   994/xfs             /tmp/.font-unix/fs7100
unix  3      [ ]         STREAM     CONNECTED     1567   1061/X
unix  3      [ ]         STREAM     CONNECTED     1570   1061/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     1560   1060/gdm
unix  2      [ ]         DGRAM                    1530   1042/perl
unix  2      [ ]         DGRAM                    1456   994/xfs
unix  2      [ ]         DGRAM                    1393   934/crond
unix  2      [ ]         DGRAM                    1317   873/sendmail: accep
unix  2      [ ]         DGRAM                    1192   784/xinetd
unix  2      [ ]         DGRAM                    969    601/rpc.statd
unix  2      [ ]         DGRAM                    914    553/klogd
0
 
zeus11Author Commented:
Also there are no iptables rules listed when I do
iptables -L
The IP address of the machine is one assigned by the ISP:
gateway 66.a.b.225
subnet 66.a.b.224
fw ip 66.a.b.227
my ip 66.a.b.236

I read somewhere that once a DNS server fails, the machine will go to the next and never use that one again.  I do I get back to using the first one instead of the third one?  Just delete the 2nd and 3rd entry?
0
 
zeus11Author Commented:
How do i get back , not I do I get? sorry about the typo.
0
 
GnsCommented:
No, a "failed attempt" will just time out and the query moves to the next server.
Upon a subsequent query you will start by trying the first DNS server again; if that fails ...

The "reshuffling" of DNS servers is known to play havoc on windoze systems (2k/xp), not Linux. Also note that on windoze it is the order in which they are used that can be affected.

On the "working" client machines, what DNS source do they use? A local DNS? It might be we're barking up the wrong tree here:-). There could feasibly be filters for DNS in the GW.

-- Glenn
0
 
bummerlordCommented:
Ok you've received arp replies from your default gateway.. that's good :-)
Your machine also thinks there is a connection towards 205.152.0.8:53... could be good. There is usually no 'state' used with UDP, but since you have an iptables-enabled kernel this may indicate that the kernel has seen UDP packets for this session in both directions. I've never seen ESTABLISHED for a UDP "connection" before though.

Do you still get "network unreachable" when trying to connect outside your subnet?

Can you ping the default gateway IP?

By "assigned by the isp", do you mean by using DHCP?

What is the output from
/usr/sbin/traceroute -n 216.239.53.101
(it's the IP for www.google.com)

/b
0
 
zeus11Author Commented:

> Do you still get "network unreachable" when trying to connect outside your subnet?
#nslookup
Note:  nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead.  Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
www.google.com
;; connection timed out; no servers could be reached
>
> Can you ping the default gateway IP?
#ping 66.a.b.225
PING 66.a.b.225 (66.a.b.225) from 66.a.b.236 : 56(84) bytes of data.
64 bytes from 66.a.b.225: icmp_seq=1 ttl=255 time=2.18 ms
64 bytes from 66.a.b.225: icmp_seq=2 ttl=255 time=1.97 ms
64 bytes from 66.a.b.225: icmp_seq=3 ttl=255 time=2.12 ms
64 bytes from 66.a.b.225: icmp_seq=4 ttl=255 time=2.27 ms

--- 66.a.b.225 ping statistics ---
4 packets transmitted, 4 received, 0% loss, time 3030ms
rtt min/avg/max/mdev = 1.976/2.141/2.274/0.118 ms

the ip isn't dhcp.

> What is the output from
> /usr/sbin/traceroute -n 216.239.53.101?

# /usr/sbin/traceroute -n 216.239.53.101
traceroute to 216.239.53.101 (216.239.53.101), 30 hops max, 38 byte packets
 1  66.a.b.225  4.260 ms  3.426 ms  3.510 ms
 2  66.a.b.225  3.318 ms !X *  1.251 ms !X

0
 
GnsCommented:
The traceroute shows that you have some sort of connectivity (connectivity problem:-).
This is from the traceroute manpage: !X (communication administratively prohibited)

So the gateway is stopping icmp Echo (traceroute and ping) for you. This is not uncommon.

Redo the nslookup, but start with an explicit
server <DNS server IP><Enter>

to explicitly use that server address. If it fails, I think we can bank on the gateway just letting a very limited subset of addresses through for DNS lookups, and your IP not being one of them.

Something is fishy about the whole setup... The _working_ clients setup would be crucial (to compare).

-- Glenn
0
 
zeus11Author Commented:

# nslookup -sil
> server 205.152.0.8
Default server: 205.152.0.8
Address: 205.152.0.8#53
>google.com
;; connection timed out; no servers could be reached



0
 
GnsCommented:
Which shows that you are not getting through, sort of.
Can you "telnet 205.152.0.8 53"?

-- Glenn
0
 
GnsCommented:
...or can you
lynx http://216.239.53.101 
or similar?

-- Glenn
0
 
zeus11Author Commented:
> Which shows that you are not getting through, sort of.
> Can you "telnet 205.152.0.8 53"?

#telnet 205.152.0.8 53
Trying 205.152.0.8...
telnet: connect to address 205.152.0.8: No route to host

My boss has his laptop connected to the same hub and his is working, but he is using Win2000.
0
 
zeus11Author Commented:
lynx isn't installed; is there another similar one?
0
 
GnsCommented:
links, mozilla, netscape ...
But we can expect it to behave similarly to telnet on port 53.

Run
ipconfig /all
on the w2k. The OS isn't that important here... this is purely an IP problem:-).

-- Glenn
0
 
bummerlordCommented:
Well, actually the traceroute command shipped with most Linux distributions uses UDP packets. To use ICMP ECHO you need to use the -I switch to traceroute.
At least the router returns ICMP packets to say your traffic is prohibited...

Btw, it is possible that the gateway (maybe an old Cisco with firewall IOS) blocks packets with the ECN flag set (explicit congestion notification) since it doesn't know what it is.. (Windows does not until possibly in XP!?)
To check if you have ECN enabled type;
cat /proc/sys/net/ipv4/tcp_ecn
If enabled you will get "1" displayed on your terminal, else "0".

(I'll let Gns guide you with the long troubleshooting, and poke in the more odd scenarios like the above when they spring to mind ;-))

/b
0
 
zeus11Author Commented:
#cat /proc/sys/net/ipv4/tcp_ecn

Got "no route to host" from links.
0
 
zeus11Author Commented:
OK, new info.  I got a friend to try to ssh to my machine from his.  It can't find that IP.  So the reason why I can get the web page and ssh to it is because I go through the FW, which is on the same hub.  What does it sound like now?
0
 
zeus11Author Commented:
cat /proc/sys/net/ipv4/tcp_ecn
0
0
 
GnsCommented:
Was it jdfox "carping" about showing his age last time around... Well, now I'm showing mine:-), in the olden days traceroute relied on ICMP packets and TTL. Of course you're right, bummerlord.

Do you buy your addresses by subnet or explicit addresses?
How do you generally assign them? DHCP or manual?

And I really need the "secret info" from the w2k to make heads or tails of this.

I'm guessing, but perhaps you are buying "so and so many" addresses, and ... well ... yours is simply not one of them.
Could you convince your boss to temporarily let you use the IP address of his laptop for a short while (you have to disconnect the laptop from the network, to prevent a duplicate IP problem)?
If this theory holds, you should be fine mimicking his machine's setup.

-- Glenn
PS. Don't sit this one out bummerlord. If nothing else we'll complement one another's ideas. Join the fun:-). DS
0
 
GnsCommented:
I had a really similar problem resolved today.

Quoting "there was a violation in the switch from my isp side. They had that cleared today and it is all dandy."

See where I'm leaning now:-).

(Warning: If you try to follow my leanings and listing (in the shipboard term of the phrase), there is a distinct possibility of seasickness;-).

-- Glenn
0
 
bummerlordCommented:
Glenn,

Ok, but I really have nothing to add now ;-)
I was thinking "limited addresses/devices per port" previously, but then I thought "why the **** would they assign a 27 bit subnet if not allowing 30 hosts to be used!?"

Zeus11, how do you know you (your friend) pass through the firewall on the same hub? Is he/she on the same subnet, or is he/she on a LAN/subnet behind the firewall?

What type of connection do you have towards your ISP?
How many hosts are active on your network?
(your boss PC, The linux firewall, and what else?)

At home I have a DSL connection. In my end I have a DSL modem that doesn't do any routing (a bridge), and at the ISP end there is a DHCP server assigning addresses to me. I only get 1 address, and if I set up other addresses in the same subnet manually, they are not allowed to get past the ISP gateway (the only thing I can reach is the gateway - that is also the DHCP server).
My ISP also requires me to login using a webpage before I can get through to the Internet.
I just mention this as an example of how some ISPs restrict usage (the idea being to control limited resources such as IPv4 addresses, and to "protect" normal people from exposing printservers etc that sometimes try DHCP by default, on the Internet (if they connect their LAN without a NATing firewall etc etc))

I think the limitation is at your ISP's; possibly you need to allocate the address using DHCP before the gateway will allow your traffic...
Did you get some other info from your ISP besides the address range and DNS servers to use?
It would be unnecessary to tell you the address range if you were required to use DHCP, but it may be worth trying it..

as root;
# dhcpcd eth0
When the prompt returns check that you got an address
# ifconfig eth0

If no address for eth0 that's not it :-)
If you already know the ISP doesn't provide DHCP services for the subnet there is no need to try at all.
You could look at the w2k machine and see if it's already using DHCP by looking in the network properties (won't show with "ipconfig /all" I think)

/b
0
 
GnsCommented:
> ... I though "why the **** would they assign a 27 bit subnet if not allowing 30 hosts to be used!?"
We all make mistakes... even I... and most certainly all the ISPs of the world:-).

> At home I have a DSL connection...
This sounds suspiciously like the Telia abomination... You in Sweden, bummerlord?
Anyway, I told you we'd complement ideas;-). You're complementing me by being more explicit.
This is also why I've been asking about the *working* clients, and how they generally acquire their addresses.
Even if DHCP doesn't come into play, I'm thinking this is purely at the "other end" (ie. at the ISPs end;).

ipconfig /all will tell the lease time, so it does show whether DHCP is used or not;-).

-- Glenn
0
 
GnsCommented:
Just to show that I do make mistakes (however a rather slight one), ipconfig also tells which IP address is the DHCP server... might be seen as a better indicator on the use of DHCP than the lease time:-).

I realise there is a grammatical error (yeah, right ... one:-), but I'm too tired to weed it out (as you might suspect I'm not native to English:-). You're smart people, you'll figure out what I'm trying to say;-).

-- Glenn
0
 
bummerlordCommented:
You said abomination, not I .-) Anyway, Telia operates in all the Nordic countries and perhaps all of Europe, don't they? I won't expose my ISP's name now that I've just proclaimed it to be one of the most user-unfriendly ISPs on earth ;-)

Thanks for the ipconfig hint... I'll remember it the next time I'm in front of a Windows polluted environment.
(Cheers to all native Unix people!)

zeus11, are you still with us?
0
 
zeus11Author Commented:
Changed IP to the laptop IP and it is working now, so I think my boss will be giving BellSouth a call this morning about the other 26 IPs not working.  Also, how do I grant points, and can I split them between you guys or can I just pick one?
0
 
GnsCommented:
Yes, Telia operates on many markets... But it is the old Swedish telephony works (Televerket), and is most spread (like a virus:-) here. Simply because they own the access networks... they dominate the DSL market. The abomination part is because they use private addresses for the DHCP, GW and DNS services (10.0.0.?). On a "public" network. Sigh.

I can help your boss inventing invectives to use in that conversation zeus11, just so that he gets past the support "first line of defense";-). I've found that kindness is OK in many situations, but well-expressed miffed-ness is equally effective:-):-).

Splitting points is usually done by setting the points to what you feel is appropriate, accepting one answer, then posting questions of the form "Points for XXX", where XXX is the callsign of the recipient, in the same TA. If you do so, please post a comment to that effect here so that we "see" it easily.
But you are fully in charge of your question. If you feel like just accepting one comment as answer, you're entitled to do so.

-- Glenn
0
 
bummerlordCommented:
Hope you get access to all the IPs...
Sometimes ISPs want a description of the network describing why you need that many IP addresses. That's usually when registering though.

If you don't, however, you do have Linux to the rescue! Just put your LAN behind the firewall and use NAT (or MASQUERADING, the "Linux" term for all-to-one NAT).
Set up private IP addresses (e.g. 192.168.x.y) on the LAN. Set up a DHCP server, caching name server, transparent proxy server (squid + iptables), VPN (IPsec) gateway, traffic control (QoS) to manage the bandwidth, etc. etc. and more...
Linux manages it all! ;-)


About splitting points;
I think you can lower the points on this Q (say 150), accept one comment as answer, then post another question worth 150 points entitled "points for xxxxx", and once a comment is posted you can accept it as the answer.

Gns has been around here longer than I, he probably knows the exact drill ;-)

/b

0
 
zeus11Author Commented:
It would not let me lower the points.
0
 
zeus11Author Commented:
There's a question "points for bummerlord"; go find it and I'll give you points as well.
0
 
GnsCommented:
It didn't? The only time I've actually tested the "question side" of EE it did.
If you feel that you would like to have points refunded, you can contact Community Support (Just pose a 0 point question there) and they should be able to clear things up.

-- Glenn
0
 
bummerlordCommented:
Gns, I see.. so if you'd like to use, or are already using 10.x.x.x in your own network you're not welcome!? ;-)

They probably feel "safe" using private addresses (or it's cheap to be able to print the same instructions to every user regardless of location?!)
.. what if any Telia DSL customer with Linux firewalls were to enter
iptables -t nat -I PREROUTING -i eth0 -j DNAT --to-destination 10.0.0.x
(he/she probably already have "iptables -t nat -I POSTROUTING -o eth0 -j MASQ")

Then post "My host is unbreakable!" to a few mailinglists :-)

That would be dumb though since the user is dependent of these services most likely..

0
 
GnsCommented:
Right you are, bummer. As I said, an abomination. Stupid, "safe", and cheap; yeah, that fits the bill;-).

Yes, but if the "user" was in fact employed by one of the other ISPs...:-):-).

'Nuff telia-bashing. They've got lawyers too:-).
And God forbid that someone actually did something like that, and the trustworthy "IT-aware" police would start searching the net... finding this;-)...

But this does shine a light on the problem with private addresses. Since there is no registrar or arbitrator, things can get ugly fast when trying to interconnect several private networks.
Thank God for NAT.

-- Glenn
0
