[nos-bbs] HTTP server restriction maybe

Jay Nugent jjn at nuge.com
Tue Apr 17 15:03:32 EDT 2007

Greetings Skip (et al),

On Tue, 17 Apr 2007, (Skip) K8RRA wrote:

> On Tue, 2007-04-17 at 12:08 -0500, Barry Siegfried wrote:
> > ["(Skip) K8RRA" <k8rra at ameritech.net> wrote]:
> > 
> > > Try this model:
> > > Site A (me):
> > >    Host A1 / Linux: static IP + jnos
> > >    LAN to Internet bridge appliance: LAN IP + WAN IP 24...
> > >    dynamic Host A2 / any O/S: dynamic LAN IP 192...
> > 
> > And don't you also have a 44-net IP address on the Linux side of
> > the TUN device to JNOS?
> Oh no - the host stack only has a route to 44... network - there is no
> 44 IP on the host.
> > <<SNIP>>- the primary issue is that the FROM IP is NOT 44....
> > 
> > Well it should be.  Why isn't it?
> No - it should not be - network rules are being accurately followed
> here. The only way to get to 44... as a FROM IP (without re-writing jnos 
> to share the host stack) is thru NAT as far as I know.

   Nada.  No way.  Uh uh. No sirie!  NAT, cough gag hurl!

   The "source" address of an outgoing packet is determined by the
*interface* address used.  And which *interface* is determined by the
destination address you are trying to reach, and what *interface* the
*route table* says you must use to get to the desired destination.

   That's a lot to chew on.  Let me explain...

   I have a Linux box here.  Its address is  However, I 
would like this box to also be able to reach the HTTP webpages at 
wb8rcr.ampr.org.  To do this I added an additional *interface* to this box 
along with the supporting *route* entry, as follows:

   ifconfig eth0:44

   route add -net gw

   So at this point I now have a Linux box that will send ALL its traffic
out onto my ethernet as *UNLESS* it happens to be going to
anything in the AMPRnet (44/8).  In which case it flows out onto my
ethernet addressed FROM and GATEWAYED through
(which happens to be my JNOS/Hamgate on that very same ethernet).

   Now, remember what I said about "Think like a Packet" the other day.  
What's missing?  ...a return route!!!

   So on the JNOS/Hamgate I have to add a route that will send any packets
it receives *for* *back* to the Linux box on the ethernet.  
So on the JNOS/Hamgate I have added this route:

   route add eth0

   BINGO!!!  Now when I point my browser to http://wb8rcr.ampr.org, my
packets go out addressed TO, addressed FROM  
They are 'GW'ayed to the JNOS/Hamgate, who then passes them
through the normal AMPRnet routing to get to wb8rcr.ampr.org's web server.

   When the wb8rcr.ampr.org web server responds, it returns packets
addressed to my FROM address of  Following the normal
AMPRnet network routing that says send all 44.102.1/24 to
Hamgate.Washtenaw.AMPR.org (

   Normally, Hamgate.Washtenaw sends all 44.102.1/24 traffic out its RF
port, but remember we put in a /32 route stipulating we are to send out
the ethernet.  So "Thinking like a Packet" we do just that and the web
content reaches my Linux box and my browser displays the webpage :)

   Forget NAT (it's almost as evil as firewalls are).  We have enough
44-net addresses to go around so there is NO need to use NAT anywhere.  
If you want more 44-net addresses Skip, fill out the application on the
MI-DRG.org website and get a few more assigned to you.  Also, there is
nothing "magical" about the 44-net addresses.  ANY ip address *can* be
routed over the RF network.  We *could* be using 192.168.x.y if we wanted.  
Just so long as the ROUTING TABLES on every node that needs to pass such
traffic knows how to send them.  They are *just numbers*.

   Skip, I believe you will be attending this Saturday's DRG meeting?  In
my training session I'll be going over static routing and how to "Think
like a Packet".  Hope to see you there!  And hope that we can help clear
up any misconceptions and help lift the fog a little.  I'll bring an empty
V8 juice can with me so you can smack it into your forehead when this all
comes clear for you ;-)  See you there!

      --- Jay Nugent  WB8TKL
"Getting rid of terrorism is like getting rid of dandruff.  It cannot
 be done completely no matter how hard you try." -- Gore Vidal
| Jay Nugent   jjn at nuge.com    (734)484-5105    (734)544-4326/Fax        |
| Nugent Telecommunications  [www.nuge.com]     (734)649-0851/Cell       |
|   Internet Consulting/Linux SysAdmin/Engineering & Design/ISP Reseller |
| ISP Monitoring [www.ispmonitor.net] ISP & Modem Performance Monitoring |
| Web-Pegasus    [www.webpegasus.com] Web Hosting/DNS Hosting/Shell Accts|
| LinuxNIC, Inc. [www.linuxnic.net]   Registrar of the .linux TLD        |
  2:01pm  up 37 days,  9:47,  5 users,  load average: 0.09, 0.06, 0.07
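The mechanism Jay walks through above (source address follows the interface chosen by longest-prefix route lookup, plus the need for a matching return route on the gateway) can be checked with a small routing-table model. The following is an added example and is not part of the original message or of JNOS; all addresses are constructed stand-ins (RFC 5737 documentation space for the ethernet, a made-up 44.102.1.x host for the alias, a made-up 44-net address for the remote web server), since the archive stripped the real ones from the mail. The model simplifies Linux source selection to "the address of the interface the winning route points at", which is the behaviour the mail describes for the eth0:44 alias.

```python
"""Toy model of route lookup, source-address choice and the return route.

Added example, not the original poster's commands. Every address below is
constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network           # destination prefix
    iface: str                            # outgoing interface; its address becomes the source
    gw: Optional[ipaddress.IPv4Address] = None  # next hop, None = directly connected


# Interfaces on the Linux box: name -> address.  "eth0:44" stands in for the
# alias the mail creates with "ifconfig eth0:44 <44-net address>".
INTERFACES = {
    "eth0": ipaddress.IPv4Address("192.0.2.10"),       # constructed LAN address
    "eth0:44": ipaddress.IPv4Address("44.102.1.200"),  # constructed 44-net alias
}

# Route table on the Linux box (constructed values).
HOST_ROUTES: List[Route] = [
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "eth0",
          ipaddress.IPv4Address("192.0.2.1")),          # default via the Internet appliance
    Route(ipaddress.IPv4Network("192.0.2.0/24"), "eth0"),  # directly connected ethernet
    Route(ipaddress.IPv4Network("44.0.0.0/8"), "eth0:44",
          ipaddress.IPv4Address("192.0.2.44")),         # AMPRnet via the JNOS/Hamgate on the LAN
]

# Route table on the JNOS/Hamgate, before and after adding the /32 return route.
GATEWAY_ROUTES: List[Route] = [
    Route(ipaddress.IPv4Network("44.102.1.0/24"), "rf"),  # normally the /24 leaves by the RF port
]
GATEWAY_ROUTES_WITH_RETURN: List[Route] = GATEWAY_ROUTES + [
    Route(ipaddress.IPv4Network("44.102.1.200/32"), "eth0"),  # "route add <host> eth0" from the mail
]


def lookup(routes: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    matches = [r for r in routes if dst in r.dest]
    if not matches:
        return None
    return max(matches, key=lambda r: r.dest.prefixlen)


def pick_source(routes: List[Route], interfaces: dict, dst: str) -> Tuple[str, str]:
    """Return (source address, next hop) the box would use for a packet to dst."""
    route = lookup(routes, ipaddress.IPv4Address(dst))
    if route is None:
        raise ValueError(f"no route to {dst}")
    nexthop = route.gw if route.gw is not None else ipaddress.IPv4Address(dst)
    return str(interfaces[route.iface]), str(nexthop)


def return_interface(gateway_routes: List[Route], src: str) -> Optional[str]:
    """Which gateway interface carries the *reply* addressed to our source address?"""
    route = lookup(gateway_routes, ipaddress.IPv4Address(src))
    return route.iface if route else None


def round_trip(dst: str, gateway_routes: List[Route]) -> dict:
    """Think like a packet: outbound choice on the host, then the reply's path at the gateway."""
    src, nexthop = pick_source(HOST_ROUTES, INTERFACES, dst)
    return {"src": src, "nexthop": nexthop, "reply_via": return_interface(gateway_routes, src)}


if __name__ == "__main__":
    # Constructed stand-in for the remote 44-net web server.
    print(round_trip("44.200.0.9", GATEWAY_ROUTES))              # reply goes out "rf": wrong
    print(round_trip("44.200.0.9", GATEWAY_ROUTES_WITH_RETURN))  # reply goes out "eth0": correct
    print(round_trip("198.51.100.7", GATEWAY_ROUTES))            # ordinary Internet traffic, LAN source
```

Running it shows the two halves of the argument: traffic for anything in 44/8 leaves with the alias address as its source and the Hamgate as next hop, everything else keeps the LAN address and the default gateway, and without the /32 the Hamgate would send the reply out its RF port instead of back onto the ethernet.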