[nos-bbs] HTTP server restriction maybe

Jay Nugent jjn at nuge.com
Tue Apr 17 15:03:32 EDT 2007


Greetings Skip (et al),

On Tue, 17 Apr 2007, (Skip) K8RRA wrote:

> On Tue, 2007-04-17 at 12:08 -0500, Barry Siegfried wrote:
> 
> > ["(Skip) K8RRA" <k8rra at ameritech.net> wrote]:
> > 
> > > Try this model:
> > > Site A (me):
> > >    Host A1 / Linux: static 192.168.1.32 IP + jnos 44.102.132.20
> > >    LAN to Internet bridge appliance: LAN IP 192.168.1.254 + WAN IP 24...
> > >    dynamic Host A2 / any O/S: dynamic LAN IP 192...
> > 
> > And don't you also have a 44-net IP address on the Linux side of
> > the TUN device to JNOS?
> 
> Oh no - the host stack only has a route to 44... network - there is no
> 44 IP on the host.
> 
> > <<SNIP>>- the primary issue is that the FROM IP is NOT 44....
> > 
> > Well it should be.  Why isn't it?
> 
> No - it should not be - network rules are being accurately followed
> here. The only way to get to 44... as a FROM IP (without re-writing jnos 
> to share the host stack) is thru NAT as far as I know.

   Nada.  No way.  Uh uh. No sirie!  NAT, cough gag hurl!

   The "source" address of an outgoing packet is determined by the
*interface* address used.  And which *interface* is determined by the
destination address you are trying to reach, and what *interface* the
*route table* says you must use to get to the desired destination.

   That's a lot to chew on.  Let me explain...

   I have a Linux box here.  Its address is 216.144.208.6.  However, I 
would like this box to also be able to reach the HTTP webpages at 
wb8rcr.ampr.org.  To do this I added an additional *interface* to this box 
along with the supporting *route* entry, as follows:

   ifconfig eth0:44 44.102.1.239

   route add -net 44.0.0.0/8 gw 44.102.1.1


   So at this point I now have a Linux box that will send ALL its traffic
out onto my ethernet as 216.144.208.6 *UNLESS* it happens to be going to
anything in the AMPRnet (44/8).  In which case it flows out onto my
ethernet addressed FROM 44.102.1.239 and GATEWAYED through 44.102.1.1
(which happens to be my JNOS/Hamgate on that very same ethernet).

   Now, remember what I said about "Think like a Packet" the other day.  
What's missing?  ...a return route!!!

   So on the JNOS/Hamgate I have to add a route that will send any packets
it receives *for* 44.102.1.239 *back* to the Linux box on the ethernet.  
So on the JNOS/Hamgate I have added this route:

   route add 44.102.1.239 eth0


   BINGO!!!  Now when I point my browser to http://wb8rcr.ampr.org, my
packets go out addressed TO 44.102.200.17, addressed FROM 44.102.1.239.  
They are 'GW'ayed to the JNOS/Hamgate 44.102.1.1, who then passes them
through the normal AMPRnet routing to get to wb8rcr.ampr.org's web server.

   When the wb8rcr.ampr.org web server responds, it returns packets
addressed to my FROM address of 44.102.1.239.  Following the normal
AMPRnet network routing that says send all 44.102.1/24 to
Hamgate.Washtenaw.AMPR.org (44.102.1.1).

   Normally, Hamgate.Washtenaw sends all 44.102.1/24 traffic out its RF
port, but remember we put in a /32 route stipulating we are to send
44.102.1.239 out the ethernet.  So "Thinking like a Packet" we do just
that and the web content reaches my Linux box and my browser displays the
webpage :)

   Forget NAT (it's almost as evil as firewalls are).  We have enough
44-net addresses to go around so there is NO need to use NAT anywhere.  
If you want more 44-net addresses Skip, fill out the application on the
MI-DRG.org website and get a few more assigned to you.  Also, there is
nothing "magical" about the 44-net addresses.  ANY ip address *can* be
routed over the RF network.  We *could* be using 192.168.x.y if we wanted.  
Just so long as the ROUTING TABLES on every node that needs to pass such
traffic knows how to send them.  They are *just numbers*.

   Skip, I believe you will be attending this Saturday's DRG meeting?  In
my training session I'll be going over static routing and how to "Think
like a Packet".  Hope to see you there!  And hope that we can help clear
up any misconceptions and help lift the fog a little.  I'll bring an empty
V8 juice can with me so you can smack it into your forehead when this all
comes clear for you ;-)  See you there!

      --- Jay Nugent  WB8TKL
 
"Getting rid of terrorism is like getting rid of dandruff.  It cannot
 be done completely no matter how hard you try." -- Gore Vidal
+------------------------------------------------------------------------+
| Jay Nugent   jjn at nuge.com    (734)484-5105    (734)544-4326/Fax        |
| Nugent Telecommunications  [www.nuge.com]     (734)649-0851/Cell       |
|   Internet Consulting/Linux SysAdmin/Engineering & Design/ISP Reseller |
| ISP Monitoring [www.ispmonitor.net] ISP & Modem Performance Monitoring |
| Web-Pegasus    [www.webpegasus.com] Web Hosting/DNS Hosting/Shell Accts|
| LinuxNIC, Inc. [www.linuxnic.net]   Registrar of the .linux TLD        |
+------------------------------------------------------------------------+
  2:01pm  up 37 days,  9:47,  5 users,  load average: 0.09, 0.06, 0.07
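The "Think like a Packet" walk-through above can be checked with a small longest-prefix-match simulation. The following Python is an added example, not part of Jay's post or of JNOS; it models each host's route table the way the post describes it (the source address is the address of the interface the chosen route points out of), and then traces both legs of the trip: the request leaving the Linux box for wb8rcr.ampr.org, and the reply arriving at the JNOS/Hamgate for 44.102.1.239 with and without the /32 return route. Only 216.144.208.6, 44.102.1.239, 44.102.1.1 and 44.102.200.17 come from the post; the default gateway, netmasks and the RF interface name are constructed assumptions, and real Linux source-address selection has more rules than this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str                                       # interface the packet leaves on
    gateway: Optional[ipaddress.IPv4Address] = None  # None: destination is on-link


class Host:
    """A host with interface addresses and a static route table."""

    def __init__(self, name, addrs):
        self.name = name
        self.addrs = {i: ipaddress.IPv4Address(a) for i, a in addrs.items()}
        self.routes = []

    def add_route(self, prefix, iface, gw=None):
        self.routes.append(Route(ipaddress.IPv4Network(prefix), iface,
                                 ipaddress.IPv4Address(gw) if gw else None))

    def lookup(self, dst):
        """Longest-prefix match: the most specific route containing dst wins."""
        dst = ipaddress.IPv4Address(dst)
        matches = [r for r in self.routes if dst in r.prefix]
        if not matches:
            return None
        return max(matches, key=lambda r: r.prefix.prefixlen)

    def egress(self, dst):
        """Which interface a packet for dst leaves on, its source address, and next hop.
        Source address = address on the egress interface, as the post describes."""
        r = self.lookup(dst)
        if r is None:
            return None
        return {"iface": r.iface,
                "src": str(self.addrs[r.iface]),
                "next_hop": str(r.gateway) if r.gateway else str(dst)}


def linux_box():
    """Jay's Linux box: 216.144.208.6 on eth0 plus the eth0:44 alias from the post."""
    h = Host("linux", {"eth0": "216.144.208.6", "eth0:44": "44.102.1.239"})
    h.add_route("216.144.208.0/24", "eth0")             # assumed on-link netmask
    h.add_route("0.0.0.0/0", "eth0", "216.144.208.1")   # assumed default gateway
    h.add_route("44.0.0.0/8", "eth0:44", "44.102.1.1")  # route add -net 44.0.0.0/8 gw 44.102.1.1
    return h


def hamgate(with_return_route=True):
    """JNOS/Hamgate 44.102.1.1: 44.102.1/24 normally goes out the RF port.
    'rf0' and its address are constructed placeholders."""
    h = Host("hamgate", {"eth0": "44.102.1.1", "rf0": "44.102.1.1"})
    h.add_route("44.102.1.0/24", "rf0")
    if with_return_route:
        h.add_route("44.102.1.239/32", "eth0")          # route add 44.102.1.239 eth0
    return h


def round_trip(with_return_route=True):
    """Trace the request to wb8rcr.ampr.org and where the reply leaves the hamgate."""
    request = linux_box().egress("44.102.200.17")
    reply = hamgate(with_return_route).egress(request["src"])
    return {"request": request, "reply_leaves_hamgate_on": reply["iface"]}


if __name__ == "__main__":
    for flag in (True, False):
        print("return route present:", flag, "->", round_trip(flag))
```

Run it and the second line shows the point of the post: without the /32 entry the reply for 44.102.1.239 matches only the 44.102.1/24 route and is sent out the RF port, never reaching the ethernet.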