On Oct 30, 2017 12:03 PM, Simon Hobson <li...@thehobsons.co.uk> wrote:

Rommel Rodriguez Toirac <romme...@nauta.cu> wrote:

> First, I live in Cuba and here access to the Internet is a little different than in the rest of the world. Let's say just different.
>  My ISP (in my case the national network level) gives the range 172.16.120.0/24 to my network and from 172.16.121.0/29 to the rest of my 10 municipal networks.
>  The IP given to my router is 172.16.120.254 and all other routers in my municipal networks are in the 172.16.#.# range too.
>  OK 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 are PRIVATE network addresses but I do not have any PUBLIC address.
>  Our network works this way, just in PRIVATE network addresses, and our routers are configured to use this.

Well then, in that case you cannot have any services accessible from the internet - UNLESS the ISP allows you to configure port forwarding rules in their system to allow connections to a public IP to be forwarded to one of your systems.

>  Why can I make the communication possible using just the IP address and why not using PC names or aliases?

OK, more DNS issues here.
For a device to get an IP address from a name, it must ask a resolver that either knows the answer, or knows how to find the answer. If your systems are configured to use your own server (and nothing else) for DNS resolution, then they should be able to find systems by name. But that doesn't scale if you are wanting to access these systems from outside of your own network.

When I do a simple test, I find that gob.cu doesn't appear to be a valid domain :

> $ dig +trace ftp.gtm.onat.gob.cu
>
> ; <<>> DiG 9.8.5-P1 <<>> +trace ftp.gtm.onat.gob.cu
> ;; global options: +cmd
> . 3600 IN NS FWDR-9.FWDR-6.FWDR-159.FWDR-212.
> . 3600 IN NS FWDR-10.FWDR-6.FWDR-159.FWDR-212.
> ;; Received 177 bytes from 192.168.1.254#53(192.168.1.254) in 26 ms
>
> cu. 584 IN NS cu.cctld.authdns.ripe.net.
> cu. 584 IN NS ns2.ceniai.net.cu.
> cu. 584 IN NS ns.dns.br.
> cu. 584 IN NS rip.psg.com.
> cu. 584 IN NS ns.ceniai.net.cu.
> cu. 584 IN NS ns2.gip.net.
> ;; Received 428 bytes from 212.159.6.9#53(FWDR-9.FWDR-6.FWDR-159.FWDR-212) in 996 ms
>
> cu. 3600 IN SOA ns.ceniai.net.cu. cu-tech.ceniai.inf.cu. 2017102701 3600 1800 1209600 3600
> ;; Received 106 bytes from 204.59.1.222#53(ns2.gip.net) in 22 ms


What this means is that my resolver went to the root servers and asked the question "what's the IP for ftp.gtm.onat.gob.cu ?" - and got the answer : "I don't know, but I can tell you that these DNS servers handle the .cu zone".
My resolver then went to one of these servers and asked the same question - and got the answer "we don't know anything about it". As a result, it's impossible to resolve anything ending in gob.cu because the DNS servers for .cu don't seem to know anything about it.

Thus, nothing will be able to resolve addresses unless they've been configured to use your DNS server.


>  See the test made from a municipal server.
>  When I try to connect to the FTP server on my network using the IP number the connection succeeds, but when I use the alias ftp.gtm.onat.gob.cu it never connects.
>
> C:\Windows\system32>ftp
> ftp> open 172.16.120.1
> Conectado a 172.16.120.1.
> 220 ONAT Guantanamo, FTP.
> Usuario (172.16.120.1:(none)): anonymous
> 331 Please specify the password.
> Contraseña:
> 230 Login successful.
> ftp>
>
> C:\Windows\system32>ftp
> ftp> open ftp.gtm.onat.gob.cu
> ftp>

OK, that's consistent with not being able to look up an address (I think, I'm not that familiar with Windows).

>  I tried an nslookup and (I guess) the answer is good.
>
> C:\Windows\system32>nslookup ftp.gtm.onat.gob.cu
> Servidor:  gtm08.cai.gtm.onat.gob.cu
> Address:  172.16.123.11
>
> Respuesta no autoritativa:
> Nombre:  gtmft.gtm.onat.gob.cu
> Address:  172.16.120.7
> Aliases:  ftp.gtm.onat.gob.cu

Bear in mind that nslookup may use different servers to what other components of the system are using - and hence may give different results. This is an area of Windows that I don't know much about.


 I know it is hard to believe, but I have no access from the Internet or to the Internet from my job. All my network is in a Private range of 172.16.x.x IPs.
 Any computer out of this range will access my network. For example the municipal network of X is in subnetwork 172.16.123.0/26, the municipal network for Y is in subnetwork 172.16.123.64/26 and so on.
  Is it possible to use the Shorewall firewall with this, just with Private IPs? No access from or to Public IPs.
 My network is in 192.168.41.0/24, the DMZ is in 192.168.14.0/24, the IP of the outside interface is 172.16.120.1, the router IP is 172.6.120.254 and all the networks that are going to access my services are between the 172.16.121.0/26 and 172.16.123.64/26 subnetworks.
 I configured a DMZ using Shorewall and it will serve just PCs that are using Private IPs but in different subnetworks. I have BIND with views for DNS. When PCs that are outside my network (192.164.41.0/24) try to access some services using a name or alias the communication is unsuccessful, but if they try using the IP the communication is successful.

Rommel
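
The reading of the `dig +trace` output given earlier in this thread can be automated. The following is an added example, not code from either poster or from the Shorewall project: it parses a trace and reports the deepest zone that was delegated and how the trace ended. The outcome labels and function names are assumptions of this example, and the sample is abridged from the output quoted above.

```python
import re

# Constructed sample: abridged from the dig +trace output quoted in the thread.
SAMPLE_TRACE = """\
. 3600 IN NS FWDR-9.FWDR-6.FWDR-159.FWDR-212.
;; Received 177 bytes from 192.168.1.254#53(192.168.1.254) in 26 ms

cu. 584 IN NS ns2.ceniai.net.cu.
cu. 584 IN NS ns2.gip.net.
;; Received 428 bytes from 212.159.6.9#53(FWDR-9.FWDR-6.FWDR-159.FWDR-212) in 996 ms

cu. 3600 IN SOA ns.ceniai.net.cu. cu-tech.ceniai.inf.cu. 2017102701 3600 1800 1209600 3600
;; Received 106 bytes from 204.59.1.222#53(ns2.gip.net) in 22 ms
"""

RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.+)$")
RECEIVED = re.compile(r"^;; Received \d+ bytes from \S+?#\d+\((\S+)\)")


def parse_trace(text):
    """Split dig +trace output into steps: one dict per answering server."""
    steps, records = [], []
    for line in text.splitlines():
        line = line.lstrip("> ").strip()  # tolerate e-mail quoting
        if m := RECEIVED.match(line):
            steps.append({"server": m.group(1), "records": records})
            records = []
        elif m := RECORD.match(line):
            records.append((m.group(1).lower(), m.group(2), m.group(3)))
    return steps


def diagnose(text, qname):
    """Report the deepest zone delegated and how the trace ended."""
    qname = qname.lower().rstrip(".") + "."
    result = {"deepest_zone": ".", "outcome": "incomplete", "last_server": None}
    for step in parse_trace(text):
        owners = {r[0] for r in step["records"]}
        types = {r[1] for r in step["records"]}
        result["last_server"] = step["server"]
        if qname in owners and types & {"A", "AAAA", "CNAME"}:
            result["outcome"] = "answered"
        elif "SOA" in types:   # server returned its own SOA: no such name or child zone
            result["outcome"] = "no-delegation"
        elif "NS" in types:    # referral one level further down the tree
            result["deepest_zone"] = max(owners, key=len)
            result["outcome"] = "referral"
    return result


if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE, "ftp.gtm.onat.gob.cu"))
```

Run against a trace taken from inside the private network, the same function shows whether the internal BIND view answers for the name or stops at the same point as the public `.cu` servers.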

  

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
