
Thursday, October 20, 2005

Re: Subnets in Subnet

Lars wrote on 16/10/2005 16:21:
> Matthew Palmer wrote:
>
>>>Works Fine For Me. Lots of things can cause various problems, though, but
>>>you really need to describe a lot better what you're trying to do, and what
>>>"isn't working" means in this context if you want useful help.
>
>
> My 2nd NIC has 3 IPs, 2 in the same net and the last net is for the
> print server. I skipped the 172.16.0.32/30 net, because experiences in
> the past tell me Debian doesn't work well with the first...

Still seems that you did something wrong then. It always worked as
expected for me.

> ----- /etc/network/interfaces --------------
> # ETH2 - proxy (172.16.0.0/27)
> iface eth2 inet static
> address 172.16.0.1
> netmask 255.255.255.224
> network 172.16.0.0
> broadcast 172.16.0.31
>
>
> # ETH2:1 - dns (172.16.0.0/27)
> iface eth2:1 inet static
> address 172.16.0.2
> netmask 255.255.255.224
> network 172.16.0.0
> broadcast 172.16.0.31
>
> # ETH2 - print (172.16.0.36/30)
> iface eth2:2 inet static
> address 172.16.0.37
> netmask 255.255.255.252
> network 172.16.0.36
> broadcast 172.16.0.39
> ----------------------------------------------
>
> The print server needs port 8000 and it is open; I even tried to set the
> firewall completely open.
>
> fw:~# iptables -L | grep '172.16.0.36/30'
> ACCEPT tcp -- 172.16.0.36/30 anywhere tcp dpt:domain
> ACCEPT tcp -- 172.16.0.36/30 anywhere tcp dpt:8000

I assume these are coming from the OUTPUT chain?

> I have of course checked cables etc...

You still didn't mention what exactly isn't working.

With the above, if you have some ACCEPT rule for established and related
connections, you should be able to connect to port 8000 of your
print server from your Debian machine. You would, however, not be able to
connect to it from other machines in your network unless they have a
network route for 172.16.0.36/30 set to the Debian machine and the
latter has IP forwarding enabled and you have matching accept rules in
the forward chain.
Also, for debugging, I always find it useful to allow ping packets to go
through.
And finally, are you sure you want tcp for the domain port? Normal DNS
lookups are done via udp packets to the same port.

cu,
sven

--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
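As an added example (not part of the thread, and not code from either poster): a small Python checker that parses the ifupdown stanzas quoted above, verifies that each stanza's address/netmask/network/broadcast values are self-consistent, flags subnets that overlap without being identical (the "subnet in subnet" case the thread title hints at), and reports whether a given client address would reach the print server directly or only through the Debian box, which is the routing case Sven describes (route for 172.16.0.36/30, IP forwarding, FORWARD-chain accepts). The client addresses and the extra broken stanza used for checking are constructed, not from the thread.

```python
"""Sanity-check ifupdown 'inet static' stanzas and the resulting subnet layout.

Added example; the INTERFACES text is the configuration quoted in the thread,
everything else (client addresses, broken stanza) is constructed here.
"""
import ipaddress

# Configuration quoted in the thread (ifupdown "iface <name> inet static" stanzas).
INTERFACES = """\
# ETH2 - proxy (172.16.0.0/27)
iface eth2 inet static
address 172.16.0.1
netmask 255.255.255.224
network 172.16.0.0
broadcast 172.16.0.31

# ETH2:1 - dns (172.16.0.0/27)
iface eth2:1 inet static
address 172.16.0.2
netmask 255.255.255.224
network 172.16.0.0
broadcast 172.16.0.31

# ETH2 - print (172.16.0.36/30)
iface eth2:2 inet static
address 172.16.0.37
netmask 255.255.255.252
network 172.16.0.36
broadcast 172.16.0.39
"""


def parse_stanzas(text):
    """Return one dict per 'iface' stanza: {'iface': name, 'method': ..., 'address': ..., ...}."""
    stanzas = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "iface":
            current = {"iface": parts[1], "method": parts[3] if len(parts) > 3 else None}
            stanzas.append(current)
        elif current is not None and len(parts) == 2:
            current[parts[0]] = parts[1]  # e.g. address / netmask / network / broadcast
    return stanzas


def _subnet(st):
    """ipaddress network for a stanza (IPv4Interface accepts a dotted netmask)."""
    return ipaddress.ip_interface(f"{st['address']}/{st['netmask']}").network


def check_stanza(st):
    """Return a list of problems in one static stanza; an empty list means consistent."""
    problems = []
    try:
        iface = ipaddress.ip_interface(f"{st['address']}/{st['netmask']}")
    except (KeyError, ValueError) as exc:
        return [f"{st.get('iface')}: cannot parse address/netmask ({exc})"]
    net = iface.network
    if "network" in st and ipaddress.ip_address(st["network"]) != net.network_address:
        problems.append(f"{st['iface']}: network {st['network']} should be {net.network_address}")
    if "broadcast" in st and ipaddress.ip_address(st["broadcast"]) != net.broadcast_address:
        problems.append(f"{st['iface']}: broadcast {st['broadcast']} should be {net.broadcast_address}")
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{st['iface']}: {iface.ip} is not a usable host address in {net}")
    return problems


def overlapping_subnets(stanzas):
    """Pairs of interface names whose subnets overlap but are not the same subnet.

    Aliases on one subnet (eth2 and eth2:1 both in 172.16.0.0/27) are fine;
    a /30 carved out of a /27 that is also configured would be reported.
    """
    nets = []
    for st in stanzas:
        try:
            nets.append((st["iface"], _subnet(st)))
        except (KeyError, ValueError):
            continue
    clashes = []
    for i, (a_name, a) in enumerate(nets):
        for b_name, b in nets[i + 1:]:
            if a != b and a.overlaps(b):
                clashes.append((a_name, b_name))
    return clashes


def path_to(client_ip, server_ip, server_netmask):
    """'direct' if the client sits in the server's subnet, else 'via-router'.

    'via-router' is the case from the reply: the client needs a route for the
    server's subnet pointing at the Debian box, which must forward and accept
    the traffic in its FORWARD chain.
    """
    net = ipaddress.ip_interface(f"{server_ip}/{server_netmask}").network
    return "direct" if ipaddress.ip_address(client_ip) in net else "via-router"


if __name__ == "__main__":
    parsed = parse_stanzas(INTERFACES)
    for st in parsed:
        print(st["iface"], _subnet(st), check_stanza(st) or "ok")
    print("overlaps:", overlapping_subnets(parsed) or "none")
    # constructed client addresses: one inside the /30, one in the /27
    print("172.16.0.38 ->", path_to("172.16.0.38", "172.16.0.37", "255.255.255.252"))
    print("172.16.0.5  ->", path_to("172.16.0.5", "172.16.0.37", "255.255.255.252"))
```

Run against the quoted configuration it reports all three stanzas as consistent and no overlapping subnets, so the "subnet in subnet" layout itself is not the fault; a host in 172.16.0.0/27 is then shown as reaching the print server only via the router, which is exactly the routing and FORWARD-chain condition the reply spells out.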
