(?) A LAN Question

From santyx

Answered By Ben Okopnik, Karl-Heinz Herrman, John Karns, Jim Dennis, Matthias Posseldt

Hello Gang!!! Thanks and congratulations for your good work!!!

I'm Santiago (santyx), from San Rafael-Mendoza-Argentina. I don't speak English very well, but I hope you understand my question. I'm working in a LAN in my University and I've installed a Red Hat Linux 7.1 in my work station (puesto17). The LAN looks like this:

See attached map-university-network.txt

Where SANRAFAEL is a WINDOWS NT server for the 192.168.2.X subnet and CHARLY

is a SuSE LINUX server for the 192.168.1.X subnet. SANRAFAEL is connected to the Internet, and allowing all the work stations in the network to connect to the Internet too, with a proxy software. As you see, I don't have a direct connection to the Internet from puesto17. I can do "ping" to 192.168.1.X or 192.168.2.X, but I can't do "ping", for example, to http://www.argentina.com if I want. I can do "traceroute" to 192.168.1.X or 192.168.2.X, but I can't do "traceroute", for example, to http://www.hotmail.com if I want. I can do "ftp" to 192.168.1.X or 192.168.2.X, but I can't do "ftp", for example, to my ISP to upload web pages if I want. I can't connect to the News Servers in the Internet and I can't use my pop3 mail server from my work station. I can't go out of my network!!!

Which is the best way to change this? Can I change this from my Linux box? Or the only way is changing the things in the SANRAFAEL Server?

I really need a solution, specially for the FTP, since I'm working in a web site for my University.

Thanks in advance!!!. Santyx.

(!) [Ben] Hi, Santyx -
It sounds like SANRAFAEL is running a firewall that's blocking (at least) ports 7 (echo), 21 (ftp), 110 (pop), and 119 (nntp). Your system administrator would have to open those for you.
Another possibility, depending on how your proxy is set up, is that you might also be able to get out through that proxy. To do that, you'd have to define some environment variables:
# Most programs want this in lowercase, but there are some that want it
# capitalized!
export http_proxy=http://x.x.x.x:y
export HTTP_PROXY=http://x.x.x.x:y
export ftp_proxy=http://x.x.x.x:y
export FTP_PROXY=http://x.x.x.x:y
'x.x.x.x' is the IP address of the proxy; 'y' is the proxy port.
Note that the "http://" part of the proxy location stays the same even when you're defining an FTP proxy. Strange, but that's how it works.
Again, this is only a possibility; you'd have to discuss the setup with your system administrator to be sure.
(!) [K.-H.] If that NT box is only running a proxy service for http that's all you get. If on the other hand machines off sanrafael (IP probably 192.168.2.X ) have full access (including ping, outside pop accounts, ftp,...) the NT box seems to run a port-forwarding firewall ... or maybe merely ip masquerading... and you should basically be able to do the same -- IF the NT box is offering the service for 192.168.1.X.
What happens if you do all your tests from Charly? Charly probably also has no internet connection (besides the http proxy).
Also for ftp through firewall make sure you run ftp in "passive" mode. For ftp originally the server was opening a connection back to your client on a different port -- which usually fails for through firewalls (so might not fail with recent firewall port masquerading). On a "recent" *nix ftp client typing "passive" before trying to "ls" or get/put will do.
But I guess (like Ben) that the NT box is blocking you.
(!) [John K.] Do you have DNS referencing (i.e., etc/resolve.conf) setup on CHARLY? As K-H mentioned, it would seem that IP masquerading should be set up on CHARLY if it isn't already. You need to have the packets from the 192.168.2 subnet appear as 192.168.1 subnet packets to get the same treatment from the NT server for the .2 subnet as it gives to the .1 subnet.

(?) Hello Gang!!! Santyx again. Thanks for your answers about "A LAN Question" The net admin of my University made the changes in the sanrafael server, and now I can do telnet from my work station, but I can't do FTP. When I connect to sanrafael doing FTP from Linux the proxy answer well, the connection is done. But the commands don't answer and I got to kill the connection from another console. It doesn't happens from windows.

(!) [JimD] Try the same FTP connection using a web browser (even lynx, the venerable text-mode curses or w3m, a newer curses mode browser).
If that works than you probably have a problem with your firewall (or packet filters) that rejects "active" mode FTP connections.
In FTP the session you establish is a control channel, it's used to send your FTP client's commands (you say "get" and your client changes that to RETR, you say "ls" and your client sends 'LIST' or 'NLIST', or whatever). The response codes (numeric and text) are also returned on this control channel (which is on destination port 21 on the server from some unprivileged port on your client host).
In active FTP the FTP server attempts to create a data connection for each stream of data that you get. That includes each file that you fetch, of course. However it also includes connections for directory listings. The problem is that most firewalls and packet filters block inbound connections (from the FTP server back towards your client) on low numbered (privileged) ports.
With passive FTP the client specifies a non-privileged port (greater than 1024) for the data channels. The back channel is still inbound from the server back to the client. The difference is that the client specificies an available port (by sending a PORT command over the control connection). That works with most packet filter configurations and firewalls. However, it won't necessarily work with all of them.
In most FTP clients you can set passive mode by typing a command like "quote pasv" (in ncftp you can use the command "set passive").
If a web browser works using an ftp://.... url, then passive mode from your FTP client should work as well. Most web browsers default to passive mode. If passive mode doesn't work, then you may need to use a proxy system. I won't go into details on those --- you'd be best checking with your local system/network administrator if you think you need that.
Occasionally I've found other causes for the situation you describe. However, they are much less likely. In one case I found that it was related to MTU (maximum transmission units). Web and other traffic would work, but FTP data connections would fail (apparently because it was more likely to use maximum sized packets --- due to its socket options).
I doubt you'll encounter this sort of problem.

(?) I got another question. It's about GNU Grub. I've installed the 0.92 version to load win98 and Red Hat Linux 7.1 Everithing goes O.K, but I want to make a graphic menu and I can't. I put the following line in the menu.lst to show a graphic file


Where (hd0,1) is the Linux partition and /boot/grub/fun.xpm.gz is the path of the graphic file. The image is 640x480, 4 colors.

But nothig happens. How can I make my own menu for Grub?

Thanks again. santyx

(!) [Matthias] RedHat'S GRUB version has a splashimage patch applied. It can read XPM's and display them. The patch and a vga-16 patch are available on the net for GRUB 0.91, but not part of the standard GRUB package. So you have to hunt down a patch for 0.92, apply and rebuild.

Copyright © 2002
Copying license http://www.linuxgazette.net/copying.html
Published in Issue 83 of Linux Gazette, October 2002

[ Table Of Contents ][ Answer Guy Current Index ] greetings   Meet the Gang   1   2   3   4   5   6 [ Index of Past Answers ]