[Linux-sunucu] My DNS problem

---------


From: orcunyucel@phpmygallery.com
Date: Sat 29 Oct 2005 - 11:12:11 EEST


Hello,

I am currently receiving training on Linux and network administration at a
company in Northern Cyprus (KKTC), and I have a problem. I think my DNS
server is doing something wrong with name resolution. For example, a
colleague's computer at the company can get through the firewall and easily
reach the webmail running on the web server, reading and writing his mail,
but Outlook cannot connect. However, in Internet Explorer he uses the IP to
reach the webmail. Also, when the IP is entered in Outlook, it retrieves the
mail. The IP of the web, DNS and mail server behind the firewall is
192.168.0.100. Normally we use the 172.22.0.0/16 subnet at the company.
My firewall's IP is 172.22.2.61. The NAT in iptables is as follows:

#//NAT
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -d 172.22.2.61 -j DNAT --to-destination 192.168.0.100:80
$IPTABLES -t nat -A PREROUTING -p tcp --dport 53 -d 172.22.2.61 -j DNAT --to-destination 192.168.0.100:53
$IPTABLES -t nat -A PREROUTING -p tcp --dport 25 -d 172.22.2.61 -j DNAT --to-destination 192.168.0.100:25
$IPTABLES -t nat -A PREROUTING -p tcp --dport 110 -d 172.22.2.61 -j DNAT --to-destination 192.168.0.100:110
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.100 -j SNAT --to-source 172.22.2.61

Also, when I examine the logs, nothing is being dropped, because I configured
iptables so that packets that are to be dropped are also logged. And the
tcpdump output is as follows:

[root@OrcunFireWall /]# tcpdump host 172.22.2.61 and 172.22.2.172
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:53:44.750944 IP 172.22.2.172.1360 > 172.22.2.61.pop3: S 2989890782:2989890782(0) win 65535 <mss 1460,nop,nop,sackOK>
10:53:44.751869 arp who-has 172.22.2.172 tell 172.22.2.61
10:53:44.751965 arp reply 172.22.2.172 is-at 00:11:5b:7a:6f:29
10:53:44.751983 IP 172.22.2.61.pop3 > 172.22.2.172.1360: S 3936781303:3936781303(0) ack 2989890783 win 5840 <mss 1460,nop,nop,sackOK>
10:53:44.752095 IP 172.22.2.172.1360 > 172.22.2.61.pop3: . ack 1 win 65535
10:53:44.752540 IP 172.22.2.61.pop3 > 172.22.2.172.1360: P 1:19(18) ack 1 win 5840
10:53:44.965606 IP 172.22.2.172.1360 > 172.22.2.61.pop3: . ack 19 win 65517
10:53:44.965758 IP 172.22.2.61.pop3 > 172.22.2.172.1360: P 19:21(2) ack 1 win 5840
10:53:44.966733 IP 172.22.2.172.1360 > 172.22.2.61.pop3: P 1:16(15) ack 21 win 65515
10:53:44.966824 IP 172.22.2.61.pop3 > 172.22.2.172.1360: . ack 16 win 5840
10:53:44.966876 IP 172.22.2.61.pop3 > 172.22.2.172.1360: P 21:26(5) ack 16 win 5840
10:53:44.967273 IP 172.22.2.172.1360 > 172.22.2.61.pop3: P 16:29(13) ack 26 win 65510
10:53:44.971419 IP 172.22.2.61.pop3 > 172.22.2.172.1360: P 26:40(14) ack 29 win 5840
10:53:45.184332 IP 172.22.2.172.1360 > 172.22.2.61.pop3: . ack 40 win 65496
10:53:45.184484 IP 172.22.2.61.pop3 > 172.22.2.172.1360: P 40:42(2) ack 29 win 5840
10:53:45.185049 IP 172.22.2.172.1360 > 172.22.2.61.pop3: P 29:35(6) ack 42 win 65494
10:53:45.185191 IP 172.22.2.61.pop3 > 172.22.2.172.1360: P 42:51(9) ack 35 win 5840
10:53:45.186455 IP 172.22.2.172.1360 > 172.22.2.61.pop3: P 35:41(6) ack 51 win 65485
10:53:45.186551 IP 172.22.2.61.pop3 > 172.22.2.172.1360: P 51:69(18) ack 41 win 5840
10:53:45.186677 IP 172.22.2.61.pop3 > 172.22.2.172.1360: F 69:69(0) ack 41 win 5840
10:53:45.186690 IP 172.22.2.172.1360 > 172.22.2.61.pop3: F 41:41(0) ack 69 win 65467
10:53:45.186797 IP 172.22.2.172.1360 > 172.22.2.61.pop3: . ack 70 win 65467
10:53:45.186827 IP 172.22.2.61.pop3 > 172.22.2.172.1360: . ack 42 win 5840
11:03:36.001710 IP 172.22.2.172.1026 > 172.22.2.61.domain: 12776+ A? media.fastclick.net. (37)
11:03:36.001975 arp who-has 172.22.2.172 tell 172.22.2.61
11:03:36.002058 arp reply 172.22.2.172 is-at 00:11:5b:7a:6f:29
11:03:36.002072 IP 172.22.2.61 > 172.22.2.172: icmp 73: 172.22.2.61 udp port domain unreachable

172.22.2.61 is my firewall's IP, and 172.22.2.172 is the IP of a colleague
at the company who wants to fetch his mail with Outlook. The problem is that
I cannot deliver the mail.domain.dom and domain.dom domain names that I
registered on my DNS server. I would appreciate your help.

Regards,
Orcun Yucel

_______________________________________________
Linux-sunucu mailing list
Linux-sunucu@liste.linux.org.tr
http://liste.linux.org.tr/mailman/listinfo/linux-sunucu
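
An added example, not part of the original post: a Python cross-check of the posted DNAT rules against the posted capture, listing every (protocol, address, port) that the firewall rejected with ICMP port unreachable and that has no matching DNAT rule. The function names, the service-name table and the choice of three capture lines are assumptions made for this example.

```python
import re

# DNAT rules as posted (wrapped lines rejoined).
RULES = """\
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -d 172.22.2.61 -j DNAT --to-destination 192.168.0.100:80
$IPTABLES -t nat -A PREROUTING -p tcp --dport 53 -d 172.22.2.61 -j DNAT --to-destination 192.168.0.100:53
$IPTABLES -t nat -A PREROUTING -p tcp --dport 25 -d 172.22.2.61 -j DNAT --to-destination 192.168.0.100:25
$IPTABLES -t nat -A PREROUTING -p tcp --dport 110 -d 172.22.2.61 -j DNAT --to-destination 192.168.0.100:110
"""

# Three packets taken from the posted capture, one per line (selection made for this example).
CAPTURE = """\
10:53:44.750944 IP 172.22.2.172.1360 > 172.22.2.61.pop3: S 2989890782:2989890782(0) win 65535 <mss 1460,nop,nop,sackOK>
11:03:36.001710 IP 172.22.2.172.1026 > 172.22.2.61.domain: 12776+ A? media.fastclick.net. (37)
11:03:36.002072 IP 172.22.2.61 > 172.22.2.172: icmp 73: 172.22.2.61 udp port domain unreachable
"""

# Service names tcpdump prints in place of port numbers (assumed subset of /etc/services).
SERVICES = {"www": 80, "http": 80, "domain": 53, "smtp": 25, "pop3": 110}

def dnat_rules(text):
    """Return {(proto, dst_ip, dport)} for each DNAT rule in the text."""
    found = set()
    for line in text.splitlines():
        if "-j DNAT" not in line:
            continue
        proto = re.search(r"(?<!\S)-p (\w+)", line)
        dst = re.search(r"(?<!\S)-d (\S+)", line)
        port = re.search(r"--dport (\d+)", line)
        if proto and dst and port:
            found.add((proto.group(1), dst.group(1), int(port.group(1))))
    return found

def unreachable(text):
    """Return {(proto, ip, port)} for each ICMP 'port unreachable' line in the capture."""
    out = set()
    for ip, proto, svc in re.findall(r"icmp \d+: (\S+) (udp|tcp) port (\S+) unreachable", text):
        port = int(svc) if svc.isdigit() else SERVICES.get(svc)
        if port is not None:
            out.add((proto, ip, port))
    return out

def missing_forwards(rules_text, capture_text):
    """Rejected (proto, ip, port) tuples that no DNAT rule covers."""
    return sorted(unreachable(capture_text) - dnat_rules(rules_text))

if __name__ == "__main__":
    for proto, ip, port in missing_forwards(RULES, CAPTURE):
        print(f"no DNAT rule for {proto}/{port} on {ip}, but traffic to it was rejected")
```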



---------

This archive was generated by hypermail 2.1.2.