• Subject: RE: Overlays and page segments
  • From: "Joe Pluta" <joepluta@xxxxxxxxxxxxxxxxx>
  • Date: Sun, 21 Jan 2001 12:06:39 -0600
  • Importance: Normal

This is a cross-post.  I've posted it in a couple of other places, mostly
because I am completely baffled and have no idea where to turn.

Here's the issue:

I've got an AS/400 sitting behind a router. The router performs NAT for me,
but also does some port forwarding if I ask it nicely. For example, requests
to my realworld IP address on port 25 go to my Linux machine, which has an
internal address. I have a Linux box, a W2K workstation and an AS/400, all
sitting behind a router.

Let's say my addresses look like this:

Realworld IP: 63.64.65.66

Router: 10.10.10.101
Linux: 10.10.10.102
AS/400: 10.10.10.103
W2K WS: 10.10.10.104

Now, if I forward port 80 to the Linux box it works just fine. I do an HTTP
GET to my realworld IP, and up comes the welcome page from my Linux machine.
This is way cool. However, I can't seem to get it to map to the AS/400. I
can access the AS/400's HTTP server INTERNALLY just fine, by using my 10.
addressing. But it won't listen to the mapped request.

So I did a little sniffing, and found out something interesting. When my W2K
machine makes a request using the realworld IP, the following occurs on my
network:

10.10.10.104 --> 63.64.65.66 (initial request)
63.64.65.66 --> 10.10.10.102 (request forwarded to Linux box!)
10.10.10.102 --> 63.64.65.66 (response from Linux box to router)
63.64.65.66 --> 10.10.10.104 (response finally returned to me)

Notice how the router handles the port forwarding... it sends a request to
the destination device, but only after spoofing the source address to be the
realworld address of the router! I don't have the time to sit and think it
through; I'd think you would just leave the real source address in place, or
else pass the WAN address of the router (not the realworld address). I tried
picturing the possible combinations of multiple requests forwarded to
multiple devices through multiple IP addresses, and I started to get ill.

And regardless of the WHY, this is how it works. So, rather than try to
figure it out, I decided to go the next step. And that next step is to try
and figure out why the AS/400 wasn't responding. And pure and simple, the
AS/400 was ignoring those packets. Here's the trace:

10.10.10.104 --> 63.64.65.66 (initial request)
63.64.65.66 --> 10.10.10.103 (request forwarded to AS/400)
(delay)
10.10.10.104 --> 63.64.65.66 (initial request)
63.64.65.66 --> 10.10.10.103 (request forwarded to AS/400)
(delay)

That goes on until the browser times out. Remember, communications work fine
on the intranet, and if I watch the communications, it's fine:

10.10.10.104 --> 10.10.10.102 (request)
10.10.10.102 --> 10.10.10.104 (response)

So, the issue seems to be that the AS/400 doesn't want to communicate with
the external address. Now, where in the world is this configured? Due to a
different problem (which I'll outline when I get a chance), I did a
RMVTCPTBL TBL(*ALL), so that should have gotten rid of any latent IP
filtering. So where else is IP filtering defined? In the HTTP configuration?
In the line description? WHERE??!?!?!?

<sigh>

Thanks a million for listening to the frustrations of a beaten man... <wry
grin>.

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].