I need help with the following network and router. Under emergency conditions, I received the following network. The router (Ubuntu) has two interfaces and a DNS function. The private address on the external interface (eth0) towards the ISP is 192.168.30.1. On the internal interface (eth1) the public address is 199.19.19.1. A web server, a mail server and a proxy for the LAN, all with public addresses, are connected to the internal interface via a switch. They all work fine and access the Internet. But there is a problem with the router itself. The first is the inability to update the OS: there is a problem with access to the Internet (both by IP and by domain name). The second is that when I try to transfer the current configuration to a new server with a new OS, the update also does not work on the router. There are also interruptions in the operation of the mail and web servers. Can you point me in the right direction?

       +------+     +---+ +---------+                     +-------------+                        
       |  +---+-----+--+| |         |                     |     MAIL    |                        
       |  |   |     +--++ |      +--v--+               +->| 199.19.19.3 |     +------+     +---+ 
       +--+---+ ISP    |  |  +---+-----+--+            |  +-------------+     |  +---+-----+--+| 
          |192.168.30.2|<-+  |192.168.30.1|            |  +-------------+     |  |   |     +--++ 
        +-+----+     +-+-+   |   |eth0 |  |     +----+ |  |     WEB     |     +--+---+ LAN    |  
        | |    |     | | |   +---+-----+--+  +->| SW |<+->| 199.19.19.5 |   +--->| 172.16.0.0 |  
        | +----+-----+-+ |   +---+-----+--+  |  +----+ |  +-------------+   |  +-+----+     +-+-+
        +------+     +---+   |199.19.19.1 |  |         |  +-------------+   |  | |    |     | | |
                             |   |eth1 |  |  |         |  |   FW/PROXY  |   |  | +----+-----+-+ |
                             +---+-----+--+  |         +->| 199.19.19.7 |<--+  +------+     +---+
                                 +--^--+     |            | 172.16.0.1  |                        
                                    |        |            +-------------+                        
                                    +--------+
eth0 
        address 192.168.30.1
        netmask 255.255.255.252
        network 192.168.30.0
        broadcast 192.168.30.3
        gateway 192.168.30.2
        
eth1
        address 199.19.19.1
        netmask 255.255.255.0
        network 199.19.19.0
        broadcast 199.19.19.255
net.ipv4.ip_forward = 1
$IPTABLES -t nat -A POSTROUTING -s 192.168.30.1 -p udp -o eth0 -j SNAT --to-source 199.19.19.1:500-32000
$IPTABLES -t nat -A POSTROUTING -s 192.168.30.1 -p tcp -o eth0 -j SNAT --to-source 199.19.19.1:500-32000
user@router:~$ route -n
Kernel IP routing table
Destination         Gateway             Genmask             Flags Metric Ref    Use Iface
0.0.0.0             192.168.30.2        0.0.0.0             UG      0      0    0   eth0
192.168.30.0        0.0.0.0             255.255.255.252     U       0      0    0   eth0
199.19.19.0         0.0.0.0             255.255.255.0       U       0      0    0   eth1
# Generated by iptables-save on Mon May 27 2024
*mangle
:PREROUTING ACCEPT [2132683301:1900993617199]
:INPUT ACCEPT [19422782:2045717234]
:FORWARD ACCEPT [2109778996:1898488943717]
:OUTPUT ACCEPT [20786896:2754611522]
:POSTROUTING ACCEPT [1910723398:1891518653389]
COMMIT
# Completed on Mon May 27 2024
# Generated by iptables-save on Mon May 27 2024
*nat
:PREROUTING ACCEPT [256095110:12779875964]
:INPUT ACCEPT [10302815:662157649]
:OUTPUT ACCEPT [7148261:566268264]
:POSTROUTING ACCEPT [22954184:1960080411]
-A POSTROUTING -s 192.168.30.1/32 -o eth0 -p udp -j SNAT --to-source 199.19.19.1:500-32000
-A POSTROUTING -s 192.168.30.1/32 -o eth0 -p tcp -j SNAT --to-source 199.19.19.1:500-32000
COMMIT
# Completed on Mon May 27 2024
# Generated by iptables-save on Mon May 27 2024
*filter
:INPUT ACCEPT [314:18395]
:FORWARD DROP [5324:224091]
:OUTPUT ACCEPT [663:69713]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 465 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 636 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 993 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 199.19.19.1/32 -p tcp -m tcp --dport 123 -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A FORWARD -s 199.19.19.1/32 -j ACCEPT
-A FORWARD -d 199.19.19.1/32 -j ACCEPT
-A FORWARD -s 199.19.19.3/32 -j ACCEPT
-A FORWARD -d 199.19.19.3/32 -j ACCEPT
-A FORWARD -s 199.19.19.5/32 -j ACCEPT
-A FORWARD -d 199.19.19.5/32 -j ACCEPT
-A FORWARD -s 199.19.19.7/32 -j ACCEPT
-A FORWARD -d 199.19.19.7/32 -j ACCEPT
-A FORWARD -s 192.168.30.1/32 -j ACCEPT
-A FORWARD -d 192.168.30.1/32 -j ACCEPT

-A FORWARD -s 199.19.19.0/24 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -s 199.19.19.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 199.19.19.0/24 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 199.19.19.0/24 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -s 199.19.19.0/24 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -s 199.19.19.0/24 -p tcp -m tcp --dport 113 -j ACCEPT
-A FORWARD -s 199.19.19.0/24 -p tcp -m tcp --dport 123 -j ACCEPT
-A FORWARD -s 199.19.19.0/24 -p tcp -m tcp --dport 143 -j ACCEPT
-A FORWARD -s 199.19.19.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 199.19.19.0/24 -p tcp -m tcp --dport 3264 -j ACCEPT
-A FORWARD -s 199.19.19.0/24 -p tcp -m tcp --dport 2802 -j ACCEPT
-A FORWARD -s 199.19.19.0/24 -p tcp -m tcp --dport 5190 -j ACCEPT
-A FORWARD -s 199.19.19.0/24 -p tcp -m tcp --dport 24554 -j ACCEPT
-A FORWARD -s 199.19.19.0/24 -p tcp -m tcp --dport 210 -j ACCEPT
-A FORWARD -s 199.19.19.0/24 -p tcp -m tcp --dport 2100 -j ACCEPT
-A FORWARD -s 199.19.19.0/24 -p tcp -m tcp --dport 7500 -j ACCEPT
-A FORWARD -s 199.19.19.0/24 -p tcp -m tcp --dport 4433 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -p udp -m udp --dport 2074 -j ACCEPT
-A FORWARD -p udp -m udp --dport 4000 -j ACCEPT
-A FORWARD -p udp -m udp --dport 7500 -j ACCEPT
-A FORWARD -d 199.19.19.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT
COMMIT

Command output: ping, tcptraceroute and mtr to host 1.1.1.1

router

ping and tcptraceroute - fail

mtr 
1. 199.19.142.1 
2. ???

web server

ping and tcptraceroute - destination reached

mtr
1. 199.19.19.5
2. 199.19.142.1 
… 
7. one.one.one.one 

Next time I'll use IP addresses from RFC 5737. Thanks to Chris Davies
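The following is an added illustration (not code from the poster or from any answer) that walks the router's own locally generated packets through the `route -n` table and the two `nat/POSTROUTING` SNAT rules exactly as quoted above, so you can see which source address each protocol leaves eth0 with. The addresses and rules are copied from the question; the packet samples are constructed. It only models what the quoted rules do; it does not claim this is the cause of the failure.

```python
"""Simulate the router's own outbound packets against the quoted route
table and SNAT rules.  Addresses come from the question; packets are
constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# nat/POSTROUTING rules as listed in iptables-save on the page:
# only UDP and TCP sourced from the eth0 address are rewritten.
SNAT_RULES = [
    {"src": "192.168.30.1/32", "out": "eth0", "proto": "udp", "to": "199.19.19.1"},
    {"src": "192.168.30.1/32", "out": "eth0", "proto": "tcp", "to": "199.19.19.1"},
]

# `route -n` output as (network, gateway, iface); longest prefix wins.
ROUTES = [
    ("0.0.0.0/0", "192.168.30.2", "eth0"),
    ("192.168.30.0/30", None, "eth0"),
    ("199.19.19.0/24", None, "eth1"),
]
IFACE_ADDR = {"eth0": "192.168.30.1", "eth1": "199.19.19.1"}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"


def route_lookup(dst):
    """Egress interface chosen by longest-prefix match."""
    best = max((r for r in ROUTES if ip_address(dst) in ip_network(r[0])),
               key=lambda r: ip_network(r[0]).prefixlen)
    return best[2]


def locally_generated(dst, proto):
    """Packet the router itself emits: source is the egress interface's
    own address, before any NAT is applied."""
    out = route_lookup(dst)
    return Packet(IFACE_ADDR[out], dst, proto), out


def apply_snat(pkt, out):
    """First matching POSTROUTING rule wins, as in iptables; no match
    means the packet leaves unchanged."""
    for r in SNAT_RULES:
        if (ip_address(pkt.src) in ip_network(r["src"])
                and r["out"] == out and r["proto"] == pkt.proto):
            return Packet(r["to"], pkt.dst, pkt.proto)
    return pkt


def egress_source(dst, proto):
    """Source address the ISP sees for the router's own traffic to dst."""
    pkt, out = locally_generated(dst, proto)
    return apply_snat(pkt, out).src


if __name__ == "__main__":
    for proto in ("tcp", "udp", "icmp"):
        print(proto, "to 1.1.1.1 leaves eth0 from", egress_source("1.1.1.1", proto))
```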
