[JDEV] jabberd behind NAT fails s2s interoperation
Justin Georgeson
jgeorgeson at unboundtech.com
Wed Oct 2 16:01:32 CDT 2002
Yes, using the setup below, on a machine behind a NAT firewall, I can
talk to another jabberd I have outside the NAT firewall. I don't have
any special static routes or anything like that. In fact, I have even
had two jabberds, each behind a NAT firewall, in different data centers,
talk via s2s. The setup below is what I use on all my jabberd servers;
some are behind a NAT and some are not. The ones that are have a <host>
tag which resolves to the public IP of the NAT. The ones that aren't
have a <host> tag that resolves to the IP address of the server itself.
I've never had problems, and I can't think of anything else to suggest
other than verifying the NAT. Have you run tcpdump (or any sniffer) on
the jabberd to see if packets are being forwarded? Or on the NAT to see
that packets are reaching it which should go to the NAT? I once (well,
more than once, truth be told) forgot to enable ipv4 forwarding in the
kernel, so packets were reaching a box behind a NAT, but they couldn't
get back out.
Trent Melcher wrote:
> yes c2s behind a NAT firewall works fine, but have you gotten a s2s
> connection to work from behind a NAT firewall??
>
> Trent
>
> -----Original Message-----
> From: jdev-admin at jabber.org [mailto:jdev-admin at jabber.org] On Behalf Of
> Justin Georgeson
> Sent: Wednesday, October 02, 2002 2:59 PM
> To: jdev at jabber.org
> Subject: Re: [JDEV] jabberd behind NAT fails s2s interoperation
>
>
> My server behind a NAT is configured with the public FQDN in the <host>
> tag, and has <alias to='name'> in the c2s section. I don't ever bind to
> a specific IP address (<ip port='5222'/> binds to all available
> interfaces). The FQDN resolves to the public IP address, and I have port
> 5222, 5223, and 5269 forwarded to the jabber server. I guess the only
> thing left I can think of to check is if the NAT is actually working.
> For example, try to telnet to goof.com on port 5269 from outside the
> NAT. Also, can you see the public internet from the jabberd box (like
> browse the web and such)?
>
> matthew c. mead wrote:
>
>>I've still not been able to get this going.
>>
>>Is anyone else out there running a jabber server behind a nat
>>firewall and getting s2s to work with success?
>>
>>Thanks.
>>
>>
>>
>>-matt
>>
>>On Thu, Sep 26, 2002 at 01:55:20PM -0400, matthew c. mead wrote:
>>
>>
>>>I do not use the -h switch. I do have the following in
>>>jabber.xml as an element in the <service id="sessions"> element:
>>>
>>><host>goof.com</host>
>>>
>>>
>>>
>>>-matt
>>>
>>>On Thu, Sep 26, 2002 at 12:07:28PM -0500, Justin Georgeson wrote:
>>>
>>>
>>>>No, the receiving server does a dns lookup of the hostname given to find
>>>>the ip address to contact for verification. When you start jabber, do
>>>>you give it a -h flag? If so that value needs to resolve, via DNS to the
>>>>ip of your nat. If not, use the value of the <host> tag right after the
>>>>start of the <service id="sessions"> tag in jabber.xml. From what you
>>>>have said so far, you should be using goof.com as the <host>/-h value.
>>>>
>>>>matthew c. mead wrote:
>>>>
>>>>
>>>>>On Thu, Sep 26, 2002 at 04:58:51PM +0100, Richard Dobson wrote:
>>>>>
>>>>>
>>>>>
>>>>>>>Yeah, I found that one out by trying. I still don't see what's
>>>>>>>going wrong.
>>>>>>>
>>>>>>>Does dialback require that the ip address specified by the A
>>>>>>>record for the server name have a PTR which points back to the
>>>>>>>server name?
>>>>>>
>>>>>>No you do not need a PTR but the domain your server is claiming to be needs
>>>>>>to point to the machine you are trying to use.
>>>>>
>>>>>
>>>>>I have an A record for goof.com that points to a NAT box. That
>>>>>box forwards packets on the jabber ports to a box on my internal
>>>>>network that runs the jabber server.
>>>>>
>>>>>I do not have a PTR record for the ip address that points to the
>>>>>canonical name "goof.com."
>>>>>
>>>>>Given this, I can't figure out what's wrong. Does the dialback
>>>>>code pass the IP address of the interface to which it is bound to
>>>>>the remote server? If so, this could be the problem - in my
>>>>>case, it would be passing the internal ip address, rather than
>>>>>the external.
>>>>>
>>>>>Thanks for helping me eliminate the worry of needing a PTR
>>>>>record. My guess is what I've described above is happening.
>>>>>
>>>>>
>>>>>
>>>>>-matt
>>>>>
>>>>
>>>>--
>>>>Justin Georgeson
>>>>UnBound Technologies, Inc.
>>>>http://www.unboundtech.com
>>>>Main 713.329.9330
>>>>Fax 713.460.4051
>>>>Mobile 512.789.1962
>>>>
>>>>5295 Hollister Road
>>>>Houston, TX 77040
>>>>Real Applications using Real Wireless Intelligence(tm)
>>>>
>>>>_______________________________________________
>>>>jdev mailing list
>>>>jdev at jabber.org
>>>>http://mailman.jabber.org/listinfo/jdev
>>>>
>>>
>>>--
>>>matthew c. mead
>>>
>>>http://www.goof.com/~mmead/
>>>
>>
>>
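The thread's diagnosis boils down to one check: the name in the sessions service's <host> tag must resolve, from the outside, to the NAT's public address, and port 5269 must be forwarded to the jabberd box, because the remote server verifies a dialback key by resolving that name and connecting back to it. The script below is an added example, not code from the thread or from the jabberd project: it pulls <host> out of a jabber.xml fragment, resolves it, checks for the classic mistake of an A record holding the internal RFC 1918 address, and tries a TCP connect to 5269. The jabber.xml fragment is constructed and trimmed to the elements discussed here, the public address 203.0.113.10 is a documentation address, and the script name check_s2s.py is hypothetical. The resolver and connector are injectable so the logic can be exercised without a network.

```python
"""Check the s2s dialback prerequisites discussed in this thread.

When a remote jabberd verifies a dialback key it resolves the domain the local
server claims in <host> (under <service id="sessions">) and connects back to
that address on port 5269. Behind a NAT the name must therefore resolve to
the NAT's public address and 5269 must be forwarded to the jabberd box.
Run this from OUTSIDE the NAT, since that is the remote server's view.
"""
import ipaddress
import socket
import sys
import xml.etree.ElementTree as ET

S2S_PORT = 5269

# Constructed jabber.xml fragment (assumed shape, trimmed to the elements the
# thread talks about; not a complete jabberd configuration).
SAMPLE_JABBER_XML = """<jabber>
  <service id="sessions">
    <host>goof.com</host>
  </service>
  <service id="c2s">
    <pthcsock xmlns="jabber:config:pth-csock">
      <alias to="goof.com"/>
      <ip port="5222"/>
    </pthcsock>
  </service>
</jabber>"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True for private (RFC 1918) addresses, which remote servers cannot reach."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def claimed_host(jabber_xml):
    """Return the <host> value a remote server will resolve during dialback."""
    root = ET.fromstring(jabber_xml)
    for svc in root.iter("service"):
        if svc.get("id") == "sessions":
            host = svc.find("host")
            if host is not None and host.text and host.text.strip():
                return host.text.strip()
    raise ValueError('no <host> under <service id="sessions">')


def resolve_a(hostname):
    """Real resolver: all IPv4 addresses the name resolves to (sorted)."""
    try:
        infos = socket.getaddrinfo(hostname, S2S_PORT, socket.AF_INET,
                                   socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_reachable(ip, port, timeout=3.0):
    """Real connector: True if a TCP handshake to ip:port completes."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dialback_prereqs(jabber_xml, public_ip,
                           resolve=resolve_a, connect=tcp_reachable):
    """Return the claimed host, its addresses and a list of problems found.

    public_ip is the NAT's external address the A record is expected to hold.
    """
    host = claimed_host(jabber_xml)
    addrs = resolve(host)
    problems = []
    if not addrs:
        problems.append(f"{host} does not resolve; the remote server cannot "
                        f"connect back to verify the dialback key")
    elif public_ip not in addrs:
        problems.append(f"{host} resolves to {addrs}, not to the NAT "
                        f"public address {public_ip}")
    # An A record holding the internal address is the classic NAT mistake:
    # the remote server dials back to an unroutable host and gives up.
    if any(is_rfc1918(a) for a in addrs):
        problems.append(f"{host} has an A record pointing at a private "
                        f"address; remote servers cannot reach it")
    for addr in addrs:
        if not connect(addr, S2S_PORT):
            problems.append(f"{addr}:{S2S_PORT} not reachable; check the NAT "
                            f"port forward and kernel IP forwarding")
    return {"host": host, "addresses": addrs, "problems": problems}


if __name__ == "__main__":
    # Usage: python check_s2s.py /path/to/jabber.xml <nat-public-ip>
    if len(sys.argv) != 3:
        sys.exit(__doc__)
    with open(sys.argv[1], encoding="utf-8") as f:
        report = check_dialback_prereqs(f.read(), sys.argv[2])
    print(f"<host> = {report['host']} -> {report['addresses']}")
    for p in report["problems"]:
        print("PROBLEM:", p)
    print("ok" if not report["problems"] else "s2s dialback will fail")
```

The reachability probe is the scripted form of the "telnet to goof.com on port 5269 from outside the NAT" test suggested in the thread; if the name resolves correctly but the connect fails, the next place to look is the port forward and, as Justin notes, whether IPv4 forwarding is enabled on the NAT box.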