Hi-

Here's my problem...

I have FC9 running Firefox 3 beta 5.
I have a Motorola DSL modem sitting behind a AirLink 101 wireline five port etherswitch, which hooks together my home network.
The IP address of the ethernet port on the DSL modem is 192.168.1.254 and of course that's my gateway.

I just can't seem to figure out how to get out to the internet through the DSL modem. I have an old RH9 466MHz computer that works okay, and I'm having to ssh -X to that machine to get my email and surf the web. I'm strongly suspecting that it's a firewall issue, and I'm having a tough time handling iptables and so forth.

I checked the following to no good end...
1. Hit the "similar threads" button, came up with 5 leads, all dead ends
2. Googled versions of "Firefox 3 Fedora 9 Address Not Found", all dead ends
3. Browsed the Security and Network tutorials on this web site. Found interesting stuff, but no solution to this.
4. Bought the "Fedora 9 Bible" by Chris Negus, which has tons of useful stuff, but no solution to this.
5. Tried all sorts of iptables web sites and tutorials, got nowhere

I've been fiddling with this for weeks, but no soap.

Before we get started, here, maybe someone can direct me to a really good tutorial that'll let me make some hay on this situation? It would also be really helpful if someone could give me the title of a really good book to buy about iptables and firewall configuration. Unfortunately for all of us, there's miscreants out there and sadly firewalling is a reality for everyone, me too. I need to learn more.

Okay, here's my ifconfig....

eth0 Link encap:Ethernet HWaddr 00:0C:6E:CC:47:B6
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:6eff:fecc:47b6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:757448 errors:0 dropped:0 overruns:0 frame:0
TX packets:546184 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:422126496 (402.5 MiB) TX bytes:196887801 (187.7 MiB)
Interrupt:19 Base address:0x8800

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:5688 errors:0 dropped:0 overruns:0 frame:0
TX packets:5688 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:373875 (365.1 KiB) TX bytes:373875 (365.1 KiB)

virbr0 Link encap:Ethernet HWaddr 16:BF:AB:52:B2:93
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
inet6 addr: fe80::14bf:abff:fe52:b293/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:73 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:8208 (8.0 KiB)

here's my route....
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
192.168.122.0 * 255.255.255.0 U 0 0 0 virbr0
link-local * 255.255.0.0 U 0 0 0 eth0
default 192.168.1.254 0.0.0.0 UG 0 0 0 eth0

here's my iptables dump.....
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT esp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ipp
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ipp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:nfs
ACCEPT udp -- anywhere anywhere state NEW udp dpt:nfs
ACCEPT tcp -- anywhere anywhere state NEW tcp dptop3s
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT udp -- anywhere anywhere state NEW udp dpt:sunrpc
ACCEPT udp -- anywhere anywhere state NEW udp dpt:nfs
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Given all this, can someone see what I'm doing wrong? I've tried turning off the firewall completely, and it does absolutely nothing for me. I can ping the DSL modem with no difficulty, so I'm able to reach it. I think my network is A-OK, but somehow, I just can't seem to get out onto the web.

Also, perhaps a second question....

I seem not to be able to NFS mount a local directory on any other machines in my home network. I followed the NFS mount tutorial in another part of LinuxQustions.org to the letter, and got the following error on the machine that attempted to mount the directory:

mount: RPC: Program unavailable

Likewise, I've been knocking myself out trying to figure out why this machine won't allow NFS mount, despite the fact that all the appropriate daemons seem to be running (as directed by your excellent tutorial), and the attempting machine is able to mount with other machines on the network.

I'm suspecting another firewall issue, and that's why I'm bringing it up here.

thanks for your consideration. I'm very open to suggestion as far as something to read. I suspect this is something simple that I'm just missing because I'm ignorant.

pjz

So... switch it off completely.

Should there be three gateways there? Compare with the RH9 box.

You just set ACCEPT for everything. But don't forget to flush and zero all chains first. Apart from that - policy ACCEPT is all you need on each chain. You don't need to explicitly set all actions to accept too.

Try the following script:
Though just switching it off will have the same effect.

Perhaps you need to check the router firewall as well. I doubt iptables is your problem.

perhaps RPC service is switched off?

Simon-

Thanks for getting back to me.

Here's what I get when I type ps -aux | grep rpc on the machine that has the directory I'd like to remote mount....

root 1644 0.0 0.0 0 0 ? S< Sep17 0:00 [rpciod/0]
root 1652 0.0 0.0 5884 416 ? Ss Sep17 0:00 rpc.idmapd
rpcuser 27966 0.0 0.1 2028 740 ? Ss 22:06 0:00 rpc.statd
root 27990 0.0 0.0 4104 252 ? Ss 22:06 0:00 rpc.rquotad
root 28004 0.0 0.0 2604 332 ? Ss 22:06 0:00 rpc.mountd
rpc 28881 0.0 0.1 2336 592 ? Ss 22:12 0:00 rpcbind
pjz 28923 0.0 0.1 4124 708 pts/1 S+ 22:16 0:00 grep rpc

it looks like rpc is up and running all right. The odd thing is that when I looked up this sort of failure on the web, it indicated a possible cause would be some problem with the portmap service. Upon further investigation, I've found that on later Fedora releases, portmap is folded into rpcbind. So, rpcbind is running A-OK it seems. Anyway, it seems that things are set up okay, but I still can't mount the directory onto another machine on the network.

BTW, there is no router in my (very) small home network. I've only got an ethernet switch, a couple of computers, and the DSL modem on the netowrk.

I'm going to try the script you sent me. Let's see if it gets me anywhere. I shut down the firewall from a GUI tool that came bundled with FC9. Maybe the tool is buggy?

pjz

In general, if things don't seem to work, don't trust the gui. If only because you don't know what the gui is hiding. If you type in the commands, the results are unambiguous. This is why we use CLI a lot.

Hmmm... DSL modem is on the switch.
If you have no router, then what is doing your NAT?

Hi Simon-

I'm assuming that NAT is done inside the DSL modem. For instance, I'd be shocked if I had a fixed IP address on the PSN side of the modem. But, I've got a fixed (192.168.1.254) address on the "home" side of the DSL modem. This leads me to believe NAT is done inside the DSL modem. It's a Motorola 2210 ADSL modem.

Let me try your script.....

pjz

Simon-

Just tried the script. After I run it, I "/sbin/iptables -L", and here's what I get...


Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Now, when I try to remote mount from the other machine, I get...

[pjz@jupiter ~]$ sudo mount -t nfs earth:/home/pjz /mnt/earth
Password:**************
mount to NFS server 'earth' failed.

obviously, I'm trying to mount a disk on earth to jupiter.

This is a different result than I was getting before, though I'm not home yet. I'm thinking that I might re-engage the firewall line by line to find out where the difference was made.

I don't suppose you might have a suggestion as to what I might try next? I suppose what I could do is disconnect the PSN by unplugging the DSL modem (since my firewall seems to be completely disabled), then again plow through the NFS mount tutorial, just to be sure I'm step-for-step correct. Who knows what got scrambled in the meantime since I last marched that tutorial?

pjz

Simon-

Disconnected the DSL modem (not so sure this had anything to do with anything, except I was hanging out there with no firewall), reran your script stripping out the firewall (just in case), then restarted NFS processes, and mounting worked like a champ. Conclusion: (a) the GUI firewall I/F isn't the best (b) the firewall was, indeed, the problem. Next steps for the mount issue.... put the firewall back together piece by piece until stuff fails, then look closer at it. I have another FC9 system that supports mounting A-OK... I'll probably copy the firewall (ie, iptables setup) from that one and go with it.

Still can't get to the web though. Vexing.
pjz

I thought you wanted internet access?
Have you tried connecting the modem direct to the computer?
Have you tried removing all hosts except the one we're investigating and rebooting everything (including modem)?

(a) I never trust a gui. On CLI you know what's happening.

(b) You can use your modem/router firewall between you and the internet. Do I understand that you want to firewall between LAN-side hosts?

Set policy DROP for all chains, then either open outgoing connections (with only established coming in) or explicitly accept only the ports you want to use.

Hello folks. I have a similar problem with my FC 9 sulphur. I use kppp as a dialer and it connects to the internet seamlessly. The problem is that I can't browse any pages. First of all, Firefox gets every time into offline mode when started. When brought back to the online mode, it doesn't help either. I have stopped iptable(service iptables stop and the result is OK) services, but to no avail. Can anyone of you help plz ? In fact I have another prob, that is of the X-server. It always boots in the 600X400 resolution. I have modified my /etc/X11/xorg.conf and again to no avail. If the video card isn't compatible, it would not have worked absolutely fine with the previous FC 6 installation I had.
I am wondering what might have gone wrong with the FC 9 installation that X is malfunctioning suddenly. Anyway, when I use the system-config-display, it doesn't provide me with a choice other than 600X400 in the drop down menu. So, no question of modifying the resolution from there either. What to do for eliminating this two problems ? I am looking forward eagerly to find some help.

Oh yeah ... try browsing without using firefox. Try w3m or anything else.
This will tell you if it is a firefox3 vs KDE4 problem maybe.
If you installed the gnome version - try that.

You need to put video issues in another thread.
Have a look at /etc/X11/xorg.conf, bet it's empty, and provide vga card line from lspci.

Try using OPERA for linux instad of firefox.

I tried fighting the same issue for days now...

I'm using htc-diamond as a cellular modem, connected to fc9 via bluetooth.
I managed to connect fc9 to the modem of the htc-diamond by adding a modem connection in the Network Device Control.

In the /var/log/messages I saw that everything connects fine, and on the shell, I got pings to any IP I tried, BUT Firefox (3) didn't show any pages and went into offline mode, no matter what I did.

SO, I installed Opera and - magic!! IT WORKS!

Hope this help..

Folks-

Found out what was the problem. Needed to start the named service. Once I did that, everything worked great. Invoked "chkconfig named on" to get it to turn on the DNS server.

I'm an occasional visitor to linuxquestions. The "thanked" option is new to me. I've gotten lots of really great suggestions over the years on this site, and I'd sure like to express my appreciation towards the people that do so. Too late for what's in the past, but going forward I'd sure like to be sure to recognize the very generous people who take the time to respond.

pjz