10-25-2006, 05:40 PM   #1
elementalvoid
CentOS router/firewall problem - local network works but router can't access Internet


Okay, I just replaced an old RHEL3 router/firewall with a CentOS 4.4 machine. I have since been unable to get to the Internet (any host/protocol/etc.) from the router/firewall box. All the clients in the local network and the VPN network can get out (via NAT).

I run an internal DNS/DHCP server separate from the router/firewall. I also run several web, ftp, external dns, etc servers inside the router that I DNAT/SNAT to the outside world. All of these work fine.

Every machine on the internal/vpn networks can access the outside world. The only machine that cannot is the router. DNS on the router works because it is using the internal DNS server but pings/traceroutes/whatevers don't work. It would seem to me that this is a gateway problem, but from what I see in my routing table everything looks good.

It is important to note that this exact same setup worked fine when running RHEL3.
Any help is appreciated. I would like to be able to download updates for this machine.

Let's start with a pretty drawing.
===================================
Internet
||
||
\/
ISP P2P
(xxx.xxx.209.9)
||
||
\/
(xxx.xxx.204.1)
Router/Firewall
(192.168.1.1)
||
|| ==> DMZ (xxx.xxx.204.62)
||
\/
Local Network (192.168.1.0/24)

The P2P connection is w1g1ppp.
The local network is connected to eth0.
The DMZ is connected to eth1.


Now a couple of configs on the router:

/etc/resolv.conf
=====================
search xxxxxxxxxxxxx.com
nameserver 192.168.1.102
nameserver 192.168.1.101

/etc/hosts
===============================
127.0.0.1 localhost.localdomain localhost

ifconfig (trimmed due to length)
=================================
eth0
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0

eth1
inet addr:xxx.xxx.204.61 Bcast:xxx.xxx.204.63 Mask:255.255.255.248

w1g1 Link encap:Point-to-Point Protocol
UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1

w1g1ppp Link encap:Point-to-Point Protocol
inet addr:xxx.xxx.204.1 P-t-P:xxx.xxx.209.10 Mask:255.255.255.252
UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1

iptables -> Smallest set of rules that gets internal computers to have access to the Internet. I took out all the DNAT/SNAT rules for security.
==================
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -s xxx.xxx.204.62 -i eth1 -j ACCEPT
-A INPUT -p udp -m udp --dport 0:1024 -j DROP
-A INPUT -p udp -m udp -j ACCEPT
-A INPUT -j DROP
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -j SNAT --to-source xxx.xxx.204.1

ip_forward
================
enabled (i.e. echo "1" > ....)

route
====================
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.11.2    *               255.255.255.255 UH    0      0        0 tun0
xxx.xxx.209.8   *               255.255.255.252 U     0      0        0 w1g1ppp
xxx.xxx.204.0   *               255.255.255.192 U     0      0        0 w1g1ppp
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.11.0    192.168.11.2    255.255.255.0   UG    0      0        0 tun0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         xxx.xxx.209.9   0.0.0.0         UG    0      0        0 w1g1ppp

 
12-08-2006, 05:16 PM   #2
ozymandias
Don't know if this'll help - I had a (maybe) similar problem. I could ping external IP addresses, but not get pages to appear in my browser. Try setting your MTU to less than 1500. 1492 seemed to work for me.

Regards,

Oz.
 
12-08-2006, 05:30 PM   #3
amitsharma_26
Leave the whole thing aside and tell me: are you able to ping any domain on the Internet by its IP?
Like pinging linuxquestions.org with
Code:
ping 64.179.4.146
?

 
12-11-2006, 10:34 AM   #4
elementalvoid
Original Poster
ozymandias: Thanks for the thought on switching the MTU. That wasn't the problem.

amitsharma_26: Nope, can't ping anything except the internal addresses. It doesn't matter whether it is by IP or by name (DNS resolution is working because I am using an internal host for that).

Thanks.
 
12-12-2006, 02:00 PM   #5
amitsharma_26
Quote:
Originally Posted by elementalvoid
Let's start with a pretty drawing.
===================================
Internet
||
||
\/
ISP P2P
(xxx.xxx.209.9)
||
||
\/
(xxx.xxx.204.1)
Router/Firewall
(192.168.1.1)
||
|| ==> DMZ (xxx.xxx.204.62)
||
\/
Local Network (192.168.1.0/24)

The P2P connection is w1g1ppp.
The local network is connected to eth0.
The DMZ is connected to eth1.


w1g1 Link encap:Point-to-Point Protocol
UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1

w1g1ppp Link encap:Point-to-Point Protocol
inet addr:xxx.xxx.204.1 P-t-P:xxx.xxx.209.10 Mask:255.255.255.252
UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1

iptables -> Smallest set of rules that gets internal computers to have access to the Internet. I took out all the DNAT/SNAT rules for security.
==================
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -s xxx.xxx.204.62 -i eth1 -j ACCEPT
-A INPUT -p udp -m udp --dport 0:1024 -j DROP
-A INPUT -p udp -m udp -j ACCEPT
-A INPUT -j DROP
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -j SNAT --to-source xxx.xxx.204.1
Add another rule to allow RELATED,ESTABLISHED packets back to YOU.
Code:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
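The fix in the reply above, as an added example that is not code from the thread: a complete ruleset for the router in post #1 in iptables-restore format, with the stateful rule placed where it has to be, plus a small check that can be run against any saved ruleset before loading it. Interface names and addresses come from the post (the xxx.xxx placeholders are kept, so substitute the real prefix before loading); the chain policies, the LOG rule and the nat-table layout are my assumptions, and no FORWARD rules are added because the post shows none.

```shell
#!/bin/sh
# Added example (not from the thread): corrected ruleset for the router in
# post #1, in iptables-restore format, plus a check for rule ordering.
# Assumptions: the chain policies, the LOG rule and the nat-table layout are
# mine; "xxx.xxx" placeholders are kept from the post and must be replaced
# before loading.

WAN=w1g1ppp
LAN=eth0
DMZ=eth1
LAN_NET=192.168.1.0/24
DMZ_HOST=xxx.xxx.204.62
WAN_ADDR=xxx.xxx.204.1

# The INPUT rules exactly as posted, wrapped in the table markers that
# iptables-restore needs. Kept for comparison.
posted_ruleset() {
cat <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -s xxx.xxx.204.62 -i eth1 -j ACCEPT
-A INPUT -p udp -m udp --dport 0:1024 -j DROP
-A INPUT -p udp -m udp -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Corrected ruleset. Lines starting with '#' are ignored by iptables-restore.
fixed_ruleset() {
cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections the router itself opened (yum, ping, DNS). Must be
# the first rule: a chain is evaluated top to bottom and stops at the first
# match, so the same rule appended after "-j DROP" would never be reached.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -j ACCEPT
-A INPUT -i $DMZ -s $DMZ_HOST -j ACCEPT
# Log (rate limited) before dropping, so the counters and syslog say why.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
-A INPUT -j DROP
# No FORWARD rules are shown in the post, so none are added here; it needs
# its own ESTABLISHED,RELATED rule and explicit accepts once DNAT returns.
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# The SNAT rule from the post lives in the nat table; bind it to the WAN side
# so LAN-to-DMZ traffic leaving eth1 is not rewritten.
-A POSTROUTING -o $WAN -s $LAN_NET -j SNAT --to-source $WAN_ADDR
COMMIT
EOF
}

# Exit 0 if the first stateful ACCEPT in INPUT precedes the first DROP in
# INPUT (or there is no DROP), 1 otherwise. Reads a ruleset on stdin.
input_state_rule_first() {
  awk '
    /^-A INPUT / && /--state ESTABLISHED,RELATED/ && /-j ACCEPT/ && !acc { acc = NR }
    /^-A INPUT / && /-j DROP/ && !drop { drop = NR }
    END { if (acc && (!drop || acc < drop)) exit 0; exit 1 }
  '
}

# On the router: fixed_ruleset > /etc/sysconfig/iptables
#                input_state_rule_first < /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
if posted_ruleset | input_state_rule_first; then
  echo "posted rules: ok"
else
  echo "posted rules: replies to the router's own traffic hit -j DROP"
fi
fixed_ruleset | input_state_rule_first && echo "fixed rules: ok"
```

The check is the point: iptables stops at the first matching rule, so appending the state rule after the existing `-A INPUT -j DROP` would change nothing. Once conntrack handles replies, the posted `-A INPUT -p udp -m udp -j ACCEPT`, which lets any host reach any UDP port above 1024 on the router, is no longer needed and is left out of the corrected set.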
12-12-2006, 03:28 PM   #6
elementalvoid
Original Poster
AWESOME.

Thanks! I really appreciate your help..
 
12-12-2006, 03:39 PM   #7
amitsharma_26
You are welcome.

Usually the way to troubleshoot such a problem is to watch the iptables packet counters (watch -n1 "iptables -nvL"). You would have noticed that the replies to all the packets going out were incrementing the counters of the -j DROP rule as they came back; you should then have checked those packets further to see the actual reason.
 
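The troubleshooting method in the reply above, as an added example that is not code from the thread: a script that snapshots `iptables -nvL -x` before and after the failing command and reports only the rules whose packet counters moved, which is easier to read than the whole table scrolling under `watch`. The two snapshots are constructed here to match the posted INPUT chain; the packet counts are made up, and the ping target is the address suggested earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): the counter check described above,
# automated. Snapshot `iptables -nvL -x` before and after the failing command
# and print only the rules whose packet counter moved. The two snapshots
# below are constructed to match the posted INPUT chain; the counts are
# made up for illustration.

# $1 = snapshot taken before, $2 = snapshot taken after.
diff_counters() {
  awk '
    FNR == 1 { nfile++ }
    /^Chain / { chain = $2; idx = 0; next }   # "Chain INPUT (policy ...)"
    /^ *pkts +bytes/ { next }                  # column header
    NF == 0 { next }
    {
      idx++                                    # rule position within the chain
      key = chain "#" idx
      if (nfile == 1) { before[key] = $1; next }
      if ($1 != before[key]) {
        rule = $0
        sub(/^ *[0-9]+ +[0-9]+ +/, "", rule)   # drop the pkts/bytes columns
        printf "%-8s rule %d: +%d pkts  %s\n", chain, idx, $1 - before[key], rule
      }
    }
  ' "$1" "$2"
}

# Constructed: counters on the posted INPUT chain just before and just after
# "ping -c 3 64.179.4.146" run on the router, with no ESTABLISHED,RELATED rule.
snapshot_before() {
cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      40      2880 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
     310     24800 ACCEPT     all  --  eth0   *       192.168.1.0/24       0.0.0.0/0
      12       960 ACCEPT     all  --  eth1   *       xxx.xxx.204.62       0.0.0.0/0
       5       400 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:0:1024
       9       720 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0
      17      1360 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 9021 packets, 6512330 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1180 packets, 99540 bytes)
    pkts      bytes target     prot opt in     out     source               destination
EOF
}

snapshot_after() {
cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      40      2880 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
     310     24800 ACCEPT     all  --  eth0   *       192.168.1.0/24       0.0.0.0/0
      12       960 ACCEPT     all  --  eth1   *       xxx.xxx.204.62       0.0.0.0/0
       5       400 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:0:1024
       9       720 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0
      20      1612 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 9021 packets, 6512330 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1183 packets, 99792 bytes)
    pkts      bytes target     prot opt in     out     source               destination
EOF
}

# Runs the diff over the constructed snapshots; the three echo replies show
# up as +3 on INPUT rule 6, the catch-all DROP.
demo() {
  before=$(mktemp) || return 1
  after=$(mktemp) || return 1
  snapshot_before > "$before"
  snapshot_after > "$after"
  diff_counters "$before" "$after"
  rm -f "$before" "$after"
}

# On the router: iptables -nvL -x > /tmp/before; ping -c 3 64.179.4.146; iptables -nvL -x > /tmp/after
#                diff_counters /tmp/before /tmp/after
demo
```

Matching rules by position assumes nothing was added or removed between the two snapshots. `-x` matters: without it `iptables -nvL` abbreviates large counters as `12K` and the numeric comparison breaks.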