LinuxQuestions.org

Linux - Networking: CentoOS router/firewall prob - local network works but router can't access Internet (http://www.linuxquestions.org/questions/linux-networking-3/centoos-router-firewall-prob-local-network-works-but-router-cant-access-internet-495556/)

elementalvoid 10-25-2006 05:40 PM

CentOS router/firewall prob - local network works but router can't access Internet
 
Okay, I just replaced an old RHEL3 router/firewall with a CentOS 4.4 machine. I have since been unable to get to the Internet (any host/protocol/etc) with the router/firewall box. All the clients in the local network and the VPN network can get out (via nat).

I run an internal DNS/DHCP server separate from the router/firewall. I also run several web, ftp, external dns, etc servers inside the router that I DNAT/SNAT to the outside world. All of these work fine.

Every machine on the internal/vpn networks can access the outside world. The only machine that cannot is the router. DNS on the router works because it is using the internal DNS server but pings/traceroutes/whatevers don't work. It would seem to me that this is a gateway problem, but from what I see in my routing table everything looks good.

It is important to note that this exact same setup worked fine when running RHEL3.
Any help is appreciated. I would like to be able to download updates for this machine.

Let's start with a pretty drawing.
===================================
Internet
||
||
\/
ISP P2P
(xxx.xxx.209.9)
||
||
\/
(xxx.xxx.204.1)
Router/Firewall
(192.168.1.1)
||
|| ==> DMZ (xxx.xxx.204.62)
||
\/
Local Network (192.168.1.0/24)

The P2P connection is w1g1ppp.
The local network is connected to eth0.
The DMZ is connected to eth1.


Now a couple of configs on the router:

/etc/resolv.conf
=====================
search xxxxxxxxxxxxx.com
nameserver 192.168.1.102
nameserver 192.168.1.101

/etc/hosts
===============================
127.0.0.1 localhost.localdomain localhost

ifconfig (trimmed due to length)
=================================
eth0
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0

eth1
inet addr:xxx.xxx.204.61 Bcast:xxx.xxx.204.63 Mask:255.255.255.248

w1g1 Link encap:Point-to-Point Protocol
UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1

w1g1ppp Link encap:Point-to-Point Protocol
inet addr:xxx.xxx.204.1 P-t-P:xxx.xxx.209.10 Mask:255.255.255.252
UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1

iptables -> Smallest set of rules that gets internal computers to have access to the Internet. I took out all the DNAT/SNAT rules for security.
==================
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -s xxx.xxx.204.62 -i eth1 -j ACCEPT
-A INPUT -p udp -m udp --dport 0:1024 -j DROP
-A INPUT -p udp -m udp -j ACCEPT
-A INPUT -j DROP
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -j SNAT --to-source xxx.xxx.204.1

ip_forward
================
enabled (i.e. echo "1" > ....)

route
====================
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.11.2 * 255.255.255.255 UH 0 0 0 tun0
xxx.xxx.209.8 * 255.255.255.252 U 0 0 0 w1g1ppp
xxx.xxx.204.0 * 255.255.255.192 U 0 0 0 w1g1ppp
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
192.168.11.0 192.168.11.2 255.255.255.0 UG 0 0 0 tun0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
default xxx.xxx.209.9 0.0.0.0 UG 0 0 0 w1g1ppp

ozymandias 12-08-2006 05:16 PM

Don't know if this'll help - I had a (maybe) similar problem. I could ping external ip addresses, but not get pages to appear on my browser. Try setting your MTU to less than 1500. 1492 seemed to work for me.

Regards,

Oz.

amitsharma_26 12-08-2006 05:30 PM

Leave the whole thing aside and tell me: are you able to ping any domain on the Internet by its IP?
Like pinging linuxquestions.org with
Code:

ping 64.179.4.146

?

elementalvoid 12-11-2006 10:34 AM

ozymandias: Thanks for the thought on switching the MTU. That wasn't the problem.

amitsharma_26: Nope, can't ping anything except the internal addresses. It doesn't matter whether it is by IP or by name (DNS resolution is working because I am using an internal host for that).

Thanks.

amitsharma_26 12-12-2006 02:00 PM

Quote:

Originally Posted by elementalvoid
Let's start with a pretty drawing.
===================================
Internet
||
||
\/
ISP P2P
(xxx.xxx.209.9)
||
||
\/
(xxx.xxx.204.1)
Router/Firewall
(192.168.1.1)
||
|| ==> DMZ (xxx.xxx.204.62)
||
\/
Local Network (192.168.1.0/24)

The P2P connection is w1g1ppp.
The local network is connected to eth0.
The DMZ is connected to eth1.


w1g1 Link encap:Point-to-Point Protocol
UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1

w1g1ppp Link encap:Point-to-Point Protocol
inet addr:xxx.xxx.204.1 P-t-P:xxx.xxx.209.10 Mask:255.255.255.252
UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1

iptables -> Smallest set of rules that gets internal computers to have access to the Internet. I took out all the DNAT/SNAT rules for security.
==================
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -s xxx.xxx.204.62 -i eth1 -j ACCEPT
-A INPUT -p udp -m udp --dport 0:1024 -j DROP
-A INPUT -p udp -m udp -j ACCEPT
-A INPUT -j DROP
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -j SNAT --to-source xxx.xxx.204.1

Add another rule to allow RELATED,ESTABLISHED packets back to YOU.
Code:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

elementalvoid 12-12-2006 03:28 PM

AWESOME.

Thanks! I really appreciate your help..

amitsharma_26 12-12-2006 03:39 PM

You are welcome.

Usually the way to troubleshoot such a problem is to watch the iptables packet counters (watch -n1 "iptables -nvL"). You would have noticed that all the packets going out were incrementing the counters of the -j DROP rule when they came back; you should then have checked those packets further to see the actual reason.
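Added example (not code from this thread): a small model of the INPUT chain from the original post with minimal connection tracking, showing why replies to the router's own traffic were dropped until the ESTABLISHED,RELATED rule from the fix above was added, and how the per-rule packet counters from the troubleshooting tip point straight at the DROP rule. The thread masks its public addresses as xxx.xxx.204.x; 203.0.113.x below is a constructed stand-in, and 64.179.4.146 is the ping target suggested earlier in the thread.

```python
# Toy model of the poster's INPUT chain plus a minimal conntrack table (constructed example).
# LAN clients never hit INPUT (their return traffic goes through FORWARD), which is why
# only the router itself was cut off.
from collections import Counter
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER_WAN = "203.0.113.1"    # constructed stand-in for xxx.xxx.204.1 (w1g1ppp)
DMZ_HOST = "203.0.113.62"     # constructed stand-in for xxx.xxx.204.62 (eth1)
TARGET = "64.179.4.146"       # ping target from the thread

def base_rules():
    """The INPUT chain exactly as posted, in order: (rule text, matcher, target)."""
    return [
        ("-A INPUT -i lo -j ACCEPT", lambda p, ct: p["iface"] == "lo", "ACCEPT"),
        ("-A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT",
         lambda p, ct: p["iface"] == "eth0" and ipaddress.ip_address(p["src"]) in LAN, "ACCEPT"),
        (f"-A INPUT -s {DMZ_HOST} -i eth1 -j ACCEPT",
         lambda p, ct: p["iface"] == "eth1" and p["src"] == DMZ_HOST, "ACCEPT"),
        ("-A INPUT -p udp --dport 0:1024 -j DROP",
         lambda p, ct: p["proto"] == "udp" and p["dport"] <= 1024, "DROP"),
        ("-A INPUT -p udp -j ACCEPT", lambda p, ct: p["proto"] == "udp", "ACCEPT"),
        ("-A INPUT -j DROP", lambda p, ct: True, "DROP"),
    ]

# The fix from the thread: a reply whose reversed (src, dst, proto) tuple is in conntrack
# is ESTABLISHED and gets accepted before the catch-all DROP.
STATE_RULE = ("-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
              lambda p, ct: (p["dst"], p["src"], p["proto"]) in ct, "ACCEPT")

def input_chain(pkt, rules, conntrack, counters):
    """Walk the chain top-down; the rule that decides the verdict gets its counter bumped."""
    for text, match, target in rules:
        if match(pkt, conntrack):
            counters[text] += 1
            return target
    return "ACCEPT"   # chain policy; the posted chain ends in an explicit DROP anyway

def ping_from_router(with_state_rule):
    """Router sends an ICMP echo to TARGET; return (verdict on the echo reply, counters)."""
    rules = base_rules()
    if with_state_rule:
        rules.insert(1, STATE_RULE)          # right after the lo rule, ahead of the DROPs
    conntrack, counters = set(), Counter()
    conntrack.add((ROUTER_WAN, TARGET, "icmp"))   # OUTPUT side: conntrack records the flow
    reply = {"iface": "w1g1ppp", "src": TARGET, "dst": ROUTER_WAN, "proto": "icmp", "dport": 0}
    return input_chain(reply, rules, conntrack, counters), counters

if __name__ == "__main__":
    for flag in (False, True):
        verdict, counters = ping_from_router(flag)
        print("with state rule" if flag else "as posted", "->", verdict, dict(counters))
```

Running it shows the echo reply landing on the "-A INPUT -j DROP" counter in the posted chain, which is exactly what watching iptables -nvL would have revealed, and on the state rule once it is added.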

