LinuxQuestions.org

Linux - Networking: Debian Squeeze NAT not working (http://www.linuxquestions.org/questions/linux-networking-3/debian-squeeze-nat-not-working-936268/)

newbie to linux 03-24-2012 08:43 PM

Debian Squeeze NAT not working
 
I have a small home network with mixed Linux and Windows computers, and I am trying to set up a Debian server (HP DL560 G1).

I have the following setup:
eth0: Internal network (10.0.0.1/8)
eth1: Physical interface for ppp0
ppp0: DHCP WAN

uname -a:
Code:

Linux main-server 2.6.32-5-686-bigmem #1 SMP Mon Jan 16 16:42:05 UTC 2012 i686 GNU/Linux

All latest updates installed

I have squidProxy running on port 3128 and currently providing access to the internet for the network. However, there are some issues with a proxy in general that create problems (Android doesn't support them without rooting, Flash doesn't necessarily support it, Windows won't remember passwords). I have Googled many different variations of 'configure nat debian squeeze' and tried nearly every tutorial and read through enormous amounts of documentation, and the server still won't provide NAT services. I use iptables for firewalling purposes, and wrote a script to set it up on every boot. The script is called from a custom init script.

Code:

#!/bin/bash
#Set up iptables for a fully functional server

#The external interface
export WAN="ppp0"

#The internal interface
export LAN="eth0"

#set the IP address of the...
export AdminMachine="10.0.2.1" #Remote Administration Machine
export AdminMachineBackup="10.0.2.60" #Backup machine for remote admin

export LocalMachine="10.0.0.1" #Local Machine

#Empty iptables' rule tables (filter table first, then nat)
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

#Enable packet forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

#allow ssh from admin machine
iptables -A INPUT -s $AdminMachine -d $LocalMachine -p tcp --dport 22 -j ACCEPT
#iptables -A INPUT -s $AdminMachine -d $LocalMachine -p tcp --dport 6011 -j ACCEPT
iptables -A INPUT -s $AdminMachineBackup -d $LocalMachine -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.0.2.2 -d $LocalMachine -p tcp --dport 22 -j ACCEPT

#Stateful rules: accept replies to connections conntrack already knows about
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $WAN -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

#Allow services to run
iptables -A INPUT -d $LocalMachine -p tcp --dport 80 -j ACCEPT  #HTTP/Apache
iptables -A INPUT -d $LocalMachine -p tcp --dport 81 -j ACCEPT #HTTP/Apache alt
iptables -A INPUT -d $LocalMachine -p tcp --dport 443 -j ACCEPT #SSL/Apache
iptables -A INPUT -d $LocalMachine -p tcp --dport 25 -j ACCEPT #SMTP (port 25 is mail, not FTP)
iptables -A INPUT -d $LocalMachine -p tcp --dport 3000 -j ACCEPT #ntop

iptables -A INPUT -d $LocalMachine -p tcp --dport 135 -j ACCEPT #Samba/TCP
iptables -A INPUT -d $LocalMachine -p udp --dport 137:138 -j ACCEPT #Samba/UDP
iptables -A INPUT -d $LocalMachine -p tcp --dport 139 -j ACCEPT #Samba/TCP
iptables -A INPUT -d $LocalMachine -p tcp --dport 445 -j ACCEPT #Samba TCP

iptables -A INPUT -d $LocalMachine -p tcp --dport 3389 -j ACCEPT #VBox RDP
iptables -A INPUT -d $LocalMachine -p tcp --dport 10000 -j ACCEPT #Webmin

iptables -A INPUT -d $LocalMachine -p tcp --dport 5901 -j ACCEPT #VNC

iptables -A INPUT -d $LocalMachine -p tcp --dport 9091 -j ACCEPT #Transmission
iptables -A INPUT -d $LocalMachine -p tcp --dport 873 -j ACCEPT #Rsync (for backuppc)

iptables -A INPUT -d $LocalMachine -p udp --dport 67 -j ACCEPT #DHCP

iptables -A INPUT -d $LocalMachine -p udp --dport 514 -j ACCEPT #Rsyslog
iptables -A INPUT -d $LocalMachine -p tcp --dport 514 -j ACCEPT #Rsyslog

iptables -A INPUT -d $LocalMachine -p udp --dport 69 -j ACCEPT #TFTPd
iptables -A INPUT -d $LocalMachine -p udp --dport 111 -j ACCEPT #RPC portmapper (needed by NFS)
iptables -A INPUT -d $LocalMachine -p tcp --dport 111 -j ACCEPT #RPC portmapper (needed by NFS)
iptables -A INPUT -d $LocalMachine -p udp --dport 2049 -j ACCEPT #NFS
iptables -A INPUT -d $LocalMachine -p tcp --dport 2049 -j ACCEPT #NFS

iptables -A INPUT -d $LocalMachine -p tcp --dport 3128 -j ACCEPT #Squid-Proxy

iptables -A INPUT -d $LocalMachine -p tcp --dport 943 -j ACCEPT #OpenVPN

#Allow all traffic from localhost
#(match on the loopback interface: real loopback traffic is 127.0.0.1 -> 127.0.0.1,
# so a rule with -s 127.0.0.1 -d $LocalMachine would never match it)
iptables -A INPUT -i lo -j ACCEPT

#Set up ip forwarding (LAN -> WAN is allowed; replies come back via the state rules above)
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables --table nat -A POSTROUTING --out-interface $WAN -j MASQUERADE

#Block Everything else
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP

#End the Script
exit 0

I can access the internet fine through squid, but when I disable the proxy in firefox it can't connect (tested google.ca).

Any ideas, help, or suggestions would be greatly appreciated. If more info is needed just let me know.

tech_soul8 03-25-2012 07:06 AM

Well, first of all, if you ask me, try to disable squid and flush all your rules ("iptables -F"), set the INPUT, FORWARD and OUTPUT chains to ACCEPT, add iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE and then try to connect from the Windows hosts to the internet. If it doesn't work, then check if iptable_nat is loaded in the kernel. To check, you can issue the following command: /sbin/lsmod |grep table. If everything works fine, then you should add your rules one by one and see what's causing the problem. I also recommend that you put a LOG target in each chain for all blocked traffic, so you can inspect in /var/log/messages and /var/log/syslog which traffic is blocked and then make rules for allowing it if it must pass through.

newbie to linux 03-25-2012 04:47 PM

I tried everything you suggested: iptable_nat is loaded, and using the LOG target doesn't generate anything that (to me anyways) indicates that I'm even trying to access the internet. I also tried shutting down Apache, as I wasn't sure if that would cause problems. Anyways, no luck. If the contents of /var/log/syslog would be useful, let me know and I'll post it. Also
Code:

cat /var/log/syslog | grep -i E0:CA:94:03:5A:A2 | grep -i ppp0 | wc -l
produced only
Code:

0
which would indicate that my computer E0:CA:94:03:5A:A2 wasn't trying to access the internet, would it not?

tech_soul8 03-26-2012 12:13 AM

Post the output of iptables -L. You can't access the internet from Debian, or just from the Windows clients on the local LAN, or both?

nikmit 03-26-2012 04:54 AM

If you are troubleshooting NAT, test it with ping rather than HTTP traffic, to avoid interference from any DNS/proxy errors.
Ping 4.2.2.2 and, if it doesn't work, do iptables -t nat -L -v and see if the masquerade rule is getting traffic.

Once you have ping connectivity, look at any proxy/dns issues on the client computers (was the proxy transparent?)
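The checks suggested in this thread (ip_forward set, iptable_nat loaded, the MASQUERADE rule actually counting packets in iptables -t nat -L -v) as an added, offline-testable shell example; this is not code from the thread, and the sample lsmod and nat-table listings are constructed so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example: turn the NAT troubleshooting steps from the thread into a
# small diagnosis function. Inputs are passed as text so it can be tested
# without privileges; on the real box feed it the live command output.

# Constructed sample data standing in for live `lsmod` and
# `iptables -t nat -L POSTROUTING -v -n` output.
SAMPLE_LSMOD='iptable_nat             4127  1
nf_nat                 14924  2 iptable_nat
iptable_filter          2258  1'
SAMPLE_NAT_IDLE='Chain POSTROUTING (policy ACCEPT 12 packets, 840 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0'
SAMPLE_NAT_BUSY='Chain POSTROUTING (policy ACCEPT 12 packets, 840 bytes)
 pkts bytes target     prot opt in     out     source               destination
   57  4788 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0'

# masq_pkts LISTING WAN: packet counter of the MASQUERADE rule whose
# out-interface is WAN, or -1 if no such rule exists.
masq_pkts() {
    printf '%s\n' "$1" | awk -v wan="$2" '
        $3 == "MASQUERADE" && $7 == wan { print $1; found = 1; exit }
        END { if (!found) print -1 }'
}

# nat_module_loaded LSMOD_OUTPUT: succeeds if iptable_nat is in the module list.
nat_module_loaded() {
    printf '%s\n' "$1" | awk '$1 == "iptable_nat" { ok = 1 } END { exit !ok }'
}

# nat_verdict IP_FORWARD LSMOD_OUTPUT NAT_LISTING WAN: one-word diagnosis,
# checked in the same order the thread suggests.
nat_verdict() {
    [ "$1" = "1" ] || { echo "forwarding-disabled"; return; }
    nat_module_loaded "$2" || { echo "nat-module-missing"; return; }
    pkts=$(masq_pkts "$3" "$4")
    [ "$pkts" != "-1" ] || { echo "no-masquerade-rule"; return; }
    # Zero counters with ping failing means packets never reach POSTROUTING:
    # look at FORWARD drops or routing; non-zero means NAT works and the
    # remaining problem is client-side (DNS/proxy), as happened in this thread.
    [ "$pkts" -gt 0 ] && echo "nat-working" || echo "masquerade-idle-check-forward-or-routing"
}

# Live use (needs root):
# nat_verdict "$(cat /proc/sys/net/ipv4/ip_forward)" "$(lsmod)" \
#   "$(iptables -t nat -L POSTROUTING -v -n)" ppp0
```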

newbie to linux 03-27-2012 07:20 PM

OK, I can ping if I give the IP address; however, I need to configure DNSmasq to provide DNS lookups (which are currently going to the server, but it is not providing any DNS services). So I am currently doing some research and will post back here soon.

newbie to linux 03-27-2012 09:48 PM

Success! DNSmasq is now successfully configured and I can access the internet without a proxy.

WizadNoNext 03-30-2012 11:31 AM

Obvious mistake.
A server without DNS? It seems to be a joke.

I have a server with:
BRouter (Bridge + router)
firewall (IP/IP6/ARP/EBtables)
DNS
DHCP
proxy
NTP
NFS
samba
(S)FTP(S) (working only as SFTP or FTPS, no plain FTP supported)
SSH (obvious)
some minor services.

For me this is the minimal set of services for a home server. Actually I have two exactly identical servers. One of them simply does not do firewalling, as it is a plain bridge. Both have their own IEEE802.11 Access Points with specific passphrases for specific MACs. I am planning to turn them into a small cluster, but that is not for now.
