LinuxQuestions.org
#1  newbie to linux (LQ Newbie; Kitchener, ON Canada; Ubuntu 11.10 with KDE 4.7.4, Debian Squeeze on a server)  03-24-2012, 08:43 PM
Debian Squeeze NAT not working


I have a small home network with mixed Linux and Windows computers, and I am trying to set up a Debian server (HP DL560 G1).

I have the following setup:
eth0: Internal network (10.0.0.1/8)
eth1: Physical interface for ppp0
ppp0: DHCP WAN

uname -a:
Code:
Linux main-server 2.6.32-5-686-bigmem #1 SMP Mon Jan 16 16:42:05 UTC 2012 i686 GNU/Linux
All latest updates installed

I have a Squid proxy running on port 3128 and currently providing access to the internet for the network. However, there are some issues with a proxy in general that create problems (Android doesn't support them without rooting, Flash doesn't necessarily support it, Windows won't remember passwords). I have Googled many different variations of 'configure nat debian squeeze' and tried nearly every tutorial and read through enormous amounts of documentation, and the server still won't provide NAT services. I use iptables for firewalling purposes, and wrote a script to set it up on every boot. The script is called from a custom init script.

Code:
#!/bin/bash
#Set up iptables for a fully functional server

#The external interface
export WAN="ppp0"

#The internal interface
export LAN="eth0"

#set the IP address of the...
export AdminMachine="10.0.2.1" #Remote Administration Machine
export AdminMachineBackup="10.0.2.60" #Backup machine for remote admin

export LocalMachine="10.0.0.1" #Local Machine

#Empty iptable's rule tables
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

#Enable packet forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

#allow ssh from admin machine
iptables -A INPUT -s $AdminMachine -d $LocalMachine -p tcp --dport 22 -j ACCEPT
#iptables -A INPUT -s $AdminMachine -d $LocalMachine -p tcp --dport 6011 -j ACCEPT
iptables -A INPUT -s $AdminMachineBackup -d $LocalMachine -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.0.2.2 -d $LocalMachine -p tcp --dport 22 -j ACCEPT

#set up TCP handshake
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $WAN -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

#Allow services to run
iptables -A INPUT -d $LocalMachine -p tcp --dport 80 -j ACCEPT  #HTTP/Apache
iptables -A INPUT -d $LocalMachine -p tcp --dport 81 -j ACCEPT #HTTP/Apache alt
iptables -A INPUT -d $LocalMachine -p tcp --dport 443 -j ACCEPT #SSL/Apache
iptables -A INPUT -d $LocalMachine -p tcp --dport 25 -j ACCEPT #SMTP (port 25 is SMTP; the original comment said FTP, whose control port is 21)
iptables -A INPUT -d $LocalMachine -p tcp --dport 3000 -j ACCEPT #ntop

iptables -A INPUT -d $LocalMachine -p tcp --dport 135 -j ACCEPT #Samba/TCP
iptables -A INPUT -d $LocalMachine -p udp --dport 137:138 -j ACCEPT #Samba/UDP
iptables -A INPUT -d $LocalMachine -p tcp --dport 139 -j ACCEPT #Samba/TCP
iptables -A INPUT -d $LocalMachine -p tcp --dport 445 -j ACCEPT #Samba TCP

iptables -A INPUT -d $LocalMachine -p tcp --dport 3389 -j ACCEPT #VBox RDP
iptables -A INPUT -d $LocalMachine -p tcp --dport 10000 -j ACCEPT #Webmin

iptables -A INPUT -d $LocalMachine -p tcp --dport 5901 -j ACCEPT #VNC

iptables -A INPUT -d $LocalMachine -p tcp --dport 9091 -j ACCEPT #Transmission
iptables -A INPUT -d $LocalMachine -p tcp --dport 873 -j ACCEPT #Rsync (for backuppc)

iptables -A INPUT -d $LocalMachine -p udp --dport 67 -j ACCEPT #DHCP

iptables -A INPUT -d $LocalMachine -p udp --dport 514 -j ACCEPT #Rsyslog
iptables -A INPUT -d $LocalMachine -p tcp --dport 514 -j ACCEPT #Rsyslog

iptables -A INPUT -d $LocalMachine -p udp --dport 69 -j ACCEPT #TFTPd
iptables -A INPUT -d $LocalMachine -p udp --dport 111 -j ACCEPT #RPC portmapper (needed by NFS)
iptables -A INPUT -d $LocalMachine -p tcp --dport 111 -j ACCEPT #RPC portmapper (needed by NFS)
iptables -A INPUT -d $LocalMachine -p udp --dport 2049 -j ACCEPT #NFS
iptables -A INPUT -d $LocalMachine -p tcp --dport 2049 -j ACCEPT #NFS

iptables -A INPUT -d $LocalMachine -p tcp --dport 3128 -j ACCEPT #Squid-Proxy

iptables -A INPUT -d $LocalMachine -p tcp --dport 943 -j ACCEPT #OpenVPN Access Server web UI (the VPN tunnel itself defaults to 1194/udp)

#Allow all traffic on the loopback interface. The original rule "-s 127.0.0.1 -d $LocalMachine"
#never matched, because loopback traffic is addressed to 127.0.0.1, not to the LAN address,
#so new local connections were falling through to the final DROP.
iptables -A INPUT -i lo -j ACCEPT

#Set up ip forwarding
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables --table nat -A POSTROUTING --out-interface $WAN -j MASQUERADE

#Block Everything else
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP

#End the Script
exit 0
I can access the internet fine through Squid, but when I disable the proxy in Firefox it can't connect (tested google.ca).

Any ideas, help, or suggestions would be greatly appreciated. If more info is needed just let me know.
 
#2  tech_soul8 (Member)  03-25-2012, 07:06 AM
Well, first of all, if you ask me, try to disable squid and try to flush all your rules ("iptables -F"), set the INPUT, FORWARD, OUTPUT chains to ACCEPT and add iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE, and then try to connect from the win hosts to the internet. If it doesn't work, then check if iptable_nat is loaded in the kernel. To check you can issue the following command: /sbin/lsmod | grep table. If everything works fine, then you should add your rules one by one and see what's causing the problem. I also recommend that you put in each chain a LOG target for all blocked traffic so you can inspect in /var/log/messages and /var/log/syslog which traffic is blocked and then make rules for allowing it if it must pass through.
 
#3  newbie to linux (Original Poster)  03-25-2012, 04:47 PM
I tried everything you suggested, iptable_nat is loaded, and using the LOG target doesn't generate anything that (to me anyways) indicates that I'm even trying to access the internet. I also tried shutting down Apache as I wasn't sure if that would cause problems. Anyways, no luck. If the contents of /var/log/syslog would be useful, let me know and I'll post it. Also
Code:
cat /var/log/syslog | grep -i E0:CA:94:03:5A:A2 | grep -i ppp0 | wc -l
produced only
Code:
0
which would indicate that my computer E0:CA:94:03:5A:A2 wasn't trying to access the internet, would it not?
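The LOG-and-inspect approach from post #2 and the syslog grep in post #3 both come down to reading the kernel's iptables LOG lines. The following Python is an added example, not code from the thread or from any poster: it parses such lines from a constructed syslog sample, counts logged packets by log prefix, input interface, protocol and destination port, and reports on which chain and interface pair a given LAN host's MAC address appears as the sender. The prefixes IPT-INPUT-DROP and IPT-FORWARD-DROP, the hostnames and all addresses are assumptions for the sample; they would come from LOG rules with `--log-prefix` placed just before each chain's final DROP. The MAC= field holds destination MAC, source MAC and ethertype as one colon-separated string, and is empty on a PPP link, which has no link-layer header, so a LAN host's MAC only turns up on lines whose IN= interface is the Ethernet side.

```python
import re
from collections import Counter

# Constructed sample of /var/log/syslog lines (not from the original thread).
# The log prefixes are assumed to come from rules such as
#   iptables -A INPUT   -j LOG --log-prefix "IPT-INPUT-DROP: "
#   iptables -A FORWARD -j LOG --log-prefix "IPT-FORWARD-DROP: "
# inserted just before each chain's final "-j DROP".
SAMPLE_SYSLOG = """\
Mar 25 07:06:01 main-server kernel: [ 1201.100000] IPT-INPUT-DROP: IN=eth0 OUT= MAC=00:1a:4b:00:00:01:e0:ca:94:03:5a:a2:08:00 SRC=10.0.2.1 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=UDP SPT=41522 DPT=53 LEN=40
Mar 25 07:06:01 main-server kernel: [ 1201.200000] IPT-INPUT-DROP: IN=eth0 OUT= MAC=00:1a:4b:00:00:01:e0:ca:94:03:5a:a2:08:00 SRC=10.0.2.1 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4322 DF PROTO=UDP SPT=41523 DPT=53 LEN=40
Mar 25 07:06:03 main-server kernel: [ 1203.000000] IPT-INPUT-DROP: IN=ppp0 OUT= MAC= SRC=198.51.100.77 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=55320 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 25 07:06:05 main-server kernel: [ 1205.000000] IPT-FORWARD-DROP: IN=ppp0 OUT=eth0 MAC= SRC=198.51.100.77 DST=10.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=55321 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 25 07:06:07 main-server sshd[2201]: Accepted publickey for admin from 10.0.2.1 port 50122 ssh2
Mar 25 07:06:09 main-server kernel: [ 1209.000000] IPT-FORWARD-DROP: IN=eth0 OUT=ppp0 MAC=00:1a:4b:00:00:01:e0:ca:94:03:5a:a2:08:00 SRC=10.0.2.1 DST=203.0.113.50 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=777 DF PROTO=TCP SPT=50201 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
"""

# "kernel: [ uptime] PREFIX: IN=..." ; the uptime stamp is optional because
# not every syslog configuration prints it.
KERNEL_LOG_RE = re.compile(
    r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>[^:]+?): (?P<fields>IN=.*)$"
)
# KEY=value tokens; bare flags such as DF or SYN carry no "=" and are skipped.
KV_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_iptables_log(text):
    """Return one dict per iptables LOG line: the log prefix plus its KEY=value fields."""
    records = []
    for line in text.splitlines():
        m = KERNEL_LOG_RE.search(line)
        if not m:
            continue  # not an iptables LOG line (e.g. the sshd message)
        rec = {"prefix": m.group("prefix")}
        for key, value in KV_RE.findall(m.group("fields")):
            rec.setdefault(key, value)  # LEN appears twice (IP, then UDP); keep the IP one
        records.append(rec)
    return records


def summarize_drops(records):
    """Count logged packets by (prefix, input interface, protocol, destination port)."""
    counts = Counter()
    for rec in records:
        key = (rec["prefix"], rec.get("IN", ""), rec.get("PROTO", "?"), rec.get("DPT", "-"))
        counts[key] += 1
    return counts


def where_mac_seen(records, mac):
    """Sorted list of (prefix, IN, OUT) on which `mac` was the sending MAC address.

    MAC= is "dst-mac:src-mac:ethertype", so octets 6..11 are the sender.  Lines
    logged on an interface without a link-layer header (ppp0) have an empty
    MAC= field and can never match.
    """
    want = mac.lower()
    seen = set()
    for rec in records:
        parts = rec.get("MAC", "").split(":")
        if len(parts) >= 12 and ":".join(parts[6:12]) == want:
            seen.add((rec["prefix"], rec.get("IN", ""), rec.get("OUT", "")))
    return sorted(seen)


if __name__ == "__main__":
    recs = parse_iptables_log(SAMPLE_SYSLOG)
    for key, n in summarize_drops(recs).most_common():
        print(n, *key)
    print(where_mac_seen(recs, "E0:CA:94:03:5A:A2"))
```

Run against the sample, the summary shows two DNS queries from the LAN host to the server's own port 53 being dropped in INPUT, which is precisely the kind of entry that points at the resolver problem this thread later settles on; the port 23 and port 445 probes arriving on ppp0 are the background noise a LOG rule on the DROP path will also record. The MAC lookup shows the laptop's address on IN=eth0 lines only, in both the INPUT chain and the eth0-to-ppp0 FORWARD line.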
 
#4  tech_soul8 (Member)  03-26-2012, 12:13 AM
Post the output of iptables -L. You can't access the internet from Debian, or just from the Windows clients on the local LAN, or both?

 
#5  nikmit (Member; Nottingham, UK; Debian)  03-26-2012, 04:54 AM
If you are troubleshooting NAT, test it with ping rather than http traffic, to avoid interference of any DNS/proxy errors.
Ping 4.2.2.2 and if it doesn't work do iptables -t nat -L -v and see if the masquerade rule is getting traffic.

Once you have ping connectivity, look at any proxy/dns issues on the client computers (was the proxy transparent?)
 
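nikmit's check is whether the MASQUERADE rule is actually seeing packets. The following Python is an added example, not code from the thread, that automates that check from captured command output: the value of /proc/sys/net/ipv4/ip_forward, `iptables -L FORWARD -v -n` and `iptables -t nat -L POSTROUTING -v -n`. The sample outputs, the interface names eth0/ppp0 and all counter values are constructed, as is the idle second sample that represents a box where nothing is being forwarded. When reading nat counters keep in mind that the nat table only sees the first packet of each connection, so a healthy MASQUERADE rule shows far fewer packets than the FORWARD rule carrying the same flows.

```python
import re

# Constructed sample output (not from the original thread).  The healthy
# set shows 5 connections (5 nat hits) carrying 37 forwarded packets.
SAMPLE_IP_FORWARD = "1\n"

SAMPLE_FILTER_FORWARD = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   840 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    9   612 ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   37  2220 ACCEPT     all  --  eth0   ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

SAMPLE_NAT_POSTROUTING = """\
Chain POSTROUTING (policy ACCEPT 3 packets, 228 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   300 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
"""

# Same rule set on a box where clients never send anything through it.
SAMPLE_FILTER_FORWARD_IDLE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

SAMPLE_NAT_POSTROUTING_IDLE = """\
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
"""

# One rule row of "iptables -L CHAIN -v -n": counters, target, proto, opt, in, out, src, dst, match text.
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+"
    r"(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)(?P<extra>.*)$"
)


def _count(text):
    """Convert an iptables -v counter such as '37', '12K' or '3M' to an int (suffixes are x1000)."""
    mult = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
    if text[-1] in mult:
        return int(text[:-1]) * mult[text[-1]]
    return int(text)


def parse_chain(text):
    """Parse 'iptables [-t table] -L CHAIN -v -n' output into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        if line.startswith("Chain ") or line.lstrip().startswith("pkts"):
            continue  # chain header and column header
        m = RULE_RE.match(line)
        if m:
            rule = m.groupdict()
            rule["pkts"] = _count(rule["pkts"])
            rule["bytes"] = _count(rule["bytes"])
            rule["extra"] = rule["extra"].strip()
            rules.append(rule)
    return rules


def _iface_matches(field, iface):
    # "*" (with -n) or "any" (without) means the rule does not restrict the interface.
    return field in ("*", "any", iface)


def diagnose_nat(ip_forward, forward_text, postrouting_text, lan, wan):
    """Return a list of problems found on the LAN->WAN NAT path; an empty list means it looks healthy."""
    problems = []
    if ip_forward.strip() != "1":
        problems.append("net.ipv4.ip_forward is not 1: the kernel will not route between %s and %s" % (lan, wan))

    # Rules that admit NEW lan->wan traffic; the RELATED,ESTABLISHED rules only count replies.
    fwd = [r for r in parse_chain(forward_text)
           if r["target"] == "ACCEPT" and _iface_matches(r["in"], lan)
           and _iface_matches(r["out"], wan) and "ESTABLISHED" not in r["extra"]]
    fwd_pkts = sum(r["pkts"] for r in fwd)
    if not fwd:
        problems.append("FORWARD has no ACCEPT rule for new %s -> %s traffic" % (lan, wan))
    elif fwd_pkts == 0:
        problems.append("FORWARD %s -> %s rule exists but has matched 0 packets: clients are not sending "
                        "via this host (check their default gateway)" % (lan, wan))

    masq = [r for r in parse_chain(postrouting_text)
            if r["target"] == "MASQUERADE" and _iface_matches(r["out"], wan)]
    if not masq:
        problems.append("nat POSTROUTING has no MASQUERADE rule for %s" % wan)
    elif sum(r["pkts"] for r in masq) == 0 and fwd_pkts > 0:
        problems.append("packets are forwarded but the MASQUERADE rule on %s has matched 0 packets "
                        "(check rule order and the out-interface name)" % wan)
    return problems


if __name__ == "__main__":
    print(diagnose_nat(SAMPLE_IP_FORWARD, SAMPLE_FILTER_FORWARD, SAMPLE_NAT_POSTROUTING, "eth0", "ppp0"))
    print(diagnose_nat("0\n", SAMPLE_FILTER_FORWARD_IDLE, SAMPLE_NAT_POSTROUTING_IDLE, "eth0", "ppp0"))
```

On a live box the three inputs would be read from the files and commands named above; the healthy sample yields an empty list, while the idle sample reports ip_forward being off and the lan-to-wan FORWARD rule never matching, which is the "ping 4.2.2.2 fails" situation. A forwarded-but-not-masqueraded result, the third finding the function can produce, is what a wrong interface name on the POSTROUTING rule looks like.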
#6  newbie to linux (Original Poster)  03-27-2012, 07:20 PM
OK, I can ping if I give the IP address; however, I need to configure DNSmasq to provide DNS lookups (which are currently going to the server, but it is not providing any DNS services). So I am currently doing some research and will post back here soon.
 
#7  newbie to linux (Original Poster)  03-27-2012, 09:48 PM
Success! DNSmasq is now successfully configured and I can access the internet without a proxy.
 
#8  WizadNoNext (Member)  03-30-2012, 11:31 AM
Obvious mistake.
Server without DNS? It seems to be a joke.

I have server with:
BRouter (Bridge + router)
firewall (IP/IP6/ARP/EBtables)
DNS
DHCP
proxy
NTP
NFS
samba
(S)FTP(S) (working only as SFTP or FTPS, no plain FTP supported)
SSH (obvious)
some minor services.

For me this is the minimal set of services for a home server. Actually I have two exactly identical servers. One of them simply does not do firewalling, as it is a plain bridge. Both have their own IEEE 802.11 access points with specific passphrases for specific MACs. I am planning to turn them into a small cluster, but that is not for now.
All times are GMT -5.