Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
#1  09-11-2005, 03:08 PM
Member, Registered: Aug 2005, Location: West Midlands, UK, Posts: 61
How come I can ping between machines, but not get internet?
I have a Debian machine connected by static IP to the internet via PPPoE. I also have a second machine (running Mac OS X) which is networked to it. I can ping between machines both ways, and even log on via SSH in both directions. Internet browsing works fine on the Debian box, but nada on the Mac. I have set up my DNS servers for my ISP on the Mac, and I have enabled IP forwarding and masquerading on the Debian machine (I think!). Turning off the firewall script (briefly) has no effect. Any suggestions?
#2  09-11-2005, 03:22 PM
Moderator, Registered: Nov 2004, Location: San Jose, CA, Distribution: Ubuntu, Posts: 8,505
Can you post your firewall script? Namely, make sure that you "echo 1 > /proc/sys/net/ipv4/ip_forward", "/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE" (change the source IPs as needed) and ALLOW somewhere on the FORWARD chain?
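The three things the reply above asks to verify (ip_forward, a source-NAT rule in POSTROUTING, an ACCEPT in FORWARD) can be checked mechanically rather than by eye. The script below is an added example, not something posted in this thread: a POSIX shell audit that works on the text of `iptables-save` plus the value of `/proc/sys/net/ipv4/ip_forward`, so it can be run on a dump copied off the gateway as well as on the live box. It also checks for the state-based ACCEPT that lets replies back through, since with `-P FORWARD DROP` an outbound-only rule lets packets out but drops every answer. The sample rulesets are constructed for the example; the 192.168.0.0/24, eth1 and ppp0 names follow the thread, and the function names are chosen here.

```shell
#!/bin/sh
# Added example (not code from the thread): audit a NAT gateway's rules
# for the three things the reply above asks about.  Works on the text of
# iptables-save plus the ip_forward sysctl value, so it can run on a
# dump copied off the box as well as on the live box.

# Print one table ("nat" or "filter") out of an iptables-save dump.
table_section() {   # $1 = table name, $2 = iptables-save text
    printf '%s\n' "$2" | awk -v hdr="*$1" '
        $0 == hdr   { p = 1; next }
        /^COMMIT/   { p = 0 }
        p'
}

# Check 1: "echo 1 > /proc/sys/net/ipv4/ip_forward" actually took effect.
forwarding_enabled() {   # $1 = contents of ip_forward
    [ "$1" = "1" ]
}

# Check 2: outbound packets get a public source address.  MASQUERADE and
# a static SNAT (as in the poster's script) both satisfy this.
has_source_nat() {   # $1 = iptables-save text
    table_section nat "$1" | grep -Eq -- '^-A POSTROUTING .*-j (MASQUERADE|SNAT)'
}

# Check 3a: LAN -> WAN packets are accepted in FORWARD.  A rule with no
# state match, or one whose state list includes NEW, counts; a rule that
# only accepts ESTABLISHED,RELATED opens nothing by itself.
has_forward_out() {   # $1 = iptables-save text
    table_section filter "$1" | awk '
        /^-A FORWARD .*-j ACCEPT/ && (!/--(ct)?state/ || /NEW/) { found = 1 }
        END { exit !found }'
}

# Check 3b: replies are let back in.  With "-P FORWARD DROP" the return
# path needs its own ACCEPT, normally via the conntrack state match.
has_forward_return() {   # $1 = iptables-save text
    table_section filter "$1" \
        | grep -Eq -- '^-A FORWARD .*--(ct)?state [A-Z,]*ESTABLISHED.*-j ACCEPT'
}

# Prints "OK", or "MISSING:" followed by the names of the failed checks.
audit_nat_gateway() {   # $1 = iptables-save text, $2 = ip_forward value
    missing=""
    forwarding_enabled "$2"  || missing="$missing ip_forward"
    has_source_nat "$1"      || missing="$missing source-nat"
    has_forward_out "$1"     || missing="$missing forward-out"
    has_forward_return "$1"  || missing="$missing forward-return"
    if [ -z "$missing" ]; then echo "OK"; else echo "MISSING:$missing"; fi
}

# Constructed sample: a complete gateway ruleset in iptables-save format,
# using the interface and network names from the thread.
GOOD_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -i ppp0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o ppp0 -j ACCEPT
COMMIT'

# The same ruleset with the NAT rule left out, and with the reply rule left out.
NO_NAT_RULES=$(printf '%s\n' "$GOOD_RULES" | grep -v MASQUERADE)
NO_RETURN_RULES=$(printf '%s\n' "$GOOD_RULES" | grep -v ESTABLISHED)

# On the gateway itself (as root):
#   audit_nat_gateway "$(iptables-save)" "$(cat /proc/sys/net/ipv4/ip_forward)"
```

Run as root on the gateway with the commented-out line at the bottom; anything other than `OK` names the missing piece. The check reads the kernel's view of the rules rather than the script that was supposed to load them, which is the point: a rule that failed to parse (a typo, a module that did not load) simply is not there.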
#3  09-11-2005, 03:44 PM
Member (Original Poster), Registered: Aug 2005, Location: West Midlands, UK, Posts: 61
Hi!
The firewall script follows - thanks for any help!
echo -e "\n\nSETTING UP IPTABLES FIREWALL..."
# Enter the designation for the Internal Interface's
INTIF="eth1"
# Enter the NETWORK address the Internal Interface is on
INTNET="192.168.0.0/24"
# Enter the IP address of the Internal Interface
INTIP="192.168.0.1/24"
# Enter the external interface's designation for the
# EXTIF variable:
EXTIF="ppp0"
EXTIP="83.217.***.***"
echo "Loading required stateful/NAT kernel modules..."
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
echo " Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " External interface: $EXTIF"
echo " External interface IP address is: $EXTIP"
echo " Loading firewall server rules..."
UNIVERSE="0.0.0.0/0"
# Clear any existing rules and setting default policy to DROP
iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -F -t nat
# Flush the user chain.. if it exists
if [ "`iptables -L | grep drop-and-log-it`" ]; then
iptables -F drop-and-log-it
fi
# Delete all User-specified chains
iptables -X
# Reset all IPTABLES counters
iptables -Z
# Creating a DROP chain
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-level info
iptables -A drop-and-log-it -j REJECT
echo -e " - Loading INPUT rulesets"
# loopback interfaces are valid.
iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interface, local machines, going anywhere is valid
iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
# remote interface, claiming to be local machines, IP spoofing, get lost
iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
# remote interface, any source, going to permanent PPP address is valid
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
# Allow any related traffic coming back to the MASQ server in
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
# Catch all rule, all other incoming is denied and logged.
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading OUTPUT rulesets"
# loopback interface is valid.
iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interfaces, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
# local interface, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
# outgoing to local net on remote interface, stuffed routing, deny
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
# anything else outgoing on remote interface is valid
iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
# Catch all rule, all other outgoing is denied and logged.
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading FORWARD rulesets"
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -jACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Catch all rule, all other forwarding is denied and logged.
iptables -A FORWARD -j drop-and-log-it
# Enable SNAT (MASQUERADE) functionality on $EXTIF
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
echo -e " Firewall server rule loading complete\n\n"
#4  09-11-2005, 03:54 PM
Moderator, Registered: Nov 2004, Location: San Jose, CA, Distribution: Ubuntu, Posts: 8,505
As an FYI, INTIP should just be 192.168.0.1. The /24 specifies a network. It's identical to the line for INTNET. Also, does your external IP never change? There should also be a space before ACCEPT in -jACCEPT. I'm not sure if that matters, but I've seen iptables be real picky about syntax before.
Does anything get logged?
#5  09-11-2005, 04:05 PM
Member (Original Poster), Registered: Aug 2005, Location: West Midlands, UK, Posts: 61
Making those changes doesn't seem to help.
Yes - I definitely have a fixed IP
It seems very strange - I can ping the Yahoo server, but not open the page! I don't think this is a Mac problem though. Just in case it makes a difference, the Mac is set with IP = 192.168.0.100, subnet 255.255.255.0, router 192.168.0.1 and my ISP's DNS numbers.
I'm not sure where any errors would be logged.
#6  09-11-2005, 04:20 PM
Moderator, Registered: Nov 2004, Location: San Jose, CA, Distribution: Ubuntu, Posts: 8,505
Somewhere in /var/log. It really depends on your installation.
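The poster's drop-and-log-it chain logs with `--log-level info` and no `--log-prefix`, so its entries land in the kernel log (on Debian typically /var/log/kern.log or /var/log/syslog) as bare `IN=... OUT=... SRC=... DST=...` lines with nothing to grep for except the `IN=` the LOG target always writes. The script below is an added example, not part of the thread: a POSIX shell summary of such lines by inbound interface, outbound interface, protocol and destination port, which is the quickest way to see whether the Mac's HTTP SYNs are the ones being rejected in FORWARD, as opposed to, say, its DNS queries. The log lines are constructed for the example (documentation addresses stand in for the real ones) and the function names are chosen here.

```shell
#!/bin/sh
# Added example (not code from the thread): summarise iptables LOG lines
# from a kernel log.  The poster's drop-and-log-it chain logs without a
# --log-prefix, so the only handle on its entries is the "IN=" that the
# LOG target always writes.

# Count logged packets by (IN, OUT, PROTO, DPT).  "-" stands for an empty
# value, e.g. OUT= on packets addressed to the gateway itself, or a
# missing DPT on ICMP.
summarize_drops() {   # $1 = log text
    printf '%s\n' "$1" | awk '
        / kernel: .*IN=/ {
            iif = "-"; oif = "-"; proto = "-"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue            # flags such as DF, SYN
                key = substr($i, 1, n - 1); val = substr($i, n + 1)
                if (val == "") val = "-"
                if (key == "IN")    iif   = val
                if (key == "OUT")   oif   = val
                if (key == "PROTO") proto = val
                if (key == "DPT")   dpt   = val
            }
            count[iif " " oif " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# How many logged packets match one (IN, OUT, PROTO, DPT) tuple; prints 0
# when there are none.
drop_count() {   # $1 = log text, $2 = IN, $3 = OUT, $4 = PROTO, $5 = DPT
    summarize_drops "$1" | awk -v want="$2 $3 $4 $5" '
        ($2 " " $3 " " $4 " " $5) == want { print $1; hit = 1 }
        END { if (!hit) print 0 }'
}

# Constructed sample in Debian syslog format: two HTTP SYNs from the Mac
# (192.168.0.100) rejected in FORWARD, one DNS query from it, one
# unsolicited probe arriving on ppp0, and an sshd line that must be ignored.
SAMPLE_LOG='Sep 11 16:05:01 gw kernel: IN=eth1 OUT=ppp0 SRC=192.168.0.100 DST=198.51.100.10 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=12001 DF PROTO=TCP SPT=49152 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 11 16:05:04 gw kernel: IN=eth1 OUT=ppp0 SRC=192.168.0.100 DST=198.51.100.10 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=12002 DF PROTO=TCP SPT=49152 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 11 16:05:05 gw kernel: IN=eth1 OUT=ppp0 SRC=192.168.0.100 DST=198.51.100.53 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=12003 DF PROTO=UDP SPT=50001 DPT=53 LEN=41
Sep 11 16:05:10 gw kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=999 PROTO=TCP SPT=3333 DPT=135 WINDOW=512 RES=0x00 SYN URGP=0
Sep 11 16:05:12 gw sshd[1234]: Accepted publickey for admin from 192.168.0.100 port 50123 ssh2'

# On the gateway: summarize_drops "$(cat /var/log/kern.log)"
```

A line such as `2 eth1 ppp0 TCP 80` in the summary means the Mac's web traffic reached the gateway and was refused in FORWARD (LAN in, PPP out), which points at the FORWARD rules; a `ppp0 - ...` line is inbound traffic to the gateway itself and is unrelated to the Mac. Adding `--log-prefix "drop-and-log-it: "` to the LOG rule is worth doing anyway so the entries can be told apart from any other netfilter logging on the box.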