LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices



Reply
 
Search this Thread
Old 09-11-2005, 04:08 PM   #1
ozymandias
Member
 
Registered: Aug 2005
Location: West Midlands, UK
Posts: 61

Rep: Reputation: 15
How come I can ping between machines, but not get internet?


I have a Debian machine connected by static IP to the internet via PPPOE. I also have a second machine (running Mac OSX) which is networked to it. I can ping between machines both ways, and even log on via SSH in both direction. Internet browsing works fine on the debian box, but nada on the Mac. I have set up my DNS servers for my ISP on the Mac, and I have enabled IP forwarding and masquerading on the Debian machine (I think!). Turning off the firewall script (briefly) has no effect. Any suggestions?
 
Old 09-11-2005, 04:22 PM   #2
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118Reputation: 118
Can you post your firewall script? Namely, make sure that you "echo 1 > /proc/sys/net/ipv4/ip_forward", "/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE" (change the source IPs as needed) and ALLOW somewhere on the FORWARD chain?
 
Old 09-11-2005, 04:44 PM   #3
ozymandias
Member
 
Registered: Aug 2005
Location: West Midlands, UK
Posts: 61

Original Poster
Rep: Reputation: 15
Hi!
The firewall script follows - thanks for any help!

echo -e "\n\nSETTING UP IPTABLES FIREWALL..."
# Enter the designation for the Internal Interface's
INTIF="eth1"
# Enter the NETWORK address the Internal Interface is on
INTNET="192.168.0.0/24"
# Enter the IP address of the Internal Interface
INTIP="192.168.0.1/24"
# Enter the external interface's designation for the
# EXTIF variable:
EXTIF="ppp0"
EXTIP="83.217.***.***"

echo "Loading required stateful/NAT kernel modules..."

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

echo " Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " External interface: $EXTIF"
echo " External interface IP address is: $EXTIP"
echo " Loading firewall server rules..."

UNIVERSE="0.0.0.0/0"

# Clear any existing rules and setting default policy to DROP
iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -F -t nat

# Flush the user chain.. if it exists
if [ "`iptables -L | grep drop-and-log-it`" ]; then
iptables -F drop-and-log-it
fi

# Delete all User-specified chains
iptables -X

# Reset all IPTABLES counters
iptables -Z

# Creating a DROP chain
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-level info
iptables -A drop-and-log-it -j REJECT

echo -e " - Loading INPUT rulesets"

# loopback interfaces are valid.
iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interface, local machines, going anywhere is valid
iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
# remote interface, claiming to be local machines, IP spoofing, get lost
iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
# remote interface, any source, going to permanent PPP address is valid
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
# Allow any related traffic coming back to the MASQ server in
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
# Catch all rule, all other incoming is denied and logged.
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

echo -e " - Loading OUTPUT rulesets"

# loopback interface is valid.
iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interfaces, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
# local interface, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
# outgoing to local net on remote interface, stuffed routing, deny
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
# anything else outgoing on remote interface is valid
iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
# Catch all rule, all other outgoing is denied and logged.
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

echo -e " - Loading FORWARD rulesets"

iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -jACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Catch all rule, all other forwarding is denied and logged.
iptables -A FORWARD -j drop-and-log-it
# Enable SNAT (MASQUERADE) functionality on $EXTIF
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

echo -e " Firewall server rule loading complete\n\n"
 
Old 09-11-2005, 04:54 PM   #4
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118Reputation: 118
As an FYI, INTIP should just be 192.168.0.1. The /24 specifies a network. It's identical to the line for INTNET. Also, does your external IP never change? There should also be a space before ACCEPT in -jACCEPT. I'm not sure if that matters, but I've seen iptables be real picky about syntax before.

Does anything get logged?
 
Old 09-11-2005, 05:05 PM   #5
ozymandias
Member
 
Registered: Aug 2005
Location: West Midlands, UK
Posts: 61

Original Poster
Rep: Reputation: 15
Making those changes doesn't seem to help.
Yes - I definitely have a fixed IP
It seems very strange - I can ping the Yahoo server, but not open the page! I don't think this is a Mac problem though. Just in case it makes a difference, the Mac is set with IP = 192.168.0.100, subnet 255.255.255.0, router 192.168.0.1 and my ISP's DNS numbers.
I'm not sure where any errors would be logged.
 
Old 09-11-2005, 05:20 PM   #6
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118Reputation: 118
Somewhere in /var/log. It really depends on your installation.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
machines with different submasks can ping each other, why? learnfast Linux - Newbie 1 03-11-2005 10:11 AM
Sharing Internet with two machines, ping doen't work sandrain Linux - Networking 7 02-24-2004 01:59 PM
Cannot ping between 2 machines on same router acampbell Linux - Wireless Networking 8 02-24-2004 04:27 AM
Ping between machines triplem Linux - Networking 1 04-14-2003 06:17 PM
Can't ping windows machines by hostname explorer Linux - Networking 10 03-06-2003 01:44 PM


All times are GMT -5. The time now is 03:00 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration