LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
-   -   LAN Traffic (Ping, HTTP, FTP) Cannot reach External IP (but can internet) (http://www.linuxquestions.org/questions/linux-networking-3/lan-traffic-ping-http-ftp-cannot-reach-external-ip-but-can-internet-541402/)

Jkm3141 03-28-2007 04:20 PM

LAN Traffic (Ping, HTTP, FTP) Cannot reach External IP (but can internet)
 
About 2 months ago I set up an old computer as a Linux home firewall router. This is a one-computer-does-all situation. To accomplish this I followed the guide here, http://brennan.id.au, to set up various things like routing, a basic IPTables configuration, and network file shares and stuff. All of that stuff works, and I can reach all my network services from the net and the LAN (file sharing on the LAN, FTP on the LAN and on the net, web on the LAN and on the net), and so on. I own the domain Jkm3141.com, which I stupidly used as the internal DNS name, so each time I tried to access a network resource from the LAN I used that domain, which worked fine. I had a few issues accessing the web page from jkm3141.com on the LAN (not www.jkm3141.com), which I mistakenly shrugged off as an improperly configured DNS server (no entry for straight-up jkm3141.com). Recently I got fed up with having my external domain the same as my internal, so I changed all DNS and hostnames and DHCP-assigned domain settings to the domain barton.local for convenience's sake (part of my name, and local). All worked out dandy after that and I can still access all my network resources from the LAN and internet, except on the LAN if I want to access my legit domain jkm3141.com I have to use the newly specified DNS name server.barton.local. This led me to discover that my old problem was not an improperly configured DNS server but something much harder. I have now realised that I am unable to make any contact with my external IP, 65.37.56.90 (I don't care about giving it out here as anyone can get it with a simple DNS query of my website). I am unable to ping, or go to any of the websites (2 domains now (Jkm3141.com and DaveHornPage.com)) associated with that IP on the LAN. I cannot figure out this one; I am sure it is not a DNS issue anymore, or anything other than IPTables.
I use a heavily modified version of a script produced with Easy Firewall Generator for IPTables, and will post the output of iptables -nvL, my script, and the output of route -n (routing table).

iptables -nvL output:


Code:

Chain INPUT (policy DROP 5 packets, 2482 bytes)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0         
 1074  102K bad_packets  all  --  *      *      0.0.0.0/0            0.0.0.0/0         
    0    0 DROP      all  --  *      *      0.0.0.0/0            224.0.0.1         
  856 62668 ACCEPT    all  --  eth1  *      192.168.1.0/24      192.168.1.0/24     
    0    0 ACCEPT    udp  --  eth1  *      0.0.0.0/0            0.0.0.0/0          udp spt:68 dpt:67
  142 31176 ACCEPT    all  --  eth0  *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0    0 tcp_inbound  tcp  --  eth0  *      0.0.0.0/0            0.0.0.0/0         
    5  2482 udp_inbound  udp  --  eth0  *      0.0.0.0/0            0.0.0.0/0         
    3  214 icmp_packets  icmp --  eth0  *      0.0.0.0/0            0.0.0.0/0         
    0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          PKTTYPE = broadcast

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       
 8982 3469K bad_packets  all  --  *      *      0.0.0.0/0            0.0.0.0/0         
 4612  862K tcp_outbound  tcp  --  eth1  *      0.0.0.0/0            0.0.0.0/0         
    0    0 udp_outbound  udp  --  eth1  *      0.0.0.0/0            0.0.0.0/0         
    0    0 ACCEPT    all  --  eth1  *      0.0.0.0/0            0.0.0.0/0         
 4370 2607K ACCEPT    all  --  eth0  *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       
  664  133K ACCEPT    all  --  *      eth1    192.168.1.0/24      192.168.1.0/24     
    0    0 DROP      icmp --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
    0    0 ACCEPT    all  --  *      *      127.0.0.1            0.0.0.0/0         
    0    0 ACCEPT    all  --  *      lo      0.0.0.0/0            0.0.0.0/0         
    0    0 ACCEPT    all  --  *      *      192.168.1.1          0.0.0.0/0         
    0    0 ACCEPT    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0         
  142 10762 ACCEPT    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0         

Chain bad_packets (2 references)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 DROP      all  --  eth0  *      192.168.1.0/24      0.0.0.0/0         
  44  4212 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
 9678 3520K bad_tcp_packets  tcp  --  *      *      0.0.0.0/0            0.0.0.0/0         
 9988 3566K RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0         

Chain bad_tcp_packets (1 references)
 pkts bytes target    prot opt in    out    source              destination       
 5284  912K RETURN    tcp  --  eth1  *      0.0.0.0/0            0.0.0.0/0         
  24  960 DROP      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:!0x16/0x02 state NEW
    0    0 DROP      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x00
    0    0 DROP      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x3F
    0    0 DROP      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x29
    0    0 DROP      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x37
    0    0 DROP      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x06
    0    0 DROP      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x03/0x03
 4370 2607K RETURN    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0         

Chain icmp_packets (1 references)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 DROP      icmp -f  *      *      0.0.0.0/0            0.0.0.0/0         
    3  214 DROP      icmp --  *      *      0.0.0.0/0            0.0.0.0/0          icmp type 8
    0    0 ACCEPT    icmp --  *      *      0.0.0.0/0            0.0.0.0/0          icmp type 11

Chain tcp_inbound (1 references)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:80
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:21
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp spt:20
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:22

Chain tcp_outbound (1 references)
 pkts bytes target    prot opt in    out    source              destination       
 4612  862K ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0         

Chain udp_inbound (1 references)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 DROP      udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:137
    0    0 DROP      udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:138
    0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp spt:67 dpt:68

Chain udp_outbound (1 references)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0

route -n:

Code:

Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
192.168.1.0    0.0.0.0        255.255.255.0  U    0      0        0 eth1
65.37.48.0      0.0.0.0        255.255.240.0  U    0      0        0 eth0
0.0.0.0        65.37.48.1      0.0.0.0        UG    0      0        0 eth0

And my script is:

iptables script:

Code:

echo $'\a'
SYSCTL="/sbin/sysctl -w"
IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"
INET_IFACE="eth0"
LOCAL_IFACE="eth1"
LOCAL_IP="192.168.1.1"
LOCAL_NET="192.168.1.0/24"
LOCAL_BCAST="192.168.1.255"
LO_IFACE="lo"
LO_IP="127.0.0.1"
if [ "$1" = "save" ]
then
        echo -n "Saving firewall to /etc/sysconfig/iptables ... "
        $IPTS > /etc/sysconfig/iptables
        echo "done"
        exit 0
elif [ "$1" = "restore" ]
then
        echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
        $IPTR < /etc/sysconfig/iptables
        echo "done"
        exit 0
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/ip_forward
else
    $SYSCTL net.ipv4.ip_forward="1"
fi

if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
    $SYSCTL net.ipv4.tcp_syncookies="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
    $SYSCTL net.ipv4.conf.all.rp_filter="1"
fi

if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
    $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
    $SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi

if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
else
    $SYSCTL net.ipv4.conf.all.accept_redirects="0"
fi


if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
    $SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
if [ "$1" = "stop" ]
then
        echo "Firewall completely flushed!  Now running with no firewall."
        exit 0
fi
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -N bad_packets
$IPT -N bad_tcp_packets
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_outbound
$IPT -N tcp_inbound
$IPT -N tcp_outbound
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
$IPT -A bad_packets -p tcp -j bad_tcp_packets
$IPT -A bad_packets -p ALL -j RETURN
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A bad_tcp_packets -p tcp -j RETURN
$IPT -A icmp_packets --fragment -p ICMP -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 -j ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPT -A INPUT -p ALL -j bad_packets
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
$IPT -A INPUT  -i $LOCAL_IFACE -s $LOCAL_NET -d $LOCAL_NET -j ACCEPT
$IPT -A OUTPUT -o $LOCAL_IFACE -s $LOCAL_NET -d $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p UDP -i $LOCAL_IFACE --source-port 68 --destination-port 67 -j ACCEPT
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
$IPT -A FORWARD -p ALL -j bad_packets
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
/etc/init.d/iptables save
/etc/init.d/iptables restart
echo $'\a'
echo "IPTables rules updated and saved."


Oh yeah, I forgot to mention I'm running Fedora Core 3 on this machine. I cannot for the life of me understand this problem, and nor can my teacher at school (CCNA class).

carl0ski 04-03-2007 06:09 AM

Personally I'd start again using

IPCop distro based on CentOS purely for routers
http://ipcop.org/index.php

Remember though, routers can't route when both interfaces either
have the same network/mask
and/or the same host name exists on both sides

Jkm3141 04-03-2007 10:22 AM

Well obviously the IPs and netmasks are not the same on both interfaces, but I will look into the host names. I am not going to consider changing OSes for a more dedicated system; my whole goal with this project is to have a one-system solution, and I know it's possible. I followed the guide at http://brennan.id.au/ to set up this system originally for everything except the IPTables firewall script, which I am sure is causing the problems. You say it shouldn't be able to route with the host names configured the same on both interfaces; however, why can I access all of the internet on the LAN and access allowed LAN services on the internet, yet the only thing I cannot access from the LAN is my external IP (or anything pointing to it)? I can access the internal IP of the gateway/firewall/server but not the external IP of the computer. All other internet IPs are fine. I am also sure that it is not a DNS server problem, as stated by someone in another forum.

carl0ski 04-04-2007 07:35 AM

Quote:

Originally Posted by Jkm3141
Well obviously the IPs and netmasks are not the same on both interfaces, but I will look into the host names. I am not going to consider changing OSes for a more dedicated system; my whole goal with this project is to have a one-system solution, and I know it's possible. I followed the guide at http://brennan.id.au/ to set up this system originally for everything except the IPTables firewall script, which I am sure is causing the problems. You say it shouldn't be able to route with the host names configured the same on both interfaces; however, why can I access all of the internet on the LAN and access allowed LAN services on the internet, yet the only thing I cannot access from the LAN is my external IP (or anything pointing to it)? I can access the internal IP of the gateway/firewall/server but not the external IP of the computer. All other internet IPs are fine. I am also sure that it is not a DNS server problem, as stated by someone in another forum.

$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
Try removing this.

It dumps all ping responses (port 8 is a ping reply).

Does using arping instead of ping work?

Jkm3141 04-04-2007 10:41 AM

I'll check if it does once I get home today. However, that line would explain the lack of ping ability. However, why can't I access that IP for any other services such as HTTP (port 80), or FTP (21), SSH (22).....

That's what confuses me. I don't mind, and actually promote, the lack of pinging because of security reasons.

Jkm3141 04-04-2007 03:47 PM

Yes, it can arping it, which means it's a layer 3 routing issue, so the routing tables?

carl0ski 04-04-2007 06:26 PM

Quote:

Originally Posted by Jkm3141
Yes, it can arping it, which means it's a layer 3 routing issue, so the routing tables?

Correct,

unfortunately I can't help beyond that.

I have never gone this far down the routing spectrum.


Do you use Webmin to configure your server?
http://webadmin.sourceforge.net/

If not you should; it takes much of the lines of code and makes it far more interpretable.

Jkm3141 04-04-2007 07:24 PM

Quote:

Originally Posted by carl0ski
Correct,

unfortunately I can't help beyond that.

I have never gone this far down the routing spectrum.


Do you use Webmin to configure your server?
http://webadmin.sourceforge.net/

If not you should; it takes much of the lines of code and makes it far more interpretable.


No I don't, however that looks very interesting. However, I have kinda gone crazy in trying to teach myself shell scripting and slight shell CGI scripting, and have produced a very useful interactive shell menu system to do administration (by referencing other shell scripts I have written). This system I made makes it really easy to do anything from opening ports for a game, to doing a complete backup of all configuration and scripts on the system, compressing, encrypting with openssl and then uploading to a remote FTP. I love it. However I will look into Webmin, but I doubt that will fix my problem. I am grateful for the help though.

P.s. I know all my scripts are probably a huge security hole.

chrisortiz 04-05-2007 12:07 AM

I'm half asleep so if this isn't related to your problem I'm sorry

Code:

cat /proc/sys/net/ipv4/ip_forward
if it says 0

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward
that should enable routing between networks

Jkm3141 04-05-2007 08:46 AM

Quote:

Originally Posted by chrisortiz
I'm half asleep so if this isn't related to your problem I'm sorry

Code:

cat /proc/sys/net/ipv4/ip_forward
if it says 0

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward
that should enable routing between networks


Yeah, all that's enabled. Like I said, I can access all of the internet from the LAN; all forwarding works fine. It's just accessing the one IP, my external IP, from the LAN that's not possible.
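The listing in the first post is enough to trace what happens to the traffic the thread is about. A packet from a LAN host on eth1 addressed to 65.37.56.90 is addressed to the router itself, so it is handled by the INPUT chain, not FORWARD (which is why ip_forward and the routing table are not the problem). In the posted INPUT chain the only rules that accept anything arriving on eth1 are the LAN-to-LAN rule (destination must be inside 192.168.1.0/24, which 65.37.56.90 is not) and the DHCP rule; tcp_inbound, udp_inbound and icmp_packets are only entered for packets arriving on eth0. Nothing matches, so the packet falls through to the INPUT policy of DROP. That is consistent with arping (layer 2) working while HTTP, FTP, SSH and ping all fail, and it also means that removing the icmp type 8 DROP in icmp_packets would not make LAN pings to the external address work, because that chain is never reached from eth1. The following Python is an added example, not code from the thread or from Easy Firewall Generator: a small evaluator for the match types the posted rules use, which walks constructed packets through the INPUT chain as listed and then through the same chain with one extra rule of my own (not on the page) that sends LAN traffic for the external address through the existing tcp_inbound port allowlist instead of accepting everything from eth1. The client address 192.168.1.50 and internet address 203.0.113.7 are constructed; the TCP flag sanity rules, --fragment and pkttype matches are omitted because they do not change the outcome for the valid packets traced.

```python
# Added example: trace constructed packets through the posted INPUT chain.
# Models only the match types the posted rules use: input interface,
# source/destination network, protocol, ports, ICMP type, conntrack state.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

EXTERNAL_IP = "65.37.56.90"      # router's external address (from the thread)
LAN = "192.168.1.0/24"           # LAN behind eth1 (from the thread)

@dataclass
class Pkt:
    iface: str                   # interface the packet arrived on
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    state: str = "NEW"           # conntrack state as iptables would see it

@dataclass
class Rule:
    target: str                  # ACCEPT, DROP, RETURN or a user-chain name
    iface: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    state: Optional[Set[str]] = None

    def matches(self, p: Pkt) -> bool:
        return all([
            self.iface is None or self.iface == p.iface,
            self.src is None or ip_address(p.src) in ip_network(self.src),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst),
            self.proto is None or self.proto == p.proto,
            self.sport is None or self.sport == p.sport,
            self.dport is None or self.dport == p.dport,
            self.icmp_type is None or self.icmp_type == p.icmp_type,
            self.state is None or p.state in self.state,
        ])

Chains = Dict[str, List[Rule]]

def walk(chains: Chains, name: str, p: Pkt, path: List[str]) -> Optional[str]:
    """Evaluate one chain top to bottom; None means fall-through or RETURN."""
    for i, r in enumerate(chains[name], 1):
        if not r.matches(p):
            continue
        path.append(f"{name}#{i}->{r.target}")
        if r.target in ("ACCEPT", "DROP"):
            return r.target
        if r.target == "RETURN":
            return None
        verdict = walk(chains, r.target, p, path)   # jump into a user chain
        if verdict is not None:
            return verdict                          # else continue this chain
    return None

def verdict_for(chains: Chains, p: Pkt, policy: str = "DROP") -> Tuple[str, List[str]]:
    """Final verdict plus the rules hit, starting at the built-in INPUT chain."""
    path: List[str] = []
    v = walk(chains, "INPUT", p, path)
    if v is None:                                   # nothing matched: policy
        path.append(f"INPUT policy {policy}")
        v = policy
    return v, path

def posted_chains() -> Chains:
    """INPUT and its user chains as in the iptables -nvL listing in the thread."""
    return {
        "bad_tcp_packets": [Rule("RETURN", iface="eth1", proto="tcp"),
                            Rule("RETURN", proto="tcp")],
        "bad_packets": [Rule("DROP", iface="eth0", src=LAN),   # anti-spoof
                        Rule("DROP", state={"INVALID"}),
                        Rule("bad_tcp_packets", proto="tcp"),
                        Rule("RETURN")],
        "tcp_inbound": [Rule("ACCEPT", proto="tcp", dport=80),
                        Rule("ACCEPT", proto="tcp", dport=21),
                        Rule("ACCEPT", proto="tcp", sport=20),
                        Rule("ACCEPT", proto="tcp", dport=22)],
        "udp_inbound": [Rule("DROP", proto="udp", dport=137),
                        Rule("DROP", proto="udp", dport=138),
                        Rule("ACCEPT", proto="udp", sport=67, dport=68)],
        "icmp_packets": [Rule("DROP", proto="icmp", icmp_type=8),
                         Rule("ACCEPT", proto="icmp", icmp_type=11)],
        "INPUT": [Rule("ACCEPT", iface="lo"),
                  Rule("bad_packets"),
                  Rule("DROP", dst="224.0.0.1/32"),
                  Rule("ACCEPT", iface="eth1", src=LAN, dst=LAN),
                  Rule("ACCEPT", iface="eth1", proto="udp", sport=68, dport=67),
                  Rule("ACCEPT", iface="eth0", state={"RELATED", "ESTABLISHED"}),
                  Rule("tcp_inbound", iface="eth0", proto="tcp"),
                  Rule("udp_inbound", iface="eth0", proto="udp"),
                  Rule("icmp_packets", iface="eth0", proto="icmp")],
    }

def hairpin_fixed_chains() -> Chains:
    """posted_chains() plus my own suggested rule (not from the thread):
    -A INPUT -p tcp -i eth1 -s 192.168.1.0/24 -d 65.37.56.90 -j tcp_inbound
    so LAN clients reach the router's external address through the same
    port allowlist the internet side uses."""
    chains = posted_chains()
    chains["INPUT"].append(Rule("tcp_inbound", iface="eth1", src=LAN,
                                dst=EXTERNAL_IP + "/32", proto="tcp"))
    return chains

# Constructed sample packets; 192.168.1.50 and 203.0.113.7 are made-up hosts.
LAN_TO_EXTERNAL_HTTP = Pkt("eth1", "192.168.1.50", EXTERNAL_IP, "tcp", 40000, 80)
LAN_TO_EXTERNAL_PING = Pkt("eth1", "192.168.1.50", EXTERNAL_IP, "icmp", icmp_type=8)
LAN_TO_INTERNAL_HTTP = Pkt("eth1", "192.168.1.50", "192.168.1.1", "tcp", 40001, 80)
INTERNET_HTTP = Pkt("eth0", "203.0.113.7", EXTERNAL_IP, "tcp", 40002, 80)

if __name__ == "__main__":
    samples = [("LAN->external HTTP", LAN_TO_EXTERNAL_HTTP),
               ("LAN->external ping", LAN_TO_EXTERNAL_PING),
               ("LAN->internal HTTP", LAN_TO_INTERNAL_HTTP),
               ("internet->external HTTP", INTERNET_HTTP)]
    for label, chains in (("posted", posted_chains()), ("hairpin", hairpin_fixed_chains())):
        for name, p in samples:
            v, path = verdict_for(chains, p)
            print(f"[{label}] {name}: {v} via {' > '.join(path)}")
```

Run with `python3` and compare the two trace sets: with the posted rules the LAN-to-external HTTP packet ends in "INPUT policy DROP" while the same request from the internet side is accepted by tcp_inbound; with the extra rule the LAN request is accepted through the same allowlist, and LAN pings to the external address stay dropped, which matches the poster's stated preference. The added rule is the right shape only because every service runs on the router itself (the "one computer does all" setup); if a service were instead port-forwarded to a host inside the LAN, reaching it by the external address from the LAN would need hairpin NAT (DNAT plus SNAT in the nat table), not an INPUT rule.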

