LAN Traffic (Ping, HTTP, FTP) Cannot reach External IP (but can internet)
About 2 months ago I set up an old computer as a Linux home firewall router. This is a one-computer-does-all situation. To accomplish this I followed the guide here, http://brennan.id.au, to set up various things like routing, a basic IPTables configuration, network file shares and so on. All of that works, and I can reach all my network services from the net and the LAN (file sharing on the LAN, FTP on the LAN and on the net, web on the LAN and on the net, and so on).

I own the domain Jkm3141.com, which I stupidly used as the internal DNS name, so each time I tried to access a network resource from the LAN I used that domain, which worked fine. I had a few issues accessing the web page from jkm3141.com on the LAN (not www.jkm3141.com), which I mistakenly shrugged off as an improperly configured DNS server (no entry for straight-up jkm3141.com). Recently I got fed up with having my external domain the same as my internal one, so I changed all DNS, hostname and DHCP-assigned domain settings to the domain barton.local for convenience's sake (part of my name, and local). All worked out dandy after that, and I can still access all my network resources from the LAN and internet, except that on the LAN, if I want to access my legit domain jkm3141.com, I have to use the newly specified DNS name server.barton.local. This led me to discover that my old problem was not an improperly configured DNS server but something much harder.

I have now realised that I am unable to make any contact with my external IP, 65.37.56.90 (I don't care about giving it out here, as anyone can get it with a simple DNS query of my website). I am unable to ping, or go to any of the websites (2 domains now: Jkm3141.com and DaveHornPage.com) associated with that IP, on the LAN. I cannot figure this one out; I am sure it is not a DNS issue anymore, or anything other than IPTables.
I use a heavily modified version of a script produced with Easy Firewall Generator for IPTables, and will post the output of iptables -nvL, my script, and the output of route -n (routing table).
Iptables -nvL output:
Code:
Chain INPUT (policy DROP 5 packets, 2482 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1074 102K bad_packets all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.1
856 62668 ACCEPT all -- eth1 * 192.168.1.0/24 192.168.1.0/24
0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
142 31176 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 tcp_inbound tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
5 2482 udp_inbound udp -- eth0 * 0.0.0.0/0 0.0.0.0/0
3 214 icmp_packets icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8982 3469K bad_packets all -- * * 0.0.0.0/0 0.0.0.0/0
4612 862K tcp_outbound tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 udp_outbound udp -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
4370 2607K ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
664 133K ACCEPT all -- * eth1 192.168.1.0/24 192.168.1.0/24
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 192.168.1.1 0.0.0.0/0
0 0 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
142 10762 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain bad_packets (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- eth0 * 192.168.1.0/24 0.0.0.0/0
44 4212 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
9678 3520K bad_tcp_packets tcp -- * * 0.0.0.0/0 0.0.0.0/0
9988 3566K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain bad_tcp_packets (1 references)
pkts bytes target prot opt in out source destination
5284 912K RETURN tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0
24 960 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
4370 2607K RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmp_packets (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -f * * 0.0.0.0/0 0.0.0.0/0
3 214 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
Chain tcp_inbound (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain tcp_outbound (1 references)
pkts bytes target prot opt in out source destination
4612 862K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain udp_inbound (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
Chain udp_outbound (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
Route -n:
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
65.37.48.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
0.0.0.0 65.37.48.1 0.0.0.0 UG 0 0 0 eth0
And my script is:
iptables script:
Code:
#!/bin/bash
# Terminal bell to mark the start of the run
echo $'\a'
SYSCTL="/sbin/sysctl -w"
IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"
INET_IFACE="eth0"        # internet-facing interface
LOCAL_IFACE="eth1"       # LAN interface
LOCAL_IP="192.168.1.1"
LOCAL_NET="192.168.1.0/24"
LOCAL_BCAST="192.168.1.255"
LO_IFACE="lo"
LO_IP="127.0.0.1"
# "save" / "restore" only dump or reload the current ruleset, then exit
if [ "$1" = "save" ]
then
    echo -n "Saving firewall to /etc/sysconfig/iptables ... "
    $IPTS > /etc/sysconfig/iptables
    echo "done"
    exit 0
elif [ "$1" = "restore" ]
then
    echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
    $IPTR < /etc/sysconfig/iptables
    echo "done"
    exit 0
fi
# Kernel settings: enable forwarding, SYN cookies and reverse-path filtering;
# ignore broadcast pings, source-routed packets and ICMP redirects
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/ip_forward
else
    $SYSCTL net.ipv4.ip_forward="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
    $SYSCTL net.ipv4.tcp_syncookies="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
    $SYSCTL net.ipv4.conf.all.rp_filter="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
    $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
    $SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi
if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
else
    $SYSCTL net.ipv4.conf.all.accept_redirects="0"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
    $SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi
# Reset every policy to ACCEPT and flush/delete all chains before rebuilding
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
# "stop" leaves the box with no firewall at all
if [ "$1" = "stop" ]
then
    echo "Firewall completely flushed! Now running with no firewall."
    exit 0
fi
# Default deny on every built-in chain
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# User-defined chains: sanity checks plus per-protocol inbound/outbound filters
$IPT -N bad_packets
$IPT -N bad_tcp_packets
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_outbound
$IPT -N tcp_inbound
$IPT -N tcp_outbound
# bad_packets: LAN addresses arriving on the internet interface are spoofed; INVALID state is dropped too
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
$IPT -A bad_packets -p tcp -j bad_tcp_packets
$IPT -A bad_packets -p ALL -j RETURN
# bad_tcp_packets: LAN traffic is exempted, then NEW-without-SYN and impossible flag combinations are dropped
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A bad_tcp_packets -p tcp -j RETURN
# icmp_packets: drop fragments and echo requests (type 8), accept time-exceeded (type 11)
$IPT -A icmp_packets --fragment -p ICMP -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# udp_inbound: drop NetBIOS name/datagram service, accept DHCP server replies
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 -j ACCEPT
# udp_outbound / tcp_outbound: anything from the LAN may leave
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
# tcp_inbound: services published on the internet interface (HTTP, FTP control and active-mode data, SSH)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
# INPUT: loopback first, then the sanity chain, LAN traffic, and internet traffic by protocol
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPT -A INPUT -p ALL -j bad_packets
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
# LAN traffic is accepted only when both source and destination are in LOCAL_NET;
# the per-protocol inbound chains further down are entered only for packets arriving on INET_IFACE
$IPT -A INPUT -i $LOCAL_IFACE -s $LOCAL_NET -d $LOCAL_NET -j ACCEPT
$IPT -A OUTPUT -o $LOCAL_IFACE -s $LOCAL_NET -d $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p UDP -i $LOCAL_IFACE --source-port 68 --destination-port 67 -j ACCEPT
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
# FORWARD: LAN-originated traffic goes out, established/related replies come back in
$IPT -A FORWARD -p ALL -j bad_packets
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
# OUTPUT: drop INVALID ICMP, allow everything originating from the box itself
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
# NAT: masquerade LAN traffic leaving through the internet interface, then persist and reload
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
/etc/init.d/iptables save
/etc/init.d/iptables restart
echo $'\a'
echo "IPTables rules updated and saved."
Oh yeah, I forgot to mention I'm running Fedora Core 3 on this machine. I cannot for the life of me understand this problem, and nor can my teacher at school (CCNA class).
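An added illustration, not from the thread: this Python walks the posted INPUT chain the way the kernel does for a packet addressed to the router itself. A LAN client's packet for 65.37.56.90 arrives on eth1 but is a local delivery, so it is filtered by INPUT rather than FORWARD; the only eth1 ACCEPT requires a 192.168.1.0/24 destination and the service chains are entered only for eth0, so such a packet reaches the DROP policy while the same request from the internet is accepted. The chain contents are transcribed from the listing above (only TCP rules are modelled); the `chains` parameter is an assumption added so a candidate rule can be tried offline.

```python
import ipaddress

# Constructed subset of the INPUT, bad_packets and tcp_inbound chains from the
# posted "iptables -nvL" output (counters, udp and icmp rules left out).
# Rule: (target, proto, in-iface, src, dst, extra matches); "*" / "all" = any.
CHAINS = {
    "INPUT": [
        ("ACCEPT", "all", "lo", "0.0.0.0/0", "0.0.0.0/0", {}),
        ("bad_packets", "all", "*", "0.0.0.0/0", "0.0.0.0/0", {}),
        ("DROP", "all", "*", "0.0.0.0/0", "224.0.0.1/32", {}),
        ("ACCEPT", "all", "eth1", "192.168.1.0/24", "192.168.1.0/24", {}),
        ("ACCEPT", "all", "eth0", "0.0.0.0/0", "0.0.0.0/0", {"state": "RELATED,ESTABLISHED"}),
        ("tcp_inbound", "tcp", "eth0", "0.0.0.0/0", "0.0.0.0/0", {}),
    ],
    "bad_packets": [
        ("DROP", "all", "eth0", "192.168.1.0/24", "0.0.0.0/0", {}),
        ("DROP", "all", "*", "0.0.0.0/0", "0.0.0.0/0", {"state": "INVALID"}),
        ("RETURN", "all", "*", "0.0.0.0/0", "0.0.0.0/0", {}),
    ],
    "tcp_inbound": [
        ("ACCEPT", "tcp", "*", "0.0.0.0/0", "0.0.0.0/0", {"dpt": 80}),
        ("ACCEPT", "tcp", "*", "0.0.0.0/0", "0.0.0.0/0", {"dpt": 21}),
        ("ACCEPT", "tcp", "*", "0.0.0.0/0", "0.0.0.0/0", {"dpt": 22}),
    ],
}
POLICY = {"INPUT": "DROP"}  # built-in chain policy; user chains have none

def matches(rule, pkt):
    """One rule against one packet; 'state' is a comma list, other extras exact."""
    _, proto, iface, src, dst, extra = rule
    return (proto in ("all", pkt["proto"]) and iface in ("*", pkt["in"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst)
            and all(pkt.get(k) in v.split(",") if k == "state" else pkt.get(k) == v
                    for k, v in extra.items()))

def verdict(pkt, chain="INPUT", chains=CHAINS):
    """First match wins; RETURN or an exhausted user chain falls back to the caller, an exhausted built-in chain hits its policy."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        if rule[0] == "RETURN":
            break
        if rule[0] in chains:  # jump into a user-defined chain
            sub = verdict(pkt, rule[0], chains)
            if sub is not None:
                return sub
            continue
        return rule[0]
    return POLICY.get(chain)
```

A rule such as `-A INPUT -i eth1 -s 192.168.1.0/24 -d 65.37.56.90 -p tcp -j tcp_inbound` (an assumed remedy, not from the thread) would send LAN traffic for the public address through the same service filter as internet traffic; pass a modified `chains` dict to `verdict` to confirm the effect before touching the live ruleset.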
Well, obviously the IPs and netmasks are not the same on both interfaces, but I will look into the host names. I am not going to consider changing OSes for a more dedicated system; my whole goal with this project is to have a one-system solution, and I know it's possible. I followed the guide at http://brennan.id.au/ to set up this system originally for everything except the IPTables firewall script, which I am sure is causing the problems. You say it shouldn't be able to route with the host names configured the same on both interfaces; however, why can I access all of the internet on the LAN and access allowed LAN services on the internet, when the only thing I cannot access from the LAN is my external IP (or anything pointing to it)? I can access the internal IP of the gateway/firewall/server but not the external IP of the computer. All other internet IPs are fine. I am also sure that it is not a DNS server problem, as stated by someone in another forum.
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
Try removing this; it dumps all ping responses (port 8 is a ping reply).
I'll check if it does once I get home today. However, that line would explain the lack of ping ability. However, why can't I access that IP for any other services such as HTTP (port 80), FTP (21), SSH (22)...
That's what confuses me. I don't mind, and actually promote, the lack of pinging, for security reasons.
If not, you should; it takes much of the lines of code and makes it far more interpretable.
No I don't; however, that looks very interesting. However, I have kind of gone crazy trying to teach myself shell scripting and slight shell CGI scripting, and have produced a very useful interactive shell menu system to do administration (by referencing other shell scripts I have written). This system I made makes it really easy to do anything from opening ports for a game to doing a complete backup of all configuration and scripts on the system, compressing, encrypting with openssl and then uploading to a remote FTP. I love it. However, I will look into webmin, but I doubt that will fix my problem. I am grateful for the help though.
P.S. I know all my scripts are probably a huge security hole.
I'm half asleep, so if this isn't related to your problem, I'm sorry.
Code:
cat /proc/sys/net/ipv4/ip_forward
If it says 0:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
That should enable routing between networks.
Yeah, all that's enabled. Like I said, I can access all of the internet from the LAN; all forwarding works fine. It's just accessing the one IP, my external IP, from the LAN that's not possible.