NAT/ip forwarding issues

Poedersuiker · 12-18-2010, 09:49 AM

I've been experiencing problems with my home network. Somehow my server rules prevent some traffic from ariving on the destination within the home network.

The network has the following setup:

ADSLline---Modem---Server---switch---clients

- The modem is a Draytek Vigor 120 set to bridge a pptpa to pptpe.
- The server is a Fedora 13 machine.
- The switch is a normal 5 port 1Gb switch.
- And the clients consist of multiple machines with different OSes, namely Ubuntu and Windows 7.

On the server I have the following network devices:
eth0: 192.168.0.1, internal network
eth1: no IP, bridge to ppp
ppp0: 80.***.**.73, external network with fixed IP (using dhcp to retrieve it from ISP).

I started forwarding and most of it works. Only, for example, some sites refuse to load on the clients (*NIX and Windows). If for instance I try to access addthis.com, Firefox will tell me it is waiting for s7.addthis.com. The same WILL work on the server, the site will show without a problem.

My iptables is stripped, rewritten and anything else I could think of multiple times. But the general policy is ACCEPT and I added the following commands (I changed the devices to match mine).

Code:

iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

as stated in the Fedora documentation (2.8.5. FORWARD and NAT Rules).

Does anyone have a clue how to solve my problem? It would be nice to get everything working.

chickenjoy · 12-18-2010, 10:58 AM

Code:

# iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
# iptables --append FORWARD --in-interface ppp0 -j ACCEPT

Can you try the above? requests come from eth0 and is routed to ppp0.

Poedersuiker · 12-18-2010, 11:12 AM

Quote:

Originally Posted by chickenjoy

Code:

# iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
# iptables --append FORWARD --in-interface ppp0 -j ACCEPT

Can you try the above? requests come from eth0 and is routed to ppp0.

That didn't work unfortunately. My iptables give the following return on -L

Code:

[root@beest ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

And this on -S:

Code:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT
-A FORWARD -i ppp0 -j ACCEPT

nimnull22 · 12-18-2010, 03:08 PM

You forgot to tell us about the default routing on your server. Where does it send everything to?

And on your server you use only 2 interfaces:
eth0: 192.168.0.1, internal network
and
ppp0: external network

I think, you do not need eth1. All traffic should goes between those two interfaces.

Poedersuiker · 12-18-2010, 04:46 PM

The routing is as follows:

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
lo1.dr4.d12.xs4 *               255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     *               255.255.255.0   U     1      0        0 eth0
default         lo1.dr4.d12.xs4 0.0.0.0         UG    0      0        0 ppp0

And for even more information the output of ifconfig:

Code:

eth0      Link encap:Ethernet  HWaddr 00:40:F4:BC:7E:81
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::240:f4ff:febc:7e81/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:331293 errors:0 dropped:0 overruns:0 frame:0
          TX packets:590385 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:34779673 (33.1 MiB)  TX bytes:671836627 (640.7 MiB)
          Interrupt:18 Base address:0x8c00

eth1      Link encap:Ethernet  HWaddr 00:19:66:92:5C:E4
          inet6 addr: fe80::219:66ff:fe92:5ce4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2338502 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2136295 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1718389822 (1.6 GiB)  TX bytes:715722843 (682.5 MiB)
          Interrupt:27 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:496331 errors:0 dropped:0 overruns:0 frame:0
          TX packets:496331 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:101960018 (97.2 MiB)  TX bytes:101960018 (97.2 MiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:80.***.**.73  P-t-P:194.109.5.227  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:2336844 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2134631 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:1666878560 (1.5 GiB)  TX bytes:660112391 (629.5 MiB)

eth1 is the device for the pptpe link (which is ppp0).

nimnull22 · 12-19-2010, 04:05 AM

Quote:

I started forwarding and most of it works. Only, for example, some sites refuse to load on the clients (*NIX and Windows). If for instance I try to access addthis.com, Firefox will tell me it is waiting for s7.addthis.com. The same WILL work on the server, the site will show without a problem.

As long as your routing table has only two interfaces I would prefer to have in FORWARD chain something like:
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT

And as long some works some not? please try to change MTU on your ppp0 interface from MTU:1492 to MTU:1450
You can do it if you type under root in console:
ip link set ppp0 down
ip link set ppp0 mtu 1400
ip link set ppp0 up

It might help.

Poedersuiker · 12-19-2010, 05:52 AM

Quote:

Originally Posted by nimnull22

As long as your routing table has only two interfaces I would prefer to have in FORWARD chain something like:
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT

And as long some works some not? please try to change MTU on your ppp0 interface from MTU:1492 to MTU:1450
You can do it if you type under root in console:
ip link set ppp0 down
ip link set ppp0 mtu 1400
ip link set ppp0 up

It might help.

Changing the MTU kills the connection. The iptables commands didn't do the job either. I feel like soms of the packets are just dumped by the iptables routine.

Is there some way to track packets to and from a specified website? Or maybe see the pakcets dumped by iptables?

nimnull22 · 12-19-2010, 06:23 AM

Wait.

First of all, I did a mistake - I wanted to set it to 1450. I use 1400 and everything works perfect. So please do:

ip link set ppp0 mtu 1450

You probably have to avoid to bring down interface like this as it then will get new IP prom ISP.
So just change MTU and then do: ifconfig ppp0, make sure that MTU was changed.

Then, check if you have, as it was before:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
lo1.dr4.d12.xs4 * 255.255.255.255 UH 0 0 0 ppp0
192.168.0.0 * 255.255.255.0 U 1 0 0 eth0
default lo1.dr4.d12.xs4 0.0.0.0 UG 0 0 0 ppp0

Poedersuiker · 12-19-2010, 10:14 AM

I did the modification of mtu before too. I thought one could be a mistype but both had the same error. Routing is still good.

For now I connected an other router (instead of the modem). This way I have two computers working and the network behind the server is still safe. The trouble started when I needed to start using PtPPA for my connection. I will ask my ISP for an alternative or find one myself (changing ISP).
Thanks for your help and hopefully I can correct the errors or have better luck with another modem/router.