Network access OK but server cannot use internet

gkhewitt · 08-02-2003, 04:05 AM

Ok hoping someone can help me, I have little hair left after this one...

I have a home network set up with a Redhat 8 box and 3 client PCs. The redhat box has eth0 connected to the cable modem for Internet and eth1 as the LAN which goes to a hub.

I have IP tables setup for NAT with Masquerading and forwards are accepted from eth1. Inputs are also always accepted from eth1. Output policy is ACCEPT, except for netbios stuff on eth0 which is dropped.

The problem is that client machines can use the internet no problem through the server, but the server can not use the internet itself?!? Pages and things keep timing out etc. Cannot ping using name or IP. My mailserver on the box can receive mail but cannot send at all (DNS failiure).

Any ideas??

soob · 08-02-2003, 07:54 AM

Does sound weird. If the clients can get webpages thru the server, then iptables' FORWARD rules are passing traffic. If the mailserver receives (I guess you mean from the internet?) the the INPUT rules are accepting, at least on port 25. Do your INPUT rules allow related packets, to allow for DNS and ping responses? How about posting the iptables rules you're using?

gkhewitt · 08-02-2003, 08:28 AM

Here's iptables -L's output:

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp multiport dports telnet,smtp,domain,http,81,pop3,7025,7443,7080,webcache,10000,20000

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp spts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp spts:netbios-ns:netbios-ssn

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp multiport sports printer,ms-sql-s,135,netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere multiport sports 135,netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds,593,ms-sql-m udp

Let me know if you need any more info..

Cheers,

gkhewitt · 08-02-2003, 01:05 PM

Solved! Got a response on another forum. If anyone else has the same problem, you just need to add the following to IPtables to allow responses back in the input chain:

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

soob · 08-03-2003, 07:18 PM

OK... glad it's solved. I was worried about this rule in INPUT - first, it seems to allow everything from everywhere. second, it can't be working. Or I misunderstood the rule.

ACCEPT all -- anywhere anywhere

gkhewitt · 08-04-2003, 06:16 AM

Sorry, just copied it out of iptables -L, the rule you are looking at is restricted to "eth1," so all computers on the LAN have unrestricted access.

soob · 08-04-2003, 08:13 PM

thanks for explaining. 'iptables -L' doesn't tell you about what interface the rule applies to.