Howdy!
I've set up my home network consisting of 2(!) computers, with the "server" accessing the Internet via modem - ppp0 and sharing this connection with the client via eth0, using masquerade of course.
Now, at first it seems that all is fine and working, but it turns out that some domains are inaccessible from the client!
With those, all I get is a blank screen (with the 'connecting' or similar in the status bar), the result is the same whether the client runs Debian or WinXp.
Examples of inaccessible domains include opera, microsoft, realplayer (and a load of others).
I've investigated the problem a bit, and here's some output from the client:
>host opera.com
>opera.com is an alias for front.opera.com.
>front.opera.com has address 193.69.116.18
>front.opera.com has address 193.69.116.19
>front.opera.com has address 193.69.116.22
>opera.com is an alias for front.opera.com.
>opera.com is an alias for front.opera.com.
Now, if I try to access opera.com or 193.69.116.18 it fails as described, but putting 193.69.116.19 in the address bar gets me into the webpage.
Any ideas as to what I have forgotten about? All runs fine on the server and the resolv.conf files are identical and point to my ISP's DNS servers.
Iptables configuration on the server is presented below (feedback welcomed):
# Clear
iptables -X
iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
iptables -t mangle -F
# Load modules
modprobe ipt_MASQUERADE
# Allow related traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Open aMule ports
iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 4662 -j ACCEPT
# Open loopback
iptables -A INPUT -i lo -j ACCEPT
# Allow pinging within the intranet
iptables -A INPUT -i eth0 -p icmp -j ACCEPT
# Open DHCP ports
iptables -A INPUT -i eth0 -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 68 -j ACCEPT
# 631 is CUPS
iptables -A INPUT -i eth0 -p tcp --dport 631 -j ACCEPT
# Intranet config
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
P.S. There should be a triple "w" before opera.com, as I can't post URLs within threads yet.
