[SOLVED] Iptables: LAN clients cannot access internet
Distribution: Fedora, CentOS, and would like to get back to Gentoo
Posts: 332
Rep:
Iptables: LAN clients cannot access internet
I thought I knew some fundamentals of using iptables, but no more.
It's been a while since I've set up a new linux router/firewall box.
What does function:
1. I can ssh into the box from the internet and/or from the LAN.
2. I can ping the gateway from LAN clients.
3. I can ping the ISP DNS servers' addresses from LAN clients.
What does not function:
1. LAN clients cannot access any http sites.
- - - -
I thought my configs so far have a completely open setup for traffic, only limiting incoming traffic from the internet on eth0 to RELATED,ESTABLISHED; everything else (I thought) was ready to accept all traffic in/out.
iptables -nvL:
root@joejoe:/# iptables -nvL
Chain INPUT (policy DROP 114 packets, 31643 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
30 3192 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 2
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6 935 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
4 290 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 * 192.168.195.0/24 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 2
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
24 4200 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
1 576 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 2
- - - -
I'm running a very simple dhcp server on eth1 (LAN-facing interface).
The config follows:
# dhcpd.conf
#
# Use this to enable / disable dynamic dns updates globally.
ddns-update-style interim;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# This is a very basic subnet declaration.
subnet 192.168.195.0 netmask 255.255.255.0 {
# The range must lie inside the declared subnet; the post had
# 195.195.195.200 as the upper bound, which is outside 192.168.195.0/24.
range 192.168.195.10 192.168.195.200;
default-lease-time 720;
max-lease-time 86400;
option subnet-mask 255.255.255.0;
option routers 192.168.195.1;
# Several DNS servers go in one comma-separated option; a second
# domain-name-servers line replaces the first instead of adding to it.
option domain-name-servers 68.87.71.230, 68.87.73.246;
}
- - - - -
When client machines start, they receive IP addresses successfully from the dhcp server on eth1.
- - - - -
The router box itself is an HP 1u server with 2 Gigabit NIC's.
They both have different MAC identifiers and the TIGON3 drivers load with no problems.
- - - - -
So I'm stumped.
My error must be staring me in the face but I can't see it.
Thanks for reading.
p.s. - please let me know if you need to see my iptables rules; I left those out so as not to run on too long.
Distribution: Fedora, CentOS, and would like to get back to Gentoo
Posts: 332
Original Poster
Rep:
Here's the iptables:
#!/bin/bash
# Location in which iptables initscript will save set rules on
# service shutdown
#IPTABLES_SAVE="/var/lib/iptables/rules-save"
# Options to pass to iptables-save and iptables-restore
#SAVE_RESTORE_OPTIONS="-c"
# Save state on stopping iptables
#SAVE_ON_STOP="yes"
Distribution: Fedora, CentOS, and would like to get back to Gentoo
Posts: 332
Original Poster
Rep:
Quote:
Originally Posted by estabroo
If you switch your default policy to ACCEPT does it work? That would let you know if you need more rules to fix the issue
No, does not work.
Changed INPUT, OUTPUT, and FORWARD policy (-P) to ACCEPT and no success.
The LAN client can ping the previously listed sites, but browser requests are not returned.
Distribution: Fedora, CentOS, and would like to get back to Gentoo
Posts: 332
Original Poster
Rep:
Quote:
Originally Posted by harsshal
try
Code:
service iptables stop
If the client works fine after that, it means there is a problem with iptables.
If it doesn't, start iptables and search for other flaws.
Heh, was able to get out of meeting early.
Tested iptables stop - and still no go.
The same as before -- I can ping anything on the net, but cannot retrieve web pages to LAN clients in a browser.
Distribution: Fedora, CentOS, and would like to get back to Gentoo
Posts: 332
Original Poster
Rep:
Quote:
Originally Posted by win32sux
Could it be that your LAN clients are configured to use some non-existent proxy server?
I don't think so.
At first, I tested with Win XP Pro clients connected to eth1 (LAN interface) by a switch.
But since the initial failures, I've used my linux notebook directly plugged into the CAT5 cable running from eth1 on the routerbox.
The notebook has Slackware 13 and is set to use dhcp for acquiring an IP address.
Is it possible a proxy is installed on the routerbox, or am I simply missing a proper iptables rule to FORWARD port 80 requests?
Where can I look and what should I be looking for regarding possible proxy on the routerbox?
The routerbox is using Slackware 13 too - fresh install about 2 weeks ago - installed almost everything except X, X apps, and KDE.
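Since the post above asks whether a FORWARD rule for port 80 is missing, here is a minimal stateful router ruleset for the thread's layout (WAN eth0, LAN eth1, 192.168.195.0/24), added as an example and not the poster's own script. It covers the three things the posted `iptables -nvL` output cannot confirm by itself: `ip_forward`, a MASQUERADE rule in the nat table (which `-nvL` without `-t nat` never lists), and forwarding limited to LAN-initiated connections, unlike the posted `ACCEPT all -- eth0 *` FORWARD rule, which passes unsolicited internet traffic into the LAN. The `DRY_RUN` switch and the `run`/`count_rules` helpers are my own conventions.

```shell
#!/bin/sh
# Minimal stateful NAT router: WAN=eth0, LAN=eth1, LAN subnet 192.168.195.0/24
# (values from the thread). Added example, not the poster's script.
# DRY_RUN=1 prints each command instead of applying it, for review or testing.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.195.0/24}"

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

router_rules() {
    # Without this sysctl no FORWARD rule ever matches, whatever the chains say.
    run sysctl -w net.ipv4.ip_forward=1

    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Traffic to the router itself: loopback, replies, LAN hosts, SSH from anywhere.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    run iptables -A INPUT -i "$WAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Forwarding: the LAN may open new connections (DNS, HTTP, anything) to the
    # WAN; the WAN may only send back replies to those connections.
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Source NAT lives in the nat table; verify it with "iptables -t nat -nvL".
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
}

# Self-check helper: how many generated commands mention a given string.
count_rules() {
    DRY_RUN=1 router_rules | grep -c -- "$1"
}

case "${1:-}" in
    apply)   router_rules ;;              # run as root to apply for real
    dry-run) DRY_RUN=1 router_rules ;;    # print the commands only
esac
```

Compare `sh router.sh dry-run` with the live chains (`iptables -nvL` and `iptables -t nat -nvL`) to spot which pieces the routerbox is actually missing.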