LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 09-16-2009, 11:51 AM   #1
Sum1
Member
 
Registered: Jul 2007
Distribution: Slackware and Gentoo
Posts: 232

Rep: Reputation: 21
Iptables: LAN clients cannot access internet


I thought I knew some fundamentals of using iptables, but no more.
It's been a while since I've set up a new linux router/firewall box.

What does function:

1. I can ssh into the box from the internet and/or from the LAN.
2. I can ping the gateway from LAN clients.
3. I can ping the ISP DNS servers' addresses from LAN clients.

What does not function:

1. LAN clients cannot access any http sites.

- - - -
I thought my configs. so far have a completely open setup for traffic, only limiting incoming traffic from the internet on eth0 by RELATED,ESTABLISHED; everything else (I thought) was ready to accept all traffic in/out.

iptables -nvL:

root@joejoe:/# iptables -nvL
Chain INPUT (policy DROP 114 packets, 31643 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
30 3192 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 2

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6 935 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
4 290 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 * 192.168.195.0/24 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 2

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
24 4200 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
1 576 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 2

- - - -
I'm running a very simple dhcp server on eth1 (LAN-facing interface).
The config. follows:
# dhcpd.conf
#
# Use this to enble / disable dynamic dns updates globally.
ddns-update-style interim;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# This is a very basic subnet declaration.
subnet 192.168.195.0 netmask 255.255.255.0 {
range 192.168.195.10 195.195.195.200;
default-lease-time 720;
max-lease-time 86400;
option subnet-mask 255.255.255.0;
option routers 192.168.195.1;
option domain-name-servers 68.87.71.230;
option domain-name-servers 68.87.73.246;

}

- - - - -

When client machines start, they receive ip addresses successfully from the dhcp server on eth1
- - - - -
The router box itself is an HP 1u server with 2 Gigabit NIC's.
They both have different MAC identifiers and the TIGON3 drivers load with no problems.
- - - - -

So I'm stumped.
My error must be staring me in the face but I can't see it.
Thanks for reading.

p.s. - please let me know if you need to see my iptables rules; left those out so not to run on too long.

Last edited by Sum1; 09-16-2009 at 11:53 AM.
 
Old 09-16-2009, 12:05 PM   #2
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,094
Blog Entries: 2

Rep: Reputation: 111Reputation: 111
did you turn on ip forwarding? echo 1 > /proc/sys/net/ipv4/io_forward (can usually be permanently set in sysctl.conf)

you'll probably also need a masquerade or snat rule, something like

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.195.0/24 -j MASQUERADE
 
Old 09-16-2009, 12:31 PM   #3
sparc86
Member
 
Registered: Jul 2006
Location: Joinville, Southern Brazil
Distribution: Debian, CentOS
Posts: 296

Rep: Reputation: 31
The LAN clients can ping outside? Like ping www.website.com, is the IP addresses resolving ?

Anyway, the solution above presented by estabroo should solve your problem.

Last edited by sparc86; 09-16-2009 at 12:32 PM.
 
Old 09-16-2009, 12:52 PM   #4
Sum1
Member
 
Registered: Jul 2007
Distribution: Slackware and Gentoo
Posts: 232

Original Poster
Rep: Reputation: 21
Quote:
Originally Posted by estabroo View Post
did you turn on ip forwarding? echo 1 > /proc/sys/net/ipv4/io_forward (can usually be permanently set in sysctl.conf)

you'll probably also need a masquerade or snat rule, something like

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.195.0/24 -j MASQUERADE
Yes - cat /proc/sys/net/ipv4/ip_forward
produces result "1"

Yes, I have the following:
# External Network Interface
SKYWAY="eth0"
# Internal Network Interface
LAN1="eth1"
# Internal Subnet
SUBNET1="192.168.195.0/24"

$IPT -t nat -A POSTROUTING -o $SKYWAY -s $SUBNET1 -j MASQUERADE
 
Old 09-16-2009, 12:53 PM   #5
Sum1
Member
 
Registered: Jul 2007
Distribution: Slackware and Gentoo
Posts: 232

Original Poster
Rep: Reputation: 21
Quote:
Originally Posted by sparc86 View Post
The LAN clients can ping outside? Like ping www.website.com, is the IP addresses resolving ?
I have not tried that, will do so and report back in a few mins.
 
Old 09-16-2009, 01:07 PM   #6
Sum1
Member
 
Registered: Jul 2007
Distribution: Slackware and Gentoo
Posts: 232

Original Poster
Rep: Reputation: 21
Quote:
Originally Posted by Sum1 View Post
I have not tried that, will do so and report back in a few mins.
Test results yield successful ping of the following:

www.distrowatch.com
www.yahoo.com
www.google.com
www.linuxquestions.org

When I try "links http://www.distrowatch.com" I see "request sent" at the bottom of the screen, but the site (and the others too) will not load.
 
Old 09-16-2009, 01:13 PM   #7
Sum1
Member
 
Registered: Jul 2007
Distribution: Slackware and Gentoo
Posts: 232

Original Poster
Rep: Reputation: 21
Here's the iptables:

#!/bin/bash

# Location in which iptables initscript will save set rules on
# service shutdown
#IPTABLES_SAVE="/var/lib/iptables/rules-save"
# Options to pass to iptables-save and iptables-restore
#SAVE_RESTORE_OPTIONS="-c"
# Save state on stopping iptables
#SAVE_ON_STOP="yes"

# External Network Interface
SKYWAY="eth0"
# Internal Network Interface
LAN1="eth1"
# Internal Subnet
SUBNET1="192.168.195.0/24"

IPT="/usr/sbin/iptables"
MPROBE="/sbin/modprobe"

echo "Flush any/all rules previously existing."
echo "Set policies."
$IPT -t filter -F
$IPT -t filter -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

echo "Reload necessary modules."
$MPROBE ip_tables
$MPROBE nf_conntrack
$MPROBE nf_conntrack_ipv4
$MPROBE nf_nat
$MPROBE xt_state
$MPROBE xt_tcpudp
$MPROBE ipt_REJECT
$MPROBE ipt_LOG
$MPROBE ipt_state
$MPROBE ipt_MASQUERADE
$MPROBE ip_conntrack
$MPROBE ip_conntrack_ftp
$MPROBE iptable_mangle
$MPROBE iptable_nat
$MPROBE iptable_filter

echo "lo"
$IPT -t filter -A INPUT -i lo -j ACCEPT
$IPT -t filter -A OUTPUT -o lo -j ACCEPT

echo "input"
$IPT -t filter -A INPUT -i $SKYWAY -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -t filter -A INPUT -i $SKYWAY -p tcp -m state --state NEW --dport 22 -j ACCEPT
$IPT -t filter -A INPUT -i $LAN1 -j ACCEPT
$IPT -t filter -A INPUT -p icmp -m limit --limit 30/minute --limit-burst 2 -j ACCEPT

echo "ouput"
$IPT -t filter -A OUTPUT -o $SKYWAY -j ACCEPT
$IPT -t filter -A OUTPUT -o $LAN1 -j ACCEPT
$IPT -t filter -A OUTPUT -p icmp -m limit --limit 30/minute --limit-burst 2 -j ACCEPT

echo "forward"
$IPT -t filter -A FORWARD -i $LAN1 -j ACCEPT
$IPT -t filter -A FORWARD -o $LAN1 -j ACCEPT
$IPT -t filter -A FORWARD -i $SKYWAY -j ACCEPT
$IPT -t filter -A FORWARD -o $SKYWAY -j ACCEPT
$IPT -t filter -A FORWARD -i $LAN1 -s $SUBNET1 -j ACCEPT
$IPT -t filter -A FORWARD -p icmp -m limit --limit 30/minute --limit-burst 2 -j ACCEPT

echo "prerouting/postrouting"
$IPT -t nat -A POSTROUTING -o $SKYWAY -s $SUBNET1 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Netfilter framework is set."
 
Old 09-16-2009, 01:33 PM   #8
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,094
Blog Entries: 2

Rep: Reputation: 111Reputation: 111
If you switch your default policy to ACCEPT does it work? That would let you know if you need more rules to fix the issue
 
Old 09-16-2009, 01:44 PM   #9
Sum1
Member
 
Registered: Jul 2007
Distribution: Slackware and Gentoo
Posts: 232

Original Poster
Rep: Reputation: 21
Quote:
Originally Posted by estabroo View Post
If you switch your default policy to ACCEPT does it work? That would let you know if you need more rules to fix the issue
Will test and try to get back in a few mins.
Thanks for your time and patience.
 
Old 09-16-2009, 01:44 PM   #10
harsshal
Member
 
Registered: Jul 2006
Location: New York, NY
Distribution: redhat,ubuntu,RHEL,fedora,centOS
Posts: 105

Rep: Reputation: 15
try
Code:
service iptables stop
If client works fine after that, means there is a problem with iptables.
If doesn't, start iptables and search for other flaws.
 
Old 09-16-2009, 01:57 PM   #11
Sum1
Member
 
Registered: Jul 2007
Distribution: Slackware and Gentoo
Posts: 232

Original Poster
Rep: Reputation: 21
Quote:
Originally Posted by estabroo View Post
If you switch your default policy to ACCEPT does it work? That would let you know if you need more rules to fix the issue
No, does not work.
Changed INPUT, OUTPUT, and FORWARD policy (-P) to ACCEPT and no success.
LAN client can ping previously listed sites, but browser requests are not returned.
 
Old 09-16-2009, 02:04 PM   #12
Sum1
Member
 
Registered: Jul 2007
Distribution: Slackware and Gentoo
Posts: 232

Original Poster
Rep: Reputation: 21
Quote:
Originally Posted by harsshal View Post
try
Code:
service iptables stop
If client works fine after that, means there is a problem with iptables.
If doesn't, start iptables and search for other flaws.
Thanks for the suggestion.
I'm running out of time for today.....have a meeting shortly.
Will test tomorrow morning and see if progress can be made.
 
Old 09-16-2009, 03:39 PM   #13
Sum1
Member
 
Registered: Jul 2007
Distribution: Slackware and Gentoo
Posts: 232

Original Poster
Rep: Reputation: 21
Quote:
Originally Posted by harsshal View Post
try
Code:
service iptables stop
If client works fine after that, means there is a problem with iptables.
If doesn't, start iptables and search for other flaws.
Heh, was able to get out of meeting early.

Tested iptables stop - and still no go.
The same as before -- I can ping anything on the net, but cannot retrieve web pages to LAN clients in a browser.
 
Old 09-17-2009, 01:01 AM   #14
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Could it be that your LAN clients are configured to use some non-existent proxy server?
 
Old 09-17-2009, 07:08 AM   #15
Sum1
Member
 
Registered: Jul 2007
Distribution: Slackware and Gentoo
Posts: 232

Original Poster
Rep: Reputation: 21
Quote:
Originally Posted by win32sux View Post
Could it be that your LAN clients are configured to use some non-existent proxy server?
I don't think so.
At first, I tested with Win XP Pro clients connected to eth1 (LAN interface) by a switch.
But since the initial failures, I've used my linux notebook directly plugged into the CAT5 cable running from eth1 on the routerbox.

The notebook has Slackware 13 and is set to use dhcp for acquiring ip adddress.

Is it possible a proxy is installed on the routerbox, or am I simply missing a proper iptables rule to FORWARD port 80 requests?
Where can I look and what should I be looking for regarding possible proxy on the routerbox?
Routerbox is using Slackware 13 too - fresh install about 2 weeks ago - installed almost everything except X, X apps., and KDE.

Thanks for your time and help.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables rules to NAT or FORWARD packets between LAN clients templeton Linux - Networking 5 11-28-2010 09:00 AM
iptables - accept access from NFS clients dekzorro Linux - Networking 2 09-23-2007 02:30 PM
allow internet access from LAN using IPTABLES cccc Linux - Networking 2 03-24-2006 04:47 PM
linux squid and iptables for secure lan for internet access. pune_abhishek Linux - Networking 4 11-30-2003 07:20 PM
iptables, clients only gain access to a few domain dnla Linux - Networking 5 09-26-2003 09:12 AM


All times are GMT -5. The time now is 08:54 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration