Hi Im new this forum

I have a problem with fodora acting as a NAT Gateway, my two XP pc-tracert does not work.
but on my other two linux boxes behind the firewall do a traceroute with no problems.

Has anyone seen this problem before

That's because *n*x traceroute uses UDP datagrams, but Win* tracert uses ICMP. Apparently your firewall is blocking all ICMP traffic.

I can ping ext Ip Addresses from Win*, can i post my firewall script here

Go ahead, it's the quickest way to get an answer

# Start rc.local

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]; then
echo "4096" > /proc/sys/net/ipv4/ip_conntrack_max
fi
if [ -e /proc/sys/net/ipv4/ip_local_port_range ]; then
echo -e "32768\t61000" > /proc/sys/net/ipv4/ip_local_port_range
# echo -e "0\t61000" > /proc/sys/net/ipv4/ip_local_port_range
fi
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo "0" > $i;
done
fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo "1" > $i;
done
fi
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
echo "1" > /proc/sys/net/ipv4/ip_forward
fi

#end rc.local

#start of rc.firewall

#!/bin/sh
IPTABLES="/sbin/iptables"
ADD="$IPTABLES -A"
CREATE="$IPTABLES -N"
FLUSH="$IPTABLES -F"
MODPROBE="/sbin/modprobe"

$MODPROBE ip_tables
$MODPROBE ip_nat_ftp
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp

# External network interface (BPA)
EXT_IF="eth0"
EXT_IP=`/sbin/ifconfig $EXT_IF | grep inet | cut -d: -f2 | cut -d\ -f1`

# Internal network interface (LAN)
INT_IF="eth1"
INT_NET="192.168.1.0/24"

ANY="0.0.0.0/0"

# Filename for incoming/outgoing byte counters
ACCF=/var/log/TRAFFIC
LOCK=/tmp/TRAFFIC.lck

start() {
# Start firewall rules
# Set to default values
reset

BPA_AUTH_SVR="61.9.208.13"
#BPA_AUTH_SVR=`host sm-server | grep address | cut -f4 -d" "`
echo "External IP" = $EXT_IP

# Get byte counters
getcounters

# Set default policy
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# [ TRAF ] Accounting chains
$IPTABLES -N TRAF-IN
$IPTABLES -N TRAF-OUT
#
# [ INPUT ]
#
echo "Iptable Input"
$IPTABLES -F INPUT

# Byte counter for incoming traffic
$IPTABLES -A INPUT -i $EXT_IF -j TRAF-IN -c $X1

# Allow BPA heartbeat packets
$IPTABLES -A INPUT -s $BPA_AUTH_SVR -i $EXT_IF -p udp --dport 5050 -j ACCEPT

# Allow all packets from localhost and internal network
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INT_IF -j ACCEPT

# Stateful inspection - Allow packets in from connections already established
$IPTABLES -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

#Drop invalid packets
$ADD INPUT -m state --state INVALID -j DROP

# DROP packets from invalid source
$IPTABLES -A INPUT -i $EXT_IF -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s 169.254.0.0/16 -j DROP

# LOG and DENY everything else
$IPTABLES -A INPUT -i $EXT_IF -j LOG --log-prefix "netfilter: "

echo "Iptable Input OK "

## [ FORWARD ]
echo "Iptable FORWARD"

$IPTABLES -F FORWARD
$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -j TRAF-IN -c $X3
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -j TRAF-OUT -c $X4
$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -s $ANY -d $INT_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -d $ANY -j ACCEPT
$IPTABLES -A FORWARD -j LOG --log-prefix "netfilter: "

echo "Iptable FORWARD OK "

## [ OUTPUT ]
echo "Iptable OUTPUT "

# Byte counter for outgoing traffic
$IPTABLES -A OUTPUT -o $EXT_IF -j TRAF-OUT -c $X2

echo "Iptable OUTPUT OK "
echo "Iptable NAT "
## [ NAT ]

$IPTABLES -F -t nat
$IPTABLES -t nat -F POSTROUTING

$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j SNAT --to-source $EXT_IP
#$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE

## Transparent proxy - Uncomment this to forward HTTP traffic on port 80 to Squid
$IPTABLES -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-port 3128

echo "Iptable NAT OK "

}

getcounters() {
X1="0 0"
X2="0 0"
X3="0 0"
X4="0 0"
if [ -s $ACCF ]; then
X1=`grep INPUT $ACCF | cut -d" " -f2,3`
X2=`grep OUTPUT $ACCF | cut -d" " -f2,3`
X3=`grep FORW-IN $ACCF | cut -d" " -f2,3`
X4=`grep FORW-OUT $ACCF | cut -d" " -f2,3`
fi
}

# Save byte counters
save() {
# Save iptables rules and accounting information
lockfile -l300 -r5 $LOCK >/dev/null 2>&1
if [ $? -eq 0 ]; then
X=`$IPTABLES -nL | wc -l | sed "s/ //g"`
if [ $X -gt "8" ]; then
$IPTABLES -nvxL INPUT | grep TRAF-IN | awk '{print "INPUT " $1" "$2}' > $ACCF
$IPTABLES -nvxL OUTPUT | grep TRAF-OUT | awk '{print "OUTPUT " $1" "$2}' >>$ACCF
$IPTABLES -nvxL FORWARD | grep TRAF-IN | awk '{print "FORW-IN " $1" "$2}' >>$ACCF
$IPTABLES -nvxL FORWARD | grep TRAF-OUT | awk '{print "FORW-OUT "$1" "$2}' >>$ACCF
fi
rm -f $LOCK
fi
}

reset() {
# Reset to default values
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT

$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
}

stop() {
save
reset
}

# DROP all packets from external interface, allow from internal network
lock() {
reset
getcounters
$IPTABLES -N TRAF-IN
$IPTABLES -N TRAF-OUT
$IPTABLES -A INPUT -i $EXT_IF -j TRAF-IN -c $X1
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INT_IF -j ACCEPT
$IPTABLES -A INPUT -j DROP
}

case "$1" in
start)
start
;;
stop)
stop
;;
save)
save
;;
lock)
lock
;;
restart)
stop
start
;;
*)
echo $"Usage: $0 {start|stop|save|lock|restart}"
esac
exit

Hmmm, it doesn't look like there's anything protocol-specific in there. It could be a few things, possibly that your ISP blocks the ICMP type that Windows is using (I don't think it uses ECHO REQUEST for tracert, but I could be wrong). It could also be that iptables doesn't recognize it as ESTABLISHED or RELATED traffic, but that would be odd.

What happens if you do traceroute -I on Linux (-I should make it use ICMP rather than UDP)? Also, does your Windows trace just show all stars (* * * for every hop), or do you get a response inside your network and then stars outside?

If you're familiar with tcpdump, you could run that on your internal interface when trying to do a tracert from Windows and see what traffic you get, then do the same thing only run the tcpdump on the external interface and see if the datagrams are being forwarded by the external interface and see if the responses are coming back.

had a look at tcpdump could not make heads or talls

With tracert works till ext IPs and replys with **

[root@router root]# traceroute -s 192.168.1.254 -I www.telstra.com.au
traceroute to www.telstra.com.au (144.135.18.41) from 192.168.1.254, 30 hops max, 38 byte packets
1 10.224.16.1 (10.224.16.1) 7.197 ms 6.309 ms 6.253 ms
2 border-router.qld.bigpond.net.au (61.9.209.3) 9.398 ms 8.588 ms 8.567 ms
3 GigabitEthernet4-2.cha23.telstra.net (139.130.193.117) 12.000 ms 8.476 ms 7.529 ms

From the Windows PC

Tracing route to www.telstra.com.au [144.135.18.41]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms router.local [192.168.1.254]
2 7 ms 10 ms 7 ms 10.224.16.1
3 * * * Request timed out.
4 * * * Request timed out.

That's pretty interesting. Are you saying that tracert from Windows worked fine prior to putting in the Linux box firewall? From the results it looks like the traffic is getting past the external interface of the firewall prior to timing out, so it seems like either the broadband router or the first router on your ISP's side is blocking the traffic. The really amusing thing is that they're specifically blocking the type of ICMP traffic that Windows tracert produces, and nothing else. That's really weird.

Would the 10.224.16.1 IP be the bridge ip between eth0 and the cable modem becouse it doues not rev lookup

I plug in a bridge/router device and tracert works fine and i think from mem that there is no 10.224.16.1 in the trace route.

It's probably the external address of your Linux box. Use the ifconfig -a command and see what the results are.

eth0 Link encap:Ethernet HWaddr 000:B7:51:BA:78
inet addr:203.45.233.67 Bcast:255.255.255.255 Mask:255.255.252.0
inet6 addr: fe80::2d0:b7ff:fe51:ba78/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8128200 errors:0 dropped:0 overruns:0 frame:0
TX packets:3404310 errors:93 dropped:0 overruns:0 carrier:93
collisions:136180 txqueuelen:1000
RX bytes:1842531721 (1757.1 Mb) TX bytes:236852432 (225.8 Mb)

eth1 Link encap:Ethernet HWaddr 00:E0:18:45:62:30
inet addr:192.168.1.254 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::2e0:18ff:fe45:6230/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3740071 errors:0 dropped:0 overruns:0 frame:0
TX packets:2508208 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:306864325 (292.6 Mb) TX bytes:1582830265 (1509.5 Mb)
Interrupt:12 Base address:0xd400

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:31558 errors:0 dropped:0 overruns:0 frame:0
TX packets:31558 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:9788618 (9.3 Mb) TX bytes:9788618 (9.3 Mb)

sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

Ahh, you have one of those weird half-bridges. Those things are just creepy. Yes, the 10.224.16.1 IP appears to be that of your bridge, since your external NIC has a real routeable IP address.

So were to from here Call Ghost Busters ??