LinuxQuestions.org
08-01-2010, 12:45 AM   #1
orsty9001
Slackware router problem


I set up a slackware box a couple of years ago to be a router in my house. It does that and zoneminder and that's pretty much it.

Today the power went out and the UPS could only keep this machine up for about 45 mins before it ran out of power. When the power came back up I turned on the slackware box and it booted normally. Everything started up fine but one problem.

I have 4 other machines in the house that connect to the internet. None of them will pull up a web page. They will however ping and resolve anything on the outside world without a problem. My slackware box will load websites without a problem but anything on the internal network will not bring up a web page even though all of it can talk to the outside world. I know the problem is with this slackware box routing the web pages because my laptop and phone will both connect to my neighbor's internet and work fine.

I've searched the internet for the past 6 hours with no luck.

I'm running slackware 13 and it's your basic dnsmasq setup with two lan cards. eth0 going to the cable modem and eth1 going to my switch.

Last edited by orsty9001; 08-01-2010 at 12:52 AM.
 
08-01-2010, 01:03 AM   #2
MS3FGX

You say you searched online for 6 hours...but for what exactly? You haven't given us a lot of details to work with here.

Is dnsmasq starting? Is the machine still giving out valid DHCP leases? How were you handling routing? What does your iptables configuration look like currently (iptables -L), etc, etc.
 
08-01-2010, 01:30 AM   #3
orsty9001 (Original Poster)

Sorry, going into hour 30 of being awake. It's been one of those days.

iptables -L gives me this

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
bad_packets  all  --  anywhere             anywhere            
DROP       all  --  anywhere             ALL-SYSTEMS.MCAST.NET 
ACCEPT     all  --  192.168.1.0/24       anywhere            
ACCEPT     all  --  anywhere             192.168.1.255       
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
tcp_inbound  tcp  --  anywhere             anywhere            
udp_inbound  udp  --  anywhere             anywhere            
icmp_packets  icmp --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast 
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 3 LOG level warning prefix `INPUT packet died: ' 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:http 

Chain FORWARD (policy DROP)
target     prot opt source               destination         
bad_packets  all  --  anywhere             anywhere            
tcp_outbound  tcp  --  anywhere             anywhere            
udp_outbound  udp  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 3 LOG level warning prefix `FORWARD packet died: ' 

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
DROP       icmp --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  localhost            anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  192.168.1.1          anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 3 LOG level warning prefix `OUTPUT packet died: ' 


Chain bad_tcp_packets (1 references)
target     prot opt source               destination         
RETURN     tcp  --  anywhere             anywhere            
LOG        tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW LOG level warning prefix `New not syn: ' 
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW 
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE LOG level warning prefix `Stealth scan: ' 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG LOG level warning prefix `Stealth scan: ' 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG 
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG LOG level warning prefix `Stealth scan: ' 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG 
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG LOG level warning prefix `Stealth scan: ' 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG 
LOG        tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST LOG level warning prefix `Stealth scan: ' 
DROP       tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST 
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN LOG level warning prefix `Stealth scan: ' 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN 
RETURN     tcp  --  anywhere             anywhere            

Chain icmp_packets (1 references)
target     prot opt source               destination         
LOG        icmp -f  anywhere             anywhere            LOG level warning prefix `ICMP Fragment: ' 
DROP       icmp -f  anywhere             anywhere            
DROP       icmp --  anywhere             anywhere            icmp echo-request 
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded 
RETURN     icmp --  anywhere             anywhere            

Chain tcp_inbound (1 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere            tcp dpt:auth reject-with icmp-port-unreachable 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:commplex-main:5100 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:6891:6900 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:auth 
RETURN     tcp  --  anywhere             anywhere            

Chain tcp_outbound (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            

Chain udp_inbound (1 references)
target     prot opt source               destination         
DROP       udp  --  anywhere             anywhere            udp dpt:netbios-ns 
DROP       udp  --  anywhere             anywhere            udp dpt:netbios-dgm 
REJECT     udp  --  anywhere             anywhere            udp dpt:auth reject-with icmp-port-unreachable 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc 
RETURN     udp  --  anywhere             anywhere            

Chain udp_outbound (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere
I really don't know enough about this OS to know what to look for. It's pulling an IP address from my cable modem without a problem and all my machines are picking up an IP address from it without a problem. From any of my laptops I can ping the outside world. They will resolve domain names too. Nothing on the network side of my slackware box will fetch web pages. I tried searching for the symptoms in hopes that someone else has had this same problem this evening with no luck.

I'm not exactly sure how it's routing traffic to be honest so I'm not sure what to look for.

Last edited by orsty9001; 08-01-2010 at 01:33 AM.
 
08-01-2010, 08:48 AM   #4
number22

If you can ping from inside your network, from another Windows computer behind the firewall, then the most likely problem is a DNS resolution problem.

After that, you should check your iptables rules, especially anything related to http.

>>DROP all -- anywhere ALL-SYSTEMS.MCAST.NET

ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Add NEW into above section, test it out.

Last edited by number22; 08-01-2010 at 08:54 AM.
 
08-01-2010, 11:12 AM   #5
orsty9001 (Original Poster)

It didn't change the behavior.

I was able to rule out a dns problem by pinging www.google.com from one of my internal machines. It resolved the IP address and pinged it.
 
08-01-2010, 12:28 PM   #6
number22

The most likely problem is with your iptables. Check your iptables nat section; I presume that you are running it as a proxy server.

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to xxx.xxx.xxx.xxx (if you have a real fixed internet IP)

Or

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE

(dynamic IP address)

When you type route -n on the command line, you should see your internet IP address as a default gateway, with 0.0.0.0 in front of this default gateway. Check your /etc/hosts.allow file. Make sure it allows outbound traffic, ALL:192.168.1.0/24

Last edited by number22; 08-01-2010 at 02:55 PM.
 
08-01-2010, 01:54 PM   #7
orsty9001 (Original Poster)

I get this error when I try the last line there.

Code:
iptables v1.4.3.2: Couldn't load target `MANGLE_PREROUTING':/usr/libexec/xtables/libipt_MANGLE_PREROUTING.so: cannot open shared object file: No such file or directory
 
08-01-2010, 02:48 PM   #8
number22

Oops, that MANGLE_PREROUTING is a custom chain in my firewall; you don't actually need anything from the iptables -t mangle chain, just the iptables -t nat chain for masquerading the IP address.

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to xxx.xxx.xxx.xxx (if you have a real fixed internet IP)

Or

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE

(dynamic IP address)

and of course, your /etc/rc.d/ip_forward file is executable.

Last edited by number22; 08-01-2010 at 02:59 PM.
 
08-01-2010, 03:19 PM   #9
orsty9001 (Original Poster)

I understand and it's no problem.

I noticed something strange when I did a route -n.

eth0 which is my ethernet card that my cable modem is plugged into is listed twice.

First time it's listed it is as you've described. The second time it's listed like this.


Code:
0.0.0.0         97.81.208.1     0.0.0.0         UG    0    0        0 eth0
 
08-01-2010, 03:33 PM   #10
number22

Your route -n should look like below:

Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
97.81.208.1     0.0.0.0         255.255.255.255 U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         97.81.208.1     0.0.0.0         UG    0      0        0 eth0

You should make sure your lo is up too. Anyway, check your iptables rules, especially for the http protocol on both interfaces eth1 and lo; allow them in the INPUT, OUTPUT and FORWARD chains of your iptables.
Rarely, your NIC went bad, but it can happen.

Last edited by number22; 08-01-2010 at 03:46 PM.
 
08-01-2010, 05:05 PM   #11
orsty9001 (Original Poster)

I found a backup from 6 months ago I did of all the scripts and whatnot on this machine. I did an iptables-restore with the file it generated back then and still no luck. That backup was taken when this used to work.
 
08-01-2010, 07:42 PM   #12
number22

You can simplify your iptables rules, make the INPUT, OUTPUT, and FORWARD chains open, and rule out the problem line by line.

In the worst case, you have to recompile your kernel.
 
08-01-2010, 09:25 PM   #13
ryerke

Have you tried to repair the connections from the other machines? I know that it can be easy to overlook the obvious sometimes. At least for me it is. Anytime I lose power and have my NAT shut down I have to repair the connections on all computers even though the network settings remain the same.
Another thing to consider is the nameserver listed in resolv.conf. That should be the one that is forwarded by dnsmasq for DNS to the network.
 
08-01-2010, 10:04 PM   #14
orsty9001 (Original Poster)

Quote:
Originally Posted by ryerke
Have you tried to repair the connections from the other machines? I know that it can be easy to overlook the obvious sometimes. At least for me it is. Anytime I lose power and have my NAT shut down I have to repair the connections on all computers even though the network settings remain the same.
Another thing to consider is the nameserver listed in resolv.conf. That should be the one that is forwarded by dnsmasq for DNS to the network.

First thing I tried. I know the machines are working fine because they will log into this slackware box. I have a samba share set up to share some files between all the computers in the house. I can also bring up the zoneminder web page and see my cameras. All my machines will resolve IP addresses on the internal network.

I've spent the past few hours systematically changing rules in the iptables to accept with no luck.

I did a dmesg while I tried to go to google. This is what I get.

Code:
fp=bad_packets:1 a=DROP IN=eth1 OUT=eth0 SRC=192.168.1.254 DST=74.125.159.147 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=3125 DF PROTO=TCP SPT=1117 DPT=443 WINDOW=16445 RES=0x00 ACK FIN URGP=0
My guess is that iptables is still doing something nasty but I really don't have enough experience with this stuff to figure out what's going on.
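
Added example (not part of the original post, and not the poster's firewall script): a small parser that groups netfilter LOG lines like the dmesg line above by rule prefix, direction, destination port and TCP flags, so the chain that is dropping forwarded traffic can be identified. The first sample line is the one quoted above; the other two are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Flag names the kernel LOG target prints as bare words on TCP lines.
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

# Line 1 is the dmesg line quoted in the post; lines 2-3 are constructed samples.
SAMPLE_LOG = """\
fp=bad_packets:1 a=DROP IN=eth1 OUT=eth0 SRC=192.168.1.254 DST=74.125.159.147 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=3125 DF PROTO=TCP SPT=1117 DPT=443 WINDOW=16445 RES=0x00 ACK FIN URGP=0
[ 812.104233] fp=bad_packets:1 a=DROP IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=411 DF PROTO=TCP SPT=1200 DPT=80 WINDOW=16445 RES=0x00 ACK URGP=0
INPUT packet died: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=9 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
"""


def parse_line(line):
    """Split one netfilter LOG line into its rule prefix, fields and TCP flags."""
    line = re.sub(r"^\[\s*\d+\.\d+\]\s*", "", line.strip())  # drop dmesg timestamp
    m = re.match(r"^(?P<prefix>.*?)\s*(?P<body>IN=\S*\s+OUT=.*)$", line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix"), "flags": []}
    for tok in m.group("body").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec[key] = val            # OUT= with no value becomes ""
        elif tok in TCP_FLAGS:
            rec["flags"].append(tok)  # bare words such as DF are ignored
    return rec


def direction(rec):
    """FORWARD when both interfaces are set, otherwise INPUT or OUTPUT."""
    if rec.get("IN") and rec.get("OUT"):
        return "FORWARD %s->%s" % (rec["IN"], rec["OUT"])
    return "INPUT " + rec["IN"] if rec.get("IN") else "OUTPUT " + rec.get("OUT", "")


def summarize(text):
    """Count logged packets per (prefix, direction, proto, dport, flags)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            flags = "+".join(rec["flags"]) or "-"
            counts[(rec["prefix"], direction(rec), rec.get("PROTO"),
                    rec.get("DPT"), flags)] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

Feeding it the real kernel log (for example the saved output of dmesg) shows at a glance whether the drops are forwarded LAN traffic or packets addressed to the router itself.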
 
08-01-2010, 11:47 PM   #15
number22

Try recompiling your kernel, and make sure you check all router options and iptables modules. I would use the smp-large build scripts, then double-check the advanced router options.

You may have corrupted module files, or missing files.
 
  


All times are GMT -5. The time now is 10:10 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration