SO! i've got a client with redhat enterprize-4 that was either set up by a complete newb or a guru. it's an all-in-one solution: web, email, routing, ftp, squid, dansguardian, canna, dovecot, samba... everytime i'm on it, i find something new!

anyway, it was originally set up for eight machines. that's reflected in access.db, hosts, samba - they all have the same eight ip addresses. i've added another box and i can get all services except internet. i have no idea what could be preventing internet from working. i've got proxy off. i don't think it's DNS (i've tried to hit sites by ip address as a check). i don't see anything in iptables with the other clients ipaddresses in it. i've looked for a netmask that might limit routing to the orginal eight.

it could be dg and dovecot, but i'm not all that familiar with either.

any suggestions?

-tofer

Just a thought what does /etc/resolv.conf say on the box that you just added?

When you say can't get internet, do you mean http, or any kind of external connection(eg ssh).

If you can't get anything external at all then check the routing table on your machine and compare it to the routing table on one of the working machines. (route -n). It wouldn't hurt to check the interface configuration as well (ifconfig). Note and post any differences.

*Now assuming that it is only outbound http that doesn't work*

You say the machine runs squid, so do the 8 working machines go through squid? If so what happens if you try and get a webpage directly from the internet on a working machine (how to do this varies from browser to browser). If this doesn't work then chances are there is a firewall rule either on this box (or between this box and the net) preventing outbound http (most sensible places that run a proxy have such a firewall rule somewhere). You must also configure the new box to go through squid. If you can make direct http connections from a working box, but not from the new box, then again, I would suspect a firewall rule

thanks guys!

all boxes behind the redhat box are winders.

can i dump an iptables -L in this thread without getting quished?

when i first got in this place, they were frantic about disabling ssh ~ i shut it down only to realize that client boxes were running some ssh bound proxy. disabling proxy at the client end worked, so i assumed it wasn't forced in a route table (still might be a rule there someplace). ssh is back, but only on the local net. squid, dansguardian, canna, dovecot are all things i'm not familiar with. i don't want to shut them down without knowing the consequences. i'll look for config files and rules when i can get in there again!

thanks again!
-tofer

thanks for the directions... still got nuthin. also i can't ftp out. it'll auth, but can't push a file. can't VNC over 5900 either. if i change the ipaddress (all are static) to within a certain range at least internet works.

here's iptables:

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:8009
DROP tcp -- anywhere anywhere tcp dpt:http-alt
DROP tcp -- anywhere anywhere tcp dpt:webcache
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:squid state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:auth state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
LOG udp -- anywhere anywhere udp dpt:ntalk LOG level warning
DROP udp -- anywhere anywhere udp dpt:ntalk
LOG udp -- anywhere anywhere udp dpt:talk LOG level warning
DROP udp -- anywhere anywhere udp dpt:talk
LOG udp -- anywhere anywhere udp dpt:syslog LOG level warning
DROP udp -- anywhere anywhere udp dpt:syslog
LOG udp -- anywhere anywhere udp dpt:xdmcp LOG level warning
DROP udp -- anywhere anywhere udp dpt:xdmcp
LOG tcp -- anywhere anywhere state INVALID,NEW LOG level warning
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere tcp dpt:455
DROP tcp -- anywhere anywhere tcp dpt:netbios-ns
DROP tcp -- anywhere anywhere tcp dpt:netbios-dgm
DROP tcp -- anywhere anywhere tcp dpt:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpt:socks
DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds
DROP tcp -- anywhere anywhere state NEW tcp dpt:22 recent: UPDATE seconds: 15 name: DEFAULT side: source
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:22 recent: SET name: DEFAULT side: source
ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp state NEW
DROP tcp -- anywhere anywhere tcp dptop3 state INVALID
ACCEPT tcp -- anywhere anywhere tcp dptop3 state NEW,ESTABLISHED
DROP tcp -- anywhere anywhere tcp dptop3s state INVALID
DROP tcp -- anywhere anywhere tcp dptop3s state NEW,ESTABLISHED
DROP udp -- anywhere anywhere udp dpt:1026
DROP tcp -- anywhere anywhere tcp dpt:mysql
DROP tcp -- anywhere anywhere tcp dpt:ms-sql-s
DROP tcp -- anywhere anywhere tcp dpt:ircd

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere print-server tcp dpt:5900
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
LOG tcp -- anywhere anywhere tcp spt:netbios-ns LOG level warning
DROP tcp -- anywhere anywhere tcp spt:netbios-ns
LOG tcp -- anywhere anywhere tcp spt:netbios-dgm LOG level warning
DROP tcp -- anywhere anywhere tcp spt:netbios-dgm
LOG tcp -- anywhere anywhere tcp spt:netbios-ssn LOG level warning
DROP tcp -- anywhere anywhere tcp spt:netbios-ssn


heres squid:
http_port 3128
hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl home_network src 192.168.10.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow home_network
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost
http_reply_access allow home_network
icp_access allow home_network
miss_access allow home_network

reply_body_max_size 0 allow home_network

visible_hostname zgarch_serv
snmp_access deny !home_network
coredump_dir /var/spool/squid

here's route from a working box:
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0e a6 1b ff e7 ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.10.10 192.168.10.18 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.10.0 255.255.255.0 192.168.10.18 192.168.10.18 20
192.168.10.18 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.10.255 255.255.255.255 192.168.10.18 192.168.10.18 20
224.0.0.0 240.0.0.0 192.168.10.18 192.168.10.18 20
255.255.255.255 255.255.255.255 192.168.10.18 192.168.10.18 1
Default Gateway: 192.168.10.10
===========================================================================
Persistent Routes:
None

and a non-working box:

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 c0 f0 7a cf e9 ...... Kingston EtherRx KNE111TX PCI Fast Ethernet Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.10.10 192.168.10.19 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.10.0 255.255.255.0 192.168.10.19 192.168.10.19 20
192.168.10.19 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.10.255 255.255.255.255 192.168.10.19 192.168.10.19 20
224.0.0.0 240.0.0.0 192.168.10.19 192.168.10.19 20
255.255.255.255 255.255.255.255 192.168.10.19 192.168.10.19 1
Default Gateway: 192.168.10.10
===========================================================================
Persistent Routes:
None

I fixed it! as it turns out, red hat - at least this version - keeps another config file for iptables way down in it's guts which overrides anything from the command line. anyway, seems to be working...