LinuxQuestions.org
Old 06-21-2006, 04:31 AM   #1
junpit
Cannot Masquerade


Hi

I have just installed FC5 on an old PC which has two NICs in it. The first, eth0, is on-board and is connected to a cable modem and gets its address via DHCP.

The second, eth1, has a fixed IP (10.20.72.1/24). It is an Asound 4-port router card which is connected to my local network. The box acts as a DNS and DHCP server and this all works great. The DHCP server updates the zones in DNS nicely.

The problem seems to be very strange. I have set masquerading up before but for some reason it's acting very strangely. I've got ip_forwarding configured via /etc/sysctl.conf.

I have a PC connected to the network with address 10.20.72.220. Connectivity between different PCs on the network, and from any PC to the Linux box, is fine.

The strange thing is that I can ping any internet address from any PC on my local network and download POP3 mail no problem. Browsing the internet fails from any PC and the connection drops after a few seconds.

To test connectivity from work, I am attempting to route packets on 3389 (remote desktop) to this 10.20.72.220 from the outside world. Again, I've done this before and this doesn't work either.

Any Ideas?

Here's some output.

# Generated by iptables-save v1.3.5 on Wed Jun 21 10:29:45 2006
*nat
:PREROUTING ACCEPT [85:17323]
:POSTROUTING ACCEPT [9:491]
:OUTPUT ACCEPT [171:13518]
# Port-forward: TCP 3389 arriving on the WAN side is rewritten to the LAN host
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 10.20.72.220
# Source NAT for everything leaving via eth0, using whatever address eth0 currently has
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Jun 21 10:29:45 2006
# Generated by iptables-save v1.3.5 on Wed Jun 21 10:29:45 2006
*mangle
:PREROUTING ACCEPT [6753:2080371]
:INPUT ACCEPT [6370:1998136]
:FORWARD ACCEPT [383:82235]
:OUTPUT ACCEPT [7814:1568966]
:POSTROUTING ACCEPT [8197:1651201]
COMMIT
# Completed on Wed Jun 21 10:29:45 2006
# Generated by iptables-save v1.3.5 on Wed Jun 21 10:29:45 2006
*filter
:INPUT DROP [63:2520]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [7814:1568966]
# Traffic to the box itself: replies on the WAN side, anything from the LAN, and loopback
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Anti-spoofing: LAN and loopback source addresses must never arrive on the WAN side
-A INPUT -s 10.20.72.0/255.255.255.0 -i eth0 -j DROP
-A INPUT -s 127.0.0.0/255.0.0.0 -i eth0 -j DROP
# SSH is the only new inbound TCP connection the box accepts on the WAN side
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
# Routed traffic: LAN out freely, WAN in only for replies or the 3389 port-forward
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.20.72.220 -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
COMMIT
# Completed on Wed Jun 21 10:29:45 2006
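A ruleset audit, added here as an editor's example and not code posted in the thread. It reads an iptables-save dump and checks the four things a masquerading router needs: source NAT on the WAN side, a FORWARD accept for LAN-to-WAN traffic, a state-matched FORWARD accept for the replies, and, for each DNAT port-forward, the separate FORWARD accept that a DNATed packet needs because it is a NEW connection rather than an ESTABLISHED one. It also checks the forwarding sysctl from a file path. The sample dump is a condensed copy of the post's nat and filter tables (mangle table and packet counters dropped); the "broken" variant is constructed by deleting the FORWARD rule that pairs with the DNAT. Interface names and the sysctl path are parameters; nothing here needs root or a live netfilter.

```shell
#!/bin/sh
# Editor's added example (not code from the thread): audit an iptables-save
# dump for the pieces a masquerading router needs and check the forwarding
# sysctl.  Assumes iptables-save text is passed as $1 and interface names as
# arguments; only check_ip_forward's default path touches the live kernel.

# Print the -A rules of one table ("nat" or "filter") from dump text $1.
table_rules() {
    printf '%s\n' "$1" |
        awk -v t="*$2" '$0 == t { f = 1; next } /^COMMIT/ { f = 0 } f && /^-A/'
}

# True if the sysctl file ($1, default: the live value) holds "1".
check_ip_forward() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Report one missing piece on stderr and count it.
gap() { echo "missing: $1" >&2; missing=$((missing + 1)); }

# Prints the number of missing pieces (0 = complete).
# $1 = dump text, $2 = WAN interface, $3 = LAN interface.
audit_nat() {
    wan=$2; lan=$3; missing=0
    nat=$(table_rules "$1" nat)
    filt=$(table_rules "$1" filter)

    # 1. Source NAT on the WAN side.  MASQUERADE reads the address off the
    #    interface for every packet, so it suits a DHCP-assigned public IP;
    #    SNAT --to-source needs a fixed one.  Either satisfies the check.
    printf '%s\n' "$nat" | grep -Eq "^-A POSTROUTING .*-o $wan .*-j (MASQUERADE|SNAT)" ||
        gap "nat POSTROUTING MASQUERADE/SNAT on $wan"

    # 2. LAN-originated traffic may be forwarded out.
    printf '%s\n' "$filt" | grep -Eq "^-A FORWARD -i $lan -o $wan .*-j ACCEPT" ||
        gap "FORWARD $lan -> $wan ACCEPT"

    # 3. Replies are let back in by connection state (state or conntrack match).
    printf '%s\n' "$filt" | grep -Eq "^-A FORWARD -i $wan -o $lan .*RELATED,ESTABLISHED .*-j ACCEPT" ||
        gap "FORWARD $wan -> $lan RELATED,ESTABLISHED ACCEPT"

    # 4. A DNATed packet is a NEW connection from the WAN, so rule 3 never
    #    passes it: every PREROUTING DNAT needs its own FORWARD ACCEPT.
    while read -r rule; do
        [ -n "$rule" ] || continue
        port=$(printf '%s\n' "$rule" | sed -n 's/.*--dport \([0-9]*\).*/\1/p')
        dest=$(printf '%s\n' "$rule" | sed -n 's/.*--to-destination \([^ ]*\).*/\1/p')
        host=${dest%%:*}
        case $dest in *:*) port=${dest##*:} ;; esac    # DNAT may also rewrite the port
        printf '%s\n' "$filt" | grep -Eq "^-A FORWARD .*-d $host(/32)? .*--dport $port .*-j ACCEPT" ||
            gap "FORWARD ACCEPT for DNAT to $host port $port"
    done <<EOF
$(printf '%s\n' "$nat" | grep "^-A PREROUTING .*-j DNAT" || true)
EOF
    echo "$missing"
}

# Constructed sample: the nat and filter tables from the post above, with
# the mangle table and the packet counters dropped.
OP_DUMP=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 10.20.72.220
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.20.72.220 -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
COMMIT
EOF
)
# Constructed failure case: the same dump without the FORWARD rule that pairs
# with the DNAT, a common way to end up with a port-forward that never connects.
BROKEN_DUMP=$(printf '%s\n' "$OP_DUMP" | grep -v -- '--dport 3389 -j ACCEPT')

echo "post's ruleset: $(audit_nat "$OP_DUMP" eth0 eth1) missing piece(s)"
echo "without the FORWARD rule: $(audit_nat "$BROKEN_DUMP" eth0 eth1) missing piece(s)"
if check_ip_forward; then echo "ip_forward=1"; else echo "ip_forward is 0 or unreadable here"; fi
```

On the real box, feed it the live dump: `audit_nat "$(iptables-save)" eth0 eth1`. The post's ruleset passes all four checks, which is worth knowing: when the audit is clean and ICMP and small-transfer protocols like POP3 still work while HTTP stalls, the rules are not the likely culprit, and a path-MTU problem between the LAN and the cable modem is a common separate cause (the TCPMSS target with --clamp-mss-to-pmtu on forwarded SYNs addresses that). Telnet to the box itself over eth1 dropping, as reported later in the thread, does not pass through FORWARD or NAT at all, which points away from netfilter entirely.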
 
Old 06-21-2006, 05:02 AM   #2
intel_ro
I recommend you use iptables -t nat -A POSTROUTING -s 10.20.72.0/24 -j SNAT --to-source xxx.xxx.xxx.xxx, with the IP on the side of your box that faces the router!
 
Old 06-21-2006, 06:38 AM   #3
junpit
Hi

Quote:
Originally Posted by intel_ro
I recommend you use iptables -t nat -A POSTROUTING -s 10.20.72.0/24 -j SNAT --to-source xxx.xxx.xxx.xxx, with the IP on the side of your box that faces the router!
Surely I should not have to use SNAT on this one. The other issue here is that my cable modem issues me with a dynamic IP. This makes this really hard as I would have to change my firewall rules on a change to the public IP.

I have only ever used SNAT at work when we wanted to route traffic on a specific IP to our IIS web server.

Again, there's something wrong here. One new addition to all this seems to be that I can telnet from the internet to my public IP on port 3389 and it connects. It drops soon afterwards.

I have just opened up telnet on the private side and tested connecting from a PC on my private network. It's dropping the connection every few minutes and I have to wait to reconnect. This is feeling more like an IRQ issue the more I look at it.

The Linux server in question is an old Compaq Deskpro 4000 (DP4000). I am wondering if the 4-port card is interfering with something. Guess it's time to check things out with the setup diskettes.

Is there any way of querying IRQ information on devices from Linux?

Thanks

Junpit
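On the IRQ question: the plain answer is `cat /proc/interrupts` (one line per interrupt, with every device sharing it listed after the controller column) and `lspci -v`, which shows the IRQ assigned to each PCI device. The script below is an editor's added example, not anything posted in the thread, that parses /proc/interrupts-style text to list interrupts shared by more than one device and to look up one device's IRQ. It assumes the 2.6-era layout "IRQ: count(s) controller device[, device...]"; the sample table is constructed, not the poster's real machine.

```shell
#!/bin/sh
# Editor's added example (not code from the thread): find interrupt lines
# shared by more than one device, and look up one device's IRQ, from text in
# /proc/interrupts layout.  Assumes "IRQ: count(s) controller device[, ...]";
# the controller is one word, and a second "N-fasteoi"-style word (newer
# kernels) is skipped if present.

# Print "IRQ: dev1, dev2" for every interrupt that lists more than one device.
shared_irqs() {
    printf '%s\n' "$1" | awk '
        /^ *[0-9]+:/ {
            irq = $1; sub(/:$/, "", irq)
            rest = $0
            sub(/^ *[0-9]+: */, "", rest)       # "IRQ:" prefix
            sub(/^([0-9]+ +)+/, "", rest)       # one counter per CPU
            sub(/^[^ ]+ +/, "", rest)           # controller (XT-PIC, IO-APIC-level, ...)
            sub(/^[0-9]+-[a-z]+ +/, "", rest)   # optional flow-handler word on newer kernels
            if (index(rest, ",")) print irq ": " rest
        }'
}

# Print the IRQ number(s) whose device list names $2 exactly (eth1 must not match eth10).
irq_of() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        /^ *[0-9]+:/ {
            irq = $1; sub(/:$/, "", irq)
            if (match($0, "[ ,]" dev "([ ,]|$)")) print irq
        }'
}

# Constructed sample in the layout of a 2.6 uniprocessor kernel: the two
# NICs on IRQ 10 share it, and eth2 shares IRQ 11 with a USB controller.
IRQ_SAMPLE=$(cat <<'EOF'
           CPU0
  0:    1893774          XT-PIC  timer
  1:       1034          XT-PIC  i8042
  9:          0          XT-PIC  acpi
 10:     207011          XT-PIC  eth0, eth1
 11:      60442          XT-PIC  uhci_hcd:usb1, eth2
 14:      28310          XT-PIC  ide0
NMI:          0
ERR:          0
EOF
)

echo "shared interrupts in the sample:"
shared_irqs "$IRQ_SAMPLE"
echo "eth1 is on IRQ $(irq_of "$IRQ_SAMPLE" eth1)"
# On a real box, read the live table the same way.
[ -r /proc/interrupts ] && { echo "shared interrupts on this host:"; shared_irqs "$(cat /proc/interrupts)"; }
```

Sharing an IRQ is normal and usually harmless on PCI, so an entry in this list is a lead rather than a diagnosis; the useful comparison is whether the NIC that drops connections sits on a line with another busy device.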
 
Old 06-21-2006, 08:29 AM   #4
intel_ro
There are some scripts on www.linuxguruz.com in the iptables section on how to make a firewall with DHCP; you will find firewall scripts there for cable modems and for your DHCP.
 
Old 06-22-2006, 05:27 AM   #5
junpit
Quote:
Originally Posted by intel_ro
There are some scripts on www.linuxguruz.com in the iptables section on how to make a firewall with DHCP; you will find firewall scripts there for cable modems and for your DHCP.
OK, I tried several of them. I tweaked my internal interfaces etc. and none of them allow masquerading when run.

First of all, could someone confirm that masquerading works on FC5 and, more importantly, state matching for initiated connections that attempt to connect back.

I changed IRQs, ensuring none of the network cards etc. were sharing. This did not result in any noticeable change, i.e. I'm still getting drop-outs from a telnet connection on the local network to my Linux box whilst my SSH connection from the internet never drops.

Hence the first thing I need to verify is that there is not a better driver for my card. It's using tulip at the moment. My card is an Asound 4-port PCI network card. When connecting from one PC plugged into this card to another PC plugged into this card there are no issues. I am told that the internals of the card just act as a switch for anything not bound to the PC hosting the card. I believe the card is an ADMtek AN983B chipset.

I know this sounds drastic, but I know that this card works against Microcrash and hence I am considering backing up my DHCP/DNS/iptables configs and wiping it with Windows. At least I can verify if there is a fault with the card this way. Should it be successful and work against Windows, I will probably take a step backwards and install SUSE 8 or 9 as I know I have had this card working against these distros in the past, although not on this specific machine. This is of course assuming I cannot get a better driver to work against the card in FC5.

If the card is faulty I will buy a switch and put a Realtek 8139 in the box. I know this works ace with Linux.

Any help is greatly appreciated.

Thanks

Junpit
 
Old 06-22-2006, 05:44 AM   #6
intel_ro
Yes, the masquerade is working. Are you sure you activated ip_forward?
 
Old 06-22-2006, 10:19 AM   #7
EvilC0P
A few details:
This line isn't necessary IMO:
-A INPUT -s 10.20.72.0/255.255.255.0 -i eth0 -j DROP

10.x.x.x and 192.168.x.x can't be routed on the internet. Routers drop those IPs automatically.

also maybe try to ssh after modifying this line
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
Take out the tcp-flags detail; maybe there is a little mistake in there. I personally don't play with flags, yet. But I would add -s IP.Of.Where.ItComes

and see if it works that way.
 
Old 06-22-2006, 10:51 AM   #8
junpit
Quote:
Originally Posted by intel_ro
yes the masquarade is working are u shure activate the ip_forward
Hi

I am sure port forwarding is on and working as I can ping from one of the PCs on the internal network. I set this up in sysctl.conf to make sure it was on, as well as changing the setting in rc.local.
 
Old 06-22-2006, 10:55 AM   #9
junpit
Quote:
Originally Posted by EvilC0P
A few details:
This line isn't necessary IMO:
-A INPUT -s 10.20.72.0/255.255.255.0 -i eth0 -j DROP

10.x.x.x and 192.168.x.x can't be routed on the internet. Routers drop those IPs automatically.

also maybe try to ssh after modifying this line
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
Take out the tcp-flags detail; maybe there is a little mistake in there. I personally don't play with flags, yet. But I would add -s IP.Of.Where.ItComes

and see if it works that way.
I guess the drop on eth0 for my internal subnet is to protect my machine from a spoof. Someone else had added it to the script I nabbed and I left it in there.

Thanks Anyway

Junpit
 
Old 06-22-2006, 11:44 AM   #10
intel_ro
Use:
cat /proc/sys/net/ipv4/ip_forward
If the value is 0, use

echo "1" >/proc/sys/net/ipv4/ip_forward
 
Old 06-23-2006, 04:09 AM   #11
junpit
Quote:
Originally Posted by intel_ro
Use:
cat /proc/sys/net/ipv4/ip_forward
If the value is 0, use

echo "1" >/proc/sys/net/ipv4/ip_forward
Hi

I added this in rc.local as well as the setting in sysctl.conf. This is definitely on as I can actually ping a machine on the internet (like my ISP's DNS servers) from a local PC.

There's definitely something screwy going on with state matching, as normal communication (POP3/ICMP etc.) works fine.

-Junpit
 
  

