LinuxQuestions.org forum: Linux - Networking (any issue related to networks or networking: routing, network cards, OSI, etc.)
#1 | 10-25-2006, 05:40 PM | elementalvoid (LQ Newbie; Registered: Oct 2006; Distribution: RHEL / CentOS / Gentoo / Ubuntu; Posts: 3)
CentOS router/firewall prob - local network works but router can't access Internet
Okay, I just replaced an old RHEL3 router/firewall with a CentOS 4.4 machine. I have since been unable to get to the Internet (any host/protocol/etc) with the router/firewall box. All the clients in the local network and the VPN network can get out (via nat).
I run an internal DNS/DHCP server separate from the router/firewall. I also run several web, ftp, external dns, etc servers inside the router that I DNAT/SNAT to the outside world. All of these work fine.
Every machine on the internal/vpn networks can access the outside world. The only machine that cannot is the router. DNS on the router works because it is using the internal DNS server but pings/traceroutes/whatevers don't work. It would seem to me that this is a gateway problem, but from what I see in my routing table everything looks good.
It is important to note that this exact same setup worked fine when running RHEL3.
Any help is appreciated. I would like to be able to download updates for this machine.
Let's start with a pretty drawing.
===================================
Internet
||
||
\/
ISP P2P
(xxx.xxx.209.9)
||
||
\/
(xxx.xxx.204.1)
Router/Firewall
(192.168.1.1)
||
|| ==> DMZ (xxx.xxx.204.62)
||
\/
Local Network (192.168.1.0/24)
The P2P connection is w1g1ppp.
The local network is connected to eth0.
The DMZ is connected to eth1.
Now a couple of configs on the router:
/etc/resolv.conf
=====================
search xxxxxxxxxxxxx.com
nameserver 192.168.1.102
nameserver 192.168.1.101
/etc/hosts
===============================
127.0.0.1 localhost.localdomain localhost
ifconfig (trimmed due to length)
=================================
eth0
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
eth1
inet addr:xxx.xxx.204.61 Bcast:xxx.xxx.204.63 Mask:255.255.255.248
w1g1 Link encap:Point-to-Point Protocol
UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
w1g1ppp Link encap:Point-to-Point Protocol
inet addr:xxx.xxx.204.1 P-t-P:xxx.xxx.209.10 Mask:255.255.255.252
UP POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
iptables -> Smallest set of rules that gets internal computers to have access to the Internet. I took out all the DNAT/SNAT rules for security.
==================
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -s xxx.xxx.204.62 -i eth1 -j ACCEPT
-A INPUT -p udp -m udp --dport 0:1024 -j DROP
-A INPUT -p udp -m udp -j ACCEPT
-A INPUT -j DROP
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -j SNAT --to-source xxx.xxx.204.1
ip_forward
================
enabled (i.e. echo "1" > ....)
route
====================
Kernel IP routing table
Destination     Gateway         Genmask          Flags Metric Ref  Use Iface
192.168.11.2    *               255.255.255.255  UH    0      0      0 tun0
xxx.xxx.209.8   *               255.255.255.252  U     0      0      0 w1g1ppp
xxx.xxx.204.0   *               255.255.255.192  U     0      0      0 w1g1ppp
192.168.1.0     *               255.255.255.0    U     0      0      0 eth0
192.168.11.0    192.168.11.2    255.255.255.0    UG    0      0      0 tun0
169.254.0.0     *               255.255.0.0      U     0      0      0 eth1
default         xxx.xxx.209.9   0.0.0.0          UG    0      0      0 w1g1ppp
Last edited by elementalvoid; 10-25-2006 at 05:52 PM.
#2 | 12-08-2006, 05:16 PM | ozymandias (Member; Registered: Aug 2005; Location: West Midlands, UK; Posts: 61)
Don't know if this'll help - I had a (maybe) similar problem. I could ping external IP addresses, but not get pages to appear in my browser. Try setting your MTU to less than 1500. 1492 seemed to work for me.
Regards,
Oz.
#3 | 12-08-2006, 05:30 PM | amitsharma_26 (Member; Registered: Sep 2005; Location: New Delhi; Distribution: RHEL 3.0/4.0; Posts: 777)
Leave the whole thing aside and tell me: are you able to ping any domain on the Internet by its IP?
Like pinging linuxquestions.org with ?
Last edited by amitsharma_26; 12-08-2006 at 05:32 PM.
#4 | 12-11-2006, 10:34 AM | elementalvoid (LQ Newbie; Original Poster; Registered: Oct 2006; Distribution: RHEL / CentOS / Gentoo / Ubuntu; Posts: 3)
ozymandias: Thanks for the thought on switching the MTU. That wasn't the problem.
amitsharma_26: Nope, can't ping anything except the internal addresses. It doesn't matter whether it is by IP or by name (DNS resolution is working because I am using an internal host for that).
Thanks.
#5 | 12-12-2006, 02:00 PM | amitsharma_26 (Member; Registered: Sep 2005; Location: New Delhi; Distribution: RHEL 3.0/4.0; Posts: 777)
Quote:
Originally Posted by elementalvoid
[network diagram and interface listing quoted from post #1 trimmed here]
iptables -> Smallest set of rules that gets internal computers to have access to the Internet. I took out all the DNAT/SNAT rules for security.
==================
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -s xxx.xxx.204.62 -i eth1 -j ACCEPT
-A INPUT -p udp -m udp --dport 0:1024 -j DROP
-A INPUT -p udp -m udp -j ACCEPT
-A INPUT -j DROP
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -j SNAT --to-source xxx.xxx.204.1
Add another rule to allow RELATED,ESTABLISHED packets back to YOU.
Code:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#6 | 12-12-2006, 03:28 PM | elementalvoid (LQ Newbie; Original Poster; Registered: Oct 2006; Distribution: RHEL / CentOS / Gentoo / Ubuntu; Posts: 3)
AWESOME.
Thanks! I really appreciate your help..
#7 | 12-12-2006, 03:39 PM | amitsharma_26 (Member; Registered: Sep 2005; Location: New Delhi; Distribution: RHEL 3.0/4.0; Posts: 777)
You are welcome.
Usually the way out when troubleshooting such a problem is to watch the iptables packet counters (watch -n1 "iptables -nvL"). You could have noticed that all the packets going out were incrementing the counters of the -j DROP rule when they came back; you should then have checked back those packets to see the actual reason.
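Worked example, added here and not code posted by anyone in this thread: a Python walk of the INPUT chain from post #1, with the ESTABLISHED,RELATED rule from reply #5 added, that shows why replies to the router's own connections hit the final "-j DROP" while forwarded client traffic never enters INPUT at all, and keeps per-rule packet counters like the "iptables -nvL" check in reply #7. Assumptions: 198.51.100 stands in for the masked xxx.xxx prefix, 203.0.113.5 is an arbitrary Internet host, the packets are constructed rather than captured, and the conntrack state is supplied per packet (a real box gets it from the connection-tracking table); the FORWARD chain is modelled as empty with policy ACCEPT, which is what the posted rules imply.

```python
"""Packet walk through an iptables INPUT chain: first matching rule wins, and
only packets addressed to the router itself go through INPUT; everything else
is forwarded.  Added example for the thread above, not the poster's code."""

import ipaddress
from dataclasses import dataclass

# The poster's INPUT chain, exactly as listed, with 198.51.100 standing in
# for the masked xxx.xxx prefix (assumption).
ORIGINAL_INPUT = """
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -s 198.51.100.62 -i eth1 -j ACCEPT
-A INPUT -p udp -m udp --dport 0:1024 -j DROP
-A INPUT -p udp -m udp -j ACCEPT
-A INPUT -j DROP
"""

# Same chain plus the rule from reply #5.  It must sit before the DROP rules:
# a rule appended after "-A INPUT -j DROP" is never reached.
FIXED_INPUT = """
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -s 198.51.100.62 -i eth1 -j ACCEPT
-A INPUT -p udp -m udp --dport 0:1024 -j DROP
-A INPUT -p udp -m udp -j ACCEPT
-A INPUT -j DROP
"""

# Addresses the router owns, from the ifconfig in post #1 (prefix substituted).
ROUTER_ADDRS = {"127.0.0.1", "192.168.1.1", "198.51.100.61", "198.51.100.1"}


@dataclass
class Packet:
    iface: str          # interface the packet arrived on
    src: str
    dst: str            # destination after conntrack has undone any SNAT/DNAT
    proto: str = "tcp"
    dport: int = 0
    state: str = "NEW"  # NEW / ESTABLISHED / RELATED / INVALID, as conntrack would say


@dataclass
class Rule:
    text: str
    target: str = "ACCEPT"
    iface: str = None
    src: ipaddress.IPv4Network = None
    proto: str = None
    dport: tuple = None
    states: set = None
    packets: int = 0    # the "pkts" column of iptables -nvL

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or p.iface == self.iface)
                and (self.src is None or ipaddress.ip_address(p.src) in self.src)
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or self.dport[0] <= p.dport <= self.dport[1])
                and (self.states is None or p.state in self.states))


def parse_chain(text: str) -> list:
    """Parse the subset of iptables-save syntax used in the thread."""
    rules = []
    for line in text.strip().splitlines():
        toks, r, i = line.split(), Rule(text=line), 0
        while i < len(toks):
            t, v = toks[i], toks[i + 1]          # every option here takes one value
            if t == "-i":
                r.iface = v
            elif t == "-s":
                r.src = ipaddress.ip_network(v, strict=False)   # accepts dotted masks
            elif t == "-p":
                r.proto = v
            elif t == "--dport":
                lo, _, hi = v.partition(":")
                r.dport = (int(lo), int(hi or lo))
            elif t == "--state":
                r.states = set(v.split(","))
            elif t == "-j":
                r.target = v
            elif t not in ("-A", "-m"):          # chain name / module load: no test
                raise ValueError(f"unsupported option {t!r} in {line!r}")
            i += 2
        rules.append(r)
    return rules


def verdict(rules: list, p: Packet) -> str:
    """Pick the chain, walk it first-match, bump the deciding rule's counter."""
    if p.dst not in ROUTER_ADDRS:
        return "FORWARD:ACCEPT"   # not for us: FORWARD chain, left at its ACCEPT policy
    for r in rules:
        if r.matches(p):
            r.packets += 1
            return r.target
    return "ACCEPT"               # INPUT policy; unreachable behind the final "-j DROP"


def counters(rules: list) -> list:
    """What watch -n1 'iptables -nvL' would show after the walk: (pkts, rule)."""
    return [(r.packets, r.text) for r in rules]


# Constructed packets matching the symptoms reported in the thread.
PING_REPLY_TO_ROUTER = Packet("w1g1ppp", "203.0.113.5", "198.51.100.1", "icmp", 0, "ESTABLISHED")
DNS_REPLY_TO_ROUTER = Packet("eth0", "192.168.1.102", "192.168.1.1", "udp", 33000, "ESTABLISHED")
REPLY_TO_LAN_CLIENT = Packet("w1g1ppp", "203.0.113.5", "192.168.1.50", "tcp", 40000, "ESTABLISHED")
UNSOLICITED_SYN = Packet("w1g1ppp", "203.0.113.5", "198.51.100.1", "tcp", 22, "NEW")

if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL_INPUT), ("fixed", FIXED_INPUT)):
        rules = parse_chain(chain)
        for p in (PING_REPLY_TO_ROUTER, DNS_REPLY_TO_ROUTER, REPLY_TO_LAN_CLIENT, UNSOLICITED_SYN):
            print(f"{name:8} {p.proto:4} {p.src} -> {p.dst}: {verdict(rules, p)}")
        for pkts, text in counters(rules):
            print(f"{name:8} {pkts:5d} {text}")
```

Running it reproduces the thread: with the original chain the DNS reply from 192.168.1.102 is accepted by the eth0 rule (which is why name resolution worked), the reply to a NATed LAN client never touches INPUT, and the echo reply to the router's own ping falls through to the last rule, so the "-j DROP" counter is the one climbing. With the stateful rule in second position the same echo reply is accepted and an unsolicited SYN from outside is still dropped.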