LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 07-12-2004, 09:41 PM   #1
gonus
Member
 
Registered: Apr 2002
Location: Huntsville, Alabama
Distribution: Ubuntu 9.04
Posts: 445

Rep: Reputation: 30
iptables. Can ping through to internet side nic but can't get to internet


hello all. here is the iptable.comf

#!/bin/sh

# iptables script generator: V0.1-2002
# Comes with no warranty!
# e-mail: michael@1go.dk

# Diable forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward

LAN_IP_NET='20.20.20.28/40
LAN_NIC='eth1'
WAN_IP='65.xx.xx.233'
WAN_NIC='eth0'

# load some modules (if needed)
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp

# Flush
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# enable Masquerade and forwarding
iptables -t nat -A POSTROUTING -s $LAN_IP_NET -j MASQUERADE
iptables -A FORWARD -j ACCEPT -i $LAN_NIC -s $LAN_IP_NET
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open ports on router for server/services
iptables -A INPUT -j ACCEPT -p tcp --dport 80
iptables -A INPUT -j ACCEPT -p tcp --dport 21

# STATE RELATED for router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

as stated in title. I can't get to the internet. I have my linux box with eth0 connecting to the internet. eth1 is connected to my lan (through a hub). Well I can ping my ip on eth0 from any machine on my lan. I can't get to the internet though. My linux box is also my dhcp server. Any help is appreciated.
 
Old 07-12-2004, 09:45 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
echo 0 > /proc/sys/net/ipv4/ip_forward
you want forwarding turned *ON*. Change that to:
echo 1 > /proc/sys/net/ipv4/ip_forward
 
Old 07-12-2004, 10:03 PM   #3
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
Can you browse the net from your linux box?
are your DNS resolutions on the clients good?
 
Old 07-12-2004, 10:03 PM   #4
gonus
Member
 
Registered: Apr 2002
Location: Huntsville, Alabama
Distribution: Ubuntu 9.04
Posts: 445

Original Poster
Rep: Reputation: 30
I changed that. Still not working. Did a reboot on both machines to make sure.
 
Old 07-12-2004, 10:07 PM   #5
gonus
Member
 
Registered: Apr 2002
Location: Huntsville, Alabama
Distribution: Ubuntu 9.04
Posts: 445

Original Poster
Rep: Reputation: 30
I can browse the net on my linux box. I try a dns lookup and I get nothing. But my dhcpd.conf does not include a dns server because my lan currently does not ahve a dns server. I pinged google from linux. I get ip. (only way i know to get an ip with linux other than my own) I ping ip from window box and fail. request times out.
 
Old 07-12-2004, 10:32 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
LAN_IP_NET='20.20.20.28/40

That CIDR notation throws an error for me. Should it be 32 or 24? Check the output of iptables -n -L -v (as well as the nat table) to be sure it's loading.

Last edited by Capt_Caveman; 07-12-2004 at 10:34 PM.
 
Old 07-12-2004, 10:34 PM   #7
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
Does your ISP provide you your IP via DHCP or is it a static address. You may simply include the dns servers of your ISP in dhcpd.conf.

Alternatively, you can start DNS service on your system, and put in the IP of your LAN interface as the dns server address in your dhcpd.conf
 
Old 07-12-2004, 10:39 PM   #8
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
Quote:
That CIDR notation throws an error for me. Should it be 32 or 24? Check the output of iptables -n -L -v (as well as the nat table) to be sure it's loading.
Adding to Capt_caveman's post ... you can a subnet from the Private (unregistered) addresses

10.0.0.0 -10.255.255.255
172.16.0.0-172.31.255.255
192.168.0.0- 192.168.255.255
 
Old 07-13-2004, 08:06 AM   #9
gonus
Member
 
Registered: Apr 2002
Location: Huntsville, Alabama
Distribution: Ubuntu 9.04
Posts: 445

Original Poster
Rep: Reputation: 30
I used 20.20.20.x because thats what the howto I was readign was using. Umm heres a ? 20.20.20.28/40 (this is what I thought) is the range of ip's that will be accepted from the lan. Is that correct or is it supposed to be the network and subnet? I am currently unabel to work on this (at work) but I would think its loading because I was unable to ping through to the internet nic eth0 until I fixed the iptable. (somewhat fixed I can ping through to eth0 but still unable to get internet.)
 
Old 07-13-2004, 08:35 AM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
/32 would specify only the 20.20.20.28 host.
/24 would specify the 20.20.20.0-255 subnet

To my knowledge there is no /40 in CIDR notation (IP addresses only have 32 bits). If you enter that command using the command line :
Code:
[root@Helios root]# iptables -A FORWARD -i eth0 -s 20.20.20.20/40 -j ACCEPT
iptables v1.2.9: invalid mask `40' specified
Try `iptables -h' or 'iptables --help' for more information.
Btw, 20.20.20.28 is a valid public IP address that's owned by someone and isn't a private IP block like 10.10 or 192.168 (I believe that's what ppuru was telling you). If you have your routing table setup properly it should work, but you may get weird results.
 
Old 07-13-2004, 01:26 PM   #11
gonus
Member
 
Registered: Apr 2002
Location: Huntsville, Alabama
Distribution: Ubuntu 9.04
Posts: 445

Original Poster
Rep: Reputation: 30
Ahhhhh. I see said the blind man. Thats were I thought this was going. So tonight I will change by dhcp scope to the 192.168.x.x range. Then I will use the script posted on my dns post and hopefully I will have better luck. I appreciate the explanation.
 
Old 07-13-2004, 07:37 PM   #12
gonus
Member
 
Registered: Apr 2002
Location: Huntsville, Alabama
Distribution: Ubuntu 9.04
Posts: 445

Original Poster
Rep: Reputation: 30
Guys I am like back to square one. I have reset the dhcp scope to 192.168.0.2-6. I set the eth1 to 192.168.0.6. I used the www.iptables-script.dk iptable script. Now I am back to unable to ping outside. Here ismy new conf I am overlooking again but I ned help as I am still a newb

#!/bin/sh

# iptables script generator: V0.1-2002
# Comes with no warranty!
# e-mail: michael@1go.dk

# Diable forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward

LAN_IP_NET='192.168.0.1/24'
LAN_NIC='eth1'
WAN_IP='68.113.72.168'
WAN_NIC='eth0'

# load some modules (if needed)

# Flush
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# enable Masquerade and forwarding
iptables -t nat -A POSTROUTING -s $LAN_IP_NET -j MASQUERADE
iptables -A FORWARD -j ACCEPT -i $LAN_NIC -s $LAN_IP_NET
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# STATE RELATED for router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
 
Old 07-13-2004, 09:40 PM   #13
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
your lan ip net should read as

LAN_IP_NET='192.168.0.0/24'
 
Old 07-13-2004, 10:30 PM   #14
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Your script works just fine on my test LAN. The only catch I can see is that you aren't allowing any NEW incoming traffic between the LAN machines and the firewall, so if it's also acting as as a dhcp/dns server, then it could be causing problems. So try this just in case:
iptables -A INPUT -i $LAN_NIC -s $LAN_IP_NET -j ACCEPT

You might also want to take a look at the networking setup of the client (miss-configuring things like the gateway IP, DNS, etc might be the culprit ). As well as the boot logs of the client to see if it's having any networking related errors.
 
Old 07-13-2004, 10:50 PM   #15
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
Capt_Caveman is right ... LAN traffic was blocked; missed that small thing that had a huge impact
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
FC4 won't ping 127.0.0.1 or the internet, but will ping local computers jalsk Linux - Networking 4 11-22-2005 05:59 PM
Nic card -> cable internet modem no internet connection zeshan_b Mandriva 21 09-26-2004 11:48 AM
how do i minimize internet connection to side of taskbar in KDE 3.2 coolinuxguy246 Linux - Newbie 1 06-21-2004 06:20 AM
Can ping network but can't ping any internet ip when I hard set the ip Streme Linux - Wireless Networking 4 04-13-2004 09:18 AM
IP-less sniffing on WAN side of internet router codeape Linux - Networking 18 02-17-2004 02:18 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 07:19 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration