LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 07-12-2006, 08:58 PM   #1
mallard
LQ Newbie
 
Registered: Jul 2006
Posts: 7

Rep: Reputation: 0
Linux router, my boxes can ping outside, but no web


I have a Debian box with two network cards, eth0 connected to cable modem and eth1 connected to switch. I'm currently using ipmasq to handle iptables and routing stuff. I was doing it by hand before, but discovered ipmasq while trying to solve the problem I'm having, and liked it enough to stick with it.

Here's my /etc/networking/interfaces:
Code:
	# loopback interface
	auto lo
	iface lo inet loopback

	# interface external network (internet), configured through dhcp
	auto eth0
	iface eth0 inet dhcp

	# interface network 1
	auto eth1
	iface eth1 inet static
		address 192.168.10.254
		netmask 255.255.255.0
		network 192.168.10.0
		broadcast 192.168.10.255
Debian box uses DHCP to get love from the cable modem, I can access web fine from the Deb box. I connected two other machines (one Windows, one Mac) to the switch, and configured each with a static 192.168.10.x ip address using 192.168.10.254 as the gateway. On both machines, I can ping yahoo no problem, and do a traceroute. I thought I was good to go.

But neither machine gets web. There's something fishy going on that's letting ICMP through but nothing else. I tried email and AIM as well, no love. But they can ping www yahoo com, which means DNS is good, and that forwarding is happening.

I'm hoping there's a simple "gotcha" here.
 
Old 07-13-2006, 02:14 AM   #2
DaneM
Member
 
Registered: Oct 2003
Location: Chico, CA, USA
Distribution: Linux Mint
Posts: 881

Rep: Reputation: 130Reputation: 130
Hi, Mallard.

It sounds like you need to open port 80 and make sure that it's getting forwarded from the LAN to the WAN. Also, make sure that all established and related packets are getting forwarded from the WAN to the LAN.

What are you using for a firewall? Straight IPTables (i.e. a script), Shorewall, etc.? I'm not really familiar with ipmasq, so I don't really know what to tell you as far as which command you should use :-p.

If anybody else has a good idea, feel free to chime in :-).

--Dane
 
Old 07-13-2006, 02:56 PM   #3
NomadX
Member
 
Registered: Jul 2005
Location: Portland, OR
Distribution: Debian Testing
Posts: 78

Rep: Reputation: 15
9 times out of 10....

9 times out of 10, if you can ping/traceroute etc. an IP but not a URL, it's because URLs aren't being resolved. Do you have a DNS nameserver line or 2 in your /etc/resolv.conf on all the machines or just the Debian box? The Debian box IP shouldn't be considered a DNS unless you're actually running one (which you're almost definitely not).

Good luck
DrS
 
Old 07-13-2006, 04:58 PM   #4
rml_85226
LQ Newbie
 
Registered: Feb 2006
Posts: 8

Rep: Reputation: 0
Yes

I had a similar problem with Linux 9.. I ended up setting my ISP DNS server addresses in the etc/resolv.conf file...
This seemed to allow my clients to access web pages......

Hope this helps............
 
Old 07-13-2006, 06:39 PM   #5
mallard
LQ Newbie
 
Registered: Jul 2006
Posts: 7

Original Poster
Rep: Reputation: 0
Not DNS

It's not a DNS problem...I can ping an outside website...ala "ping www dot yahoo dot com"...and get a response. But I try to go to the web page (even by IP), and nothing. Both my client boxes have outside primary and secondary DNSes set.

And ipmasq uses iptables under the covers. Doing "iptables --list" shows me "LOG level warning" next to several entries. I found thread id 241279 pertaining to that, but no answer. Anyone know where the log files are? Doesn't smell like syslog.
 
Old 07-13-2006, 07:02 PM   #6
mallard
LQ Newbie
 
Registered: Jul 2006
Posts: 7

Original Poster
Rep: Reputation: 0
Question

Okay, I suppose the "LOG level warning" shows up because those particular lines are for LOG entries...not a problem. More information. I can FTP to the outside world from my boxen, and I noticed BitTorrent working on one of them. HTTP and HTTPS still no good. Curious about DNS I entered Yahoo's IP in the browser (after resolving it by pinging), and it could not be reached.

I feel I'm so close...just can't understand why web isn't working for me.

Here's my iptables -t nat -L
Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.10.0/24      anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Here's my iptables -L
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
LOG        all  --  127.0.0.0/8          anywhere            LOG level warning
DROP       all  --  127.0.0.0/8          anywhere
ACCEPT     all  --  anywhere             255.255.255.255
ACCEPT     all  --  anywhere             255.255.255.255
ACCEPT     all  --  anywhere             255.255.255.255
ACCEPT     all  --  192.168.10.0/24      anywhere
ACCEPT    !tcp  --  anywhere             BASE-ADDRESS.MCAST.NET/4
ACCEPT    !tcp  --  anywhere             BASE-ADDRESS.MCAST.NET/4
ACCEPT    !tcp  --  anywhere             BASE-ADDRESS.MCAST.NET/4
LOG        all  --  192.168.10.0/24      anywhere            LOG level warning
DROP       all  --  192.168.10.0/24      anywhere
ACCEPT     all  --  anywhere             255.255.255.255
ACCEPT     all  --  anywhere             ool-[censored].dyn.optonline.net
ACCEPT     all  --  anywhere             255.255.255.255
LOG        all  --  anywhere             anywhere            LOG level warning
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.10.0/24      anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
LOG        all  --  anywhere             192.168.10.0/24     LOG level warning
DROP       all  --  anywhere             192.168.10.0/24
LOG        all  --  anywhere             anywhere            LOG level warning
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             255.255.255.255
ACCEPT     all  --  anywhere             255.255.255.255
ACCEPT     all  --  anywhere             255.255.255.255
ACCEPT     all  --  anywhere             192.168.10.0/24
ACCEPT    !tcp  --  anywhere             BASE-ADDRESS.MCAST.NET/4
ACCEPT    !tcp  --  anywhere             BASE-ADDRESS.MCAST.NET/4
ACCEPT    !tcp  --  anywhere             BASE-ADDRESS.MCAST.NET/4
LOG        all  --  anywhere             192.168.10.0/24     LOG level warning
DROP       all  --  anywhere             192.168.10.0/24
ACCEPT     all  --  anywhere             255.255.255.255
ACCEPT     all  --  ool-[censored].dyn.optonline.net  anywhere
ACCEPT     all  --  255.255.255.255      anywhere
LOG        all  --  anywhere             anywhere            LOG level warning
DROP       all  --  anywhere             anywhere
 
Old 07-13-2006, 07:07 PM   #7
mallard
LQ Newbie
 
Registered: Jul 2006
Posts: 7

Original Poster
Rep: Reputation: 0
I got it! MTU!

From thread 306304.

This fixed everything...eth1 is the card connecting the server to the switch with all my boxen.
Code:
/sbin/ifconfig eth1 mtu 1492
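
Added example, not part of the original posts: a way to measure the path MTU behind the symptom in this thread (small pings pass, web traffic stalls, lowering the MTU fixes it). It assumes Linux iputils `ping` (`-M do` sets Don't Fragment); the function names and the hostname in the usage comment are placeholders.

```shell
#!/bin/sh
# probe SIZE HOST: succeeds when one ICMP echo carrying SIZE payload bytes,
# sent with the Don't Fragment bit set, gets a reply within 2 seconds.
probe() {
    ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# path_mtu HOST [LOW] [HIGH]: binary-search the largest payload between LOW
# and HIGH that still gets through unfragmented, then add 28 bytes
# (20-byte IP header + 8-byte ICMP header) to report it as an MTU.
path_mtu() {
    host=$1
    lo=${2:-548}     # payload of a 576-byte packet, assumed to pass anywhere
    hi=${3:-1472}    # payload of a full 1500-byte Ethernet packet
    if ! probe "$lo" "$host"; then
        echo "no reply even at the smallest size; not an MTU problem" >&2
        return 1
    fi
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid" "$host"; then
            lo=$mid              # mid fits, search above it
        else
            hi=$(( mid - 1 ))    # mid is too big, search below it
        fi
    done
    echo $(( lo + 28 ))
}

# Usage from a LAN client (placeholder hostname):
#   path_mtu www.example.com
```

A result below 1500 means full-size TCP segments from the LAN clients cannot cross the path unfragmented, while the small packets that a default ping sends still can.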
 
Old 07-14-2006, 08:50 AM   #8
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 234Reputation: 234Reputation: 234
Quote:
Originally Posted by rml_85226
I had a similar problem with Linux 9..
Just a (hopefully gentle) reminder, there is no "Linux 9" per se -- the kernel is only up to 2.6 -- "9" could be RH, SuSE, Slack, & maybe others. Furthermore, OP is using Debian, which is only up to 3.1, so context isn't much help.

Please don't fall into the trap of thinking that your distro is the only one -- I count 515 in the Distrowatch drop-down menu this morning.
 
  

