LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
-   -   please help: strange problem with NAT??? (https://www.linuxquestions.org/questions/linux-networking-3/please-help-strange-problem-with-nat-392523/)

cutejai 12-13-2005 06:43 PM
please help: strange problem with NAT???
 
hi all.
i've just newly set up my debian(2.4.27-2-386) box with NAT and possibly some minor firewall rule.
and now i'm up to a point where everything seems to work fine, except certain website.
e.g www.dpreview.com www.hotmail.com and lots more and can't sign in msn.
***please note, i can ping them, but i just can't browse them using my internet browser. even try with firefox
some other site like www.google.com and this one, all seems to work fine.

here is my firewall.sh
------------------------------------------
#!/bin/sh

echo -e "\n\nSETTING UP IPTABLES PROXY..."

#set variable to interface
LOOPBACK="lo"
LAN="eth0"
WAN="ppp0"
EXTIP="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

#loading required stateful /NAT kernel moduels
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp

#enable ip forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr


#Flush any rules that may still be configured
/sbin/iptables -t filter -F INPUT
/sbin/iptables -t filter -F OUTPUT
/sbin/iptables -t filter -F FORWARD
/sbin/iptables -t nat -F PREROUTING
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -F OUTPUT

# Set the default policies for the chains
/sbin/iptables -t filter -P INPUT DROP
/sbin/iptables -t filter -P OUTPUT ACCEPT
/sbin/iptables -t filter -P FORWARD DROP
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT

# Set up the firewall rules
/sbin/iptables -t filter -A INPUT -i $LOOPBACK -j ACCEPT
/sbin/iptables -t filter -A INPUT -i $LAN -j ACCEPT
/sbin/iptables -t filter -A INPUT -i $WAN -m state --state RELATED,ESTABLISHED -j ACCEPT

#forward certain ports
#ssh
/sbin/iptables -t filter -A INPUT -p TCP -m state --state NEW -m tcp --dport 22 -j ACCEPT

#bittorrent
/sbin/iptables -t filter -A INPUT -p TCP -m state --state NEW -m tcp --dport 6881:6889 -j ACCEPT

#dameware remote control
/sbin/iptables -t filter -A INPUT -p TCP -m state --state NEW -m tcp --dport 6129 -j ACCEPT

#ftp port
/sbin/iptables -t filter -A INPUT -p TCP -m state --state NEW -m tcp --dport 20:21 -j ACCEPT

# Set up the ip forwarding
/sbin/iptables -t filter -A FORWARD -i $LAN -o $WAN -j ACCEPT
/sbin/iptables -t filter -A FORWARD -i $WAN -o $LAN state --state RELATED,ESTABLISHED -j ACCEPT

# Set up ip masquerading
/sbin/iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
---------------------------------------

i even try to modify the default policy to
# Set the default policies for the chains
/sbin/iptables -t filter -P INPUT ACCEPT
/sbin/iptables -t filter -P OUTPUT ACCEPT
/sbin/iptables -t filter -P FORWARD ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT

still don't work.


when i try using window's ppp0e to connect to internet. everything works fine. which means it's not the model's problem.

so any help or input would be greatly appreciated. and thanx for reading this long post

-----------------------------------
here is the routing table.
destination gateway genmask flags iface
nexthop.nsw.iin * 255.255.255.255 UH ppp0
10.0.0.0 * 255.0.0.0 U eth0
default nexthop.nsw.iin 0.0.0.0 UG ppp0
-------------------------------------

bulliver 12-14-2005 01:03 PM
Quote:
i even try to modify the default policy to
# Set the default policies for the chains
/sbin/iptables -t filter -P INPUT ACCEPT
/sbin/iptables -t filter -P OUTPUT ACCEPT
/sbin/iptables -t filter -P FORWARD ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
You realize you have rendered your firewall completely useless with those rules right? With these default policies, all packets will be accepted.

In any event, your rules look fine, a I doubt very much if the firwall is the cause of your problem, as you said yourself you can ping theses sites. I would look elsewhere for the cause of your problems.

cutejai 12-16-2005 05:32 AM
thanx for your respond bulliver.
and yes, i definitely know that by changing my default policy to accept will render my firewall useless, but i just need to try it. that's all.

So now i know what's cause this problem.
the problem can be solved only when i connect to internet manually by running "pon dsl-provider"

by running it manually, i notice it will create these special rule in forwarding chain.
-------------------
iptables -L

Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS TCP -- anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU
---------------------
so this rule looks like, it will clamp the MTU to the right size. otherwise www.dpreview.com wouldn't let me access it.

so does anyone know how to add it in my firewall rule??? what's the syntex???

or at least show me how to disable their default startup script, so that i can just add this "pon dsl-provider" line just before i run my firewall script.

thanx you for any reply

roopunix 12-16-2005 05:37 AM
did you check ur DNS address.Are they set ?


All times are GMT -5. The time now is 08:46 AM.