POSTROUTING just stopped?

ryedunn · 12-19-2004, 01:12 PM

I have Internet access from my firewall/linux box but my MS box (192.168.0.2) can no longer access the internet but can access the linux box (ping, samba etc). Everything has been running great for the last 2 months without a problem but it just stopped dead today.

[root@firewall root]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.0.0/24 anywhere to:24.14.xxx.xxx (edited)

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I would appreciate any suggestion you have.
The GNUbie

peter_robb · 12-19-2004, 01:17 PM

Do iptables-save to view the current rules..

Make sure it's still there correctly..

and please also check these /proc settings..
cat /proc/sys/net/ipv4/tcp_ecn # should be 0
Another member here had this change after an update..
and cat /proc/sys/net/ipv4/ip_forward # should be 1

ryedunn · 12-19-2004, 01:27 PM

Wow Im at a loss.... everything still looks good..but Im not very good at this stuff

[root@firewall root]# iptables-save
# Generated by iptables-save v1.2.9 on Sun Dec 19 13:23:14 2004
*mangle
:PREROUTING ACCEPT [6139:1225043]
:INPUT ACCEPT [6139:1225043]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8159:7719359]
:POSTROUTING ACCEPT [8165:7720796]
COMMIT
# Completed on Sun Dec 19 13:23:14 2004
# Generated by iptables-save v1.2.9 on Sun Dec 19 13:23:14 2004
*nat
:PREROUTING ACCEPT [396:128942]
:POSTROUTING ACCEPT [282:19442]
:OUTPUT ACCEPT [282:19442]
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 24.14.xxx.xxx (edited)
COMMIT
# Completed on Sun Dec 19 13:23:14 2004
# Generated by iptables-save v1.2.9 on Sun Dec 19 13:23:14 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [8159:7719359]
:TRUSTED - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -p udp -m state --state NEW -m udp --dport 67 -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -j TRUSTED
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/255.255.255.0 -i eth1 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state NEW -j TRUSTED
-A OUTPUT -d 192.168.0.0/255.255.255.0 -o eth1 -p icmp -j ACCEPT
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A TRUSTED -s 209.117.5.0/255.255.255.0 -j ACCEPT
-A TRUSTED -d 24.14.xxx.xxx (edited) -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A TRUSTED -d 192.168.0.1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A TRUSTED -p icmp -j DROP
-A TRUSTED -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sun Dec 19 13:23:14 2004
[root@firewall root]# cat /proc/sys/net/ipv4/tcp_ecn
0
[root@firewall root]# cat /proc/sys/net/ipv4/ip_forward
1

peter_robb · 12-19-2004, 01:53 PM

Looks ok..

Time to add some LOG rules to see where everything is going..

iptables -t nat -A PREROUTING -i eth1 -j LOG --log-level 6 --log-prefix "1_lan-eth1 "
iptables -A FORWARD -i eth1 -j LOG --log-level 6 --log-prefix "2_lan-drop "
iptables -t nat -I POSTROUTING -o eth0 -j LOG --log-level 6 --log-prefix "3_lan-eth0 "

tail -f /var/log/messages to watch them..

ryedunn · 12-19-2004, 03:17 PM

ok I will add those....

but I powered everything off for an hour..... I was frustrated... powered everything back up and it works now...??

yes I rebooted before but who knows..

thank you for your help.

peter_robb · 12-19-2004, 03:31 PM

That's certainly not the answer you'd like to keep using, eh?

Keep us informed pls..

Linux.tar.gz · 12-19-2004, 03:33 PM

It's probably a DNS problem. Look at your /etc/resolv.conf and compare with your NAT'ed boxes.

ryedunn · 01-10-2005, 08:34 PM

well its happening again...

resolv.conf matches the DNS servers on the MS box

ryedunn · 01-10-2005, 09:21 PM

peter_robb,
I added the rules that you suggested to my /etc/rc.d/rc.firewall file and did a /etc/rc.d/rc.firewall restart

This means absolutly nothing to me but... (again I edited out the last two octects of my ip)

Jan 10 21:15:21 www kernel: 1_lan-eth1 IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:66:f3:c1:59:08:00 SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=64438 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 10 21:16:29 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=24.14.xxx.xx DST=64.179.4.149 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=42176 DF PROTO=TCP SPT=32928 DPT=80 WINDOW=4488 RES=0x00 SYN URGP=0
Jan 10 21:16:29 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=24.14.xxx.xx DST=63.240.76.4 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=25290 DF PROTO=UDP SPT=32811 DPT=53 LEN=44
Jan 10 21:16:30 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=24.14.xxx.xx DST=63.240.76.4 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=25722 DF PROTO=UDP SPT=32812 DPT=53 LEN=52
Jan 10 21:16:30 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=24.14.xxx.xx DST=216.239.39.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=808 DF PROTO=TCP SPT=32929 DPT=80 WINDOW=4488 RES=0x00 SYN URGP=0
Jan 10 21:16:30 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=24.14.xxx.xx DST=216.239.39.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34461 DF PROTO=TCP SPT=32930 DPT=80 WINDOW=4488 RES=0x00 SYN URGP=0
Jan 10 21:16:34 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=24.14.xxx.xx DST=204.127.198.4 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=30292 DF PROTO=UDP SPT=32812 DPT=53 LEN=44
Jan 10 21:16:37 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=24.14.xxx.xx DST=63.240.76.4 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=33418 DF PROTO=UDP SPT=32813 DPT=53 LEN=44
Jan 10 21:16:49 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=24.14.xxx.xx DST=216.73.86.58 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=64918 DF PROTO=TCP SPT=32931 DPT=80 WINDOW=4488 RES=0x00 SYN URGP=0
Jan 10 21:16:50 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=24.14.xxx.xx DST=216.73.86.235 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27973 DF PROTO=TCP SPT=32932 DPT=80 WINDOW=4488 RES=0x00 SYN URGP=0
Jan 10 21:18:19 www kernel: 1_lan-eth1 IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:66:f3:c1:59:08:00 SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=64514 PROTO=UDP SPT=137 DPT=137 LEN=58

Please help, and thank you!
TheGNUbie

ryedunn · 01-10-2005, 09:49 PM

WHOA!!!...

ok so I fire up the old laptop... well cause I have nothing better to do (Im stuck) and I go straight to the internet!

here are the logs:
Jan 10 21:28:08 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=192.168.0.3 DST=152.163.208.121 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=547 DF PROTO=TCP SPT=1060 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 21:28:09 www kernel: 1_lan-eth1 IN=eth1 OUT= MAC=00:0c:41:25:f3:48:00:0f:66:a2:ac:ae:08:00 SRC=192.168.0.3 DST=64.236.16.137 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=620 DF PROTO=TCP SPT=1061 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 21:28:09 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=192.168.0.3 DST=64.236.16.137 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=620 DF PROTO=TCP SPT=1061 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 21:28:09 www kernel: 1_lan-eth1 IN=eth1 OUT= MAC=00:0c:41:25:f3:48:00:0f:66:a2:ac:ae:08:00 SRC=192.168.0.3 DST=64.236.29.20 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=628 DF PROTO=TCP SPT=1062 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 21:28:09 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=192.168.0.3 DST=64.236.29.20 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=628 DF PROTO=TCP SPT=1062 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 21:28:09 www kernel: 1_lan-eth1 IN=eth1 OUT= MAC=00:0c:41:25:f3:48:00:0f:66:a2:ac:ae:08:00 SRC=192.168.0.3 DST=64.236.16.137 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=688 DF PROTO=TCP SPT=1063 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 21:28:09 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=192.168.0.3 DST=64.236.16.137 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=688 DF PROTO=TCP SPT=1063 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 21:28:09 www kernel: 1_lan-eth1 IN=eth1 OUT= MAC=00:0c:41:25:f3:48:00:0f:66:a2:ac:ae:08:00 SRC=192.168.0.3 DST=64.28.86.247 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=696 DF PROTO=TCP SPT=1064 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 21:28:09 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=192.168.0.3 DST=64.28.86.247 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=696 DF PROTO=TCP SPT=1064 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 21:28:10 www kernel: 1_lan-eth1 IN=eth1 OUT= MAC=00:0c:41:25:f3:48:00:0f:66:a2:ac:ae:08:00 SRC=192.168.0.3 DST=64.236.29.20 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=785 DF PROTO=TCP SPT=1065 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 21:28:10 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=192.168.0.3 DST=64.236.29.20 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=785 DF PROTO=TCP SPT=1065 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 21:28:28 www kernel: 1_lan-eth1 IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:66:a2:ac:ae:08:00 SRC=192.168.0.3 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=812 PROTO=UDP SPT=137 DPT=137 LEN=76

I compared a few options on my MS box and the laptop...
Under the DNS tab - the Append parent suffixes of the primary DNS suffix was turned on the laptop for resolution of unqualified names.
and the WINS tab / NetBIOS setting - Enable NetBIOS over TCP/IP was checked on the laptop and the other box had the Default (Use Netbios setting from teh DHCP server. If static IP address is used or the DHCP server does not provide NetBIOS setting, enable NetBIOS over TOP/IP) setting checked.
I also turned off the MS firewall, but this was on the laptop too....
Once all that was changed, I could connect to the internet....I turned the firewall back on and could still connect, but with that flaky MS crap I just kept it off.

Im still curious to see what you gurus think.
TheGnubie