LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 12-19-2004, 02:12 PM   #1
ryedunn
Member
 
Registered: Jul 2003
Location: Chicago
Distribution: Fedora, ubuntu
Posts: 459

Rep: Reputation: 30
POSTROUTING just stopped?


I have Internet access from my firewall/linux box but my MS box (192.168.0.2) can no longer access the internet but can access the linux box (ping, samba etc). Everything has been running great for the last 2 months without a problem but it just stopped dead today.

[root@firewall root]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.0.0/24 anywhere to:24.14.xxx.xxx (edited)

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I would appreciate any suggestion you have.
The GNUbie
 
Old 12-19-2004, 02:17 PM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Do iptables-save to view the current rules..

Make sure it's still there correctly..

and please also check these /proc settings..
cat /proc/sys/net/ipv4/tcp_ecn # should be 0
Another member here had this change after an update..
and cat /proc/sys/net/ipv4/ip_forward # should be 1

Last edited by peter_robb; 12-19-2004 at 02:19 PM.
 
Old 12-19-2004, 02:27 PM   #3
ryedunn
Member
 
Registered: Jul 2003
Location: Chicago
Distribution: Fedora, ubuntu
Posts: 459

Original Poster
Rep: Reputation: 30
Wow, I'm at a loss.... everything still looks good.. but I'm not very good at this stuff

[root@firewall root]# iptables-save
# Generated by iptables-save v1.2.9 on Sun Dec 19 13:23:14 2004
*mangle
:PREROUTING ACCEPT [6139:1225043]
:INPUT ACCEPT [6139:1225043]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8159:7719359]
:POSTROUTING ACCEPT [8165:7720796]
COMMIT
# Completed on Sun Dec 19 13:23:14 2004
# Generated by iptables-save v1.2.9 on Sun Dec 19 13:23:14 2004
*nat
:PREROUTING ACCEPT [396:128942]
:POSTROUTING ACCEPT [282:19442]
:OUTPUT ACCEPT [282:19442]
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 24.14.xxx.xxx (edited)
COMMIT
# Completed on Sun Dec 19 13:23:14 2004
# Generated by iptables-save v1.2.9 on Sun Dec 19 13:23:14 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [8159:7719359]
:TRUSTED - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -p udp -m state --state NEW -m udp --dport 67 -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -j TRUSTED
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/255.255.255.0 -i eth1 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state NEW -j TRUSTED
-A OUTPUT -d 192.168.0.0/255.255.255.0 -o eth1 -p icmp -j ACCEPT
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A TRUSTED -s 209.117.5.0/255.255.255.0 -j ACCEPT
-A TRUSTED -d 24.14.xxx.xxx (edited) -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A TRUSTED -d 192.168.0.1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A TRUSTED -p icmp -j DROP
-A TRUSTED -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sun Dec 19 13:23:14 2004
[root@firewall root]# cat /proc/sys/net/ipv4/tcp_ecn
0
[root@firewall root]# cat /proc/sys/net/ipv4/ip_forward
1
 
Old 12-19-2004, 02:53 PM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Looks ok..

Time to add some LOG rules to see where everything is going..

iptables -t nat -A PREROUTING -i eth1 -j LOG --log-level 6 --log-prefix "1_lan-eth1 "
iptables -A FORWARD -i eth1 -j LOG --log-level 6 --log-prefix "2_lan-drop "
iptables -t nat -I POSTROUTING -o eth0 -j LOG --log-level 6 --log-prefix "3_lan-eth0 "

tail -f /var/log/messages to watch them..
 
Old 12-19-2004, 04:17 PM   #5
ryedunn
Member
 
Registered: Jul 2003
Location: Chicago
Distribution: Fedora, ubuntu
Posts: 459

Original Poster
Rep: Reputation: 30
ok I will add those....

but I powered everything off for an hour..... I was frustrated... powered everything back up and it works now...??

yes I rebooted before but who knows..

thank you for your help.
 
Old 12-19-2004, 04:31 PM   #6
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
That's certainly not the answer you'd like to keep using, eh?

Keep us informed pls..
 
Old 12-19-2004, 04:33 PM   #7
Linux.tar.gz
Senior Member
 
Registered: Dec 2003
Location: Paris
Distribution: Slackware forever.
Posts: 2,446

Rep: Reputation: 95
It's probably a DNS problem. Look at your /etc/resolv.conf and compare with your NAT'ed boxes.
 
Old 01-10-2005, 09:34 PM   #8
ryedunn
Member
 
Registered: Jul 2003
Location: Chicago
Distribution: Fedora, ubuntu
Posts: 459

Original Poster
Rep: Reputation: 30
grr

well it's happening again...

resolv.conf matches the DNS servers on the MS box
 
Old 01-10-2005, 10:21 PM   #9
ryedunn
Member
 
Registered: Jul 2003
Location: Chicago
Distribution: Fedora, ubuntu
Posts: 459

Original Poster
Rep: Reputation: 30
peter_robb,
I added the rules that you suggested to my /etc/rc.d/rc.firewall file and did a /etc/rc.d/rc.firewall restart

This means absolutely nothing to me but... (again I edited out the last two octets of my IP)

Jan 10 21:15:21 www kernel: 1_lan-eth1 IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:66:f3:c1:59:08:00 SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=64438 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 10 21:16:29 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=24.14.xxx.xx DST=64.179.4.149 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=42176 DF PROTO=TCP SPT=32928 DPT=80 WINDOW=4488 RES=0x00 SYN URGP=0
Jan 10 21:16:29 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=24.14.xxx.xx DST=63.240.76.4 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=25290 DF PROTO=UDP SPT=32811 DPT=53 LEN=44
Jan 10 21:16:30 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=24.14.xxx.xx DST=63.240.76.4 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=25722 DF PROTO=UDP SPT=32812 DPT=53 LEN=52
Jan 10 21:16:30 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=24.14.xxx.xx DST=216.239.39.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=808 DF PROTO=TCP SPT=32929 DPT=80 WINDOW=4488 RES=0x00 SYN URGP=0
Jan 10 21:16:30 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=24.14.xxx.xx DST=216.239.39.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34461 DF PROTO=TCP SPT=32930 DPT=80 WINDOW=4488 RES=0x00 SYN URGP=0
Jan 10 21:16:34 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=24.14.xxx.xx DST=204.127.198.4 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=30292 DF PROTO=UDP SPT=32812 DPT=53 LEN=44
Jan 10 21:16:37 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=24.14.xxx.xx DST=63.240.76.4 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=33418 DF PROTO=UDP SPT=32813 DPT=53 LEN=44
Jan 10 21:16:49 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=24.14.xxx.xx DST=216.73.86.58 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=64918 DF PROTO=TCP SPT=32931 DPT=80 WINDOW=4488 RES=0x00 SYN URGP=0
Jan 10 21:16:50 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=24.14.xxx.xx DST=216.73.86.235 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27973 DF PROTO=TCP SPT=32932 DPT=80 WINDOW=4488 RES=0x00 SYN URGP=0
Jan 10 21:18:19 www kernel: 1_lan-eth1 IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:66:f3:c1:59:08:00 SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=64514 PROTO=UDP SPT=137 DPT=137 LEN=58

Please help, and thank you!
TheGNUbie

Last edited by ryedunn; 01-10-2005 at 10:22 PM.
 
Old 01-10-2005, 10:49 PM   #10
ryedunn
Member
 
Registered: Jul 2003
Location: Chicago
Distribution: Fedora, ubuntu
Posts: 459

Original Poster
Rep: Reputation: 30
WHOA!!!...

ok so I fire up the old laptop... well cause I have nothing better to do (I'm stuck) and I go straight to the internet!

here are the logs:
Jan 10 21:28:08 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=192.168.0.3 DST=152.163.208.121 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=547 DF PROTO=TCP SPT=1060 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 21:28:09 www kernel: 1_lan-eth1 IN=eth1 OUT= MAC=00:0c:41:25:f3:48:00:0f:66:a2:ac:ae:08:00 SRC=192.168.0.3 DST=64.236.16.137 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=620 DF PROTO=TCP SPT=1061 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 21:28:09 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=192.168.0.3 DST=64.236.16.137 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=620 DF PROTO=TCP SPT=1061 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 21:28:09 www kernel: 1_lan-eth1 IN=eth1 OUT= MAC=00:0c:41:25:f3:48:00:0f:66:a2:ac:ae:08:00 SRC=192.168.0.3 DST=64.236.29.20 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=628 DF PROTO=TCP SPT=1062 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 21:28:09 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=192.168.0.3 DST=64.236.29.20 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=628 DF PROTO=TCP SPT=1062 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 21:28:09 www kernel: 1_lan-eth1 IN=eth1 OUT= MAC=00:0c:41:25:f3:48:00:0f:66:a2:ac:ae:08:00 SRC=192.168.0.3 DST=64.236.16.137 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=688 DF PROTO=TCP SPT=1063 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 21:28:09 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=192.168.0.3 DST=64.236.16.137 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=688 DF PROTO=TCP SPT=1063 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 21:28:09 www kernel: 1_lan-eth1 IN=eth1 OUT= MAC=00:0c:41:25:f3:48:00:0f:66:a2:ac:ae:08:00 SRC=192.168.0.3 DST=64.28.86.247 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=696 DF PROTO=TCP SPT=1064 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 21:28:09 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=192.168.0.3 DST=64.28.86.247 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=696 DF PROTO=TCP SPT=1064 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 21:28:10 www kernel: 1_lan-eth1 IN=eth1 OUT= MAC=00:0c:41:25:f3:48:00:0f:66:a2:ac:ae:08:00 SRC=192.168.0.3 DST=64.236.29.20 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=785 DF PROTO=TCP SPT=1065 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 21:28:10 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=192.168.0.3 DST=64.236.29.20 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=785 DF PROTO=TCP SPT=1065 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 21:28:28 www kernel: 1_lan-eth1 IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:66:a2:ac:ae:08:00 SRC=192.168.0.3 DST=192.168.0.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=812 PROTO=UDP SPT=137 DPT=137 LEN=76


I compared a few options on my MS box and the laptop...
Under the DNS tab - the Append parent suffixes of the primary DNS suffix was turned on on the laptop for resolution of unqualified names.
and the WINS tab / NetBIOS setting - Enable NetBIOS over TCP/IP was checked on the laptop and the other box had the Default (Use NetBIOS setting from the DHCP server. If static IP address is used or the DHCP server does not provide NetBIOS setting, enable NetBIOS over TCP/IP) setting checked.
I also turned off the MS firewall, but this was on the laptop too....
Once all that was changed, I could connect to the internet....I turned the firewall back on and could still connect, but with that flaky MS crap I just kept it off.

I'm still curious to see what you gurus think.
TheGnubie
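The three LOG prefixes peter_robb suggested in post #4 mark where a packet was last seen on the firewall: nat PREROUTING on eth1, FORWARD after the ACCEPT rules, and nat POSTROUTING on eth0 (inserted ahead of the SNAT rule, so SRC is still the private address there). As an added example, not code from the thread, the Python below parses kernel LOG lines in that format and reports, per LAN host, which stages its Internet-bound packets reached; the sample lines are constructed in the thread's format, and the stage names and diagnosis wording are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the thread's LOG rules. Prefixes:
# 1_lan-eth1 = nat PREROUTING on eth1, 2_lan-drop = filter FORWARD (appended
# after the ACCEPT rules), 3_lan-eth0 = nat POSTROUTING on eth0 before SNAT.
SAMPLE_LOG = """\
Jan 10 21:15:21 www kernel: 1_lan-eth1 IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:66:f3:c1:59:08:00 SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=64438 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 10 21:28:09 www kernel: 1_lan-eth1 IN=eth1 OUT= MAC=00:0c:41:25:f3:48:00:0f:66:a2:ac:ae:08:00 SRC=192.168.0.3 DST=64.236.16.137 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=620 DF PROTO=TCP SPT=1061 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 21:28:09 www kernel: 3_lan-eth0 IN= OUT=eth0 SRC=192.168.0.3 DST=64.236.16.137 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=620 DF PROTO=TCP SPT=1061 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"kernel: (?P<stage>\S+) (?P<fields>.*)$")

def parse_line(line):
    """Split one netfilter LOG line into (stage prefix, {KEY: value}), or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Bare flags (DF, SYN) carry no '=' and are skipped; a repeated key (LEN) keeps the last value.
    fields = dict(tok.split("=", 1) for tok in m.group("fields").split() if "=" in tok)
    return m.group("stage"), fields

def trace_hosts(log_text, lan_prefix="192.168.0."):
    """Map each LAN source host to the set of stages its non-broadcast packets reached."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        stage, f = parsed
        src, dst = f.get("SRC", ""), f.get("DST", "")
        if not src.startswith(lan_prefix) or dst.endswith(".255"):
            continue  # NetBIOS broadcasts to x.x.x.255 are never forwarded; ignore them
        seen[src].add(stage)
    return dict(seen)

def diagnose(stages):
    """Turn the stages seen for one host into the next place to look (assumed wording)."""
    if not stages:
        return "no Internet-bound packets from this host reached eth1: check the client (gateway, DNS, host firewall)"
    if "3_lan-eth0" in stages:
        return "packets reach nat POSTROUTING on eth0: the forwarding and NAT path on the firewall works"
    if "2_lan-drop" in stages:
        return "packets fell through the FORWARD ACCEPT rules: check the FORWARD/TRUSTED chains"
    return "packets entered on eth1 but never left on eth0: check FORWARD rejects and routing"

if __name__ == "__main__":
    hosts = trace_hosts(SAMPLE_LOG)
    for host in ("192.168.0.2", "192.168.0.3"):
        print(host, "->", diagnose(hosts.get(host, set())))
```

Run against the real /var/log/messages, a host that shows only 1_lan-eth1 broadcast lines, as 192.168.0.2 does in post #9, was never sending its web or DNS traffic to the firewall at all.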
 
  

