Old 03-03-2013, 09:19 AM   #1
orsty9001
Member
 
Registered: Mar 2008
Distribution: Slackware, Mint, Raspbian
Posts: 94

Rep: Reputation: 1
Problem with one adapter accessing internal services using external ip address.


I have a Linux router that has 3 adapters, 2 wired and one wireless. The wired adapter is connected to a few machines on the network and works fine. All those machines can access the webserver running on the gateway and can ssh into and ping the gateway using the external IP address. All of the wireless devices can access the internet and ping anything in the outside world just fine. The only thing anything connected to wlan0 can't do is access any service like ssh, apache, or ping the gateway using the external adapter.

I'm thinking it's probably something I need to turn on or allow in iptables to let wlan0 talk to eth0 (the adapter plugged into the modem that has the external ip address). Anything connected to wlan0 can ping the internal ip address and be pinged from anything on the network, it just can't talk to eth0. I just don't know what to do because I rarely mess with iptables.

Thanks for your help in advance.
 
Old 03-03-2013, 01:26 PM   #2
foodown
Member
 
Registered: Jun 2009
Location: Texas
Distribution: Slackware
Posts: 611

Rep: Reputation: 221
Please post the output of the following when executed as root:
Code:
ifconfig
route -n
iptables-save
 
Old 03-03-2013, 02:05 PM   #3
orsty9001
Member
 
Registered: Mar 2008
Distribution: Slackware, Mint, Raspbian
Posts: 94

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by foodown
Please post the output of the following when executed as root:
Code:
ifconfig
route -n
iptables-save
Code:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 576
        inet xx.xxx.xxx.xxx  netmask 255.255.248.0  broadcast 255.255.255.255
        ether 00:04:4b:05:71:76  txqueuelen 1000  (Ethernet)
        RX packets 3239621  bytes 1751454322 (1.6 GiB)
        RX errors 2002  dropped 0  overruns 2001  frame 1
        TX packets 870903  bytes 102968145 (98.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.1  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::204:4bff:fe05:7177  prefixlen 64  scopeid 0x20<link>
        ether 00:04:4b:05:71:77  txqueuelen 1000  (Ethernet)
        RX packets 48670106  bytes 3406025407 (3.1 GiB)
        RX errors 0  dropped 10  overruns 0  frame 0
        TX packets 40039645  bytes 248158180873 (231.1 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 8061  bytes 1018138 (994.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8061  bytes 1018138 (994.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.1  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::92f6:52ff:fee5:780a  prefixlen 64  scopeid 0x20<link>
        ether 90:f6:52:e5:78:0a  txqueuelen 1000  (Ethernet)
        RX packets 373525  bytes 50509081 (48.1 MiB)
        RX errors 0  dropped 6  overruns 0  frame 0
        TX packets 521972  bytes 603511606 (575.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         75.137.104.1    0.0.0.0         UG    203    0        0 eth0
75.137.104.0    0.0.0.0         255.255.248.0   U     203    0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 wlan0
Code:
# Generated by iptables-save v1.4.17 on Sun Mar  3 15:02:38 2013
*mangle
:PREROUTING ACCEPT [50427081:4233318743]
:INPUT ACCEPT [48256809:2533844198]
:FORWARD ACCEPT [2165209:1696291459]
:OUTPUT ACCEPT [39289791:246663379284]
:POSTROUTING ACCEPT [41464498:248363194799]
COMMIT
# Completed on Sun Mar  3 15:02:38 2013
# Generated by iptables-save v1.4.17 on Sun Mar  3 15:02:38 2013
*nat
:PREROUTING ACCEPT [51285:5057327]
:INPUT ACCEPT [5709:1452664]
:OUTPUT ACCEPT [10972:2591861]
:POSTROUTING ACCEPT [3824:882512]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
# Completed on Sun Mar  3 15:02:38 2013
# Generated by iptables-save v1.4.17 on Sun Mar  3 15:02:38 2013
*filter
:INPUT DROP [969:58544]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [4395:371386]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_inbound - [0:0]
:tcp_outbound - [0:0]
:udp_inbound - [0:0]
:udp_outbound - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j bad_packets
-A INPUT -d 224.0.0.1/32 -j DROP
-A INPUT -s 192.168.1.0/24 -i eth1 -j ACCEPT
-A INPUT -d 192.168.1.255/32 -i eth1 -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -j tcp_inbound
-A INPUT -i eth0 -p udp -j udp_inbound
-A INPUT -i eth0 -p icmp -j icmp_packets
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT packet died: "
-A INPUT -s 192.168.10.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -j bad_packets
-A FORWARD -i eth1 -p tcp -j tcp_outbound
-A FORWARD -i eth1 -p udp -j udp_outbound
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "FORWARD packet died: "
-A FORWARD -s 192.168.10.0/24 -d 192.168.1.0/24 -i wlan0 -o eth0 -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -d 192.168.10.0/24 -i eth0 -o wlan0 -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -d 192.168.10.0/24 -i eth1 -o wlan0 -j ACCEPT
-A FORWARD -s 192.168.10.0/24 -d 192.168.1.0/24 -i wlan0 -o eth1 -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
-A FORWARD -s 192.168.10.0/24 -i wlan0 -o eth0 -j ACCEPT
-A FORWARD -d 192.168.10.0/24 -i eth0 -o wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.1.1/32 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: "
-A OUTPUT -s 192.168.10.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -s 192.168.10.0/24 -j ACCEPT
-A OUTPUT -s 192.168.1.0/24 -j ACCEPT
-A bad_packets -s 192.168.1.0/24 -i eth0 -j LOG --log-prefix "Illegal source: "
-A bad_packets -s 192.168.1.0/24 -i eth0 -j DROP
-A bad_packets -m conntrack --ctstate INVALID -j LOG --log-prefix "Invalid packet: "
-A bad_packets -m conntrack --ctstate INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
-A bad_tcp_packets -i eth1 -p tcp -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j LOG --log-prefix "New not syn: "
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A bad_tcp_packets -p tcp -j RETURN
-A icmp_packets -p icmp -f -j LOG --log-prefix "ICMP Fragment: "
-A icmp_packets -p icmp -f -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
-A tcp_inbound -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A tcp_inbound -p tcp -m tcp --dport 80 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 443 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 25 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 110 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 143 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 995 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 993 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 5000:5100 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 6891:6900 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN
-A tcp_outbound -p tcp -j ACCEPT
-A udp_inbound -p udp -m udp --dport 137 -j DROP
-A udp_inbound -p udp -m udp --dport 138 -j DROP
-A udp_inbound -p udp -m udp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A udp_inbound -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
COMMIT
# Completed on Sun Mar  3 15:02:38 2013
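Added example, not part of the thread or any poster's code: a first-match walk of the filter OUTPUT chain from the dump above, applied to constructed reply packets that the router sends back to a wlan0 client. The address 203.0.113.10 is a placeholder for the redacted eth0 address, and the final `-o wlan0` rule is a hypothetical addition used only to show how the verdict changes.

```python
import ipaddress
import shlex

# OUTPUT chain and its policy, copied from the *filter table in the dump above.
POLICY = "DROP"
OUTPUT = """\
-A OUTPUT -p icmp -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.1.1/32 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: "
-A OUTPUT -s 192.168.10.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -s 192.168.10.0/24 -j ACCEPT
-A OUTPUT -s 192.168.1.0/24 -j ACCEPT
""".splitlines()

def matches(tokens, pkt):
    """Evaluate only the match options this chain actually uses."""
    opt = dict(zip(tokens, tokens[1:]))  # option -> the argument that follows it
    if "-s" in opt and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(opt["-s"]):
        return False
    if "-o" in opt and pkt["out"] != opt["-o"]:
        return False
    if "-p" in opt and pkt["proto"] != opt["-p"]:
        return False
    if "--ctstate" in opt and pkt["ctstate"] not in opt["--ctstate"].split(","):
        return False
    if "--icmp-type" in opt and pkt.get("icmp_type") != int(opt["--icmp-type"]):
        return False
    return True

def verdict(pkt, rules=OUTPUT):
    """First terminating match wins; LOG does not end traversal; else chain policy."""
    for line in rules:
        tokens = shlex.split(line)
        target = tokens[tokens.index("-j") + 1]
        if target != "LOG" and matches(tokens, pkt):
            return target, line
    return POLICY, "policy"

def reply(src, out):
    """Constructed TCP reply from a local service, leaving via interface `out`."""
    return {"src": src, "out": out, "proto": "tcp", "ctstate": "ESTABLISHED"}

if __name__ == "__main__":
    for src, out in [("192.168.10.1", "wlan0"), ("203.0.113.10", "eth1"), ("203.0.113.10", "wlan0")]:
        print(src, out, verdict(reply(src, out)))
    # Hypothetical extra rule mirroring the existing eth1/eth0 ones (not from the thread).
    print(verdict(reply("203.0.113.10", "wlan0"), OUTPUT + ["-A OUTPUT -o wlan0 -j ACCEPT"]))
```

In this model a reply sourced from the external address and leaving through wlan0 matches no ACCEPT rule and falls to the chain's DROP policy, while the same reply leaving through eth1, or a reply sourced from 192.168.10.1, is accepted.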
 
  

