03-03-2013, 09:19 AM
#1
Member
Registered: Mar 2008
Distribution: Slackware, Mint, Raspbian
Posts: 94
Rep:
Problem with one adapter accessing internal services using external ip address.
I have a Linux router that has 3 adapters, 2 wired, one wireless. The wired adapter is connected to a few machines on the network and works fine. All those machines can access the webserver running on the gateway and can ssh into and ping the gateway using the external IP address. All of the wireless devices can access the internet and ping anything in the outside world just fine. The only thing anything connected to wlan0 can't do is access any service like ssh, apache, or ping the gateway using the external adapter.
I'm thinking it's probably something I need to turn on or allow in iptables to let wlan0 talk to eth0 (the adapter plugged into the modem that has the external ip address). Anything connected to wlan0 can ping the internal ip address and be pinged from anything on the network, it just can't talk to eth0. I just don't know what to do because I rarely mess with iptables.
Thanks for your help in advance.
03-03-2013, 01:26 PM
#2
Member
Registered: Jun 2009
Location: Texas
Distribution: Slackware
Posts: 611
Please post the output of the following when executed as root:
Code:
ifconfig
route -n
iptables-save
03-03-2013, 02:05 PM
#3
Member
Registered: Mar 2008
Distribution: Slackware, Mint, Raspbian
Posts: 94
Original Poster
Rep:
Quote:
Originally Posted by
foodown
Please post the output of the following when executed as root:
Code:
ifconfig
route -n
iptables-save
Code:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 576
inet xx.xxx.xxx.xxx netmask 255.255.248.0 broadcast 255.255.255.255
ether 00:04:4b:05:71:76 txqueuelen 1000 (Ethernet)
RX packets 3239621 bytes 1751454322 (1.6 GiB)
RX errors 2002 dropped 0 overruns 2001 frame 1
TX packets 870903 bytes 102968145 (98.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::204:4bff:fe05:7177 prefixlen 64 scopeid 0x20<link>
ether 00:04:4b:05:71:77 txqueuelen 1000 (Ethernet)
RX packets 48670106 bytes 3406025407 (3.1 GiB)
RX errors 0 dropped 10 overruns 0 frame 0
TX packets 40039645 bytes 248158180873 (231.1 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 8061 bytes 1018138 (994.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8061 bytes 1018138 (994.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.10.1 netmask 255.255.255.0 broadcast 192.168.10.255
inet6 fe80::92f6:52ff:fee5:780a prefixlen 64 scopeid 0x20<link>
ether 90:f6:52:e5:78:0a txqueuelen 1000 (Ethernet)
RX packets 373525 bytes 50509081 (48.1 MiB)
RX errors 0 dropped 6 overruns 0 frame 0
TX packets 521972 bytes 603511606 (575.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 75.137.104.1 0.0.0.0 UG 203 0 0 eth0
75.137.104.0 0.0.0.0 255.255.248.0 U 203 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
Code:
# Generated by iptables-save v1.4.17 on Sun Mar 3 15:02:38 2013
*mangle
:PREROUTING ACCEPT [50427081:4233318743]
:INPUT ACCEPT [48256809:2533844198]
:FORWARD ACCEPT [2165209:1696291459]
:OUTPUT ACCEPT [39289791:246663379284]
:POSTROUTING ACCEPT [41464498:248363194799]
COMMIT
# Completed on Sun Mar 3 15:02:38 2013
# Generated by iptables-save v1.4.17 on Sun Mar 3 15:02:38 2013
*nat
:PREROUTING ACCEPT [51285:5057327]
:INPUT ACCEPT [5709:1452664]
:OUTPUT ACCEPT [10972:2591861]
:POSTROUTING ACCEPT [3824:882512]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
# Completed on Sun Mar 3 15:02:38 2013
# Generated by iptables-save v1.4.17 on Sun Mar 3 15:02:38 2013
*filter
:INPUT DROP [969:58544]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [4395:371386]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_inbound - [0:0]
:tcp_outbound - [0:0]
:udp_inbound - [0:0]
:udp_outbound - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j bad_packets
-A INPUT -d 224.0.0.1/32 -j DROP
-A INPUT -s 192.168.1.0/24 -i eth1 -j ACCEPT
-A INPUT -d 192.168.1.255/32 -i eth1 -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -j tcp_inbound
-A INPUT -i eth0 -p udp -j udp_inbound
-A INPUT -i eth0 -p icmp -j icmp_packets
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT packet died: "
-A INPUT -s 192.168.10.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -j bad_packets
-A FORWARD -i eth1 -p tcp -j tcp_outbound
-A FORWARD -i eth1 -p udp -j udp_outbound
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "FORWARD packet died: "
-A FORWARD -s 192.168.10.0/24 -d 192.168.1.0/24 -i wlan0 -o eth0 -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -d 192.168.10.0/24 -i eth0 -o wlan0 -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -d 192.168.10.0/24 -i eth1 -o wlan0 -j ACCEPT
-A FORWARD -s 192.168.10.0/24 -d 192.168.1.0/24 -i wlan0 -o eth1 -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
-A FORWARD -s 192.168.10.0/24 -i wlan0 -o eth0 -j ACCEPT
-A FORWARD -d 192.168.10.0/24 -i eth0 -o wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.1.1/32 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: "
-A OUTPUT -s 192.168.10.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -s 192.168.10.0/24 -j ACCEPT
-A OUTPUT -s 192.168.1.0/24 -j ACCEPT
-A bad_packets -s 192.168.1.0/24 -i eth0 -j LOG --log-prefix "Illegal source: "
-A bad_packets -s 192.168.1.0/24 -i eth0 -j DROP
-A bad_packets -m conntrack --ctstate INVALID -j LOG --log-prefix "Invalid packet: "
-A bad_packets -m conntrack --ctstate INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
-A bad_tcp_packets -i eth1 -p tcp -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j LOG --log-prefix "New not syn: "
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A bad_tcp_packets -p tcp -j RETURN
-A icmp_packets -p icmp -f -j LOG --log-prefix "ICMP Fragment: "
-A icmp_packets -p icmp -f -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
-A tcp_inbound -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A tcp_inbound -p tcp -m tcp --dport 80 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 443 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 25 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 110 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 143 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 995 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 993 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 5000:5100 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 6891:6900 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN
-A tcp_outbound -p tcp -j ACCEPT
-A udp_inbound -p udp -m udp --dport 137 -j DROP
-A udp_inbound -p udp -m udp --dport 138 -j DROP
-A udp_inbound -p udp -m udp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A udp_inbound -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
COMMIT
# Completed on Sun Mar 3 15:02:38 2013
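Added example, not part of the thread: a first-match walk of the OUTPUT chain from the dump above for three constructed reply packets, showing which rule (or the chain policy) decides each one. `WAN_IP` is a placeholder for the redacted eth0 address, and the evaluator models only the `-s`, `-o`, `-p`, `--ctstate` and `--icmp-type` matches that appear in that chain.

```python
import ipaddress
import shlex

# OUTPUT chain copied from the iptables-save dump in post #3 (policy DROP).
OUTPUT_RULES = """\
-A OUTPUT -p icmp -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.1.1/32 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: "
-A OUTPUT -s 192.168.10.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -s 192.168.10.0/24 -j ACCEPT
-A OUTPUT -s 192.168.1.0/24 -j ACCEPT
"""
POLICY = "DROP"
WAN_IP = "203.0.113.10"  # constructed placeholder for the redacted eth0 address

def matches(opts, pkt):
    """Model only the matches this chain uses; -m limit is treated as always true."""
    if "-s" in opts and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(opts["-s"]):
        return False
    if "-o" in opts and opts["-o"] != pkt["out"]:
        return False
    if "-p" in opts and opts["-p"] != pkt["proto"]:
        return False
    if "--ctstate" in opts and pkt["ctstate"] not in opts["--ctstate"].split(","):
        return False
    if "--icmp-type" in opts and opts["--icmp-type"] != str(pkt.get("icmp_type")):
        return False
    return True

def verdict(pkt):
    """Return (target, rule_number); rule_number is None when the policy decides."""
    for n, line in enumerate(OUTPUT_RULES.splitlines(), 1):
        tok = shlex.split(line)
        opts = dict(zip(tok[2::2], tok[3::2]))  # every option here takes one value
        if opts["-j"] in ("ACCEPT", "DROP") and matches(opts, pkt):
            return opts["-j"], n  # LOG is non-terminating, so it never ends the walk
    return POLICY, None

def reply(src, out):
    # Constructed reply packet: gateway answering a TCP connection from a LAN client.
    return {"src": src, "out": out, "proto": "tcp", "ctstate": "ESTABLISHED"}

if __name__ == "__main__":
    for src, out in [(WAN_IP, "eth1"), ("192.168.10.1", "wlan0"), (WAN_IP, "wlan0")]:
        print(f"src={src:<13} out={out:<5} ->", verdict(reply(src, out)))
```

In this model a reply sourced from the eth0 address and leaving via wlan0 matches no ACCEPT rule and falls through to the DROP policy, while the same reply leaving via eth1 is accepted by rule 5 and a reply sourced from 192.168.10.1 is accepted by rule 9.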