Hello!,

Geeting mad with this problem;

I'm running a redhat 2.4.20-20.9 gateway with a direct connect 100M line between linux and a win98 PC.
On the gateway, a ADSL line.
Set up seems to be OK cause;

- I can access with good response any web site from the Linux box
- I can ping any web site from the win98 bow with excellent response time
-When I trace the route from teh win98, I can see all of them and with excellent response time.
- While using samba, I can xfer files from/to linux <-> win98 at excellent speed
- When I try to access a web site from win98, I got almost immediate response saying "web site connectedd, waiting answer" -> assuming that the ISP name server get contacted by the win98 client. Got confirmation by tracing also from win98).
- At that stage, the web browser takes ages to return the internet page (the progress bar is moving like a snail) and it finaly stalled with "connection time out" error.

According to what I saw and understand, the routing etc.. is fine but something goes wrong in the packet xfer from the outside world (or the linux gateway) to the win98 pc.

Any help/suggestion is more than welcome,

Thkx

do you have a proxy server defined in your internet options?
perhaps it's the wrong one or something? try turning it off if you do... because it might be trying to connect to the proxy server.

half of what you say makes me wonder whether IP masquerading is set up correctly but the other half makes it sound as though it is...

sorry that's all I can think of...

Thkx for you help !

- No proxy defined on win or linux(I try to keep it as simple as possible to have a chance to identify the problem

and the IPtables file I used is here:

#Init section.
iptables -F #Flush anything which might be in iptables. Probably not necessary
#since this is executed on startup, but do it anyway.
iptables -t nat -F #Flush NAT-related entries.


#POLICY section. Insecure, but this needs to get online first.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT


#FORWARD section.
iptables --append FORWARD --in-interface eth0 -j ACCEPT

#POSTROUTING section.
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE

Weird isn't it ?

perhaps try this...

#!/bin/bash

inet=`ifconfig | grep -A1 ppp0 | grep -v ppp0 | awk '{ print $2 }' | awk -F: '{ print $2 }'`

## FLUSH TABLES
/sbin/iptables -v -t nat -F
/sbin/iptables -v -t filter -F
/sbin/iptables -v -t nat -X
/sbin/iptables -v -t filter -X
/sbin/iptables -v -t nat -Z
/sbin/iptables -v -t filter -Z

## RULES

/sbin/iptables -v -t filter -A INPUT -i lo -j ACCEPT
/sbin/iptables -v -t filter -A INPUT -i eth0 -j ACCEPT
/sbin/iptables -v -t filter -A FORWARD -i eth0 -j ACCEPT
/sbin/iptables -v -t nat -A POSTROUTING -i eth0 -j SNAT --to-source $inet
/sbin/iptables -v -t filter -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -v -t filter -A INPUT -i ppp0 -m state --state NEW -j REJECT --reject-with icmp-host-unreachable


I can't guarantee this will work, since I went through and changed my subnet to 'eth0' and my eth0 to ppp0... but hopefully it should be ok...

I would use these rules if I was you... copy it to a file and execute it and see if it executes ok (I have -v in which tells it to be verbose) - if there are errors post them here and I will go through them with you. These rules are fairly secure... yours are a script kiddies' wet dream

oh P.S. if that variable assignment up the top doesn't work (it works with eth0 but I just changed it to ppp0 - then just manually put your IP address in where it says 'inet' for the time being and we can figure out a way to make it permenant later!)

eccles23 may have it right with the firewall rules, but I'm wondering this:

You say you can ping an internet adderss... when you ping from the 98 box to a domain name, do you get name resolution?

If so, from a command line try to type:

telnet www.google.com 80

Then type:
get

Do you get anything back? If you get a response via a name, but the telnet to port 80 fails the it's definitely an issue with your iptables.

Cheers,

MrKnisely

Cheers,

First of all , thkx to all the people submitting ideas.

So I tried the suggested Ip tables setting (the sohpisticated one and it doesn't change anything except that I can't ping a name from Wi98 while my kiddies iptable can.
I guess that what we call name resolution (Am I right there ?) is working okay.

The output of the suggested Iptable setting is as follow;
Flushing chain `PREROUTING'
Flushing chain `POSTROUTING'
Flushing chain `OUTPUT'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Zeroing chain `PREROUTING'
Zeroing chain `POSTROUTING'
Zeroing chain `OUTPUT'
Zeroing chain `INPUT'
Zeroing chain `FORWARD'
Zeroing chain `OUTPUT'
ACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0
iptables v1.2.7a: Can't use -i with POSTROUTING

Try `iptables -h' or 'iptables --help' for more information.
ACCEPT all opt -- in ppp0 out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
REJECT all opt -- in ppp0 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW reject-with icmp-host-unreachable

As you may noticed, an error there but I change -i to -o there and is accepted ok.
Man page says that -i is not allowed with postrouting, only -o.


About telent www.google.com 80 from win98
Telnet fires up as expected and wait till I abort it (wait at least 5 minutes).
When I use my old IPtables setting, got a message 'lost connection'.

Any further idea ?

Thkx

Last update (in fact no excotig news)

The IPtables filter suggested is working top class , I mean, got the correct IP etc.. not a shadow of an error but no improvement;

- Using this one block ping from win98
- but using internet explorer from win 98 gives "web site found, waiting answer" -> DNS seems to work but still stalled connection.

No chnages with telnet..

Do you have any kind of traffic shaping / QoS control in your box? You may want to take a look al those rules too.

Best regards and good luck!

-- L.

Not up to my knowledge (I'm pretty new on Linux also).
Any tool that you could recommend ?

Thkx

I am not familiar with RedHat, but I have read somewhere that it has some kind of (very rudimentary) scripts/config files for implementing QoS. You should be able to found them somewhere in your /etc directory (any RedHat guru wants to help at this point is welcome). If you can figure out how to disable it, do it and retest your gateway.

-- L.

ahhh I thought one of the rules might break.
unfortunately the one that did was the ip masquerading one...

so how it should actually be is:

/sbin/iptables -v -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source $inet

where you should replace 192.168.0.0/24 with your own LAN's network/subnet mask...
and $inet is substituted with your dialup ip address...

)))

OK, I applied the "patch" to the iptables script and now I can ping from win98 and get name resolution. Unfortunately, Internet access is still impossible from Win98.
It looks like the web browser can connect to the selected web site but doesn't get a reply of get a reply which remain stucked somewhere.

I forgot to mention in my very first msg that I'm not using DHCP in my small network and conecting the modem directly to win98 gives absoluyely normal reponse time while surfing.

Thkx for this anyway !

Still thinking and trying to "see" something on teh traffic pattern.

Just tested something else;

Fired up IOnternet xplorer on the win box and typed my linux gateway server IP adress in the URL window, he returns "Impossibel to establish a connection with the server" (translating the error msg from blody french so it must be something like that
I have no idea if this test is relevant cause I do not have any valid website on the Linux Box.

Samba is still working OK but they are using different way to access the server I guess (at least the cable is workig for sure).

The more I do, the less I understand

By the way, I've found a good network sniffer at http://dag.wieers.com/packages/sniffit/

Now, I can access Google at the speed of light from the win98 box, select something I'm sure I never loked for such as "buying kung-fu shoes" in order to avoid any cache search or whatever.
I got answers of chinese shops to get those shoes and when I try to access it , it remain blocked again .
Seems that only google is working.

Looking into the sniffer log file, I've found this ;


?Rk@?

Accept: */*
Referer: http://www.google.com/
Accept-Language: fr
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)
Host: www.google.com
Connection: Keep-Alive
Cookie: PREF=ID=34c16d4fbada428a:TM=1080775242:LM=1080775242:S=KaNA6JjQhN0ya1LZ

?Rk@?

and this for all acess to goofgle.
When it comes to something else, I got this;





A␌␌␊⎻├: */*
A␌␌␊⎻├-L▒┼±┤▒±␊: °⎼
A␌␌␊⎻├-E┼␌⎺␍␋┼±: ±≥␋⎻, ␍␊°┌▒├␊
U⎽␊⎼-A±␊┼├: M⎺≥␋┌┌▒/4.0 (␌⎺└⎻▒├␋␉┌␊; MSIE 4.01; W␋┼␍⎺┬⎽ 98)
H⎺⎽├: └≤⎻▒±␊.␉┌┤␊┬␋┼.␌␤
C⎺┼┼␊␌├␋⎺┼: K␊␊⎻-A┌␋┴␊

?R┐@9?


Seems that a bit of garbling is happening there.
By the way, very last investigation shows that I can almsot access other sites than google, almost, not reaching the end of teh page.

I haven't change anythhing since the last step, crazy.

Anyway, I least I brought something; a sniffer program.