Ladies & Gents
The host is acting as the router for an internal network with DNS-cache, DHCP, and NAT. I want to add some audio functionality to it but before I do that I wanted to update it to Wheezy so that I would not have to work on it for a while. So I edited my sources.list and added in the Wheezy repos and did apt-get dist-upgrade (I know I should have looked at the recommended process online first). All went fine with a successful reboot but then I discovered that NAT was broken.
So I started looking into the problem. The host has 4 NICs, two of which are activated and used; the other two are not used at all, no need at this time. Udev is set to name them correctly. eth0 is set to pull an IP from my ISP and does so correctly. eth1 is set static and is set up correctly. IP forwarding is turned on in sysctl.conf with net.ipv4.ip_forward=1.
I appear to have the correct iptables rules. They are set by Arno's Iptables Firewall Script v2.0.1.
Code:
-------------------------------------------------------------------------------
Chain PREROUTING (policy ACCEPT 2351 packets, 743358 bytes)
pkts bytes target prot opt in out source destination
2351 743358 NAT_PREROUTING_CHAIN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:xxxxxxxx to:x.x.x.x
2351 743358 POST_NAT_PREROUTING_CHAIN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 2 packets, 388 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 822 packets, 57330 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 826 packets, 57634 bytes)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
826 57634 NAT_POSTROUTING_CHAIN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * eth0 192.168.7.0/24 !192.168.7.0/24
826 57634 POST_NAT_POSTROUTING_CHAIN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain NAT_POSTROUTING_CHAIN (1 references)
pkts bytes target prot opt in out source destination
Chain NAT_PREROUTING_CHAIN (1 references)
pkts bytes target prot opt in out source destination
Chain POST_NAT_POSTROUTING_CHAIN (1 references)
pkts bytes target prot opt in out source destination
Chain POST_NAT_PREROUTING_CHAIN (1 references)
pkts bytes target prot opt in out source destination
I have tried flushing all the rules and tables and setting them up by hand like:
Code:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
with no joy. /etc/init.d/arno-iptables-firewall restart brings back my ability to connect to the host on its local network. But there is still no NAT taking place.
This system was functioning flawlessly prior to the dist-upgrade.
There are reportedly some issues with network-manager when doing dist-upgrade. I tried to disable it as instructed...
Code:
update-rc.d network-manager disable
update-rc.d: using dependency based boot sequencing
update-rc.d: error: cannot find a LSB script for network-manager
Further searching shows that it is not installed.
resolvconf may be the issue but I don't know how to check that yet or how to disable it. I do know that buried down in its config is my original resolv.conf, named original.
Pinging on eth0 does not work:
Code:
ping -I eth0 74.125.131.104 (www.google.com)
PING 74.125.131.104 (74.125.131.104) from 192.168.0.104 eth0: 56(84) bytes of data.
From 192.168.0.104 icmp_seq=1 Destination Host Unreachable
From 192.168.0.104 icmp_seq=2 Destination Host Unreachable
From 192.168.0.104 icmp_seq=3 Destination Host Unreachable
From 192.168.0.104 icmp_seq=4 Destination Host Unreachable
From 192.168.0.104 icmp_seq=5 Destination Host Unreachable
From 192.168.0.104 icmp_seq=6 Destination Host Unreachable
^C
--- 74.125.131.104 ping statistics ---
8 packets transmitted, 0 received, +6 errors, 100% packet loss, time 7039ms
pipe 3
Code:
sysctl -a | grep forward
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 1 # not used
net.ipv4.conf.eth2.mc_forwarding = 0 # not used
net.ipv4.conf.eth3.forwarding = 1 # not used
net.ipv4.conf.eth3.mc_forwarding = 0 # not used
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.eth1.forwarding = 0
net.ipv6.conf.eth1.mc_forwarding = 0
net.ipv6.conf.eth2.forwarding = 0 # not used
net.ipv6.conf.eth2.mc_forwarding = 0 # not used
net.ipv6.conf.eth3.forwarding = 0 # not used
net.ipv6.conf.eth3.mc_forwarding = 0 # not used
I tried uninstalling resolvconf, putting a copy of the original resolv.conf in place, rebooted, no joy. I have not reinstalled it yet.
In the update log there are some warnings about ifupdown breaking netbase and moving some files out of the way. But then later netbase is installed and setup without issues.
I am getting very frustrated. I have no idea what else to try.
Any ideas?
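Added here as an illustration, not part of the original post: a small shell checklist for the two-NIC NAT setup described above (eth0 to the ISP, eth1 static, 192.168.7.0/24 masqueraded). It checks IP forwarding, the MASQUERADE rule, the FORWARD rules and the WAN default route against captured command output, so the constructed samples below run offline; the interface names, subnet and the gateway 192.168.0.1 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for a two-NIC Linux
# NAT router. Each check takes captured command output as its argument so it runs
# offline; on a live box feed it `iptables-save`, `ip route` and
# `sysctl net.ipv4.ip_forward`. Assumed layout: WAN=eth0, LAN=eth1, LAN 192.168.7.0/24.
WAN=eth0
LAN=eth1
# Constructed `iptables-save` sample mirroring the hand-entered rules in the post.
RULES_OK='*nat
-A POSTROUTING -s 192.168.7.0/24 ! -d 192.168.7.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'
# Constructed `ip route` samples: one without a default gateway on the WAN, one with.
ROUTES_BROKEN='192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.104
192.168.7.0/24 dev eth1 proto kernel scope link src 192.168.7.1'
ROUTES_OK="default via 192.168.0.1 dev eth0
$ROUTES_BROKEN"
# Exit 0 when a MASQUERADE rule leaves via the WAN interface.
has_masquerade() {
    printf '%s\n' "$1" | grep -q -e "^-A POSTROUTING .*-o $WAN .*-j MASQUERADE"
}
# Exit 0 when LAN->WAN traffic and WAN->LAN replies (state match) are both accepted.
has_forward_rules() {
    printf '%s\n' "$1" | grep -q -e "^-A FORWARD -i $LAN -o $WAN .*-j ACCEPT" &&
    printf '%s\n' "$1" | grep -q -e "^-A FORWARD -i $WAN -o $LAN .*ESTABLISHED.*-j ACCEPT"
}
# Exit 0 when the default route points out the WAN interface.
has_default_route() {
    printf '%s\n' "$1" | grep -q "^default via .* dev $WAN"
}
# Exit 0 when net.ipv4.ip_forward is 1 in the given sysctl output.
forwarding_enabled() {
    printf '%s\n' "$1" | grep -q '^net.ipv4.ip_forward = 1$'
}
# check_router RULES ROUTES SYSCTL: print each failed check; return the failure count.
check_router() {
    fails=0
    forwarding_enabled "$3" || { echo "FAIL: net.ipv4.ip_forward is not 1"; fails=$((fails+1)); }
    has_masquerade "$1"     || { echo "FAIL: no MASQUERADE rule out $WAN"; fails=$((fails+1)); }
    has_forward_rules "$1"  || { echo "FAIL: FORWARD chain lacks $LAN<->$WAN rules"; fails=$((fails+1)); }
    has_default_route "$2"  || { echo "FAIL: no default route via $WAN"; fails=$((fails+1)); }
    [ "$fails" -eq 0 ] && echo "OK: forwarding, NAT, FORWARD rules and default route present"
    return "$fails"
}
```

On the router itself, call check_router with the real output of the three commands; a clean iptables ruleset with a failing default-route check points at the WAN side rather than at NAT.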