bruj3w 09-20-2004 02:53 PM

strange problem

I have a box running Slackware acting as a router/firewall, with Apache serving up a few files.

Every machine behind the firewall can connect to the internet fine, but the router/firewall itself doesn't want to connect to the web, ftp, irc etc., even though it obviously does have an internet connection, as all the machines behind it can connect without a problem.

Thinking it was an iptables issue, I flushed the tables completely, although this hasn't helped.

I can't ping anything, and it fails to resolve hostnames, although I also know it's not a DNS problem, as it uses the same DNS server as the machines on the LAN behind it.

Obviously I've restarted networking etc., but I am stuck.

Any help would be great. Cheers.

servnov 09-20-2004 09:20 PM

So you want to log in to your router and use it to connect to other machines...?

bruj3w 09-21-2004 03:51 AM

Well, yes.

I want to be able to grab updates, packages and such from it.

scowles 09-21-2004 01:19 PM

I'm no iptables expert, but it sounds like you need to add some iptables rules that grant your firewall access to services like web, DNS, etc. Think of the problem you describe as: requests (packets) that originate from your firewall do not hit the FORWARD chain like those from your LAN.

bruj3w 09-21-2004 02:20 PM

I really don't think it's an iptables issue, as I've gone back to older versions of my 'script' that I know work. Nevertheless, here's my ./rc.firewall.


#!/bin/sh
# Clear every table before loading rules (the -F lines below repeat this).
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

iptables -F; iptables -t nat -F; iptables -t mangle -F
# NAT the LAN out through the WAN interface (eth0).
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Accept replies to connections this box or the LAN already opened.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Default policies: drop anything not explicitly allowed, for the box's own traffic too.
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# The only new outbound traffic the box itself may start: TCP on eth0.
iptables -A OUTPUT -j ACCEPT -m state --state NEW -o eth0 -p tcp

# Kernel hardening knobs.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# various local bits and bats removed

# Routed (LAN <-> WAN) traffic goes through FORWARD, not INPUT/OUTPUT.
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Typo fixed: the state name is RELATED, not RELATE (iptables rejects the original line).
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Port forward into the LAN (ports and address elided in the post).
iptables -t nat -I PREROUTING -p tcp --dport xx:xx -j DNAT --to-destination x.x.x.x
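As scowles says above, the router's own packets go through OUTPUT (replies through INPUT) rather than FORWARD, so with a default-DROP OUTPUT policy every protocol the box itself uses has to be opened there; the posted script only opens NEW TCP, which does not cover UDP DNS lookups or ICMP ping. This is an added example, not from the thread, showing the minimal rules for the firewall host's own traffic while keeping both DROP policies; it assumes the posted layout (eth0 = WAN) and has a DRY_RUN mode that prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not the original poster's script). Rules for the router's OWN
# traffic, which traverses OUTPUT/INPUT and never FORWARD. Assumes eth0 = WAN
# and default policy DROP on INPUT and OUTPUT, as in the posted rc.firewall.

IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"
DRY_RUN="${DRY_RUN:-}"

# Run an iptables command, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# Minimal outbound allowance for the firewall host itself.
firewall_self_rules() {
    # Loopback: local resolver, Apache health checks, anything talking to 127.0.0.1.
    run -A INPUT -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT
    # Replies to connections the box itself opened.
    run -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DNS: the resolver tries UDP 53 first and falls back to TCP 53 for large answers.
    run -A OUTPUT -o "$WAN" -p udp --dport 53 -m state --state NEW -j ACCEPT
    run -A OUTPUT -o "$WAN" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    # ping from the box; echo replies return as ESTABLISHED on INPUT.
    run -A OUTPUT -o "$WAN" -p icmp --icmp-type echo-request -j ACCEPT
    # Fetching updates/packages: FTP control, HTTP, HTTPS. Passive FTP data
    # channels are matched as RELATED once the FTP conntrack helper is loaded.
    run -A OUTPUT -o "$WAN" -p tcp -m multiport --dports 21,80,443 \
        -m state --state NEW -j ACCEPT
}

# Number of OUTPUT rules a dry run would add; useful for sanity-checking the set.
count_output_rules() {
    ( DRY_RUN=1; firewall_self_rules ) | grep -c -- '-A OUTPUT'
}

case "${1:-}" in
    --print) DRY_RUN=1; firewall_self_rules ;;
    --apply) firewall_self_rules ;;
esac
```

Run it as `sh self-rules.sh --print` to review the commands, then `--apply` as root after the posted flush and policy lines; the NEW-TCP-only rule from the thread becomes redundant once these are in place.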

servnov 09-21-2004 06:27 PM

Kinda long and not too good... You will need -j before DROP, REJECT, FORWARD, ACCEPT.

servnov 09-22-2004 04:37 PM

As in these lines:
iptables -P INPUT DROP
iptables -P OUTPUT DROP

