strange problem

bruj3w · 09-20-2004, 01:53 PM

heya

i have a box running slackware running as a router/firewall with apache serving up a few files.

every machine behind the firewall can connect to the internet fine but the router/firewall itself doesnt want to connect to the web, ftp, irc etc, even though it does obviously have a internet connection as all the machines behind it can connect without a problem.

thinking it was a iptables issue i flushed the tables completly, although this hasnt helped.

i cant ping anything, and it fails to revolve hostnames, although i also know its not a dns problem as it uses the same dns server as machines on the lan behind it.

obviously i've restarted networking etc but am i stuck.

any help would be great. cheers.

servnov · 09-20-2004, 08:20 PM

so you want to login to your router and use it to connect to other machines...?

bruj3w · 09-21-2004, 02:51 AM

well yes.

i want to be able to grab updates, packages and such from it.

bruj3w · 09-21-2004, 09:45 AM

*bump*

scowles · 09-21-2004, 12:19 PM

I'm no iptables expert, but it sounds like you need to add some iptable rules that grant your firewall access to services like web, dns ,etc.... Think of the problem you describe as - requests (packets) that originate from your firewall do not hit the FORWARD chain like those from your LAN.

bruj3w · 09-21-2004, 01:20 PM

i really dont think its an iptables issue as i've gone back to older versions of my 'script' that i know work. never the less, here's my ./rc.firewall.

#!/bin/sh
#1.1
#

iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

iptables -F; iptables -t nat -F; iptables -t mangle -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP

iptables -A OUTPUT -j ACCEPT -m state --state NEW -o eth0 -p tcp

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

#######
various local bits and bats removed
#######

iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATE -j ACCEPT

iptables -t nat -I PREROUTING -p tcp --dport xx:xx -j DNAT --to-destination x.x.x.x

servnov · 09-21-2004, 05:27 PM

kinda long and not to good...You will need -j before DROP, REJECT, FORWARD, ACCEPT

bruj3w · 09-22-2004, 12:27 PM

*bump*

servnov · 09-22-2004, 03:37 PM

as in this lines:
iptables -P INPUT DROP
iptables -P OUTPUT DROP