Edit: I've found shorewall to be the culprit now, worked around it by adding "eth0 -" into /etc/shorewall/routestopped and stopping shorewall. I don't need shorewall for incoming protection from the net right now anyway since the router is doing that now. I'd still appreciate any help with getting shorewall configured right.
Hey there,
relative linux newbie here. Although the system had been running fine for around three years, I decided to get myself a WLAN router.
Before today, my Mandrake box dialed into my DSL provider via pppoe. It shared this connection with my one other machine through a second LAN card and a plain crossed-over RJ45 cable. That worked fine all the way.
Now the router does the dialing, since it has an integrated modem. That also works fine. The Mandrake machine (192.168.0.2) is plugged into the router (192.168.0.1), as is my XP machine (192.168.0.3) and the laptop (192.168.0.4).
All of these machines can ping each other (except that the Mandrake box is set to drop these, but I can ssh into it as well as get mail from it via IMAP). Even Samba works fine.
So all is well except for one little but decisive thing: the Mandrake machine refuses to make outbound connections. Meaning if I try using lynx for example to connect to any web page I receive
Code:
Alert!: Unable to access document.
lynx: Can't access startfile
When I attached a screen to the machine and tried Konqueror I got the same result. And it did so instantly, meaning there is certainly no time-out involved. Using IPs instead of host names did not help:
Code:
[root@icarus philip]# lynx 209.85.135.103
Looking up 209.85.135.103 first
Looking up 209.85.135.103
Making HTTP connection to 209.85.135.103
Alert!: Unable to connect to remote host.
lynx: Can't access startfile http://209.85.135.103/
Neither the XP desktop nor the XP notebook going through the same router have any trouble accessing the net.
I have rummaged around the configuration files on the Mandrake machine and when that failed I attached a screen to it and went through the GUI. I deleted the adsl connection in the configuration, later uninstalled all ppp-related packages. I tried setting up either LAN card to function as internet connection gateway, the result stayed the same.
I could always connect into open services on the Mandrake machine on various ports at 192.168.0.2, be it SSH, IMAP or even Samba. But the Mandrake box just wouldn't communicate with the outside world anymore.
Alright, I'm still trying to keep this as concise as possible so I'll leave the descriptions at that for now. Of course I'll be glad to provide more as needed. Thank you all in advance for any pointers.
Philip
Here are a few things I imagine you'd like to see:
Code:
[root@icarus philip]# uname -a
Linux icarus.dyndns.org 2.6.3-7mdksecure #1 SMP Wed Mar 17 14:42:34 CET 2004 i686 unknown unknown GNU/Linux
Code:
[root@icarus philip]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:FC:21:25:09
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::250:fcff:fe21:2509/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:27487 errors:0 dropped:0 overruns:0 frame:0
          TX packets:46902 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2223319 (2.1 Mb)  TX bytes:62579970 (59.6 Mb)
          Interrupt:12 Base address:0xe000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:48 errors:0 dropped:0 overruns:0 frame:0
          TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:6559 (6.4 Kb)  TX bytes:6559 (6.4 Kb)
Code:
[root@icarus philip]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         Router          0.0.0.0         UG    0      0        0 eth0
("Router" is set to 192.168.0.1 in /etc/hosts, which is the WLAN router serving just fine as gateway for the two XP machines)
And in case you're wondering why I'm using lynx instead of the simple ping to check outbound connections, this is what happens when I try pinging (but this behaviour also happened when everything was fine under adsl):
Code:
[root@icarus philip]# ping 192.168.0.3
PING 192.168.0.3 (192.168.0.3) 56(84) bytes of data.
From 192.168.0.2 icmp_seq=1 Destination Host Unreachable
From 192.168.0.2 icmp_seq=1 Destination Host Unreachable
From 192.168.0.2 icmp_seq=1 Destination Host Unreachable
From 192.168.0.2 icmp_seq=1 Destination Host Unreachable
From 192.168.0.2 icmp_seq=1 Destination Host Unreachable
From 192.168.0.2 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Operation not permitted
From 192.168.0.2 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Operation not permitted
From 192.168.0.2 icmp_seq=3 Destination Host Unreachable
ping: sendmsg: Operation not permitted
--- 192.168.0.3 ping statistics ---
3 packets transmitted, 0 received, +8 errors, 100% packet loss, time 2022ms
Shorewall seems to have some remnants of the ppp-days - could that be part of the reason why I'm having these problems?
Code:
[root@icarus shorewall]# shorewall restart
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Restarting Shorewall...
Loading Modules...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Connection Tracking Match: Available
Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
Net Zone: ppp+:0.0.0.0/0
Local Zone: eth0:0.0.0.0/0 eth1:0.0.0.0/0 ham0:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Setting up Accounting...
Setting up User Sets...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
Rule "DROP net fw tcp 135,139,445 -" added.
Rule "ACCEPT net fw tcp 25,110,143,444,2421,2422,2433,2444,2459,2462,2580,2591:2599,24000:24100,25000:26000 -" added.
Rule "ACCEPT loc fw tcp 25,53,80,110,135,137,139,143,444,2401,2421,2422,2444,2459,2580,4001,8080,24000:24100,25000:26000 -" added.
Rule "ACCEPT loc fw udp 53 -" added.
Processing /etc/shorewall/policy...
Policy ACCEPT for fw to net using chain fw2net
Policy DROP for net to fw using chain net2all
Policy REJECT for loc to fw using chain all2all
Policy ACCEPT for loc to net using chain loc2net
Processing /etc/shorewall/tos...
Rule "all all tcp - ssh 16" added.
Rule "all all tcp ssh - 16" added.
Rule "all all tcp - ftp 16" added.
Rule "all all tcp ftp - 16" added.
Rule "all all tcp ftp-data - 8" added.
Rule "all all tcp - ftp-data 8" added.
Processing /etc/shorewall/ecn...
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Restarted
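Why stopping Shorewall makes the symptom disappear, as an added model written for this thread (not the poster's configuration and not Shorewall's own code): it replays Shorewall's zone lookup and first-match policy selection for the zone mapping printed above. The POLICY list is inferred from the chain names in the output (fw2net, net2all, loc2net, all2all), and FIXED_ZONES is an assumed corrected mapping in which eth0 becomes the net zone with the LAN carved out as loc; both are assumptions, not taken from the post. With net bound to ppp+ (which no longer exists) and eth0 in loc, a new connection from the box to the Internet is fw->loc, falls through to the all2all REJECT, and an OUTPUT-chain reject is exactly what "sendmsg: Operation not permitted" looks like.

```python
import ipaddress

# Zone membership as reported by the poster's "shorewall restart" output (from the page),
# plus an ASSUMED corrected mapping: eth0 now faces the router, so it is the net zone,
# with the LAN carved out as loc (listed first, so the more specific entry wins).
# Entries are "iface:network"; a trailing "+" is Shorewall's interface wildcard (ppp+).
BROKEN_ZONES = {"net": ["ppp+:0.0.0.0/0"],
                "loc": ["eth0:0.0.0.0/0", "eth1:0.0.0.0/0", "ham0:0.0.0.0/0"]}
FIXED_ZONES = {"loc": ["eth0:192.168.0.0/24"], "net": ["eth0:0.0.0.0/0"]}

# Policy file INFERRED from the chain names on the page (fw2net, net2all, loc2net, all2all);
# Shorewall takes the first matching line and "all" is a wildcard.
POLICY = [("fw", "net", "ACCEPT"), ("net", "all", "DROP"),
          ("loc", "net", "ACCEPT"), ("all", "all", "REJECT")]


def iface_matches(pattern, iface):
    """'ppp+' matches ppp0, ppp1, ...; anything else must match exactly."""
    return iface == pattern or (pattern.endswith("+") and iface.startswith(pattern[:-1]))


def zone_of(zones, iface, ip):
    """First zone whose interface/network entry covers the packet's interface and address."""
    addr = ipaddress.ip_address(ip)
    for zone, entries in zones.items():          # dict order stands in for zone precedence
        for entry in entries:
            pattern, network = entry.split(":")
            if iface_matches(pattern, iface) and addr in ipaddress.ip_network(network):
                return zone
    return None                                   # no zone entry covers this packet


def policy_for(src, dst):
    for s, d, action in POLICY:
        if s in (src, "all") and d in (dst, "all"):
            return action
    return "REJECT"                               # assumed fallback if nothing matched


def verdict(zones, iface, dst_ip):
    """Outcome for a NEW connection from the firewall host itself ('fw') leaving iface."""
    dst_zone = zone_of(zones, iface, dst_ip)
    return dst_zone, policy_for("fw", dst_zone)


if __name__ == "__main__":
    for name, zones in (("broken", BROKEN_ZONES), ("fixed", FIXED_ZONES)):
        print(name, "lynx 209.85.135.103 ->", verdict(zones, "eth0", "209.85.135.103"))
        print(name, "ping 192.168.0.3    ->", verdict(zones, "eth0", "192.168.0.3"))
```

The model also reproduces the pre-existing ping failure to 192.168.0.3 (fw->loc was REJECT under the adsl setup too), and shows that rebinding eth0 to the net zone restores fw->net ACCEPT while keeping net->fw DROP, which the routestopped workaround plus stopping Shorewall gives up.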