Yikes! No one can get Internet thru Linux gateway/router/firewall/DHCP
help!
I have an IBM eServer running Linux Mandrake Multi-Network-Firewall (Kernel 2.4.18). The server has two Broadcom NetXtreme Gigabit Ethernet cards, both of which are configured properly (I believe).
eth0 is connected to an ADSL modem, so it doesn't come up at boot, uses a DHCP IP address, and the PPP0 interface.
eth1 is static IP with 192.168.1.1/255.255.255.0 and is connected to an Ethernet switch where the Windows XP LAN is.
The idea is that the Windows XP LAN will connect to the Internet through the server. The server should act as a firewall, Internet content filter, DHCP server, and possibly a Web proxy too. And a router and gateway.
I believe I have configured eth0/adsl properly because the connection is started at boot (adsl-start) and adsl-status indicates the connection is up. From eth0, I can ping Internet addresses like www.sympatico.ca and www.google.ca.
From eth1 I can ping my LAN (example, 192.168.1.113). But it seems like eth1 and eth0 cannot talk to each other. For instance, no one on the LAN can access the Internet, even to ping it (host unknown). And if I ping eth0's IP address from eth1, I get "destination host unreachable".
I am quite new to all this, but I have tried to set up IP MASQ from a HOWTO I found on the Internet; also I tried to set up routing from a HOWTO as well. Even used "route add default PPP0" and still, can't connect.
I must be missing something, but what! I have been working on this for a week now, please help!!!
Input: what comes from the internet
output : what comes from your network
forward: goes from one board to the other Eth0 to 1
also check on /etc/rc.d/rc.firewall
to check what ports you actually have open on your firewall do
netstat -a [-n -p -A inet]
If for some reason you need to clear all the rules, to start building new ones and use the Internet right away (be very careful: this leaves you without security),
do
ipchains -F
Open your predetermined rule,
ipchains -P output ACCEPT
and program your machines to have a gateway to your firewall's internal eth IP address.
When you have people accessing the web, start creating rules with ipchains to build up security. (Buy a good book like Firewalls Linux / Prentice Hall.)
If your approach is to start with security, START HERE: check that your default rule is DENY, and start building rules to activate each service you want (web, smtp...).
NEVER CALL THESE ipchains commands from the shell, and not from a remote machine; use a file, or you might lose contact.
Thanks Manrique, my Linux uses iptables instead, but I think the commands are the same. I made a backup copy of my iptables file, and just deleted it, and stopped the firewall program completely (shorewall). Next I made an iptables file with everything set to ACCEPT. Still, cannot connect. (This was last week.) Then last night I set up some MASQUERADE rules, because of only having one public IP address; I thought that's why the LAN machines cannot connect. Still no go.
I did not have a /etc/rc.d/rc.firewall file, but last night I copied one from an Internet HOWTO and edited it for my machine.
Finally, I set up routing using the route command.
EDIT: Oh, I forgot to mention: since the server isn't working, during work hours we use our old hardware router that is also a gateway/DHCP. This hardware router uses 192.168.1.1 for the LAN, which is the same as the card on the server. So all the machines on the LAN are already programmed to look to that IP for DHCP and Internet services.
Again, thanks for your help, do you have any more suggestions of what I can try?
Yes, when I reboot my Windows computer (well, the test one) it does indeed seem to get an IP address. winipcfg shows that the lease was obtained at the time I rebooted. And on the server the DHCP log shows that the matching IP address is being used. So, I'm sure that yes, the DHCP server is working.
4. set up iptables from a script I found in the Internet HOWTO that includes the line (something like)
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
So following the helpful steps that the experts have given to the other users hasn't worked for me so far. What did I overlook? The Windows machines use 192.168.1.1 as a gateway/DHCP.
quote from 1st post
"eth0 is connected to a ADSL modem, so it doesn't come up at boot, uses DHCP IP address, and PPP0 interface."
If your gateway to the internet is through eth0 connected to your ADSL modem, shouldn't you use eth0 as your default route? I have a DSL connection and my default route for traffic traversing my firewall is the interface attached to the DSL modem. Below you can see my route table.
[09:09:28][root@host:dir ]$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
Hello Avatar,
I'd like to give some help and I guess it might be useful.
According to the message you posted, you say that your server is configured correctly.
So whether you are sure or unsure about your route IP, do this:
login as root and on the command line type:
# route [ret]
I am sure with this command you will be able to see something like this:
Destination GATEWAY GenMask Flags Metric Ref Use Iface
Default 192.***.**.* 255.***.***.* UG 0 0 0 eth0
If you aren't connecting to the internet with this gateway, then try another one by issuing the following command as root:
# route add default gw 192.***.***.***.* [replace stars with your gateway IP numbers]
And remember you can't use two different gateways at the same time; instead, one should be deleted or disabled before you switch to another, by issuing this command as root:
# route del default gw 192.***.***.***.* [replace stars with your gateway IP numbers]
From here try to ping your gateway. If it is OK, then try pinging your DNS if you have one. If not sure where your DNS resides, just issue this command and you will see it or add it there:
# vi /etc/resolv.conf [ret]
If everything is alright, then try pinging e.g. www.google.com. If everything is OK, then you are ready to go on the internet. In case things are not working out but you are able to ping all the hosts, then you seem to be behind a proxy and you need to specify it in your favourite web browser; if you are using Mozilla, then go to
edit --->Preferences--->Advanced---->Proxies----->Select Manual Proxy Configuration.
Dear, try your luck and see if it works; if it doesn't, then you need to consult your Network Administrator, otherwise you might need to go to a Cyber Cafe to surf the net.
Bye.
#### FORWARDING ####
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
With the forwarding section you are allowing all forwarded packets that have the destination of 192.168.1.0/24, but not enabling the forwarding of packets that come from 192.168.1.0/24. I think you need to change the -d to a -s
Also, it seems odd to be using ppp0, but if you can ping from your firewall out to the internet, the routing must be working right. Maybe the NAT table needs to be pointed at eth0 instead? That's a complete guess though.
Hey Avatar, I don't know if you got this resolved yet, but here is my firewall startup script, in case it helps you. I see a few discrepancies between ours. This is verbatim so it reflects my small network.
Code:
#!/bin/bash
#
# Stops and starts the firewall definitions for a two-card NAT gateway:
# EXTERNAL faces the ISP, INTERNAL faces the LAN.
EXTERNAL=eth0
INTERNAL=eth1

firewall_start() {
    echo "Starting Firewall..."
    # Ignore all ICMP echo requests, and drop packets arriving on the external
    # card whose source address would not be routed back out that card
    # (reverse-path filter, a basic anti-spoofing check).
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/conf/$EXTERNAL/rp_filter
    # Packets only move between the two cards if the kernel forwards them;
    # the distribution's rc scripts may set this too, but repeating it is harmless.
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Default policies: nothing reaches the box itself unless a rule allows it.
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT

    # Loopback traffic is always fine.
    iptables -A INPUT -i lo -p all -j ACCEPT
    iptables -A OUTPUT -o lo -p all -j ACCEPT

    # FORWARD: allow replies to existing connections, and any new connection
    # that did NOT arrive on the external card (i.e. LAN hosts going out).
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state NEW ! -i $EXTERNAL -j ACCEPT
    # Anti-spoofing: private source addresses must never arrive from the Internet.
    # Kept verbatim; note that the RFC 1918 block is 172.16.0.0/12, and
    # 176.16.0.0/12 is not private space, so adjust this to your own addressing.
    iptables -A FORWARD -s 10.0.0.0/8 -i $EXTERNAL -j REJECT
    iptables -A FORWARD -s 176.16.0.0/12 -i $EXTERNAL -j REJECT
    iptables -A FORWARD -s 192.168.0.0/16 -i $EXTERNAL -j REJECT
    # Inbound connections that are port-forwarded below must also pass FORWARD:
    # SSH to one internal host, VNC (5900-5910) to another from a single source.
    iptables -A FORWARD -p tcp -d 176.16.1.2 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -p tcp -d 176.16.1.3 -s 216.76.29.66 --dport 5900:5910 -m state --state NEW,ESTABLISHED -j ACCEPT
    # iptables -A FORWARD -p tcp -d 176.16.1.2 -s 149.149.0.0/16 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    # iptables -A FORWARD -p tcp -d 176.16.1.2 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    # Everything else that would be forwarded is refused, so the FORWARD
    # policy of ACCEPT above is never reached.
    iptables -A FORWARD -j REJECT

    # NAT: masquerade LAN traffic leaving on the external card, and rewrite
    # the destination of inbound SSH/VNC to the internal hosts they belong to.
    iptables -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
    iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 5900 -j DNAT --to-destination 176.16.1.3
    iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 22 -j DNAT --to-destination 176.16.1.2
    # iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 21 -j DNAT --to-destination 176.16.1.2
    # iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 80 -j DNAT --to-destination 176.16.1.2

    # INPUT (traffic to the firewall itself): replies, anything that did not
    # come in on the external card, anything from the LAN card; the rest refused.
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state NEW ! -i $EXTERNAL -j ACCEPT
    iptables -A INPUT -i $INTERNAL -j ACCEPT
    iptables -A INPUT -j REJECT
    iptables -A OUTPUT -j ACCEPT
}

firewall_stop() {
    echo "Disabling Firewall..."
    # Flush and delete the rules in both tables, then reset the policies:
    # flushing alone would leave INPUT at DROP with no rules and lock the box out.
    iptables -t filter --flush
    iptables -t filter --delete-chain
    iptables -t nat --flush
    iptables -t nat --delete-chain
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 0 > /proc/sys/net/ipv4/conf/$EXTERNAL/rp_filter
}

firewall_restart() {
    firewall_stop
    sleep 1
    firewall_start
}

case "$1" in
    'start')
        firewall_start
        ;;
    'stop')
        firewall_stop
        ;;
    'restart')
        firewall_restart
        ;;
    *)
        echo "usage: $0 start|stop|restart"
        exit 1
        ;;
esac
Yeah, sorry. Never was good at putting comments.... This is from my slack 9.1 router. Hope this helps you buddy!
Last edited by benjithegreat98; 02-03-2004 at 05:24 PM.
Originally posted by Dewar
Here's a possible problem I see here.
Code:
#### FORWARDING ####
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
With the forwarding section you are allowing all forwarded packets that have the destination of 192.168.1.0/24, but not enabling the forwarding of packets that come from 192.168.1.0/24. I think you need to change the -d to a -s
Also, it seems odd to be using ppp0, but if you can ping from your firewall out to the internet, the routing must be working right. Maybe the NAT table needs to be pointed at eth0 instead? That's a complete guess though.
Hope that first bit helps at least
-Dewar
Dewar, you are correct. My iptables forward now looks like this:
Code:
#### FORWARDING ####
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
and everything seems to be working great now. I know this iptables firewall isn't the greatest, but at least my users can access the Internet perfectly. (Note: the content filtering and proxy options of MNF do NOT work).
Also, the NAT table is correct to use PPP0. At least for me.
psyche, dewar, benji, fatal: Thank you all for your assistance. My problem is resolved now. It is the selfless community of Linux users that makes up the greatest amount of my satisfaction with this operating system; I always know that if something doesn't work... someone will help me fix it!!
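The thread converged on four things a LAN-to-Internet Linux gateway must have: kernel forwarding switched on, a FORWARD rule that matches traffic sourced from the LAN (-s, not only -d), MASQUERADE on the ADSL interface, and a default route out of that interface. The script below checks all four; it is an added example, not something posted in the thread, and assumes the original poster's LAN 192.168.1.0/24 and ppp0 (overridable through LAN_NET and EXT_IF) and current-tool syntax (`iptables -S`, `ip route`) rather than the 2004-era commands above.

```shell
#!/bin/sh
# Added example: sanity checks for a two-interface Linux NAT gateway.
# Assumptions: LAN is 192.168.1.0/24 and the ADSL link is ppp0 (override via env).
LAN_NET=${LAN_NET:-192.168.1.0/24}
EXT_IF=${EXT_IF:-ppp0}

# 1. The kernel must route between the two cards at all.
check_ip_forward() {          # arg: contents of /proc/sys/net/ipv4/ip_forward
    [ "$1" = "1" ]
}

# 2. FORWARD must accept traffic *from* the LAN. Prints one of:
#    ok      - an "-s LAN ... -j ACCEPT" rule exists
#    d-only  - only "-d LAN" is accepted (the thread's bug: replies pass,
#              new connections from LAN hosts never do)
#    missing - neither
diagnose_forward() {          # arg: output of `iptables -S FORWARD`
    if printf '%s\n' "$1" | grep -q -- "^-A FORWARD -s $LAN_NET .*-j ACCEPT"; then
        echo ok
    elif printf '%s\n' "$1" | grep -q -- "^-A FORWARD -d $LAN_NET .*-j ACCEPT"; then
        echo d-only
    else
        echo missing
    fi
}

# 3. Outbound LAN traffic must be masqueraded on the external interface.
check_masquerade() {          # arg: output of `iptables -t nat -S POSTROUTING`
    printf '%s\n' "$1" | grep -q -- "^-A POSTROUTING -o $EXT_IF -j MASQUERADE"
}

# 4. The default route must leave via the external interface.
check_default_route() {       # arg: output of `ip route show`
    printf '%s\n' "$1" | grep -q "^default .*dev $EXT_IF"
}

# Run against the live system (needs root): ./gwcheck.sh live
if [ "${1:-}" = "live" ]; then
    check_ip_forward "$(cat /proc/sys/net/ipv4/ip_forward)" && echo "ip_forward: ok" || echo "ip_forward: OFF"
    echo "FORWARD chain: $(diagnose_forward "$(iptables -S FORWARD)")"
    check_masquerade "$(iptables -t nat -S POSTROUTING)" && echo "MASQUERADE on $EXT_IF: ok" || echo "MASQUERADE on $EXT_IF: missing"
    check_default_route "$(ip route show)" && echo "default route via $EXT_IF: ok" || echo "default route via $EXT_IF: missing"
fi
```

A "d-only" verdict is exactly the state Dewar spotted: the box answers existing connections but never lets a LAN host open a new one.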