LinuxQuestions.org
Linux - Networking
Old 01-27-2004, 08:52 AM   #1
Avatar
Member
 
Registered: May 2001
Location: Canada
Distribution: old ones
Posts: 555

Rep: Reputation: 33
Yikes! No one can get Internet thru Linux gateway/router/firewall/DHCP


help!

I have an IBM eServer running Linux Mandrake Multi-Network-Firewall (Kernel 2.4.18). The server has two Broadcom NetXtreme Gigabit Ethernet cards, both of which are configured properly (I believe).

eth0 is connected to an ADSL modem, so it doesn't come up at boot, uses a DHCP IP address, and the PPP0 interface.

eth1 is static IP with 192.168.1.1/255.255.255.0 and is connected to an Ethernet switch where the Windows XP LAN is.

The idea is that the Windows XP LAN will connect to the Internet through the server. The server should act as a firewall, Internet content filter, DHCP server, and possibly a Web proxy too. And a router and gateway.

I believe I have configured eth0/adsl properly because the connection is started at boot (adsl-start) and adsl-status indicates the connection is up. From eth0, I can ping Internet addresses like www.sympatico.ca and www.google.ca.

From eth1 I can ping my LAN (for example, 192.168.1.113). But it seems like eth1 and eth0 cannot talk to each other. For instance, no one on the LAN can access the Internet, even to ping it (host unknown). And if I ping eth0's IP address from eth1, I get "destination host unreachable".

I am quite new to all this, but I have tried to set up IP MASQ from a HOWTO I found on the Internet; also I tried to set up routing from a HOWTO as well. Even used "route add default PPP0" and still, can't connect.

I must be missing something, but what! I have been working on this for a week now, please help!!!
 
Old 01-27-2004, 11:08 AM   #2
mfeoli
Member
 
Registered: Dec 2003
Distribution: Debian
Posts: 92

Rep: Reputation: 15
Let's see,

I'm rather new too, but maybe I can help you since I have the same configuration here. All I know was self-taught, so better double-check.

If your firewall is based on ipchains, check what your actual IP rules look like with:

to list your rules:

ipchains -L input
ipchains -L output
ipchains -L forward

input: what comes from the Internet
output: what comes from your network
forward: goes from one board to the other, eth0 to eth1

Also check /etc/rc.d/rc.firewall

To check what ports you actually have open on your firewall do
netstat -a [-n -p -A inet]

If for some reason you need to clear all the rules, to start building new ones and use the Internet right away (be very careful: without security),
do
ipchains -F

Open your predetermined rule:
ipchains -P output ACCEPT

and program your machines to have a gateway to your firewall's internal eth IP address.

When you have people accessing the web, start creating rules with ipchains to build up security. (Buy a good book like Firewalls Linux / Prentice Hall.)

If your approach is to start with security, START HERE: check that your default rule is DENY, and start building rules to activate each service you want (web, smtp, ...).

NEVER call these ipchains commands from the shell, and not from a remote machine either; use a file, or you might lose contact.
 
Old 01-27-2004, 01:37 PM   #3
Avatar
Member
 
Registered: May 2001
Location: Canada
Distribution: old ones
Posts: 555

Original Poster
Rep: Reputation: 33
Thanks for the reply

Thanks Manrique. My Linux uses iptables instead, but I think the commands are the same. I made a backup copy of my iptables file and just deleted it, and stopped the firewall program completely (shorewall). Next I made an iptables file with everything set to ACCEPT. Still, cannot connect. (This was last week.) Then last night I set up some MASQUERADE rules, because of only having one public IP address; I thought that's why the LAN machines cannot connect. Still no go.

I did not have a /etc/rc.d/rc.firewall file, but last night I copied one from an Internet HOWTO and edited it for my machine.

Finally, I set up routing using the route command.
EDIT: Oh, I forgot to mention: since the server isn't working, during work hours we use our old hardware router that is also a gateway/DHCP. This hardware router uses 192.168.1.1 for the LAN, which is the same as the card on the server. So all the machines on the LAN are already programmed to look to that IP for DHCP and Internet services.

Again, thanks for your help, do you have any more suggestions of what I can try?

Last edited by Avatar; 01-27-2004 at 01:42 PM.
 
Old 01-27-2004, 03:29 PM   #4
mfeoli
Member
 
Registered: Dec 2003
Distribution: Debian
Posts: 92

Rep: Reputation: 15
Are you sure the DHCP daemon is up and running in your linux to give the IP's to your windows machines?
 
Old 01-27-2004, 03:39 PM   #5
Avatar
Member
 
Registered: May 2001
Location: Canada
Distribution: old ones
Posts: 555

Original Poster
Rep: Reputation: 33
Yes, when I reboot my Windows computer (well, the test one) it does indeed seem to get an IP address. winipcfg shows that the lease was obtained at the time I rebooted. And on the server the DHCP log shows that the matching IP address is being used. So, I'm sure that yes, the DHCP server is working.
 
Old 01-28-2004, 03:10 PM   #6
Avatar
Member
 
Registered: May 2001
Location: Canada
Distribution: old ones
Posts: 555

Original Poster
Rep: Reputation: 33
I forgot to mention, I have followed the steps that others have posted about routing.

1. Eth1 is properly configured with 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255

2. IP forwarding is turned on
"cat /proc/sys/net/ipv4/ip_forward" returns 1

3. added entry in routing table
route add -net 192.168.1.0 netmask 255.255.255.0 eth1
route add default ppp0

4. set up iptables from a script I found in an Internet HOWTO that includes the line (something like)
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

So following the helpful steps that the experts have given to the other users, hasn't worked for me so far. What did I overlook? The Windows machines use 192.168.1.1 as a gateway/DHCP.
 
Old 01-28-2004, 04:04 PM   #7
fataldata
Member
 
Registered: Jun 2002
Location: Breckenridge, Colorado
Distribution: Ubuntu Hardy 8.04
Posts: 101

Rep: Reputation: 15
Does your iptables FILTER table have a FORWARD chain which ACCEPTs traffic?
Here is an example of mine.

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 
Old 02-02-2004, 04:02 PM   #8
Avatar
Member
 
Registered: May 2001
Location: Canada
Distribution: old ones
Posts: 555

Original Poster
Rep: Reputation: 33
Here's the contents of the IPTABLES that I'm using for now:

Code:
#### FLUSH TABLES ####
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F

#### POLICY SETTINGS ####
iptables -P INPUT DROP    # Drop all incoming packets
iptables -P FORWARD DROP  # Drop all forwarded packets
iptables -P OUTPUT ACCEPT # Accept all outgoing packets

#### INPUT ####
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

#### FORWARDING ####
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT

#### NATing ####
iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE
HTH
 
Old 02-03-2004, 10:14 AM   #9
fataldata
Member
 
Registered: Jun 2002
Location: Breckenridge, Colorado
Distribution: Ubuntu Hardy 8.04
Posts: 101

Rep: Reputation: 15
quote from 1st post
"eth0 is connected to a ADSL modem, so it doesn't come up at boot, uses DHCP IP address, and PPP0 interface."

If your gateway to the internet is through eth0 connected to your adsl modem shouldn't you use eth0 as your default route? I have a dsl connection and my default route for traffic traversing my firewall is the interface attached to the DSL Modem. Below you can see my route table.

[09:09:28][root@host:dir ]$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
 
Old 02-03-2004, 11:13 AM   #10
psyche_4ever
LQ Newbie
 
Registered: Jan 2004
Location: KIGALI-RWANDA
Distribution: Redhat Linux 9
Posts: 16

Rep: Reputation: 0
Hello Avatar,
I'd like to give some help, and I guess it might be useful.
According to the message you posted, you say that your server is configured correctly.
So whether you are sure about your route IP or unsure, do this:
log in as root and on the command line type:
# route [ret]
I am sure with this command you will be able to see something like this:
Destination  Gateway        Genmask        Flags Metric Ref Use Iface
default      192.***.**.*   255.***.***.*  UG    0      0   0   eth0

If you aren't connecting to the Internet with this gateway, then try another one by issuing the following command as root:

# route add default gw 192.***.***.***.* [replace stars with your gateway IP numbers]

And remember you can't use two different gateways at the same time; instead one should be deleted or disabled before you switch to another, by issuing this command as root:

# route del default gw 192.***.***.***.* [replace stars with your gateway IP numbers]

From here, try to ping your gateway. If it is OK, then try pinging your DNS if you have one. If you are not sure where your DNS resides, just issue this command and you will see it, or add it there:

# vi /etc/resolv.conf [ret]

If everything is all right, then try pinging, e.g., www.google.com. If everything is OK then you are ready to go on the Internet. In case things are not working out but you are able to ping all the hosts, then you seem to be behind a proxy and you need to specify it in your favourite web browser; if you are using Mozilla then go to
Edit ---> Preferences ---> Advanced ----> Proxies -----> Select Manual Proxy Configuration.

Dear, try your luck and see if it works, and if it doesn't then you need to consult your Network Administrator; otherwise you might need to go to a Cyber Cafe to surf the net.
Bye.
 
Old 02-03-2004, 01:14 PM   #11
Dewar
Member
 
Registered: Sep 2003
Location: Washington State
Distribution: SuSE 8.0, SuSE 9.0, Slack 9.1
Posts: 90

Rep: Reputation: 15
Here's a possible problem I see here.

Code:
#### FORWARDING ####
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
With the forwarding section you are allowing all forwarded packets that have the destination of 192.168.1.0/24, but not enabling the forwarding of packets that come from 192.168.1.0/24. I think you need to change the -d to a -s

Also, it seems odd to be using ppp0, but if you can ping from your firewall out to the internet, the routing must be working right. Maybe the NAT table needs to be pointed at eth0 instead? That's a complete guess though.

Hope that first bit helps at least
-Dewar
 
Old 02-03-2004, 01:46 PM   #12
fataldata
Member
 
Registered: Jun 2002
Location: Breckenridge, Colorado
Distribution: Ubuntu Hardy 8.04
Posts: 101

Rep: Reputation: 15
Nice catch Dewar I totally missed that one, but I think you're right about the -s/-d issue in the FORWARD table.
 
Old 02-03-2004, 05:21 PM   #13
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
Hey Avatar, I don't know if you got this resolved yet, but here is my firewall startup script, in case it helps you. I see a few discrepancies between ours. This is verbatim so it reflects my small network.

Code:
#!/bin/bash
#
# Stops and starts the firewall definitions for a two-interface router:
# eth0 faces the Internet, eth1 faces the LAN.

firewall_start() {
  echo "Starting Firewall..."

  # Ignore all ICMP echo requests (note: this also silences pings from the LAN).
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  # Reverse-path filtering on the external interface: drop packets whose
  # source address would not be routed back out through eth0.
  echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter

  EXTERNAL=eth0
  INTERNAL=eth1

  # Policies: nothing reaches the router itself unless allowed below;
  # forwarded traffic is decided by the explicit REJECT at the end of FORWARD.
  iptables -P INPUT DROP
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT

  # Loopback is always allowed.
  iptables -A INPUT -i lo -p all -j ACCEPT
  iptables -A OUTPUT -o lo -p all -j ACCEPT

  # FORWARD: replies to existing flows pass; new flows may start on any
  # interface except the external one. (Older iptables spelled the negation
  # "-i ! $EXTERNAL"; "! -i" is the current form.)
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -m state --state NEW ! -i $EXTERNAL -j ACCEPT
  # Anti-spoofing: RFC 1918 source addresses never legitimately arrive from
  # the Internet. The posted script had 176.16.0.0/12 here, a typo for the
  # 172.16.0.0/12 private block; the 172.16.1.x host addresses below were
  # corrected the same way.
  iptables -A FORWARD -s 10.0.0.0/8 -i $EXTERNAL -j REJECT
  iptables -A FORWARD -s 172.16.0.0/12 -i $EXTERNAL -j REJECT
  iptables -A FORWARD -s 192.168.0.0/16 -i $EXTERNAL -j REJECT
  # Port-forwarded services (seen here after PREROUTING has rewritten the
  # destination): ssh to 172.16.1.2 from anywhere, VNC to 172.16.1.3 from
  # one remote host only.
  iptables -A FORWARD -p tcp -d 172.16.1.2 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -p tcp -d 172.16.1.3 -s 216.76.29.66 --dport 5900:5910 -m state --state NEW,ESTABLISHED -j ACCEPT
#  iptables -A FORWARD -p tcp -d 172.16.1.2 -s 149.149.0.0/16 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
#  iptables -A FORWARD -p tcp -d 172.16.1.2 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
  # Anything else that would be forwarded is rejected explicitly.
  iptables -A FORWARD -j REJECT

  # NAT: masquerade LAN traffic leaving eth0, and redirect inbound VNC/ssh
  # to the internal hosts.
  iptables -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
  iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 5900 -j DNAT --to-destination 172.16.1.3
  iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 22 -j DNAT --to-destination 172.16.1.2
#  iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 21 -j DNAT --to-destination 172.16.1.2
#  iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 80 -j DNAT --to-destination 172.16.1.2

  # INPUT: replies, then new connections from any non-external interface.
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -m state --state NEW ! -i $EXTERNAL -j ACCEPT
  iptables -A INPUT -i $INTERNAL -j ACCEPT
  iptables -A INPUT -j REJECT

  iptables -A OUTPUT -j ACCEPT
}

firewall_stop()  {
  echo "Disabling Firewall..."
  # Flushing alone leaves the DROP policy on INPUT in place, which would shut
  # out every connection once the rules are gone; reset the policies first.
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -t filter --flush
  iptables -t filter --delete-chain
  iptables -t nat --flush
  iptables -t nat --delete-chain
  echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
}

firewall_restart()  {
  firewall_stop
  sleep 1
  firewall_start
}

case "$1" in
'start')
  firewall_start
  ;;
'stop')
  firewall_stop
  ;;
'restart')
  firewall_restart
  ;;
*)
  echo "usage $0 start|stop|restart"
esac
Yeah, sorry. Never was good at putting comments.... This is from my slack 9.1 router. Hope this helps you buddy!

Last edited by benjithegreat98; 02-03-2004 at 05:24 PM.
 
Old 02-11-2004, 08:47 PM   #14
Avatar
Member
 
Registered: May 2001
Location: Canada
Distribution: old ones
Posts: 555

Original Poster
Rep: Reputation: 33
Quote:
Originally posted by Dewar
Here's a possible problem I see here.

Code:
#### FORWARDING ####
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
With the forwarding section you are allowing all forwarded packets that have the destination of 192.168.1.0/24, but not enabling the forwarding of packets that come from 192.168.1.0/24. I think you need to change the -d to a -s

Also, it seems odd to be using ppp0, but if you can ping from your firewall out to the internet, the routing must be working right. Maybe the NAT table needs to be pointed at eth0 instead? That's a complete guess though.

Hope that first bit helps at least
-Dewar
Dewar, you are correct. My iptables forward now looks like this:
Code:
#### FORWARDING ####
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
and everything seems to be working great now. I know this iptables firewall isn't the greatest, but at least my users can access the Internet perfectly. (Note: the content filtering and proxy options of MNF do NOT work).
Also, the NAT table is correct to use PPP0, at least for me.
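Pulling the thread together, here is an added example script (written for this page, not something any of the posters above provided) that turns the four steps from post #6 plus the FORWARD fix from posts #11 and #14 into one file for the original poster's layout: LAN on eth1 as 192.168.1.0/24, Internet on ppp0. It also covers two points the thread only brushed against: post #2's warning that clearing rules can cut you off (a bare flush keeps a DROP policy in place), and the fact that matching on "-s 192.168.1.0/24" alone says nothing about which interface a packet arrived on, so the rules below match on interface as well. The interface names, the LAN prefix, the DRY_RUN switch and the "run" helper are assumptions of this example; change them to fit the box.

```shell
#!/bin/sh
# Added example, not code from the thread: a stateful NAT gateway for the
# layout in the first post (LAN on eth1 = 192.168.1.0/24, Internet on ppp0).
# Interface names, the LAN prefix and the DRY_RUN/run helper are assumptions.
# DRY_RUN=1 prints every command instead of running it, so the rule set can be
# reviewed (or tested) on a machine without root or iptables.

LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-ppp0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DRY_RUN="${DRY_RUN:-}"

run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Step 2 of post #6: without ip_forward=1 the kernel never passes packets from
# eth1 to ppp0, whatever the FORWARD chain says. rp_filter drops packets that
# arrive on an interface through which their source address is not routed.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=1
}

# Return to a permissive, rule-less state. A bare "iptables -F" keeps whatever
# policies were set; with INPUT at DROP that shuts every session out, so the
# policies are reset to ACCEPT before the chains are emptied.
fw_open() {
    run iptables -P INPUT ACCEPT
    run iptables -P FORWARD ACCEPT
    run iptables -P OUTPUT ACCEPT
    run iptables -F
    run iptables -X
    run iptables -t nat -F
    run iptables -t nat -X
}

fw_start() {
    fw_open                 # known starting state; running "start" twice adds no duplicates
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # INPUT: loopback, replies to the gateway's own connections, and LAN hosts.
    # Matching on the interface as well as the address keeps a packet that
    # arrives on ppp0 with a forged 192.168.1.x source from qualifying.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DHCP discovers carry source 0.0.0.0, so the DHCP server needs a port rule.
    run iptables -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # FORWARD: RFC 1918 sources never legitimately arrive from the Internet.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        run iptables -A FORWARD -i "$WAN_IF" -s "$net" -j DROP
    done
    # Replies pass in both directions; NEW flows only from the LAN towards the
    # Internet. This is the rule post #8 lacked: "-d 192.168.1.0/24" only ever
    # matched traffic heading back to the LAN, so no LAN host could open a flow.
    # Internet-originated NEW flows fall through to the DROP policy.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT

    # Step 4 of post #6: rewrite LAN sources to ppp0's dynamic address.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

case "${1:-}" in
    start) enable_forwarding; fw_start ;;
    stop)  fw_open ;;
    '')    ;;               # no verb: only define the functions
    *)     echo "usage: $0 start|stop" ;;
esac
```

Run it as root with the verb "start" to apply the rules, "stop" to fall back to an open, rule-less state; prefix the command with DRY_RUN=1 to see exactly which iptables and sysctl commands would be issued without touching the kernel. Because the state rule is the only thing that lets replies back in, a quick sanity check after "start" is that a LAN host can open a TCP connection outward while an unsolicited connection from the ppp0 side to a LAN address is dropped.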
 
Old 02-11-2004, 08:50 PM   #15
Avatar
Member
 
Registered: May 2001
Location: Canada
Distribution: old ones
Posts: 555

Original Poster
Rep: Reputation: 33
psyche, dewar, benji, fatal: Thank you all for your assistance. My problem is resolved now. It is the selfless community of Linux users that makes up the greatest amount of my satisfaction with this operating system; I always know that if something doesn't work... someone will help me fix it!!
 
  

