Old 02-20-2005, 02:15 AM   #1
fuzzyash
Member
 
Registered: Aug 2003
Location: Melbourne Australia
Distribution: Fedora Core 4
Posts: 184

iptables help


Hi all,

I need help configuring my firewall.
I am running a separate box as my server, and accessing sites from there is fine, but when accessing any site from another computer on my network it takes about 15 seconds before anything happens! Once it has made the connection, though, it flies along (cable connection), but it's just that first 15 seconds that has got me stumped. Granted, the server is just an old crappy Duron 800, but that shouldn't matter, especially seeing that access from there is instantaneous.

Anyways, here's my iptables-save output:

[root@<SERVER HOSTNAME> ~]# iptables-save
# Generated by iptables-save v1.2.11 on Sun Feb 20 17:55:53 2005
*mangle
:PREROUTING ACCEPT [23335:1345317]
:INPUT ACCEPT [23249:1334715]
:FORWARD ACCEPT [71:5558]
:OUTPUT ACCEPT [26627:18957948]
:POSTROUTING ACCEPT [26698:18963506]
COMMIT
# Completed on Sun Feb 20 17:55:53 2005
# Generated by iptables-save v1.2.11 on Sun Feb 20 17:55:53 2005
*nat
:PREROUTING DROP [4458:192479]
:POSTROUTING DROP [0:0]
:OUTPUT DROP [0:0]
-A PREROUTING -i lo -j ACCEPT
-A PREROUTING -s 192.168.0.0/255.255.255.0 -i eth1 -j ACCEPT
-A PREROUTING -m limit --limit 1/sec -j LOG --log-prefix "PRER:-> "
-A POSTROUTING -o lo -j ACCEPT
-A POSTROUTING -o eth0 -j SNAT --to-source <SERVER IP NUMBER>
-A POSTROUTING -m limit --limit 1/sec -j LOG --log-prefix "POSTR:-> "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s <SERVER IP NUMBER> -o eth0 -j ACCEPT
-A OUTPUT -m limit --limit 1/sec -j LOG --log-prefix "OUTR:-> "
COMMIT
# Completed on Sun Feb 20 17:55:53 2005
# Generated by iptables-save v1.2.11 on Sun Feb 20 17:55:53 2005
*filter
:INPUT DROP [19:776]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -j DROP
-A INPUT -s 10.0.0.0/255.255.255.0 -i eth0 -j DROP
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -d <SERVER IP NUMBER> -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "INPUT:-> "
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -s 192.168.0.10 -i eth1 -j ACCEPT
-A FORWARD -s 192.168.0.2 -i eth1 -j ACCEPT
-A FORWARD -m limit --limit 1/sec -j LOG --log-prefix "FORWARD:-> "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.168.0.0/255.255.255.0 -o eth1 -j ACCEPT
-A OUTPUT -s <SERVER IP NUMBER> -o eth0 -j ACCEPT
-A OUTPUT -d 192.168.0.0/255.255.255.0 -o eth0 -j DROP
-A OUTPUT -m limit --limit 1/sec -j LOG --log-prefix "OUTPUT:-> "
COMMIT
# Completed on Sun Feb 20 17:55:53 2005

If anyone can see a problem with this config or thinks things could be done a better way, please, I need your help!

Thanks to anyone who takes the time to aid me with this problem.

Ash
 
Old 02-21-2005, 03:26 AM   #2
musicman_ace
Senior Member
 
Registered: May 2001
Location: Indiana
Distribution: Gentoo, Debian, RHEL, Slack
Posts: 1,555

Do a few runs of tracert websitename and see where your packets are getting held up.
 
Old 02-21-2005, 04:21 AM   #3
fuzzyash
Member
 
Registered: Aug 2003
Location: Melbourne Australia
Distribution: Fedora Core 4
Posts: 184

Original Poster
Thanks musicman_ace, but I got it!!

Thanks for your reply musicman_ace but I sorted it about 2 hours after you posted.
It seems that my bloody service provider, "Optusnet" here in Aus, changed their bloody nameserver IPs and didn't bother to inform me. How nice of them; obviously I'm not a valued customer!! (Oh well, we can't expect too much from a phone company now, can we, especially in this country!!)
So anyway, their primary became their secondary and their new primary had a completely different IP; no wonder things were bogging up!!
I wonder how many other Linux users are out there experiencing the exact same thing?

So kiddies, what have we learned today? One should check one's nameserver IPs daily, or, the bigger the business, the less they care for the customer?!? Man, how I wish our governments worked!! ARSEHOLES!!!!!
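The fix above (a resolver that silently stopped answering, producing a delay on every new connection before the fallback server replied) is something you can check routinely rather than discover by accident. As an added example that is not from this thread, the Python script below reads the nameserver lines from a resolv.conf, sends each server one hand-built DNS query over UDP, and reports which servers answer within a timeout. The function names, the constructed resolv.conf text and the use of example.com as the probe name are all assumptions.

```python
"""Probe every nameserver in a resolv.conf for a timely answer (added example)."""
import socket
import struct
import time

def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def build_query(name, txid=0x1234):
    """Build a minimal DNS A query (recursion desired) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, flags, QD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def response_ok(query, reply):
    """True if `reply` matches `query`'s id, is a response (QR set) and RCODE is 0."""
    if len(reply) < 12:
        return False
    txid, flags = struct.unpack("!HH", reply[:4])
    return (txid == struct.unpack("!H", query[:2])[0]
            and bool(flags & 0x8000) and (flags & 0x000F) == 0)

def probe(server, name="example.com", timeout=2.0):
    """Send one query to an IPv4 nameserver; return (answered, seconds_waited)."""
    q = build_query(name)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    start = time.monotonic()
    try:
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(512)
        return response_ok(q, data), time.monotonic() - start
    except (socket.timeout, OSError):  # dead server, or no route at all
        return False, time.monotonic() - start
    finally:
        s.close()

def check_nameservers(text, name="example.com", timeout=2.0):
    """Probe each configured server; a False entry is the kind of delay seen above."""
    return [(ns, *probe(ns, name, timeout)) for ns in parse_resolv_conf(text)]

SAMPLE_RESOLV_CONF = "# constructed sample, not a real config\nnameserver 192.0.2.1\nnameserver 192.0.2.2\n"

if __name__ == "__main__":
    for ns, ok, waited in check_nameservers(open("/etc/resolv.conf").read()):
        print(f"{ns}: {'answered' if ok else 'NO ANSWER'} after {waited:.1f}s")
```

Run it against the live /etc/resolv.conf from cron; a server that times out while a later one answers is exactly the silent delay described in this thread.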