Slackware router problem
I set up a slackware box a couple of years ago to be a router in my house. It does that and zoneminder and that's pretty much it.
Today the power went out and the UPS could only keep this machine up for about 45 mins before it ran out of power. When the power came back up I turned on the slackware box and it booted normally. Everything started up fine but one problem. I have 4 other machines in the house that connect to the internet. None of them will pull up a web page. They will however ping and resolve anything on the outside world without a problem. My slackware box will load websites without a problem but anything on the internal network will not bring up a web page even though all of it can talk to the outside world. I know the problem is with this slackware box routing the web pages because my laptop and phone will both connect to my neighbor's internet and work fine. I've searched the internet for the past 6 hours with no luck. I'm running slackware 13 and it's your basic dnsmasq setup with two lan cards: eth0 going to the cable modem and eth1 going to my switch.
You say you searched online for 6 hours... but for what exactly? You haven't given us a lot of details to work with here.
Is dnsmasq starting? Is the machine still giving out valid DHCP leases? How were you handling routing? What does your iptables configuration look like currently (iptables -L), etc, etc.
Sorry, going into hour 30 of being awake. It's been one of those days.
iptables -L gives me this
Code:
Chain INPUT (policy DROP)
I'm not exactly sure how it's routing traffic to be honest so I'm not sure what to look for.
If you can ping from inside your network, from other Windows computers behind the firewall, then the most likely problem is a DNS resolution problem.
After that, you should check your iptables rules, especially anything related to HTTP.
>> DROP all -- anywhere ALL-SYSTEMS.MCAST.NET
>> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Add NEW into the above section, test it out.
It didn't change the behavior.
I was able to rule out a DNS problem by pinging www.google.com from one of my internal machines. It resolved the IP address and pinged it.
The most likely problem is with your iptables. Check your iptables nat section; I presume that you are running it as a proxy server.
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to xxx.xxx.xxx.xxx (if you have a real fixed internet IP)
Or
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE (dynamic IP address)
When you type route -n on the command line, you should see your internet IP address as the default gateway, with 0.0.0.0 in front of this default gateway. Check your /etc/hosts.allow file; make sure it allows outbound traffic: ALL:192.168.1.0/24
I get this error when I try the last line there.
Code:
iptables v1.4.3.2: Couldn't load target `MANGLE_PREROUTING':/usr/libexec/xtables/libipt_MANGLE_PREROUTING.so: cannot open shared object file: No such file or directory
Oops, that MANGLE_PREROUTING is a custom chain in my firewall; you don't actually need anything from the iptables -t mangle chain. Just the iptables -t nat chain for masquerading the IP address.
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to xxx.xxx.xxx.xxx (if you have a real fixed internet IP)
Or
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE (dynamic IP address)
And of course, your /etc/rc.d/ip_forward file is executable.
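The POSTROUTING rule above only rewrites the source address; a LAN host still needs FORWARD rules that let its new connections out and the replies back in. The script below is an added example (not posted by anyone in this thread) of the smallest stateful ruleset that does both, using the interface names and 192.168.1.0/24 network from the thread. It assumes eth0 is the cable-modem side and eth1 the switch side, and runs iptables directly unless DRY_RUN=1 is set, in which case it prints the commands it would run.

```shell
#!/bin/sh
# Minimal stateful NAT router ruleset (added example, not from the thread).
# Assumed layout: eth0 faces the cable modem, eth1 faces the LAN switch,
# LAN is 192.168.1.0/24. Set DRY_RUN=1 to print the rules instead of applying.

WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# ipt: run one iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# nat_rules: flush both tables and load the complete ruleset.
nat_rules() {
    # Start from empty tables so stale rules from an old restore cannot interfere.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback and the LAN side may talk to the router itself (dnsmasq, samba, zoneminder).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    # Replies to connections the router itself opened (its own DNS lookups, updates).
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Forwarding: replies in both directions first, then NEW only from LAN to WAN.
    # Without the RELATED,ESTABLISHED line the later ACK/FIN packets of a web
    # session hit the DROP policy even though the first SYN was forwarded.
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # Source NAT for a dynamic WAN address (use -j SNAT --to <addr> for a fixed one).
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# enable_forwarding: the kernel switch that /etc/rc.d/ip_forward normally flips.
enable_forwarding() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# count_rules PATTERN: how many emitted rules mention PATTERN (dry run only).
count_rules() {
    ( DRY_RUN=1; nat_rules ) | grep -c -- "$1"
}

# Apply only when explicitly asked: ./nat.sh apply
if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    nat_rules
fi
```

Run it with DRY_RUN=1 first and compare the printed commands with `iptables -L -v` and `iptables -t nat -L -v` on the box; the one rule most often missing after a restore from an old backup is the FORWARD RELATED,ESTABLISHED line, and the `-v` counters show whether it is being hit at all.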
I understand and it's no problem.
I noticed something strange when I did a route -n. eth0, which is my ethernet card that my cable modem is plugged into, is listed twice. The first time it's listed it is as you've described. The second time it's listed like this.
Code:
0.0.0.0         97.81.208.1     0.0.0.0         UG    0      0        0 eth0
Your route -n should look like the below:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
97.81.208.1     0.0.0.0         255.255.255.255 U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         97.81.208.1     0.0.0.0         UG    0      0        0 eth0
You should make sure your lo is up too. Anyway, check out your iptables rules, especially for the HTTP protocol on both interfaces eth1 and lo; allow them in the INPUT, OUTPUT and FORWARD chains of your iptables. Rarely, your NIC has gone bad, but it can happen.
I found a backup from 6 months ago I did of all the scripts and whatnot on this machine. I did an iptables-restore with the file it generated back then and still no luck. That backup was taken when this used to work.
You can simplify your iptables rules, make the INPUT, OUTPUT and FORWARD chains open, and rule out the problem line by line.
In the worst case, you have to recompile your kernel.
Have you tried to repair the connections from the other machines? I know that it can be easy to overlook the obvious sometimes. At least for me it is. Anytime I lose power and have my NAT shut down I have to repair the connections on all computers even though the network settings remain the same.
Another thing to consider is the nameserver listed in resolv.conf. That should be the one that is forwarded by dnsmasq for DNS to the network.
First thing I tried. I know the machines are working fine because they will log into this slackware box. I have a samba share set up to share some files between all the computers in the house. I can also bring up the zoneminder web page and see my cameras. All my machines will resolve IP addresses on the internal network. I've spent the past few hours systematically changing rules in the iptables to accept with no luck. I did a dmesg while I tried to go to google. This is what I get.
Code:
fp=bad_packets:1 a=DROP IN=eth1 OUT=eth0 SRC=192.168.1.254 DST=74.125.159.147 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=3125 DF PROTO=TCP SPT=1117 DPT=443 WINDOW=16445 RES=0x00 ACK FIN URGP=0
Try recompiling your kernel, and make sure you check out all router options and iptables modules. I would use the smp-large build scripts, then double check the advanced router options.
You may have corrupted module files, or missing files.