Network problems with DHCP and/or iptables...
Hi!
I'm having problems with DHCP and/or iptables on my NAT-machine. Sorry for
the lengthy mail, but I tried to describe every step on the way as
accurately as possible. If you have any idea about what's wrong, please
reply (and CC me as I'm not subscribing to debian-user) or e-mail me
privately.
I can only obtain one IP address from my cable ISP (via DHCP) and therefore
need to use NAT to be able to use both of my computers. For most of the time
this setup works ok, but a few times (2 or 3) a day something stops
working.
Normally I can ping my ISP's DNS at 10.0.0.1 or any other host on the net,
but when a hang occurs I can't ping any address. At first I thought that the
DHCP-client I ran (dhcpcd 1.3.17pl2-8) was to blame because the problems
vanished if I restarted dhcpcd together with ipmasq 3.5.10 in /etc/init.d.
Since dhcpcd was marked obsolete in testing I tried upgrading to/installing
dhcp-client 3.0+3.0.1rc9-2. The problems didn't stop though.
So I sniffed (using tethereal 0.9.4-1) my network connection when a hang
occurred. I couldn't see anything unusual in the log up until the hang. After
the hang I noticed that my ping attempts didn't receive any ICMP replies as
expected when a ping fails.
Since I was running a 2.4.17 kernel with netfilter and used iptables
1.2.6a-5 and ipmasq I suspected that my netfilter rules might block incoming
packets before tethereal (or any other program like ping) sees them, so I
disabled ipmasq and set up my own netfilter rules with the commands below
(eth0 is the external NIC, while eth1 is the internal one, configured
statically with 192.168.1.1 as its address):
iptables -t filter -F INPUT
iptables -t filter -F OUTPUT
iptables -t filter -F FORWARD
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t filter -A INPUT -j ACCEPT
iptables -t filter -A OUTPUT -j ACCEPT
iptables -t filter -A FORWARD -j ACCEPT -i eth1 -o eth0 -s 192.168.1.0/24
iptables -t filter -A FORWARD -j ACCEPT -i eth0 -o eth1 -d 192.168.1.0/24
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -t nat -F OUTPUT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE -s 192.168.1.0/24
iptables -t mangle -F PREROUTING
iptables -t mangle -F OUTPUT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
These rules, as far as I understand, open up and allow any packet to be
accepted, contrary to the ipmasq rules. This didn't eliminate the hangs
either.
At the time I was running kernel 2.4.17 so I compiled a 2.4.18 kernel which
didn't solve the problem. I tried compiling a 2.4.19-rc1 kernel (which I'm
running now) because of the netfilter and 8139too updates but I still
couldn't make the problems go away.
A few minutes ago the same ping problems occurred. I tried plugging in a
Windows machine using DHCP, which worked instantly. When I replugged my Linux
machine it still couldn't ping my ISP's DNS (or any other host), so I suppose
I can't blame my ISP (though I would like to :-) ). I noted though that the
LED on the cable-modem didn't light up when tethereal reported that a packet
was sent. Since the cable-modem works most of the time I don't think the
modem is the source of the problems.
I can't figure out if the problem is in dhcp-client, ipmasq, iptables,
netfilter or my NIC-driver. Everything seems correctly configured and it has
worked for the last 9 months apart from the last two weeks though.
Are there any debug options that might be appropriate to set? Does anyone
have an idea about what might be wrong?
/ Sebastian Rasmussen
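Added example, not part of Sebastian's mail or of any Debian package: a small Python auditor that parses the iptables commands quoted above into per-table, per-chain policies and rules, reports what the resulting rule set lets in (the mail's rules deliberately accept everything, which is fine for a test but leaves the router's own services open on the cable side), and runs the same checks against a stateful variant of the NAT setup. The interface names eth0/eth1 and the 192.168.1.0/24 subnet are taken from the mail; the hardened rule set, including the rule that lets DHCP replies in on eth0, is an assumption of this example.

```python
"""Added example, not from the mail: parse iptables commands into a per-chain
model and audit what the result lets in. Interface names are from the mail."""
import shlex
from collections import defaultdict

# Sample input: the rule set quoted in the mail, verbatim.
RULES_FROM_POST = """
iptables -t filter -F INPUT
iptables -t filter -F OUTPUT
iptables -t filter -F FORWARD
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t filter -A INPUT -j ACCEPT
iptables -t filter -A OUTPUT -j ACCEPT
iptables -t filter -A FORWARD -j ACCEPT -i eth1 -o eth0 -s 192.168.1.0/24
iptables -t filter -A FORWARD -j ACCEPT -i eth0 -o eth1 -d 192.168.1.0/24
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -t nat -F OUTPUT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE -s 192.168.1.0/24
iptables -t mangle -F PREROUTING
iptables -t mangle -F OUTPUT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
"""

# Assumed stateful variant (hypothetical, not the author's rules): the router
# accepts only LAN traffic, DHCP replies on eth0 and return traffic.
HARDENED_RULES = """
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -i eth1 -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p udp --sport 67 --dport 68 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
"""

# Value-taking rule options the parser understands; anything else is an error.
OPTIONS = {"-i": "in", "-o": "out", "-s": "src", "-d": "dst", "-p": "proto",
           "-m": "module", "--state": "state", "--sport": "sport",
           "--dport": "dport", "-j": "target"}


def parse_iptables_script(text):
    """Return {table: {chain: {"policy": str|None, "rules": [dict]}}}."""
    model = defaultdict(lambda: defaultdict(lambda: {"policy": None, "rules": []}))
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if not argv or argv[0] != "iptables":
            raise ValueError("not an iptables command: %r" % line)
        table, i = "filter", 1              # iptables' default table
        if argv[i] == "-t":
            table, i = argv[i + 1], i + 2
        cmd, chain = argv[i], argv[i + 1]
        entry = model[table][chain]
        if cmd == "-F":                     # flush: drop the chain's rules
            entry["rules"].clear()
        elif cmd == "-P":                   # default policy for the chain
            entry["policy"] = argv[i + 2]
        elif cmd == "-A":                   # append a rule: option/value pairs
            rule, j = {}, i + 2
            while j < len(argv):
                if argv[j] not in OPTIONS:
                    raise ValueError("unsupported option %s in %r" % (argv[j], line))
                rule[OPTIONS[argv[j]]] = argv[j + 1]
                j += 2
            entry["rules"].append(rule)
        else:
            raise ValueError("unsupported command %s in %r" % (cmd, line))
    return {t: dict(chains) for t, chains in model.items()}


def audit(model, external="eth0"):
    """Return findings about what the rule set lets in; [] means none."""
    findings = []
    filt = model.get("filter", {})
    inp = filt.get("INPUT", {"policy": None, "rules": []})
    if inp["policy"] == "ACCEPT" or {"target": "ACCEPT"} in inp["rules"]:
        findings.append("filter/INPUT accepts everything: the router's own "
                        "services are reachable from %s" % external)
    for r in filt.get("FORWARD", {"rules": []})["rules"]:
        if r.get("in") == external and r.get("target") == "ACCEPT" and "state" not in r:
            findings.append("filter/FORWARD accepts from %s without a state match; "
                            "use -m state --state ESTABLISHED,RELATED" % external)
    post = model.get("nat", {}).get("POSTROUTING", {"rules": []})
    masq = [r for r in post["rules"] if r.get("target") == "MASQUERADE"]
    if not masq:
        findings.append("nat/POSTROUTING has no MASQUERADE rule: LAN traffic is not translated")
    for r in masq:
        if r.get("out") != external:
            findings.append("nat/POSTROUTING MASQUERADE is not limited to -o %s" % external)
    return findings
```

Running `audit(parse_iptables_script(RULES_FROM_POST))` yields three findings (wide-open INPUT, stateless forwarding from eth0, MASQUERADE not tied to eth0), while the hardened set yields none; neither set explains the hangs in the mail, which the author already showed persist with everything accepted, so the audit is about what the test rules expose, not about the connectivity problem itself.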