Re: Debian gateway problem
On Thu, 26 Dec 2013 20:41:24 +1300
Richard Hector <richard@walnut.gen.nz> wrote:
> On 26/12/13 18:27, mett wrote:
> > Hi,
> >
> > I'm using a debian box as a router and multiserver between my LAN
> > and the internet.
> >
> > Everything was working fine till yesterday when I put the box down
> > for upgrading memory, for a few hours.
> >
> > Right now, the external interface of the gateway is fully accessible
> > from the net, and I do not have any problem with the different
> > services I am providing to the outside(mail, webserver. and dns for
> > the web servers).
> >
> > The problem is on the LAN side, I can access some sites but not all
> > the sites as I used to do.
> >
> > For example, I can access the "Start page" search engine but not
> > "Duckduckgo".
>
> That's really strange.
>
>
> > iptables -A FORWARD -i ppp0 -o eth0 -m state --state
> > ESTABLISHED,RELATED -j ACCEPT
>
> I assume that's really on one line?
Yes
>
>
> > # Don't forward from the outside to the inside.
> > iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
>
> That looks like outside to outside - you probably want "-i ppp0 -o
> eth0"
>
> Beyond that, I have no idea, sorry.
>
> I'd be testing with tcpdump, as you have been. Possibly confirm that
> the IP addresses you're getting from DNS inside and on the gateway
> are the same?
>
> Also perhaps try removing everything unrelated to the masquerading bit
> from your script and see if that works, then add bits back in?
>
> I also generally use a policy DROP rule (iptables -P INPUT DROP),
> which I specify at the top of the file, rather than dropping through
> to a DROP/REJECT rule at the end. That shouldn't make any difference,
> though.
>
> Richard
>
>
Hi,
It seems I had many problems in fact...
I couldn't check everything yet, but now it's working.
I did a few dirty things like deleting all the rules one by one,
because even when moving the script somewhere else, it still acted
when I restarted interfaces.
Finally I cleaned the original script,
going one rule at a time.
------------------------------------------------------------------------
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin
#
# delete all existing rules.
#
iptables -F
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
#log udp port 5060
iptables -A INPUT -i ppp0 -p udp --dport 5060 -j LOG --log-level debug
#asterisk
iptables -A INPUT -i ppp0 -p udp --dport 5060 -j ACCEPT
#tor
iptables -A INPUT -i ppp0 -p tcp --dport 9001 -j ACCEPT
#postfix
iptables -A INPUT -i ppp0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 587 -j ACCEPT
#dovecot
iptables -A INPUT -i ppp0 -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 995 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 993 -j ACCEPT
#apache
iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 443 -j ACCEPT
#maradns
iptables -A INPUT -i ppp0 -p udp --dport 53 -j ACCEPT
# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
# Masquerade.
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Don't forward from the outside to the inside.
iptables -A FORWARD -i ppp0 -o eth0 -j REJECT
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
------------------------------------------------------------------------
I realized that if I use the following rule at the beginning,
even with the POSTROUTING at the end, then it doesn't work.
[iptables -t nat -F]
Also, this one doesn't get accepted by iptables:
iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
It's deprecated and you have to put it before the option,
which I tried, but the result scared me with words like
nontracked, raw and similar.
I thought the ! was for "Not this one".
Anyway, I deleted this rule and changed the one with "ppp0 to ppp0"
to "ppp0 to eth0".
I thought it made sense, ppp0 to ppp0, like "don't forward via this
interface". Only INPUT to OUTPUT.
I'll have to check the whole thing more seriously, because I was planning to
drop, as you advised, all the non-accepted ones in the INPUT chain,
before the masquerade problem happened.
Thanks for your comment.
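The following is an added example, not the script posted above and not Richard's: a restructured version of the same gateway ruleset that applies the two points raised in the thread, a default-DROP policy set at the top of INPUT and FORWARD, and the current `! -i ppp0` spelling of the "not from the outside" rule (the negation goes before the option). It also flushes the nat table together with the filter table, which is this example's own design choice so that a MASQUERADE entry from an earlier run cannot linger. The interface names ppp0 and eth0 are taken from the thread; the `IPT=echo` dry-run switch is an assumption of this example so the generated rules can be inspected without root.

```shell
#!/bin/sh
# Added example: gateway firewall with default-deny policies and the
# modern "! -i" negation syntax. Set IPT=echo to print the rules instead
# of applying them (applying needs root and iptables).
IPT="${IPT:-iptables}"
WAN="${WAN:-ppp0}"   # external interface, as in the thread
LAN="${LAN:-eth0}"   # internal interface, as in the thread

gateway_rules() {
    # Reset both tables; "iptables -F" alone leaves the nat table untouched.
    $IPT -F
    $IPT -t nat -F
    # Default-deny first, so anything not explicitly accepted is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback and replies to connections the box itself initiated.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections are fine from any interface except the WAN side.
    # The "!" precedes "-i" (the old "-i ! ppp0" form is rejected).
    $IPT -A INPUT -m state --state NEW ! -i "$WAN" -j ACCEPT
    # Public services reachable from the WAN side (ports from the thread).
    for p in 25 587 110 995 143 993 80 443 9001; do
        $IPT -A INPUT -i "$WAN" -p tcp --dport "$p" -j ACCEPT
    done
    for p in 53 5060; do
        $IPT -A INPUT -i "$WAN" -p udp --dport "$p" -j ACCEPT
    done
    # Forwarding: LAN -> WAN freely; WAN -> LAN only for established flows.
    # Everything else on FORWARD falls through to the DROP policy.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Masquerade LAN traffic behind the dynamic WAN address.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Only touch the live system when explicitly asked: ./gw.sh apply
if [ "${1:-}" = apply ]; then
    gateway_rules
    enable_forwarding
fi
```

Run `IPT=echo sh gw.sh apply` to see the rule list the script would load; because the policies are set before any ACCEPT rule, a typo in one of the service lines closes that port rather than opening the host, which is the practical reason for putting `-P INPUT DROP` at the top instead of relying on a trailing REJECT.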