
Re: Debian gateway problem



On Thu, 26 Dec 2013 20:41:24 +1300
Richard Hector <richard@walnut.gen.nz> wrote:

> On 26/12/13 18:27, mett wrote:
> > Hi,
> > 
> > I'm using a debian box as a router and multiserver between my LAN
> > and the internet.
> > 
> > Everything was working fine till yesterday when I put the box down
> > for upgrading memory, for a few hours.
> > 
> > Right now, the external interface of the gateway is fully accessible
> > from the net, and I do not have any problem with the different
> > services I am providing to the outside(mail, webserver. and dns for
> > the web servers).
> > 
> > The problem is on the LAN side, I can access some sites but not all
> > the sites as I used to do.
> > 
> > For example, I can access the "Start page" search engine but not
> > "Duckduckgo".
> 
> That's really strange.
> 
> 
> > iptables -A FORWARD -i ppp0 -o eth0 -m state --state
> > ESTABLISHED,RELATED -j ACCEPT
> 
> I assume that's really on one line?
Yes
> 
> 
> > # Don't forward from the outside to the inside.
> > iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
> 
> That looks like outside to outside - you probably want "-i ppp0 -o
> eth0"
> 
> Beyond that, I have no idea, sorry.
> 
> I'd be testing with tcpdump, as you have been. Possibly confirm that
> the IP addresses you're getting from DNS inside and on the gateway
> are the same?
> 
> Also perhaps try removing everything unrelated to the masquerading bit
> from your script and see if that works, then add bits back in?
> 
> I also generally use a policy DROP rule (iptables -P INPUT DROP),
> which I specify at the top of the file, rather than dropping through
> to a DROP/REJECT rule at the end. That shouldn't make any difference,
> though.
> 
> Richard
> 
> 

Hi,

It seems I had many problems in fact...
I couldn't check everything yet, but now it's working.

I did a few dirty things like deleting all the rules one by one,
because even when moving the script somewhere else, it still acted
when I restarted the interfaces.

Finally I cleaned the original script,
going one rule at a time.
------------------------------------------------------------------------
#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

#log udp port 5060
iptables -A INPUT -i ppp0 -p udp --dport 5060 -j LOG --log-level debug

#asterisk
iptables -A INPUT -i ppp0 -p udp --dport 5060 -j ACCEPT

#tor
iptables -A INPUT -i ppp0 -p tcp --dport 9001 -j ACCEPT

#postfix
iptables -A INPUT -i ppp0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 587 -j ACCEPT

#dovecot
iptables -A INPUT -i ppp0 -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 995 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 993 -j ACCEPT

#apache
iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 443 -j ACCEPT

#maradns
iptables -A INPUT -i ppp0 -p udp --dport 53 -j ACCEPT


# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i ppp0 -o eth0 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

------------------------------------------------------------------------ 
I realized that if I use the following rule at the beginning,
even with the POSTROUTING at the end, then it doesn't work.

[iptables -t nat -F]

Also, this one doesn't get accepted by iptables:

iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT

It's deprecated and you have to put it before the option,
which I tried, but the result scared me with words like
nontracked, raw and similar.

I thought the ! was for "Not this one".

Anyway, I deleted this rule and changed the one with ppp0 to ppp0
for ppp0 to eth0.
I thought ppp0 to ppp0 made sense, like "don't forward via this
interface". Only INPUT to OUTPUT.

I'll have to check the whole thing more seriously, because I was planning to
drop, as you advised, all the non-accepted ones in the INPUT chain,
before the masquerade problem happened.
 
Thanks for your comment.
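
A hardened version of the gateway script, as an added example that is not part of the original mail or the poster's script: it flushes the nat table as well as filter (a plain "iptables -F" leaves the old MASQUERADE rule behind), sets default-deny policies as Richard suggested, uses the current negation syntax ("! -i ppp0" rather than "-i ! ppp0"), and logs what it drops so probes show up in the kernel log. Interface names ppp0/eth0 and the exposed ports are taken from the script above; the DRY_RUN switch is an assumption added here so the commands can be printed without loading them.

```shell
#!/bin/sh
# Hardened gateway ruleset (added example, not the poster's script).
# Interfaces follow the thread: ppp0 is the WAN side, eth0 the LAN side.
# DRY_RUN=1 (an assumption added here) prints each command instead of running it.
WAN="${WAN:-ppp0}"
LAN="${LAN:-eth0}"
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$@"; else "$@"; fi
}

# 'iptables -F' only flushes the filter table, so a stale MASQUERADE rule in
# nat survives it; flush every table, then default-deny as Richard suggested.
reset_tables() {
    for t in filter nat mangle; do
        run iptables -t "$t" -F
        run iptables -t "$t" -X
    done
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
}

# Services the thread exposes on the WAN; anything else is logged (rate-limited)
# and then dropped by the policy instead of being accepted by default.
host_rules() {
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Negation goes before the option ('! -i'), not before its value ('-i !').
    run iptables -A INPUT -m conntrack --ctstate NEW ! -i "$WAN" -j ACCEPT
    for p in 25 587 110 995 143 993 80 443 9001; do
        run iptables -A INPUT -i "$WAN" -p tcp --dport "$p" -j ACCEPT
    done
    for p in 53 5060; do
        run iptables -A INPUT -i "$WAN" -p udp --dport "$p" -j ACCEPT
    done
    run iptables -A INPUT -i "$WAN" -m limit --limit 5/min -j LOG --log-prefix "GW-IN-DROP: "
}

# LAN may initiate to the WAN; the WAN only gets replies back in, never new flows.
forward_rules() {
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -m limit --limit 5/min -j LOG --log-prefix "GW-FWD-DROP: "
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    run sysctl -q -w net.ipv4.ip_forward=1
}

apply_all() { reset_tables; host_rules; forward_rules; }
case "${1:-}" in apply) apply_all ;; esac
```

Run it as "sh gateway.sh apply" as root to load the rules, or "DRY_RUN=1 sh gateway.sh apply" to review the exact commands first.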

