
Re: Debian gateway problem



On Thu, Dec 26, 2013 at 5:27 AM, mett <mett@pmars.jp> wrote:
>
> I'm using a debian box as a router and multiserver between my LAN and
> the internet.
>
> Everything was working fine till yesterday when I put the box down for
> upgrading memory, for a few hours.
>
> Right now, the external interface of the gateway is fully accessible
> from the net, and I do not have any problem with the different services
> I am providing to the outside (mail, webserver, and dns for the web
> servers).
>
> The problem is on the LAN side, I can access some sites but not all the
> sites as I used to do.
>
> For example, I can access the "Start page" search engine but not
> "Duckduckgo".
>
> The gateway can access everything, it's the hosts behind the gateway
> that cannot.
>
> I have 2 interfaces on this box:
> eth0 which is used as the LAN interface and
> eth1 which is used as ppp0 with a static IP from my ISP.
>
> # Allow established connections, and those not coming from the outside
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
> iptables -A FORWARD -i ppp0 -o eth0 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
>
> # Allow outgoing connections from the LAN side.
> iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
>
> # Masquerade.
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> # Don't forward from the outside to the inside.
> iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT

1) Add logging to these rules to see which one(s) is(are) blocking your access.

2) "iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT" should
be "iptables -A INPUT -m state --state NEW ! -i ppp0 -j ACCEPT" or
(better since you have two nics) "iptables -A INPUT -m state --state
NEW -i eth0 -j ACCEPT"

3) OT:

A) "# Don't forward from the outside to the inside" and "iptables -A
FORWARD -i ppp0 -o ppp0 -j REJECT" don't correspond.

B) You should add "iptables -A FORWARD -i ppp0 -o eth0 -j REJECT" and
"iptables -A INPUT -i ppp0 -j REJECT" after the line in (A) if your
policy is "ACCEPT".
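A corrected version of the quoted ruleset along the lines of this reply, as an added example that is not from the original thread: the `-i eth0` form for NEW connections, a loopback accept (which `-i eth0` alone no longer covers, unlike the old `! ppp0` match), and rate-limited LOG rules in front of explicit rejects from ppp0 so blocked packets appear in the kernel log. The interface names and the IPT dry-run variable are assumptions.

```shell
#!/bin/sh
# Gateway ruleset rebuilt from the thread's suggestions.
# IPT defaults to iptables; set IPT=echo to preview the rules without
# touching the kernel. Interface names are assumed from the post.
IPT="${IPT:-iptables}"
LAN=eth0
WAN=ppp0

flush() {
    "$IPT" -F
    "$IPT" -t nat -F
}

# Log (rate-limited so a scan cannot fill the disk), then reject.
# The prefix makes the rejecting chain easy to grep in /var/log/kern.log.
log_reject() {
    chain=$1; shift
    "$IPT" -A "$chain" "$@" -m limit --limit 5/min \
        -j LOG --log-prefix "FW-$chain-REJECT: "
    "$IPT" -A "$chain" "$@" -j REJECT
}

apply_rules() {
    # Replies to connections the gateway itself opened.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NEW connections to the gateway only from the LAN nic (and loopback,
    # which the narrower -i eth0 match no longer covers).
    "$IPT" -A INPUT -m state --state NEW -i "$LAN" -j ACCEPT
    "$IPT" -A INPUT -i lo -j ACCEPT
    # Forwarding: LAN -> net freely, net -> LAN only for existing flows.
    "$IPT" -A FORWARD -i "$WAN" -o "$LAN" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # Explicit, logged rejects for anything unsolicited from the outside,
    # so the result does not depend on the chain's default policy.
    log_reject FORWARD -i "$WAN" -o "$LAN"
    log_reject INPUT -i "$WAN"
}

# Preview:  IPT=echo sh gateway.sh apply     Install:  sh gateway.sh apply
if [ "${1:-}" = "apply" ]; then
    flush
    apply_rules
fi
```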

