
Re: Debian gateway problem



The only time I've seen this it was bad subnet / netmask configuration(s).

But it's working, so hey, good job ;-)

On Fri, 27 Dec 2013 01:26:12 +0900, mett wrote:

> On Thu, 26 Dec 2013 20:41:24 +1300 Richard Hector
> <richard@walnut.gen.nz> wrote:
> 
>> On 26/12/13 18:27, mett wrote:
>> > Hi,
>> > 
>> > I'm using a debian box as a router and multiserver between my LAN and
>> > the internet.
>> > 
>> > Everything was working fine till yesterday when I put the box down
>> > for upgrading memory, for a few hours.
>> > 
>> > Right now, the external interface of the gateway is fully accessible
>> > from the net, and I do not have any problem with the different
>> > services I am providing to the outside (mail, webserver, and dns for
>> > the web servers).
>> > 
>> > The problem is on the LAN side, I can access some sites but not all
>> > the sites as I used to do.
>> > 
>> > For example, I can access the "Start page" search engine but not
>> > "Duckduckgo".
>> 
>> That's really strange.
>> 
>> 
>> > iptables -A FORWARD -i ppp0 -o eth0 -m state --state
>> > ESTABLISHED,RELATED -j ACCEPT
>> 
>> I assume that's really on one line?
> Yes
>> 
>> 
>> > # Don't forward from the outside to the inside.
>> > iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
>> 
>> That looks like outside to outside - you probably want "-i ppp0 -o
>> eth0"
>> 
>> Beyond that, I have no idea, sorry.
>> 
>> I'd be testing with tcpdump, as you have been. Possibly confirm that
>> the IP addresses you're getting from DNS inside and on the gateway are
>> the same?
>> 
>> Also perhaps try removing everything unrelated to the masquerading bit
>> from your script and see if that works, then add bits back in?
>> 
>> I also generally use a policy DROP rule (iptables -P INPUT DROP), which
>> I specify at the top of the file, rather than dropping through to a
>> DROP/REJECT rule at the end. That shouldn't make any difference,
>> though.
>> 
>> Richard
>> 
>> 
>> 
> Hi,
> 
> It seems I had many problems in fact...
> I couldn't check everything yet but now it's working
> 
> I did few dirty things like deleting all the rules one by one because
> even when moving the script somewhere else, it still acted when I
> restarted interfaces.
> 
> Finally I cleaned the original script,
> going one rule at a time.
> ------------------------------------------------------------------------
> #!/bin/sh
> 
> PATH=/usr/sbin:/sbin:/bin:/usr/bin
> 
> #
> # delete all existing rules.
> #
> iptables -F
> 
> # Always accept loopback traffic
> iptables -A INPUT -i lo -j ACCEPT
> 
> #log udp port 5060
> iptables -A INPUT -i ppp0 -p udp --dport 5060 -j LOG --log-level debug
> 
> #asterisk
> iptables -A INPUT -i ppp0 -p udp --dport 5060 -j ACCEPT
> 
> #tor
> iptables -A INPUT -i ppp0 -p tcp --dport 9001 -j ACCEPT
> 
> #postfix
> iptables -A INPUT -i ppp0 -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 587 -j ACCEPT
> 
> #dovecot
> iptables -A INPUT -i ppp0 -p tcp --dport 110 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 995 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 143 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 993 -j ACCEPT
> 
> #apache
> iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 443 -j ACCEPT
> 
> #maradns
> iptables -A INPUT -i ppp0 -p udp --dport 53 -j ACCEPT
> 
> 
> # Allow established connections, and those not coming from the outside
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # Allow outgoing connections from the LAN side.
> iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
> 
> # Masquerade.
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> 
> # Don't forward from the outside to the inside.
> iptables -A FORWARD -i ppp0 -o eth0 -j REJECT
> 
> # Enable routing.
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> ------------------------------------------------------------------------
> I realized that if I use the following rules at the beginning,
> even with the POSTROUTING at the end, then it doesn't work.
> 
> [iptables -t nat -F]
> 
> Also, this one doesn't get accepted by iptables
> 
> iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
> 
> It's deprecated and you have to put it before the option,
> which I tried but the result scared me with words like nontracked, raw
> and similar.
> 
> I thought the ! was for "Not this one".
> 
> Anyway, I deleted this rule and changed the one with ppp0 to ppp0 for
> ppp0 to eth0.
> I thought it made sense ppp0 to ppp0 like "don't forward via this
> interface". Only INPUT to OUTPUT.
> 
> I'll have to check the whole more seriously cause I was planning to
> drop, as you advised, all the non-accepted ones in the INPUT chain,
> before the masquerade problem happened.
>  
> Thanks for your comment.
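The posted script rewritten in the shape Richard's advice points to, as an added example (not the poster's script or anything from the list): DROP policies set before any rule, the nat table flushed along with filter, the negated-interface rule in the syntax current iptables accepts, and no trailing REJECT. It assumes the thread's interface names (ppp0 towards the Internet, eth0 for the LAN) and exposed ports; IPT, WAN, LAN, apply_firewall and count_rules are names introduced here.

```shell
#!/bin/sh
# Added example, not the poster's script: default-DROP policies set before
# any rule, both tables flushed, the "!" placed before the option it negates.
# Assumes the thread's interfaces (ppp0 = Internet, eth0 = LAN) and ports.
IPT=${IPT:-iptables}
WAN=${WAN:-ppp0}
LAN=${LAN:-eth0}

apply_firewall() {
    # "iptables -F" only flushes the filter table; flush nat too so a stale
    # MASQUERADE rule cannot survive a reload.
    $IPT -F
    $IPT -t nat -F
    # Policies first: anything not accepted below is dropped, so a missing
    # rule fails closed and no trailing REJECT rule is needed.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    # conntrack is the current spelling of the thread's "-m state --state".
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # The rule iptables rejected in the thread, with "!" before "-i".
    $IPT -A INPUT ! -i "$WAN" -m conntrack --ctstate NEW -j ACCEPT

    # Services reachable from the Internet (same ports as the posted script).
    for port in 25 587 110 995 143 993 80 443 9001; do
        $IPT -A INPUT -i "$WAN" -p tcp --dport "$port" -j ACCEPT
    done
    $IPT -A INPUT -i "$WAN" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p udp --dport 5060 -j ACCEPT

    # LAN may open connections outward; the Internet may only send replies.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Number of rules the rule set adds to a chain, taken from a dry run.
count_rules() {
    (IPT=echo; apply_firewall) | grep -c -- "-A $1 "
}

if [ "${1:-}" = "apply" ]; then
    apply_firewall
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
```

Run it as `./firewall.sh apply` on the router; with `IPT=echo` it prints the rules instead of loading them, which is the easiest way to review the order before touching the live tables.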


