The only time I've seen this, it was bad subnet / netmask configuration(s). But it's working, so hey, good job ;-)
On Fri, 27 Dec 2013 01:26:12 +0900, mett wrote:

> On Thu, 26 Dec 2013 20:41:24 +1300 Richard Hector <rich...@walnut.gen.nz> wrote:
>
>> On 26/12/13 18:27, mett wrote:
>> > Hi,
>> >
>> > I'm using a debian box as a router and multiserver between my LAN and
>> > the internet.
>> >
>> > Everything was working fine till yesterday when I put the box down
>> > for upgrading memory, for a few hours.
>> >
>> > Right now, the external interface of the gateway is fully accessible
>> > from the net, and I do not have any problem with the different
>> > services I am providing to the outside (mail, webserver, and dns for
>> > the web servers).
>> >
>> > The problem is on the LAN side, I can access some sites but not all
>> > the sites as I used to do.
>> >
>> > For example, I can access the "Start page" search engine but not
>> > "Duckduckgo".
>>
>> That's really strange.
>>
>> > iptables -A FORWARD -i ppp0 -o eth0 -m state --state
>> > ESTABLISHED,RELATED -j ACCEPT
>>
>> I assume that's really on one line?
>
> Yes
>
>> > # Don't forward from the outside to the inside.
>> > iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
>>
>> That looks like outside to outside - you probably want "-i ppp0 -o
>> eth0"
>>
>> Beyond that, I have no idea, sorry.
>>
>> I'd be testing with tcpdump, as you have been. Possibly confirm that
>> the IP addresses you're getting from DNS inside and on the gateway are
>> the same?
>>
>> Also perhaps try removing everything unrelated to the masquerading bit
>> from your script and see if that works, then add bits back in?
>>
>> I also generally use a policy DROP rule (iptables -P INPUT DROP), which
>> I specify at the top of the file, rather than dropping through to a
>> DROP/REJECT rule at the end. That shouldn't make any difference,
>> though.
>>
>> Richard
>
> Hi,
>
> It seems I had many problems in fact...
> I couldn't check everything yet but now it's working.
>
> I did a few dirty things like deleting all the rules one by one because
> even when moving the script somewhere else, it still acted when I
> restarted interfaces.
>
> Finally I cleaned the original script,
> going one rule at a time.
> ------------------------------------------------------------------------
> #!/bin/sh
>
> PATH=/usr/sbin:/sbin:/bin:/usr/bin
>
> #
> # delete all existing rules.
> #
> iptables -F
>
> # Always accept loopback traffic
> iptables -A INPUT -i lo -j ACCEPT
>
> #log udp port 5060
> iptables -A INPUT -i ppp0 -p udp --dport 5060 -j LOG --log-level debug
>
> #asterisk
> iptables -A INPUT -i ppp0 -p udp --dport 5060 -j ACCEPT
>
> #tor
> iptables -A INPUT -i ppp0 -p tcp --dport 9001 -j ACCEPT
>
> #postfix
> iptables -A INPUT -i ppp0 -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 587 -j ACCEPT
>
> #dovecot
> iptables -A INPUT -i ppp0 -p tcp --dport 110 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 995 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 143 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 993 -j ACCEPT
>
> #apache
> iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 443 -j ACCEPT
>
> #maradns
> iptables -A INPUT -i ppp0 -p udp --dport 53 -j ACCEPT
>
> # Allow established connections, and those not coming from the outside
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Allow outgoing connections from the LAN side.
> iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
>
> # Masquerade.
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> # Don't forward from the outside to the inside.
> iptables -A FORWARD -i ppp0 -o eth0 -j REJECT
>
> # Enable routing.
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> ------------------------------------------------------------------------
> I realized that if I use the following rules at the beginning,
> even with the POSTROUTING at the end, then it doesn't work.
>
> [iptables -t nat -F]
>
> Also, this one doesn't get accepted by iptables:
>
> iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
>
> It's deprecated and you have to put it before the option,
> which I tried but the result scared me with words like nontracked, raw
> and similar.
>
> I thought the ! was for "Not this one".
>
> Anyway, I deleted this rule and changed the one with ppp0 to ppp0 for
> ppp0 to eth0.
> I thought it made sense ppp0 to ppp0 like "don't forward via this
> interface". Only INPUT to OUTPUT.
>
> I'll have to check the whole more seriously cause I was planning to
> drop, as you advised, all the non accepted ones in the INPUT chain,
> before the masquerade problem happened.
>
> Thanks for your comment.

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/l9idn8$8jl$2...@ger.gmane.org