Re: USB Networking vs. iptables
Hello, first I corrected the DNS address in both DNATs on the server side:

[EMAIL PROTECTED] backup]# iptables -L -t nat --line-numbers -n -v
Chain PREROUTING (policy ACCEPT 2829 packets, 171K bytes)
num   pkts bytes target     prot opt in  out source         destination
1        0     0 DNAT       tcp  --  *   *   192.168.0.202  192.168.0.200  tcp dpt:53 to:212.6.108.140
2       20  1248 DNAT       udp  --  *   *   192.168.0.202  192.168.0.200  udp dpt:53 to:212.6.108.140

Chain POSTROUTING (policy ACCEPT 9133 packets, 641K bytes)
num   pkts bytes target     prot opt in  out source         destination
1       59  6086 MASQUERADE all  --  *   *   192.168.0.0/24 0.0.0.0/0

But I recognize no pos. On the FR I still have the same results:

[EMAIL PROTECTED]:~# cat /etc/resolv.conf
nameserver 192.168.0.200

[EMAIL PROTECTED]:~# nslookup www.google.com
Server:    192.168.0.200
Address 1: 192.168.0.200

nslookup: can't resolve 'www.google.com'

I checked the filter table and I see no mistake. Most of it is the standard rules from RH/FC. The INPUT and FORWARD chains affect no traffic, except the listed IPs:22 in the private chain 'RH-Firewall-1-INPUT'.

on server:

[EMAIL PROTECTED] backup]# iptables -L -t nat --line-numbers -n -v
Chain PREROUTING (policy ACCEPT 2812 packets, 170K bytes)
num   pkts bytes target     prot opt in  out source         destination
1        0     0 DNAT       tcp  --  *   *   192.168.0.202  192.168.0.200  tcp dpt:53 to:212.6.108.140
2       20  1248 DNAT       udp  --  *   *   192.168.0.202  192.168.0.200  udp dpt:53 to:212.6.108.140

Chain POSTROUTING (policy ACCEPT 9082 packets, 638K bytes)
num   pkts bytes target     prot opt in  out source         destination
1       59  6086 MASQUERADE all  --  *   *   192.168.0.0/24 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 9097 packets, 640K bytes)
num   pkts bytes target     prot opt in  out source         destination

[EMAIL PROTECTED] backup]# iptables -L --line-numbers -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target              prot opt in  out source     destination
1     592K  375M RH-Firewall-1-INPUT all  --  *   *   0.0.0.0/0  0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target              prot opt in  out source     destination
1      701 45828 RH-Firewall-1-INPUT all  --  *   *   0.0.0.0/0  0.0.0.0/0

Chain OUTPUT (policy ACCEPT 613K packets, 261M bytes)
num   pkts bytes target              prot opt in  out source     destination

Chain RH-Firewall-1-INPUT (2 references)
num   pkts bytes target prot opt in  out source           destination
1       18  1488 DROP   tcp  --  *   *   200.148.247.20   0.0.0.0/0  tcp dpt:22
2       23  1256 DROP   tcp  --  *   *   85.114.135.61    0.0.0.0/0  tcp dpt:22
3       19  1420 DROP   tcp  --  *   *   82.117.193.162   0.0.0.0/0  tcp dpt:22
4       16  1292 DROP   tcp  --  *   *   218.240.15.45    0.0.0.0/0  tcp dpt:22
5       19  1552 DROP   tcp  --  *   *   219.143.219.129  0.0.0.0/0  tcp dpt:22
6       21  1668 DROP   tcp  --  *   *   211.20.200.24    0.0.0.0/0  tcp dpt:22
7       23  1836 DROP   tcp  --  *   *   64.152.73.79     0.0.0.0/0  tcp dpt:22
8       19  1500 DROP   tcp  --  *   *   203.112.151.49   0.0.0.0/0  tcp dpt:22
9        2   120 DROP   tcp  --  *   *   91.121.162.172   0.0.0.0/0  tcp dpt:22
10      22  1732 DROP   tcp  --  *   *   211.157.110.226  0.0.0.0/0  tcp dpt:22
11      17  1356 DROP   tcp  --  *   *   219.94.180.143   0.0.0.0/0  tcp dpt:22
12      16  1296 DROP   tcp  --  *   *   200.196.51.29    0.0.0.0/0  tcp dpt:22
13      20  1536 DROP   tcp  --  *   *   222.221.12.13    0.0.0.0/0  tcp dpt:22
14      20  2800 DROP   tcp  --  *   *   194.165.132.66   0.0.0.0/0  tcp dpt:22
15      21  1668 DROP   tcp  --  *   *   58.253.67.58     0.0.0.0/0  tcp dpt:22
16      17  3048 DROP   tcp  --  *   *   91.112.122.242   0.0.0.0/0  tcp dpt:22
17      19  1840 DROP   tcp  --  *   *   125.206.243.126  0.0.0.0/0  tcp dpt:22
18       0     0 DROP   tcp  --  *   *   72.29.77.144     0.0.0.0/0  tcp dpt:22
19      20  1636 DROP   tcp  --  *   *   59.42.177.139    0.0.0.0/0  tcp dpt:22
20      18  1316 DROP   tcp  --  *   *   212.14.37.2      0.0.0.0/0  tcp dpt:22
21    246K  210M ACCEPT all  --  lo  *   0.0.0.0/0        0.0.0.0/0
22     898 78034 ACCEPT icmp --  *   *   0.0.0.0/0        0.0.0.0/0  icmp type 255
23       0     0 ACCEPT esp  --  *   *
Re: USB Networking vs. iptables
On Friday, 19 Sep 2008, 07:35 -0400, Joel Newkirk wrote:
> Try iptables -I RH-Firewall-1-INPUT -s 192.168.0.202 -j ACCEPT, or the same rule inserted at the top of the INPUT and FORWARD chains.

I will try.

> RH-Firewall-1-INPUT blocks SSH from various specific IPs, then accepts only very limited specific connections, including ICMP, http, https, ssh, CUPS and ipsec but NOT including DNS...

That's right, but at the end, if no rule of the chain matches, the policy of the chain applies. And the default policy is ACCEPT. So I guess that means DNS is not blocked.

> Lack of a rule accepting DNS in INPUT keeps you from doing DNS lookups at 192.168.0.201, lack of a rule accepting DNS in FORWARD keeps you from doing DNS lookups at any other host.

I will try to add DNS to the private chain.

--
Regards, christian
Flurstraße 14
29640 Schneverdingen
Germany
E-Mail: [EMAIL PROTECTED]
Telefon: +49 5193 97 14 95
Mobile: +49 171 357 59 57
http://wesselch.homelinux.org

___
Openmoko community mailing list
community@lists.openmoko.org
http://lists.openmoko.org/mailman/listinfo/community
Re: USB Networking vs. iptables
> iptables -I RH-Firewall-1-INPUT -s 192.168.0.202 -j ACCEPT

That's it. Now I am able to install Debian by following the wiki guide http://wiki.debian.org/DebianOnFreeRunner

Thanks a lot.

On Friday, 19 Sep 2008, 07:35 -0400, Joel Newkirk wrote:
> Try iptables -I RH-Firewall-1-INPUT -s 192.168.0.202 -j ACCEPT, or the same rule inserted at the top of the INPUT and FORWARD chains.

--
Regards, christian weßel
Re: USB Networking vs. iptables
On Fri, 19 Sep 2008 16:21:13 +0000, Christian Weßel [EMAIL PROTECTED] wrote:
> > iptables -I RH-Firewall-1-INPUT -s 192.168.0.202 -j ACCEPT
>
> That's it. Now I am able to install Debian by following the wiki guide http://wiki.debian.org/DebianOnFreeRunner
>
> Thanks a lot.
>
> On Friday, 19 Sep 2008, 07:35 -0400, Joel Newkirk wrote:
> > Try iptables -I RH-Firewall-1-INPUT -s 192.168.0.202 -j ACCEPT, or the same rule inserted at the top of the INPUT and FORWARD chains.

You're most welcome. The one problem with your reasoning regarding the default policy of ACCEPT is that the last rule in the RH-Firewall-1-INPUT chain is a 'drop all' rule...

On every RedHat/Fedora/CentOS box I've ever set up, nearly the first thing I do is delete the default firewall and construct my own - I don't like the way they structure theirs. IMHO best practice (and clearest logic) is to enable a DROP policy on the INPUT and FORWARD chains, and add explicit ACCEPT rules for the desired traffic.

j
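The point Joel makes above, that a chain's ACCEPT policy never gets a say when a jumped-to chain ends in an unconditional DROP, is easy to check with a small model of how netfilter walks chains. The block below is an added example for this thread, not code from any of the posts: it abstracts the quoted RH-Firewall-1-INPUT chain (two of the per-IP SSH drops, the service ACCEPTs Joel lists, and the trailing catch-all DROP as he describes it; the RELATED,ESTABLISHED state match is deliberately not modelled), then evaluates the Freerunner's DNS query with and without the inserted `-s 192.168.0.202 -j ACCEPT` rule. The interface name `usb0` and the chosen sample packets are assumptions.

```python
"""Model of iptables filter-chain evaluation (added example, not from the thread).

A built-in chain's policy applies only when no rule in the chain, or in a user
chain it jumps to, returns a verdict.  The constructed RH-Firewall-1-INPUT
below ends with an unconditional DROP, so INPUT's ACCEPT policy is unreachable.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None
    in_iface: str = "usb0"            # assumed name of the USB network interface


@dataclass
class Rule:
    target: str                       # ACCEPT / DROP / REJECT / RETURN, or a user chain to jump to
    proto: str = "all"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    in_iface: str = "*"

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "all" or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src, strict=False)
                and ip_address(pkt.dst) in ip_network(self.dst, strict=False)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.in_iface == "*" or self.in_iface == pkt.in_iface))


@dataclass
class Chain:
    policy: Optional[str]             # ACCEPT/DROP for built-in chains, None for user chains
    rules: List[Rule] = field(default_factory=list)


def evaluate(chains: Dict[str, Chain], name: str, pkt: Packet) -> Optional[str]:
    """First matching terminal target wins; a jump into a user chain that falls
    off its end (or hits RETURN) resumes in the caller; a built-in chain that
    runs out of rules applies its policy."""
    chain = chains[name]
    for rule in chain.rules:
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            break
        verdict = evaluate(chains, rule.target, pkt)      # jump to a user-defined chain
        if verdict is not None:
            return verdict
    return chain.policy


def build_chains(accept_usb_host: bool = False) -> Dict[str, Chain]:
    """Constructed abstraction of the posted RH-Firewall-1-INPUT chain."""
    rh = Chain(policy=None, rules=[
        Rule("DROP", proto="tcp", src="200.148.247.20", dport=22),   # per-IP SSH blocks (two of twenty)
        Rule("DROP", proto="tcp", src="85.114.135.61", dport=22),
        Rule("ACCEPT", in_iface="lo"),
        Rule("ACCEPT", proto="icmp"),
        Rule("ACCEPT", proto="tcp", dport=22),                        # ssh
        Rule("ACCEPT", proto="tcp", dport=80),                        # http
        Rule("ACCEPT", proto="tcp", dport=443),                       # https
        Rule("ACCEPT", proto="tcp", dport=631),                       # CUPS
        Rule("DROP"),                                                 # trailing catch-all, as Joel describes it
    ])
    if accept_usb_host:
        # iptables -I RH-Firewall-1-INPUT -s 192.168.0.202 -j ACCEPT  (-I inserts at position 1)
        rh.rules.insert(0, Rule("ACCEPT", src="192.168.0.202"))
    return {
        "INPUT": Chain("ACCEPT", [Rule("RH-Firewall-1-INPUT")]),
        "FORWARD": Chain("ACCEPT", [Rule("RH-Firewall-1-INPUT")]),
        "RH-Firewall-1-INPUT": rh,
    }


# Sample packets (constructed): the Freerunner's DNS query and ping to the
# server's USB address, and an SSH attempt from one of the blocked sources.
DNS_FROM_FREERUNNER = Packet("192.168.0.202", "192.168.0.200", "udp", dport=53)
PING_FROM_FREERUNNER = Packet("192.168.0.202", "192.168.0.200", "icmp")
SSH_FROM_BLOCKED_IP = Packet("200.148.247.20", "192.168.1.10", "tcp", dport=22, in_iface="eth0")


def verdicts(accept_usb_host: bool) -> Dict[str, str]:
    chains = build_chains(accept_usb_host)
    return {
        "dns": evaluate(chains, "INPUT", DNS_FROM_FREERUNNER),
        "ping": evaluate(chains, "INPUT", PING_FROM_FREERUNNER),
        "ssh_blocked": evaluate(chains, "INPUT", SSH_FROM_BLOCKED_IP),
    }


if __name__ == "__main__":
    for fixed in (False, True):
        print("with ACCEPT inserted:" if fixed else "as posted:           ", verdicts(fixed))
```

Two practical notes on the fix itself. `-I` matters: `-A` would append the ACCEPT after the catch-all DROP, where it can never match. And `-s 192.168.0.202 -j ACCEPT` admits every port from anything that presents that source address on any interface; a narrower rule such as `-i usb0 -s 192.168.0.202 -p udp --dport 53 -j ACCEPT` (plus the tcp twin) fixes the same lookup while keeping the rest of the host closed to the phone.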
Re: USB Networking vs. iptables
Instead of this:

iptables -t nat -A PREROUTING -p tcp -s 192.168.0.202 -d 192.168.0.200 --dport domain -j DNAT --to-destination 192.168.0.1
iptables -t nat -A PREROUTING -p udp -s 192.168.0.202 -d 192.168.0.200 --dport domain -j DNAT --to-destination 192.168.0.1

Did you do/would you try this (on your server):

iptables -t nat -A PREROUTING -p tcp -s 192.168.0.202 -d 192.168.0.200 --dport domain -j DNAT --to-destination 192.168.1.254
iptables -t nat -A PREROUTING -p udp -s 192.168.0.202 -d 192.168.0.200 --dport domain -j DNAT --to-destination 192.168.1.254

This assumes your router is set up as a DNS server. Then in resolv.conf, use your router at 192.168.1.254 as the DNS server, not any of those other values. That is (I think) similar to how I have mine configured at home. If you still have problems, I'll post my exact /etc conf files for you when I get home.

On Thu, Sep 18, 2008 at 12:22 PM, Christian Weßel [EMAIL PROTECTED] wrote:
> Hello mokos,
>
> I just have a DNS problem. I try to configure my FC6 following the guide
> http://wiki.openmoko.org/wiki/USB_Networking#Proxying_with_iptables
> because I have a simple static environment for my FR.
>
> FR.usb.ip     = 192.168.0.202
> server.usb.ip = 192.168.0.200
> server.eth.ip = 192.168.1.10
> router.eth.ip = 192.168.1.254
> DNS.ip        = 212.6.108.140
>
> on server:
> [EMAIL PROTECTED] ~]# cat /etc/resolv.conf
> search home
> nameserver 212.6.108.140
> nameserver 212.6.108.141
>
> [EMAIL PROTECTED] ~]# iptables -L -t nat --line-numbers -n
> Chain PREROUTING (policy ACCEPT)
> num  target     prot opt source          destination
> 1    DNAT       tcp  --  192.168.0.202   192.168.0.200  tcp dpt:53 to:212.6.181.140
> 2    DNAT       udp  --  192.168.0.202   192.168.0.200  udp dpt:53 to:212.6.181.140
>
> Chain POSTROUTING (policy ACCEPT)
> num  target     prot opt source          destination
> 1    MASQUERADE all  --  192.168.0.0/24  0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source          destination
>
> on FR:
> [EMAIL PROTECTED]:~# cat /etc/resolv.conf
> nameserver 192.168.0.200
>
> [EMAIL PROTECTED]:~# ping 74.125.19.147 -c 1
> PING 74.125.19.147 (74.125.19.147): 56 data bytes
> 64 bytes from 74.125.19.147: seq=0 ttl=236 time=182.480 ms
>
> --- 74.125.19.147 ping statistics ---
> 1 packets transmitted, 1 packets received, 0% packet loss
> round-trip min/avg/max = 182.480/182.480/182.480 ms
>
> [EMAIL PROTECTED]:~# nslookup www.google.com
> Server:    192.168.0.200
> Address 1: 192.168.0.200
>
> nslookup: can't resolve 'www.google.com'
>
> For me the masquerading seems to be fine, just something with DNAT is wrong.
> If I change the FR's resolv.conf to 'nameserver 212.6.181.140' it is also not working.
> But what's wrong?
>
> BTW: I got no SELinux security alerts, neither in secure nor in messages.
>
> --
> Regards, christian
Re: USB Networking vs. iptables
I notice that you list the DNS server as 212.6.108.140 (resolver0.ewetel.de), but have the DNAT rules pointing at 212.6.181.140 (an unnamed IP that seems to be owned by 'claranet')... Checking from the 'outside' (i.e. I'm not on your ISP's network, and I presume you are within the ewetel.de network), 212.6.108.140 is a DNS server which won't let me do recursive lookups, which is normal, but 212.6.181.140 seems unoccupied at this time, or 100% firewalled.

If that doesn't resolve it, what's in your FORWARD and INPUT chains? Can you post the output of iptables -vnL? (The '-v' for verbose means the output will include counts of packets/bytes that matched each rule - useful for debugging sometimes when unexpected zeros appear.) iptables -vnL shows all the filter chains, INPUT/OUTPUT/FORWARD (plus any custom chains). INPUT would affect packets from the Freerunner to the FC6 box (i.e. when resolv.conf points at 192.168.0.200), while FORWARD would affect packets when you have the outside DNS server in resolv.conf.

j

On Thu, 18 Sep 2008 17:22:29 +0000, Christian Weßel [EMAIL PROTECTED] wrote:
> Hello mokos,
>
> I just have a DNS problem. I try to configure my FC6 following the guide
> http://wiki.openmoko.org/wiki/USB_Networking#Proxying_with_iptables
> because I have a simple static environment for my FR.
>
> FR.usb.ip     = 192.168.0.202
> server.usb.ip = 192.168.0.200
> server.eth.ip = 192.168.1.10
> router.eth.ip = 192.168.1.254
> DNS.ip        = 212.6.108.140
>
> on server:
> [EMAIL PROTECTED] ~]# cat /etc/resolv.conf
> search home
> nameserver 212.6.108.140
> nameserver 212.6.108.141
>
> [EMAIL PROTECTED] ~]# iptables -L -t nat --line-numbers -n
> Chain PREROUTING (policy ACCEPT)
> num  target     prot opt source          destination
> 1    DNAT       tcp  --  192.168.0.202   192.168.0.200  tcp dpt:53 to:212.6.181.140
> 2    DNAT       udp  --  192.168.0.202   192.168.0.200  udp dpt:53 to:212.6.181.140
>
> Chain POSTROUTING (policy ACCEPT)
> num  target     prot opt source          destination
> 1    MASQUERADE all  --  192.168.0.0/24  0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source          destination
>
> on FR:
> [EMAIL PROTECTED]:~# cat /etc/resolv.conf
> nameserver 192.168.0.200
>
> [EMAIL PROTECTED]:~# ping 74.125.19.147 -c 1
> PING 74.125.19.147 (74.125.19.147): 56 data bytes
> 64 bytes from 74.125.19.147: seq=0 ttl=236 time=182.480 ms
>
> --- 74.125.19.147 ping statistics ---
> 1 packets transmitted, 1 packets received, 0% packet loss
> round-trip min/avg/max = 182.480/182.480/182.480 ms
>
> [EMAIL PROTECTED]:~# nslookup www.google.com
> Server:    192.168.0.200
> Address 1: 192.168.0.200
>
> nslookup: can't resolve 'www.google.com'
>
> For me the masquerading seems to be fine, just something with DNAT is wrong.
> If I change the FR's resolv.conf to 'nameserver 212.6.181.140' it is also not working.
> But what's wrong?
>
> BTW: I got no SELinux security alerts, neither in secure nor in messages.
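Joel found both problems in this message by eye: a DNAT target that does not match any nameserver the server itself uses, and a rule whose verbose counters stay at zero. Both checks are mechanical, so here is an added example (not code from the thread) that parses the output of `iptables -L -t nat -n -v` together with /etc/resolv.conf and reports them. The NAT listing embedded below is constructed to mirror what was posted, with the counters from the later message; it is not captured from a live box, and the rule that tcp DNAT has matched nothing is taken from those posted counters.

```python
"""Audit a NAT listing against resolv.conf (added example, not from the thread).

Reads `iptables -L -t nat -n -v` output and /etc/resolv.conf, then reports
DNAT targets that are not one of the host's own nameservers and rules whose
packet counter is still zero.
"""
import re
from typing import Dict, List

# Constructed sample, modelled on the NAT table and resolv.conf posted in the thread.
NAT_OUTPUT = """\
Chain PREROUTING (policy ACCEPT 2812 packets, 170K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       192.168.0.202        192.168.0.200        tcp dpt:53 to:212.6.181.140
   20  1248 DNAT       udp  --  *      *       192.168.0.202        192.168.0.200        udp dpt:53 to:212.6.181.140

Chain POSTROUTING (policy ACCEPT 9082 packets, 638K bytes)
 pkts bytes target     prot opt in     out     source               destination
   59  6086 MASQUERADE all  --  *      *       192.168.0.0/24       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 9097 packets, 640K bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

RESOLV_CONF = """\
search home
nameserver 212.6.108.140
nameserver 212.6.108.141
"""

_MULT = {"": 1, "K": 1000, "M": 1000_000, "G": 1000_000_000}

# pkts bytes target prot opt in out source destination [match/target options]
_RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)\s+(?P<proto>\S+)\s+"
    r"\S+\s+(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)(?P<extra>.*)$"
)


def counter_to_int(token: str) -> int:
    """'246K' -> 246000.  iptables -v abbreviates counters; use -x for exact values."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError(f"not an iptables counter: {token!r}")
    return int(m.group(1)) * _MULT[m.group(2)]


def parse_nat_table(text: str) -> List[Dict]:
    """Return one dict per rule, numbered within its chain like --line-numbers would."""
    rules: List[Dict] = []
    chain, num = None, 0
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain, num = line.split()[1], 0
            continue
        m = _RULE_RE.match(line)
        if m is None or chain is None:
            continue                          # column header, blank line, or stray text
        num += 1
        extra = m.group("extra").strip()
        to = re.search(r"\bto:(\S+)", extra)  # DNAT/SNAT target, possibly with :port
        rules.append({
            "chain": chain, "num": num,
            "pkts": counter_to_int(m.group("pkts")),
            "bytes": counter_to_int(m.group("bytes")),
            "target": m.group("target"), "proto": m.group("proto"),
            "src": m.group("src"), "dst": m.group("dst"), "extra": extra,
            "to": to.group(1).split(":")[0] if to else None,
        })
    return rules


def parse_resolv_conf(text: str) -> List[str]:
    return [parts[1] for parts in (l.split() for l in text.splitlines())
            if len(parts) >= 2 and parts[0] == "nameserver"]


def audit(rules: List[Dict], nameservers: List[str]) -> Dict[str, list]:
    """Findings: DNAT targets unknown to resolv.conf, and rules that never matched."""
    findings: Dict[str, list] = {"dnat_not_in_resolv_conf": [], "zero_counter": []}
    for r in rules:
        if r["target"] == "DNAT" and r["to"] not in nameservers:
            findings["dnat_not_in_resolv_conf"].append((r["chain"], r["num"], r["to"]))
        if r["pkts"] == 0:
            findings["zero_counter"].append((r["chain"], r["num"], r["target"], r["proto"]))
    return findings


if __name__ == "__main__":
    found = audit(parse_nat_table(NAT_OUTPUT), parse_resolv_conf(RESOLV_CONF))
    for chain, num, to in found["dnat_not_in_resolv_conf"]:
        print(f"{chain} rule {num}: DNAT to {to}, which is not a nameserver in resolv.conf")
    for chain, num, target, proto in found["zero_counter"]:
        print(f"{chain} rule {num}: {target} {proto} has matched no packets yet")
```

On the posted configuration this flags both PREROUTING DNAT rules (212.6.181.140 is not in resolv.conf) and the tcp one as having zero hits; the udp rule's non-zero counter is what shows the DNAT is matching and the failure lies beyond it, which is exactly the counter reading Joel recommends. To run it against a live system, replace the two embedded strings with the output of `iptables -L -t nat -n -v` and the contents of /etc/resolv.conf.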