Gateway problem: have to add it manually after booting
I "solved" this problem by deleting the wireless connection and then adding it again.

> On Debian Jessie I have to add the gateway to be able to get internet
> over a wireless connection. I do this by the command: "route add default gw
> 192.168.0.1 wlan0"
> How to make the gateway available automatically on booting like it was
> before?
>
> Extra info:
> I managed to connect two computers on a network using SSH. In doing so I
> had changed the wireless network connection IPv4 settings from DHCP to
> manual to obtain a static IP address. I reverted it after the successful
> test. I do not recall making any other changes to the network settings.
>
> Hope someone can help me on this one. Thanks.
>
> --
> Securely sent with Tutanota. Claim your encrypted mailbox today!
> https://tutanota.com
Gateway problem: have to add it manually after booting
On Debian Jessie I have to add the gateway to be able to get internet over a wireless connection. I do this by the command:

route add default gw 192.168.0.1 wlan0

How to make the gateway available automatically on booting like it was before?

Extra info:
I managed to connect two computers on a network using SSH. In doing so I had changed the wireless network connection IPv4 settings from DHCP to manual to obtain a static IP address. I reverted it after the successful test. I do not recall making any other changes to the network settings.

Hope someone can help me on this one. Thanks.

--
Securely sent with Tutanota. Claim your encrypted mailbox today!
https://tutanota.com
RE: [Solved] Re: Debian gateway problem
Hi Mett,

> Just a final update on this thread.
>
> I end up with the script below working perfectly, except if I use both
> following rules at the beginning of the script.
> ---
> iptables -t nat -F
> iptables -t mangle -F
> ---
>
> I don't fully understand why but I'll investigate that later.

Do a

iptables -t nat -L -v
iptables -t mangle -L -v

to see what is in those tables that you cannot delete. You probably need those because

> script:
> --
> #!/bin/sh
>
> PATH=/usr/sbin:/sbin:/bin:/usr/bin
>
> #
> # delete all existing rules.
> #
> iptables -F
>
> iptables -X

This does NOT delete ALL existing rules. Those lines just delete the rules in the default INPUT, FORWARD and OUTPUT chains in the table "filter". I have the following at the beginning of my firewall scripts to delete ALL rules in all chains in all tables.

# Flush all rules in all chains and then delete all chains
chains=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $chains; do $IPTABLES -t $i -F; done
for i in $chains; do $IPTABLES -t $i -X; done
# Reset all counters for default chains
$IPTABLES -Z

I do not set the PATH variable, I use the $IPTABLES variable which I set at the beginning of my script

IPTABLES=/sbin/iptables
# For testing
#IPTABLES="echo iptables"

The testing option allows me to easily see what the result of my script lines is as I use A LOT of variables. Spotting a typo can be hard sometimes. ;-)

> ## nat/POSTROUTING
> # Masquerade <=> Changed to SNAT(seemed wiser in my situation after
> # reading doc...).
> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j SNAT --to-source
> EXT.FIX.IP.ADD

The "nat" table is not the default table which is why with this command you need to add the -t nat option. The same for the "mangle" table if you use it.

> ## filter/FORWARD
>
> # Allow New outgoing connections from the LAN side.
> iptables -t filter -A FORWARD -i eth0 -o ppp0 -m state --state NEW -j ACCEPT

Although it is not wrong, you do not need the -t filter option here. The "filter" table is the default table.

> []
> # Enable routing.
> echo 1 > /proc/sys/net/ipv4/ip_forward

I have a

# Disable routing.
echo 0 > /proc/sys/net/ipv4/ip_forward

at the beginning of my script too, that way when I run the script for a second time forwarding is turned off before removing all firewall rules.
Re: [Solved] Re: Debian gateway problem
mett wrote:
> I end up with the script below working perfectly,
> except if I use both following rules at the beginning of the script.
> iptables -t nat -F
> iptables -t mangle -F

I would imagine it's because something else (your PPP connection, perhaps) has already placed necessary rules in those two tables:

iptables -t nat --line-numbers -nvL

> # Masquerade <=> Changed to SNAT(seemed wiser in my situation after
> # reading doc...).
> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j SNAT
> --to-source EXT.FIX.IP.ADD

MASQUERADE is required for dynamic IP addresses, as it does not maintain its connection table if the interface drops. It can be useful for static ones if you want the same behaviour. The advantage of SNAT is really for long-lived connections forwarding through the firewall device that don't need to worry if the interface momentarily drops.

Chris

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/v2jvpaxf86@news.roaima.co.uk
[Solved] Re: Debian gateway problem
On Fri, 27 Dec 2013 10:15:04 +0100
Nemeth Gyorgy wrote:

> On 2013-12-26 06:27, mett wrote:
> > Hi,
> >
> > I'm using a debian box as a router and multiserver between my LAN
> > and the internet.
(cut)
> > It seems(according to tcpdump on both interface) that replies from
> > some sites get lost or get an ICMP destination unreachable from the
> > gateway somehow.
>
> For me it seems a PMTU problem. Insert the following line in the
> proper place:
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS
> --clamp-mss-to-pmtu
>

Hi and HNY everybody!

Just a final update on this thread.

I end up with the script below working perfectly, except if I use both following rules at the beginning of the script.
---
iptables -t nat -F
iptables -t mangle -F
---

I don't fully understand why but I'll investigate that later.

script:
--
#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F

iptables -X

## nat/POSTROUTING
# Masquerade <=> Changed to SNAT(seemed wiser in my situation after
# reading doc...).
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j SNAT --to-source EXT.FIX.IP.ADD

## filter/FORWARD

# Allow New outgoing connections from the LAN side.
iptables -t filter -A FORWARD -i eth0 -o ppp0 -m state --state NEW -j ACCEPT

# Allow Established outgoing connections from the LAN side.
iptables -t filter -A FORWARD -i eth0 -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow forwarding of established connection from WAN side.
iptables -t filter -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Don't forward from the outside to the inside (icmp Port_U).
iptables -t filter -A FORWARD -i ppp0 -o eth0 -j REJECT

## filter/INPUT

# Always accept loopback traffic
iptables -t filter -A INPUT -i lo -j ACCEPT

#log udp port 5060
iptables -t filter -A INPUT -i ppp0 -p udp --dport 5060 -j LOG --log-level debug

#asterisk
iptables -t filter -A INPUT -i ppp0 -p udp --dport 5060 -j ACCEPT

#tor
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 9001 -j ACCEPT

#postfix
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 25 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 587 -j ACCEPT

#dovecot
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 110 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 995 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 143 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 993 -j ACCEPT

#apache
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 443 -j ACCEPT

#maradns
iptables -t filter -A INPUT -i ppp0 -p udp --dport 53 -j ACCEPT

#vsftp
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 21 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 5:50010 -j ACCEPT

# Allow established connections
iptables -t filter -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Proto_U everything else on outside interface (-input ppp0)
iptables -t filter -A INPUT -i ppp0 -j REJECT --reject-with icmp-proto-unreachable

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
--

Thanks a lot for all the comments.

--
Archive: http://lists.debian.org/20140108161658.121d9606@asus.tamerr
Re: Debian gateway problem
On 2013-12-26 06:27, mett wrote:
> Hi,
>
> I'm using a debian box as a router and multiserver between my LAN and the internet.
>
> Everything was working fine till yesterday when I put the box down for upgrading memory, for a few hours.
>
> Right now, the external interface of the gateway is fully accessible from the net, and I do not have any problem with the different services I am providing to the outside (mail, webserver, and dns for the web servers).
>
> The problem is on the LAN side, I can access some sites but not all the sites as I used to do.
>
> For example, I can access the "Start page" search engine but not "Duckduckgo".
>
> The gateway can access everything, it's the hosts behind the gateway that cannot.
>
>
> I have 2 interfaces on this box:
> eth0 which is used as the LAN interface and
> eth1 which is used as ppp0 with a static IP from my ISP.
>
> ---
> /etc/sysctl.conf has the forwarding rule for ipv4
> net.ipv4.ip_forward=1
> net.ipv4.conf.default.forwarding=1 (maybe useless but I'm kind of trying everything)
> net.ipv4.conf.all.forwarding=1 (maybe useless but I'm kind of trying everything)
> ---
> cat /proc/sys/net/ipv4/ip_forward
> 1
> ---
> Iptables rules are as follows
> # delete all existing rules.
> #
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -X
>
> # Always accept loopback traffic
> iptables -A INPUT -i lo -j ACCEPT
>
>
> #log udp port 5060
> iptables -A INPUT -i ppp0 -p udp --dport 5060 -j LOG --log-level debug
>
> #asterisk
> iptables -A INPUT -i ppp0 -p udp --dport 5060 -j ACCEPT
>
>
> #tor
> iptables -A INPUT -i ppp0 -p tcp --dport 9001 -j ACCEPT
>
> #postfix
> iptables -A INPUT -i ppp0 -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 587 -j ACCEPT
>
> #dovecot
> iptables -A INPUT -i ppp0 -p tcp --dport 110 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 995 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 143 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 993 -j ACCEPT
>
> #apache
> iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 443 -j ACCEPT
>
> #maradns
> iptables -A INPUT -i ppp0 -p udp --dport 53 -j ACCEPT
>
>
> # Allow established connections, and those not coming from the outside
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
> iptables -A FORWARD -i ppp0 -o eth0 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
>
>
> # Allow outgoing connections from the LAN side.
> iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
>
> # Masquerade.
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> # Don't forward from the outside to the inside.
> iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
>
>
>
> # Enable routing.
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
>
> I am totally at loss and was wondering if somebody has an idea about where the problem might be coming from.
>
> It seems (according to tcpdump on both interfaces) that replies from some sites get lost or get an ICMP destination unreachable from the gateway somehow.

For me it seems a PMTU problem. Insert the following line in the proper place:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

--
--- Friczy ---
'Death is not a bug, it's a feature'

--
Archive: http://lists.debian.org/52bd4518.6010...@freemail.hu
Re: Debian gateway problem
The only time i've seen this it was bad subnet / netmask configuration(s)

But it's working, so hey, good job ;-)

On Fri, 27 Dec 2013 01:26:12 +0900, mett wrote:
> On Thu, 26 Dec 2013 20:41:24 +1300 Richard Hector wrote:
>
>> On 26/12/13 18:27, mett wrote:
>> > Hi,
>> >
>> > I'm using a debian box as a router and multiserver between my LAN and the internet.
>> >
>> > Everything was working fine till yesterday when I put the box down for upgrading memory, for a few hours.
>> >
>> > Right now, the external interface of the gateway is fully accessible from the net, and I do not have any problem with the different services I am providing to the outside (mail, webserver, and dns for the web servers).
>> >
>> > The problem is on the LAN side, I can access some sites but not all the sites as I used to do.
>> >
>> > For example, I can access the "Start page" search engine but not "Duckduckgo".
>>
>> That's really strange.
>>
>>
>> > iptables -A FORWARD -i ppp0 -o eth0 -m state --state
>> > ESTABLISHED,RELATED -j ACCEPT
>>
>> I assume that's really on one line?
> Yes
>>
>>
>> > # Don't forward from the outside to the inside.
>> > iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
>>
>> That looks like outside to outside - you probably want "-i ppp0 -o eth0"
>>
>> Beyond that, I have no idea, sorry.
>>
>> I'd be testing with tcpdump, as you have been. Possibly confirm that the IP addresses you're getting from DNS inside and on the gateway are the same?
>>
>> Also perhaps try removing everything unrelated to the masquerading bit from your script and see if that works, then add bits back in?
>>
>> I also generally use a policy DROP rule (iptables -P INPUT DROP), which I specify at the top of the file, rather than dropping through to a DROP/REJECT rule at the end. That shouldn't make any difference, though.
>>
>> Richard
>>
>>
>>
> Hi,
>
> It seems I had many problems in fact...
> I couldn't check everything yet but now it's working
>
> I did few dirty things like deleting all the rules one by one because even when moving the script somewhere else, it still acted when I restarted interfaces.
>
> Finally I cleaned the original script, going one rule at a time.
>
> #!/bin/sh
>
> PATH=/usr/sbin:/sbin:/bin:/usr/bin
>
> #
> # delete all existing rules.
> #
> iptables -F
>
> # Always accept loopback traffic
> iptables -A INPUT -i lo -j ACCEPT
>
> #log udp port 5060
> iptables -A INPUT -i ppp0 -p udp --dport 5060 -j LOG --log-level debug
>
> #asterisk
> iptables -A INPUT -i ppp0 -p udp --dport 5060 -j ACCEPT
>
> #tor
> iptables -A INPUT -i ppp0 -p tcp --dport 9001 -j ACCEPT
>
> #postfix
> iptables -A INPUT -i ppp0 -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 587 -j ACCEPT
>
> #dovecot
> iptables -A INPUT -i ppp0 -p tcp --dport 110 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 995 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 143 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 993 -j ACCEPT
>
> #apache
> iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 443 -j ACCEPT
>
> #maradns
> iptables -A INPUT -i ppp0 -p udp --dport 53 -j ACCEPT
>
>
> # Allow established connections, and those not coming from the outside
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Allow outgoing connections from the LAN side.
> iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
>
> # Masquerade.
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> # Don't forward from the outside to the inside.
> iptables -A FORWARD -i ppp0 -o eth0 -j REJECT
>
> # Enable routing.
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
>
> I realized that if I use the following rules at the beginning, even with the POSTROUTING at the end, then it doesn't work.
>
> [iptables -t nat -F]
>
> Also, this one doesn't get accepted by iptables
>
> iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
>
> it's deprecated and you have to put it before the option, which I tried but the result scared me with words like nontracked, raw and similar.
>
> I thought the ! was for "Not this one".
>
> Anyway, I deleted this rule and changed the one with ppp0 to ppp0 for ppp0 to eth0.
> I thought it made sense ppp0 to ppp0 like "don't forward via this interface". Only INPUT to OUTPUT.
>
> I'll have to check the whole more seriously cause I was planning to drop, as you advised, all the non accepted ones in the INPUT chain, before the masquerade problem happened.
>
> Thanks for your comment.
Re: Debian gateway problem
On Thu, Dec 26, 2013 at 5:27 AM, mett wrote:
>
> I'm using a debian box as a router and multiserver between my LAN and the internet.
>
> Everything was working fine till yesterday when I put the box down for upgrading memory, for a few hours.
>
> Right now, the external interface of the gateway is fully accessible from the net, and I do not have any problem with the different services I am providing to the outside (mail, webserver, and dns for the web servers).
>
> The problem is on the LAN side, I can access some sites but not all the sites as I used to do.
>
> For example, I can access the "Start page" search engine but not "Duckduckgo".
>
> The gateway can access everything, it's the hosts behind the gateway that cannot.
>
> I have 2 interfaces on this box:
> eth0 which is used as the LAN interface and
> eth1 which is used as ppp0 with a static IP from my ISP.
>
> # Allow established connections, and those not coming from the outside
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
> iptables -A FORWARD -i ppp0 -o eth0 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
>
> # Allow outgoing connections from the LAN side.
> iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
>
> # Masquerade.
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> # Don't forward from the outside to the inside.
> iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT

1) Add logging to these rules to see which one(s) is(are) blocking your access.

2) "iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT" should be
"iptables -A INPUT -m state --state NEW ! -i ppp0 -j ACCEPT"
or (better since you have two nics)
"iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT"

3) OT:
A) "# Don't forward from the outside to the inside" and "iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT" don't correspond.
B) You should add "iptables -A FORWARD -i ppp0 -o eth0 -j REJECT" and "iptables -A INPUT -i ppp0 -j REJECT" after the line in (A) if your policy is "ACCEPT".

--
Archive: http://lists.debian.org/CAOdo=szvydfze27t2dekmvzuwy7vnzqupl1+b_0djuyqamb...@mail.gmail.com
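The fixes proposed across this thread (the flush-all-tables prologue from the "RE: [Solved]" reply, Friczy's MSS clamp, the "! -i" syntax and the ppp0-to-eth0 REJECT from the reply above), put together as an added example; this is not any poster's script. It assumes the LAN on eth0 (192.168.1.0/24), a static WAN address on ppp0 and a representative subset of mett's services; EXT.FIX.IP.ADD stays a placeholder. By default it only prints the iptables commands it would run, the same trick as the "#IPTABLES="echo iptables"" testing line in that reply.

```shell
#!/bin/sh
# Added example, not from the thread. DRY_RUN=1 (the default) prints the
# commands; DRY_RUN=0 runs them through /sbin/iptables.
DRY_RUN=${DRY_RUN:-1}
if [ "$DRY_RUN" = 1 ]; then IPTABLES="echo iptables"; else IPTABLES=/sbin/iptables; fi
IPT_NAMES=${IPT_NAMES:-/proc/net/ip_tables_names}   # tables currently loaded
IP_FORWARD=/proc/sys/net/ipv4/ip_forward
LAN_IF=eth0
WAN_IF=ppp0
LAN_NET=192.168.1.0/24
EXT_IP=${EXT_IP:-EXT.FIX.IP.ADD}   # placeholder, as in the thread

# "iptables -F; iptables -X" only empties the filter table. Walk every
# loaded table (filter, nat, mangle, raw, ...) so nat/POSTROUTING is
# really cleared too.
flush_all_tables() {
    tables=$(cat "$IPT_NAMES" 2>/dev/null)
    for t in $tables; do $IPTABLES -t "$t" -F; done
    for t in $tables; do $IPTABLES -t "$t" -X; done
    $IPTABLES -Z
}

# Default-deny on INPUT and FORWARD instead of relying on a trailing REJECT.
set_policies() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
}

input_rules() {
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The negation goes before the option: "! -i", not "-i !".
    $IPTABLES -A INPUT -m state --state NEW ! -i $WAN_IF -j ACCEPT
    for p in 25 587 110 995 143 993 80 443 9001; do
        $IPTABLES -A INPUT -i $WAN_IF -p tcp --dport $p -j ACCEPT
    done
    for p in 53 5060; do
        $IPTABLES -A INPUT -i $WAN_IF -p udp --dport $p -j ACCEPT
    done
    $IPTABLES -A INPUT -i $WAN_IF -j REJECT --reject-with icmp-proto-unreachable
}

forward_rules() {
    # Clamp the MSS of forwarded SYNs to the path MTU so replies from sites
    # behind a smaller MTU are not silently lost.
    $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    $IPTABLES -A FORWARD -i $LAN_IF -o $WAN_IF -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # "Outside to inside" is ppp0 -> eth0, not ppp0 -> ppp0.
    $IPTABLES -A FORWARD -i $WAN_IF -o $LAN_IF -j REJECT
    # nat is not the default table, so -t nat is required here.
    $IPTABLES -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $EXT_IP
}

# Write (or, in dry-run mode, print) the ip_forward sysctl value.
set_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then echo "echo $1 > $IP_FORWARD"; else echo "$1" > "$IP_FORWARD"; fi
}

# Forwarding goes off while the rules are rebuilt and back on at the end.
apply_ruleset() {
    set_forwarding 0
    flush_all_tables
    set_policies
    input_rules
    forward_rules
    set_forwarding 1
}

if [ "${1:-}" = "run" ]; then apply_ruleset; fi
```

Run it as "sh firewall.sh run" to print the command list; DRY_RUN=0 applies it.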
Re: Debian gateway problem
On Thu, 26 Dec 2013 20:41:24 +1300
Richard Hector wrote:

> On 26/12/13 18:27, mett wrote:
> > Hi,
> >
> > I'm using a debian box as a router and multiserver between my LAN and the internet.
> >
> > Everything was working fine till yesterday when I put the box down for upgrading memory, for a few hours.
> >
> > Right now, the external interface of the gateway is fully accessible from the net, and I do not have any problem with the different services I am providing to the outside (mail, webserver, and dns for the web servers).
> >
> > The problem is on the LAN side, I can access some sites but not all the sites as I used to do.
> >
> > For example, I can access the "Start page" search engine but not "Duckduckgo".
>
> That's really strange.
>
> > iptables -A FORWARD -i ppp0 -o eth0 -m state --state
> > ESTABLISHED,RELATED -j ACCEPT
>
> I assume that's really on one line?

Yes

> > # Don't forward from the outside to the inside.
> > iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
>
> That looks like outside to outside - you probably want "-i ppp0 -o eth0"
>
> Beyond that, I have no idea, sorry.
>
> I'd be testing with tcpdump, as you have been. Possibly confirm that the IP addresses you're getting from DNS inside and on the gateway are the same?
>
> Also perhaps try removing everything unrelated to the masquerading bit from your script and see if that works, then add bits back in?
>
> I also generally use a policy DROP rule (iptables -P INPUT DROP), which I specify at the top of the file, rather than dropping through to a DROP/REJECT rule at the end. That shouldn't make any difference, though.
>
> Richard
>
>

Hi,

It seems I had many problems in fact...
I couldn't check everything yet but now it's working

I did few dirty things like deleting all the rules one by one because even when moving the script somewhere else, it still acted when I restarted interfaces.

Finally I cleaned the original script, going one rule at a time.

#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

#log udp port 5060
iptables -A INPUT -i ppp0 -p udp --dport 5060 -j LOG --log-level debug

#asterisk
iptables -A INPUT -i ppp0 -p udp --dport 5060 -j ACCEPT

#tor
iptables -A INPUT -i ppp0 -p tcp --dport 9001 -j ACCEPT

#postfix
iptables -A INPUT -i ppp0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 587 -j ACCEPT

#dovecot
iptables -A INPUT -i ppp0 -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 995 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 993 -j ACCEPT

#apache
iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 443 -j ACCEPT

#maradns
iptables -A INPUT -i ppp0 -p udp --dport 53 -j ACCEPT

# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i ppp0 -o eth0 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

I realized that if I use the following rules at the beginning, even with the POSTROUTING at the end, then it doesn't work.

[iptables -t nat -F]

Also, this one doesn't get accepted by iptables

iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT

it's deprecated and you have to put it before the option, which I tried but the result scared me with words like nontracked, raw and similar.

I thought the ! was for "Not this one".

Anyway, I deleted this rule and changed the one with ppp0 to ppp0 for ppp0 to eth0.
I thought it made sense ppp0 to ppp0 like "don't forward via this interface". Only INPUT to OUTPUT.

I'll have to check the whole more seriously cause I was planning to drop, as you advised, all the non accepted ones in the INPUT chain, before the masquerade problem happened.

Thanks for your comment.

--
Archive: http://lists.debian.org/20131227012612.0f1073a6@hp.tamerr
Re: Debian gateway problem
On 26/12/13 18:27, mett wrote:
> Hi,
>
> I'm using a debian box as a router and multiserver between my LAN and the internet.
>
> Everything was working fine till yesterday when I put the box down for upgrading memory, for a few hours.
>
> Right now, the external interface of the gateway is fully accessible from the net, and I do not have any problem with the different services I am providing to the outside (mail, webserver, and dns for the web servers).
>
> The problem is on the LAN side, I can access some sites but not all the sites as I used to do.
>
> For example, I can access the "Start page" search engine but not "Duckduckgo".

That's really strange.

> iptables -A FORWARD -i ppp0 -o eth0 -m state --state
> ESTABLISHED,RELATED -j ACCEPT

I assume that's really on one line?

> # Don't forward from the outside to the inside.
> iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT

That looks like outside to outside - you probably want "-i ppp0 -o eth0"

Beyond that, I have no idea, sorry.

I'd be testing with tcpdump, as you have been. Possibly confirm that the IP addresses you're getting from DNS inside and on the gateway are the same?

Also perhaps try removing everything unrelated to the masquerading bit from your script and see if that works, then add bits back in?

I also generally use a policy DROP rule (iptables -P INPUT DROP), which I specify at the top of the file, rather than dropping through to a DROP/REJECT rule at the end. That shouldn't make any difference, though.

Richard

--
Archive: http://lists.debian.org/52bbdda4.60...@walnut.gen.nz
Debian gateway problem
Hi,

I'm using a debian box as a router and multiserver between my LAN and the internet.

Everything was working fine till yesterday when I put the box down for upgrading memory, for a few hours.

Right now, the external interface of the gateway is fully accessible from the net, and I do not have any problem with the different services I am providing to the outside (mail, webserver, and dns for the web servers).

The problem is on the LAN side, I can access some sites but not all the sites as I used to do.

For example, I can access the "Start page" search engine but not "Duckduckgo".

The gateway can access everything, it's the hosts behind the gateway that cannot.

I have 2 interfaces on this box:
eth0 which is used as the LAN interface and
eth1 which is used as ppp0 with a static IP from my ISP.

---
/etc/sysctl.conf has the forwarding rule for ipv4
net.ipv4.ip_forward=1
net.ipv4.conf.default.forwarding=1 (maybe useless but I'm kind of trying everything)
net.ipv4.conf.all.forwarding=1 (maybe useless but I'm kind of trying everything)
---
cat /proc/sys/net/ipv4/ip_forward
1
---
Iptables rules are as follows

# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

#log udp port 5060
iptables -A INPUT -i ppp0 -p udp --dport 5060 -j LOG --log-level debug

#asterisk
iptables -A INPUT -i ppp0 -p udp --dport 5060 -j ACCEPT

#tor
iptables -A INPUT -i ppp0 -p tcp --dport 9001 -j ACCEPT

#postfix
iptables -A INPUT -i ppp0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 587 -j ACCEPT

#dovecot
iptables -A INPUT -i ppp0 -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 995 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 993 -j ACCEPT

#apache
iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 443 -j ACCEPT

#maradns
iptables -A INPUT -i ppp0 -p udp --dport 53 -j ACCEPT

# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

I am totally at loss and was wondering if somebody has an idea about where the problem might be coming from.

It seems (according to tcpdump on both interfaces) that replies from some sites get lost or get an ICMP destination unreachable from the gateway somehow.

Thanks a lot.

mett

--
Archive: http://lists.debian.org/20131226142700.4f9f1be6@asus.tamerr
Default Gateway Problem
Hi debian,

I have a problem connecting with my Default Gateway Address when i used a Voip IAD Box which i configured before now and it worked. Right now my default gateway is failing in terms of connections. Kindly tell me how to break the firewalls in a WAN Network with a default gateway.

Thanks.

Peters

=
Visit http//:www.osapuk.singlescrowd.com for your dating soln

__
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com
Re: Please HELP: def gateway problem on eth0 and eth1
On Tue, 29 Oct 2002 09:26:09 +0200
"José" <[EMAIL PROTECTED]> wrote:

> hello people,
>
> I'm using debian potato 2.2r5 on compaq proliant server with kernel 2.4.19 compiled by hand. all runs fine until i added a second ethernet controller to address 2 different networks. both controllers are Intel 100 Mb ( eepro100 as a module)
(snip)
> root@myhost: route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 11.199.194.160  0.0.0.0         255.255.255.224 U     0      0        0 eth1
> 192.202.193.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 0.0.0.0         192.202.193.1   0.0.0.0         UG    0      0        0 eth0
> 0.0.0.0         11.199.194.161  0.0.0.0         UG    0      0        0 eth1

I don't think you're allowed 2 default gateways. It seems logical that the system gets confused not knowing where to send packets for networks other than the 2 configured ones, since it has a choice of two interfaces with no criteria to apply.

Try specifying just one default gateway (the one that'll give you Internet access, for instance).

HTH.

--
Carlos Sousa
http://vbc.dyndns.org/
Please HELP: def gateway problem on eth0 and eth1
hello people,

I'm using debian potato 2.2r5 on compaq proliant server with kernel 2.4.19 compiled by hand. all runs fine until i added a second ethernet controller to address 2 different networks. both controllers are Intel 100 Mb ( eepro100 as a module)

the 2 controllers are found by the kernel. eth0 already existent and the new as eth1.

my /etc/network/interfaces looks like :

iface eth0 inet static
    address 192.202.193.135
    netmask 255.255.255.0
    network 192.202.193.0
    broadcast 192.202.193.255
    gateway 192.202.193.1

iface eth1 inet static
    address 11.199.194.165
    netmask 255.255.255.224
    network 11.199.194.160
    broadcast 11.199.194.192
    gateway 11.199.194.161

my route table looks like :

root@myhost: route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
11.199.194.160  0.0.0.0         255.255.255.224 U     0      0        0 eth1
192.202.193.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.202.193.1   0.0.0.0         UG    0      0        0 eth0
0.0.0.0         11.199.194.161  0.0.0.0         UG    0      0        0 eth1

as we can see there are now 2 default gateways.

Now the problem:
When i run /etc/init.d/networking restart the config is updated and interfaces reconfigured correctly but they stop responding ( i mean interface eth0 receives traffic but nothing goes outside). i did some tests with tcpdump. i think is cause of there are 2 def gateways and the kernel don't know on which one he must respond !?

ifaces are set 100 Mb/FDX and switch is in autonegotiate mode.

What i need is the 2 interfaces working and to address the 2 different networks with the right gateway.

Any idea ?
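The two-default-gateway situation in this thread, as an added example that is not from either poster: a POSIX shell check that flags more than one default route in "route -n" output and drops the extra "gateway" line from an interfaces file so only the chosen interface keeps one, which is the fix Carlos suggests. The sample route table and interfaces stanzas are José's own; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Works on text, so it can be run
# against saved output without touching the live routing table.

# Print "gateway iface" for each default route: destination 0.0.0.0 with the
# G (gateway) flag set. Reads a `route -n` listing from stdin.
default_gateways() {
    awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2, $NF }'
}

# Number of default routes in the listing on stdin.
count_default_gateways() {
    default_gateways | wc -l | tr -d ' '
}

# Copy an /etc/network/interfaces file from stdin, keeping the "gateway"
# line only inside the "iface $1 ..." stanza and dropping it everywhere else.
keep_single_gateway() {
    awk -v keep="$1" '
        $1 == "iface"                  { cur = $2 }
        $1 == "gateway" && cur != keep { next }
                                       { print }'
}

# Constructed sample input: the route table José posted.
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
11.199.194.160  0.0.0.0         255.255.255.224 U     0      0        0 eth1
192.202.193.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.202.193.1   0.0.0.0         UG    0      0        0 eth0
0.0.0.0         11.199.194.161  0.0.0.0         UG    0      0        0 eth1'

# Constructed sample input: the two stanzas from José's interfaces file.
SAMPLE_INTERFACES='iface eth0 inet static
    address 192.202.193.135
    netmask 255.255.255.0
    gateway 192.202.193.1

iface eth1 inet static
    address 11.199.194.165
    netmask 255.255.255.224
    gateway 11.199.194.161'

if [ "$(printf '%s\n' "$SAMPLE_ROUTE" | count_default_gateways)" -gt 1 ]; then
    echo "more than one default route:"
    printf '%s\n' "$SAMPLE_ROUTE" | default_gateways
    echo "interfaces file with only eth0 keeping its gateway:"
    printf '%s\n' "$SAMPLE_INTERFACES" | keep_single_gateway eth0
fi
```

On a live box the same functions take "route -n" and "/etc/network/interfaces" on stdin; the interface named in keep_single_gateway should be the one that reaches the Internet.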
Re: LAN to Internet gateway problem [solved]
On Mon, 25 Feb 2002 23:21:47 +0100 "Tony Crawford" <[EMAIL PROTECTED]> wrote:

> Stephan Hachinger wrote (on 25 Feb 2002 at 17:36):
>
> > machine I want to configure as router is 192.168.90.95 (stephan).
> > Stephan has a second network card inside (192.168.37.95) and
> > connects to the internet over this card and dsl (pppoE). Now,
> > this is what I've tried:
> >
> > - Modifying the route table on pentiumdioxid (see attached route output)
> > - Installing dnrd, a dns forwarder, on stephan (dns resolution seems to work without problems now)
> > - setting ip_forward to "yes" in /etc/network/options on stephan
> >
> > I've also attached hosts.allow and hosts.deny.
>
> Been up for over four hours and no answers yet? Well then:
>
> I don't see anything in the above about any NAT, which you need
> if those private-IP hosts are going to talk to the Internet.
>
> You didn't say what kernel version you're running, so read the
> documentation on either ipchains or iptables--or go straight to
> the IP-masquerading Howto.

Hi!

Ok, I just had to set up masquerading and now it works, thx. Didn't know this was necessary because I've got no knowledge of IP networking *g*.

Cheers and thanks,
Stephan
Re: LAN to Internet gateway problem
On Mon, 25 Feb 2002 17:36:31 +0100, Stephan Hachinger wrote:

> Hi!
>
> I'm trying to configure one of my machines as a router to the
> internet, so that I can access the internet from my LAN. My second
> computer in my lan is 192.168.90.5 (pentiumdioxid), this machine I
> want to configure as router is 192.168.90.95 (stephan). Stephan has a
> second network card inside (192.168.37.95) and connects to the
                               ^

Shouldn't this card (eth1?) have a WAN address rather than a reserved block address? If your DSL ISP assigns dynamic addresses, /etc/network/interfaces should probably contain:

auto eth1
iface eth1 inet dhcp

As I understand it, if you have

auto eth1
iface eth1 inet static
    address 192.168.37.95
    netmask 255.255.255.0

then the internet (WAN) cannot see your address as it is reserved for intranets (LAN).

> internet over this card and dsl (pppoE). Now, this is what I've
> tried:
>
> - Modifying the route table on pentiumdioxid (see attached route output)
> - Installing dnrd, a dns forwarder, on stephan (dns resolution seems to work without problems now)
> - setting ip_forward to "yes" in /etc/network/options on stephan
>
> I've also attached hosts.allow and hosts.deny.

Due to acute attacks of paranoia, I am unable to open your non-plain-text attachments.

Your default gateway in pentiumdioxid's route should be 192.168.90.95.

At this point, my hardware router/switch/gateway/firewall takes over and I can add nothing.

> The problem is, when I try to ping www.debian.org from pentiumdioxid,
> pentiumdioxid gets the ip address of debian.org (198.186.203.20) but
> it doesn't get any packages back.
>
> I'd be very glad if anyone can help me.
>
> Cheers,
>
> Stephan
>
> P.S.: Into which file can I put the routing table modifications so
> that the modified routing table is automatically loaded at startup?

man route

gt

Yes I fear I am living beyond my mental means--Nash
Re: LAN to Internet gateway problem
Stephan Hachinger wrote (on 25 Feb 2002 at 17:36):

> machine I want to configure as router is 192.168.90.95 (stephan).
> Stephan has a second network card inside (192.168.37.95) and
> connects to the internet over this card and dsl (pppoE). Now,
> this is what I've tried:
>
> - Modifying the route table on pentiumdioxid (see attached route output)
> - Installing dnrd, a dns forwarder, on stephan (dns resolution seems to work without problems now)
> - setting ip_forward to "yes" in /etc/network/options on stephan
>
> I've also attached hosts.allow and hosts.deny.

Been up for over four hours and no answers yet? Well then:

I don't see anything in the above about any NAT, which you need if those private-IP hosts are going to talk to the Internet.

You didn't say what kernel version you're running, so read the documentation on either ipchains or iptables--or go straight to the IP-masquerading Howto.

> The problem is, when I try to ping www.debian.org from
> pentiumdioxid, pentiumdioxid gets the ip address of debian.org
> (198.186.203.20) but it doesn't get any packages back.

Well, you have a name server on your gateway machine, so that's where you're getting the IP address from. The internal computer apparently made no contact with the Internet at all.

> P.S.: Into which file can I put the routing table modifications
> so that the modified routing table is automatically loaded at
> startup?

If there's an /etc/init.d/ppp*, that might be an appropriate place. If not, there's always /etc/init.d/networking, or copy that to a new name, edit it a lot, and read man update-rc.d about the order of execution of the init scripts and see how to set your routes after the interfaces are up.

T.

--
-- Tony Crawford -- [EMAIL PROTECTED] -- +49-3341-30 99 99 --
LAN to Internet gateway problem
Hi!

I'm trying to configure one of my machines as a router to the internet, so that I can access the internet from my LAN. My second computer in my lan is 192.168.90.5 (pentiumdioxid), this machine I want to configure as router is 192.168.90.95 (stephan). Stephan has a second network card inside (192.168.37.95) and connects to the internet over this card and dsl (pppoE). Now, this is what I've tried:

- Modifying the route table on pentiumdioxid (see attached route output)
- Installing dnrd, a dns forwarder, on stephan (dns resolution seems to work without problems now)
- setting ip_forward to "yes" in /etc/network/options on stephan

I've also attached hosts.allow and hosts.deny.

The problem is, when I try to ping www.debian.org from pentiumdioxid, pentiumdioxid gets the ip address of debian.org (198.186.203.20) but it doesn't get any packages back.

I'd be very glad if anyone can help me.

Cheers,
Stephan

P.S.: Into which file can I put the routing table modifications so that the modified routing table is automatically loaded at startup?

Attachments (binary data): pentiumdioxid.route, stephan.route, hosts.allow, hosts.deny
Re: Gateway problem...
On Wed, 23 Dec 1998, Tun Yang wrote:

> # ping www.yahoo.com
> ping: unknown host www.yahoo.com

Do you have your DNS IP address(es) in /etc/resolv.conf !?

> I then got one of yahoo's ip addresses from the windows bootup and tried
> this:
>
> # ping 204.71.200.74
> PING 204.71.200.74 (204.71.200.74): 56 data bytes
> ping: sendto: Operation not permitted
> ping: wrote 204.71.200.74 64 chars, ret=-1
> ping: sendto: Operation not permitted
> ping: wrote 204.71.200.74 64 chars, ret=-1
>
> if I do the ping without doing the route, ping replies with "no route to
> host"
>
> I have no idea why it comes up with "operation not permitted"?

It could happen if you can't send/receive icmp packets ! Do you have any firewall installed ? Check it for icmp packets ...

Best regards,
Nuno Carvalho

Nuno Emanuel F. Carvalho
Dep. Informatics Engineering
University of Coimbra
PGP key available at finger
Gateway problem...
Hi...

I'm having problems with routing for a gateway... I have a gateway machine that works with the win9x setup, and used to work with debian... but it no longer works with debian for some reason..

Here's what I do:

route add default gw tom

(tom is in hosts)

I also tried a:

route add default gw tom metric 1

(which I found in /etc/init.d/network (or some init file))

After doing the route, I tried pinging yahoo..

# ping www.yahoo.com
ping: unknown host www.yahoo.com

I then got one of yahoo's ip addresses from the windows bootup and tried this:

# ping 204.71.200.74
PING 204.71.200.74 (204.71.200.74): 56 data bytes
ping: sendto: Operation not permitted
ping: wrote 204.71.200.74 64 chars, ret=-1
ping: sendto: Operation not permitted
ping: wrote 204.71.200.74 64 chars, ret=-1

if I do the ping without doing the route, ping replies with "no route to host"

I have no idea why it comes up with "operation not permitted"?