* Cant get internet access on my router (sent again)
@ 2004-10-21 18:59 Ole Martin Handeland
  2004-10-21 21:16 ` Ray Olszewski
  0 siblings, 1 reply; 3+ messages in thread
From: Ole Martin Handeland @ 2004-10-21 18:59 UTC (permalink / raw)
  To: linux-newbie


Sending this again, since I'm still having problems...

Well... here comes my "iptables -nvL":

Chain INPUT (policy DROP 980 packets, 127K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2061  408K ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:10000
15955 1602K ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
  853  111K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
  991  150K ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:138
 271K   37M ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:443
67131 3090K ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:5900:5902
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0
 2416  167K LOG_DROP   all  --  *      *       0.0.0.0/0            0.0.0.0/0

And for my FORWARD and OUTPUT chains, there are no rules...

Thank you so much for your answers!

Ray Olszewski wrote:

 > At 12:29 PM 10/17/2004 +0200, Ole Martin Handeland wrote:
 >
 >> Hi,
 >>
 >> I can't seem to get internet access on my gateway machine, using FC2 and
 >> an iptables firewall. I have an eth0 connection (and a ppp0 connection using
 >> eth0 to connect to my ADSL provider) and an eth1 connection which I use
 >> to connect to my local network (with a DHCP server on this gateway).
 >>
 >> I have gotten this gateway to connect to the net, and the network on
 >> eth1 gets internet access. My problem is that my gateway doesn't get net
 >> access itself. When I set the default action to allow in my iptables,
 >> everything works.
 >> Does anyone know which rule(s) I should apply to get internet access working
 >> on this gateway?
 >
 >
 >
 > The core problem you face is that different chains, not just 
different rules, are involved.
 >
 > When other hosts on your LAN use this gateway to connect to the 
Internet, the packets are processed by the FORWARD chain in the default 
table (and by the  PREROUTING and POSTROUTING chains in the nat table).
 >
 > When the host itself tries to connect to the Internet, the packets 
are processed by the INPUT and OUTPUT chains in the default table.
 >
 > So ... if "everything works" when you set the default action to 
ACCEPT (there is no action "allow", so I assume you mean ACCEPT), then 
it probably means you do not have specific ACCEPT rules in suitable 
places in the INPUT and OUTPUT chains. That's not odd for a router ... 
mine is set up that way, allowing direct access for only a few things 
the router absolutely needs, like DNS resolution. But it is inconvenient 
for a general-purpose host that is also acting as a router.
 >
 > The exact rules you need to add, and where you need to add them, 
depends on what you do have in the INPUT and OUTPUT chains (which you 
can check best with "iptables -nvL"). If you want finer control than a 
generalized ACCEPT policy, the actual rules need to be tailored to what 
you want to allow, what to disallow, and you haven't told us your 
situation in that regard.
 >
 > Describe more what you want to accomplish, and tell us the rules you 
currently have in the INPUT and OUTPUT chains, and I -- or someone here 
-- may be able to give you more specific advice that fits your needs. As 
it is, anything anybody suggests will be guesswork.
 >
 > Oh, one final thing. Since you are using PPPoE for your Internet 
connection, iptables does need to know to update its ruleset after PPPoE 
negotiation is complete. It also needs to know that ppp0, not eth0, is 
your external interface. It probably does all of this, since NATing the 
LAN works, but it is always *possible* that you have a problem there. 
Once again, only examination of the rulesets in the relevant 
tables/chains will tell.
 >
 >

-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs


* Re: Cant get internet access on my router (sent again)
  2004-10-21 18:59 Cant get internet access on my router (sent again) Ole Martin Handeland
@ 2004-10-21 21:16 ` Ray Olszewski
  2004-10-22 22:34   ` Ole Martin Handeland
  0 siblings, 1 reply; 3+ messages in thread
From: Ray Olszewski @ 2004-10-21 21:16 UTC (permalink / raw)
  To: linux-newbie

At 08:59 PM 10/21/2004 +0200, Ole Martin Handeland wrote:

>Sending this again, since I'm still having problems...

I'm sorry, but to get real help, you need to answer ALL of the questions, 
not just some of them.

The list below of INPUT chain rules has entries ONLY for an eth1 interface, 
which you have not previously mentioned (but which I will guess is your LAN 
interface). For that reason, it will DROP all packets intended for a ppp0 
interface. (Notice that its final rule, a DROP rule, has matched a lot of 
packets.)

Since you have no entries in the OUTPUT chain and (you previously said) its 
default policy is DROP, no traffic will go out on ANY interface.

And if you have no entries in the FORWARD chain and its policy too is DROP 
... well, you get the idea.

OK, this time around we need to know --

         1. How do you update your firewall ruleset when the PPPoE (ppp0) 
interface is set up (or when it gets a new address)? The PPPoE daemon 
probably calls a script for this, but you need to tell us the details, so 
we can figure out why it (apparently) isn't working.

         2. Am I correct in assuming that you are NATing the LAN? If so, 
the nat table (probably its POSTROUTING chain) is doing the SNAT or MASQ 
needed. What does
         iptables -nvL -t nat
report about this? (This is probably OK, if your prior report that setting 
the default-table policies to ACCEPT makes "everything" work.)

         3. More generally, what script is setting these rules up in the 
first place? Are you using some routing capability that comes as part of 
FC2? Or are you using a drop-in firewall/router package of some sort (like 
Shorewall -- though it is plain from the ruleset that you are not using 
Shorewall, so I mention it only as an example)? Or did you craft something 
yourself?

         4. What actual failures are you encountering? "im still having 
problems" is on the vague end of descriptions.

         5. How do you *want* this router to operate? Just using default 
ACCEPT policies isn't really very good firewalling ... but in practice, it 
isn't usually all that vulnerable, since most breakins target Windows, not 
Linux, and the NATing makes the Windows machines invisible to connections 
that initiate from outside.









* Re: Cant get internet access on my router (sent again)
  2004-10-21 21:16 ` Ray Olszewski
@ 2004-10-22 22:34   ` Ole Martin Handeland
  0 siblings, 0 replies; 3+ messages in thread
From: Ole Martin Handeland @ 2004-10-22 22:34 UTC (permalink / raw)
  To: linux-newbie

Well... I figured it out myself.... did an accept all from ppp0....

Pretty embarrassed... :P

Thanks anyway!



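An added example, not a script from the thread or from the poster: one way to write the ruleset Ray describes (the router's own traffic passes through INPUT and OUTPUT, forwarded LAN traffic through FORWARD plus nat POSTROUTING) so that the gateway gets Internet access without Ole's fix of accepting everything from ppp0, which would also expose ports 22, 139, 5900 and so on to the Internet if any rule without an "-i eth1" match is added later. Assumptions not in the thread: eth1 is the LAN interface, ppp0 the external one, the LAN subnet is 192.168.1.0/24, and LAN hosts only need ssh on the gateway itself. Because iptables cannot be run in a test environment, every rule goes through a small wrapper that prints the command when DRYRUN=1 (the default) and executes it otherwise.

```shell
#!/bin/sh
# Added example (not the poster's script): a minimal stateful ruleset for the
# FC2 PPPoE gateway described in the thread. eth1 = LAN, ppp0 = Internet
# (PPPoE over eth0); the LAN subnet 192.168.1.0/24 is an assumption.
# Every rule goes through run_rule, which prints the iptables command when
# DRYRUN=1 (the default here) and executes it otherwise.

LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-ppp0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
DRYRUN=${DRYRUN:-1}

run_rule() {
    if [ "$DRYRUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

gateway_rules() {
    # Start from clean filter and nat tables, default-deny everywhere.
    run_rule -F
    run_rule -X
    run_rule -t nat -F
    run_rule -P INPUT DROP
    run_rule -P FORWARD DROP
    run_rule -P OUTPUT DROP

    # Log-then-drop chain, like the LOG_DROP chain in the posted ruleset.
    run_rule -N LOG_DROP
    run_rule -A LOG_DROP -m limit --limit 5/min -j LOG --log-prefix FW_DROP:
    run_rule -A LOG_DROP -j DROP

    # Loopback is needed by local services (resolver, webmin on 10000, ...).
    run_rule -A INPUT -i lo -j ACCEPT
    run_rule -A OUTPUT -o lo -j ACCEPT

    # INPUT on ppp0: only replies to connections the gateway itself opened.
    # This is what gives the router its own Internet access. A bare
    # "-i ppp0 -j ACCEPT" also works, but then every listening service is
    # reachable from the Internet. A LAN source address arriving on ppp0 is
    # spoofed and is logged and dropped first.
    run_rule -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j LOG_DROP
    run_rule -A INPUT -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # INPUT on eth1: replies, ssh, and DHCP requests from LAN clients
    # (the thread says the DHCP server runs on this gateway).
    run_rule -A INPUT -i "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run_rule -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT
    run_rule -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
    run_rule -A INPUT -j LOG_DROP

    # OUTPUT: the gateway's own traffic. An empty OUTPUT chain with policy
    # DROP, as in the thread, silently blocks every connection the host
    # itself tries to make, whatever INPUT allows.
    run_rule -A OUTPUT -o "$WAN_IF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run_rule -A OUTPUT -o "$LAN_IF" -j ACCEPT

    # FORWARD: LAN to Internet, and replies back in. Forwarded packets never
    # traverse INPUT or OUTPUT, which is why the LAN worked while the
    # router itself did not.
    run_rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run_rule -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run_rule -A FORWARD -j LOG_DROP

    # nat POSTROUTING: MASQUERADE rather than SNAT, because ppp0 gets a new
    # address on every PPPoE negotiation.
    run_rule -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

gateway_rules
```

Running it with DRYRUN=0 as root loads the rules. Since ppp0 exists only after PPPoE has come up, the script has to be invoked from pppd's ip-up hook; on Red Hat-derived systems /etc/ppp/ip-up runs /etc/ppp/ip-up.local if it exists, which is the usual place for this (an assumption about FC2's pppd packaging, not something the thread states). Forwarding also needs net.ipv4.ip_forward set to 1, which the thread shows is already the case. After loading, "iptables -nvL" should show the ESTABLISHED,RELATED rule on ppp0 and the OUTPUT rule on ppp0 accumulating packets while LOG_DROP stays quiet for the gateway's own traffic.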