On Thu, 26 Dec 2013 20:41:24 +1300 Richard Hector <rich...@walnut.gen.nz> wrote:
> On 26/12/13 18:27, mett wrote:
> > Hi,
> >
> > I'm using a debian box as a router and multiserver between my LAN
> > and the internet.
> >
> > Everything was working fine till yesterday when I put the box down
> > for upgrading memory, for a few hours.
> >
> > Right now, the external interface of the gateway is fully accessible
> > from the net, and I do not have any problem with the different
> > services I am providing to the outside (mail, webserver, and dns for
> > the web servers).
> >
> > The problem is on the LAN side, I can access some sites but not all
> > the sites as I used to do.
> >
> > For example, I can access the "Start page" search engine but not
> > "Duckduckgo".
> > That's really strange.
> >
> > iptables -A FORWARD -i ppp0 -o eth0 -m state --state
> > ESTABLISHED,RELATED -j ACCEPT
>
> I assume that's really on one line?

Yes

> > # Don't forward from the outside to the inside.
> > iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
>
> That looks like outside to outside - you probably want "-i ppp0 -o
> eth0"
>
> Beyond that, I have no idea, sorry.
>
> I'd be testing with tcpdump, as you have been. Possibly confirm that
> the IP addresses you're getting from DNS inside and on the gateway
> are the same?
>
> Also perhaps try removing everything unrelated to the masquerading bit
> from your script and see if that works, then add bits back in?
>
> I also generally use a policy DROP rule (iptables -P INPUT DROP),
> which I specify at the top of the file, rather than dropping through
> to a DROP/REJECT rule at the end. That shouldn't make any difference,
> though.
>
> Richard

Hi,

It seems I had many problems in fact...
I couldn't check everything yet, but now it's working.
I did a few dirty things like deleting all the rules one by one, because even when moving the script somewhere else, it still acted when I restarted the interfaces.
Finally I cleaned the original script, going one rule at a time.
------------------------------------------------------------------------
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin
#
# delete all existing rules (this flushes the filter table only;
# the nat table is not touched here).
#
iptables -F

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# log udp port 5060 (SIP) arriving on the external interface
iptables -A INPUT -i ppp0 -p udp --dport 5060 -j LOG --log-level debug
# asterisk
iptables -A INPUT -i ppp0 -p udp --dport 5060 -j ACCEPT
# tor
iptables -A INPUT -i ppp0 -p tcp --dport 9001 -j ACCEPT
# postfix (smtp and submission)
iptables -A INPUT -i ppp0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 587 -j ACCEPT
# dovecot (pop3, pop3s, imap, imaps)
iptables -A INPUT -i ppp0 -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 995 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 993 -j ACCEPT
# apache (http, https)
iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 443 -j ACCEPT
# maradns
iptables -A INPUT -i ppp0 -p udp --dport 53 -j ACCEPT

# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Replies from the internet to connections the LAN opened
iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Don't forward from the outside to the inside
# (the ESTABLISHED,RELATED rule above already let the replies through).
iptables -A FORWARD -i ppp0 -o eth0 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
------------------------------------------------------------------------

I realized that if I use the following rule at the beginning, even with the POSTROUTING at the end, then it doesn't work:

iptables -t nat -F

Also, this one doesn't get accepted by iptables:

iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT

It's deprecated and you have to put it before the option, which I tried, but the result scared me with words like nontracked, raw and similar. I thought the ! was for "Not this one". Anyway, I deleted this rule and changed the one with ppp0 to ppp0 for ppp0 to eth0. I thought it made sense ppp0 to ppp0 like "don't forward via this interface". Only INPUT to OUTPUT.

I'll have to check the whole thing more seriously, because I was planning to drop, as you advised, all the non-accepted ones in the INPUT chain, before the masquerade problem happened.

Thanks for your comment.

Archive: http://lists.debian.org/20131227012612.0f1073a6@hp.tamerr
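A gateway script in the same shape as the one posted above, added here as an example and not mett's or Richard's code. It puts together the three points raised in the thread: the nat table is flushed along with the filter table (a bare "iptables -F" leaves old POSTROUTING entries in place), INPUT and FORWARD get a DROP policy as Richard suggested instead of a trailing REJECT rule, and the "not ppp0" rule is written with the negation before the option ("! -i ppp0") using the conntrack match rather than the older state match. Interface names (ppp0, eth0) and the port list are taken from the posted script; the WAN/LAN/IPT variables, the function names and the IPT=echo dry-run mode are assumptions of this example, not anything from the thread.

```shell
#!/bin/sh
# Added example, not the script from the thread. Same layout as the posted
# script, with three changes discussed above:
#   - the nat table is flushed together with the filter table
#   - INPUT and FORWARD get a DROP policy instead of a trailing REJECT rule
#   - the "not ppp0" rule uses the current syntax (! before -i)
# Interface names and ports follow the posted script; WAN, LAN, IPT and the
# function names are assumptions of this example.
# Set IPT=echo to print the commands instead of loading them (no root needed).
PATH=/usr/sbin:/sbin:/bin:/usr/bin
WAN=${WAN:-ppp0}
LAN=${LAN:-eth0}
IPT=${IPT:-iptables}

flush_tables() {
    # "iptables -F" alone only empties the filter table; the nat table keeps
    # its old POSTROUTING entries unless it is flushed explicitly.
    $IPT -t filter -F
    $IPT -t filter -X
    $IPT -t nat -F
    $IPT -t nat -X
}

set_policies() {
    # Default to DROP so anything not matched below never gets in or through.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

input_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections the gateway itself opened.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections from any interface except the WAN link, i.e. the LAN.
    # The negation goes in front of the option it applies to.
    $IPT -A INPUT '!' -i "$WAN" -m conntrack --ctstate NEW -j ACCEPT
    # Services published to the internet (same ports as the posted script).
    for port in 25 587 110 995 143 993 80 443 9001; do
        $IPT -A INPUT -i "$WAN" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    $IPT -A INPUT -i "$WAN" -p udp --dport 5060 -j LOG --log-level debug
    for port in 53 5060; do
        $IPT -A INPUT -i "$WAN" -p udp --dport "$port" -j ACCEPT
    done
}

forward_rules() {
    # LAN -> internet: anything. internet -> LAN: only replies.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Unsolicited WAN -> LAN traffic falls through to the FORWARD DROP policy.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

build_firewall() {
    flush_tables
    set_policies
    input_rules
    forward_rules
}

# Print every command build_firewall would run, one per line, without
# touching the kernel. Handy for checking rule order before loading.
firewall_dry_run() {
    ( IPT=echo; build_firewall )
}

if [ "${1:-}" = "--apply" ]; then
    build_firewall
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
```

Run it as "sh firewall.sh --apply" as root to load the rules, or call firewall_dry_run (or run it with IPT=echo in the environment) to see the exact iptables invocations first; the one-rule-at-a-time debugging described above is much quicker against that listing than against a live ruleset.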