iptables on Debian or Ubuntu


iptables on Debian or Ubuntu

Posted on Thu Feb 24, 2011 2:44 pm

I need to deploy a new firewall at work. Now, I'm a total iptables noob, so be gentle. For the last two days I've been getting learned-up, and here's the script I've built so far:
# LAN on eth0
# Internet on eth1

# Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Flush iptables
iptables -F
iptables -t nat -F
iptables -X

# Set chain policies
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT

# Enable masquerade
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Accept all connections not from eth1
iptables -A INPUT ! -i eth1 -j ACCEPT

# Accept loopback
iptables -A INPUT -i lo -j ACCEPT

# Accept already established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Filter forwarding
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Accept all ICMP
iptables -A INPUT -p ICMP -j ACCEPT

# Accept SSH on eth1
# Accept FTP on eth1
# Accept http on eth1


I have a couple of comments down there at the bottom for what I want to do next.
Have I missed anything obvious?
I think I need the #!/bin/bash line to start the script and I need to have the script run automatically at startup or when eth1 comes up... yes?

And, is it necessary to have both of these:
iptables -A INPUT ! -i eth1 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
flip-mode
Gerbil Khan
Silver subscriber
 
 
Posts: 9084
Joined: Thu May 08, 2003 12:42 pm
Location: Cincinnati, OH

Re: iptables on Debian or Ubuntu

Posted on Thu Feb 24, 2011 4:38 pm

First off take a look at iptables-save and iptables-restore, that way you can tweak things by hand and then save and restore. See http://www.debian-administration.org/articles/445 or http://wiki.debian.org/iptables for examples on how to do this.

I'll dig in to the actual rules a bit later heading out shortly...
notfred
Grand Gerbil Poohbah
 
Posts: 3736
Joined: Tue Aug 10, 2004 10:10 am
Location: Ottawa, Canada

Re: iptables on Debian or Ubuntu

Posted on Thu Feb 24, 2011 5:13 pm

Stuff like Webmin is made precisely for this kind of routine fudging, just as long as you don't rely too much on the clickly interface and, well, know what you're doing.
morphine
Gerbil Khan
Silver subscriber
 
 
Posts: 9986
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: iptables on Debian or Ubuntu

Posted on Thu Feb 24, 2011 5:26 pm

notfred wrote: First off take a look at iptables-save and iptables-restore, that way you can tweak things by hand and then save and restore. See http://www.debian-administration.org/articles/445 or http://wiki.debian.org/iptables for examples on how to do this.

I'll dig in to the actual rules a bit later heading out shortly...

I saw those and used them at first but then I figured it was just as easy to make a script file and keep tweaking inside the file and re-executing the script.

Thanks for taking a look when you can!
morphine wrote: Stuff like Webmin is made precisely for this kind of routine fudging, just as long as you don't rely too much on the clickly interface and, well, know what you're doing.


Well, that is probably a very sensible thing to use. I wanted to have some CLI fun and at the moment I've got a little bit of spare time at work to use toward this end.
flip-mode

Re: iptables on Debian or Ubuntu

Posted on Thu Feb 24, 2011 8:12 pm

Have you looked at ufw? It is still CLI-based, but easier to understand than raw iptables rules. There's also a GUI-based front end to ufw (gufw).

Although ufw is a Canonical (Ubuntu) product, it is also available in the Debian repositories.
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37705
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: iptables on Debian or Ubuntu

Posted on Thu Feb 24, 2011 11:08 pm

Rather than bash, shell scripts should have #!/bin/sh as their first line and you'll also need to make sure that it is executable (chmod 755 <>).

One thing I just realised, you didn't specify whether the internal network uses public address (in which case all you are doing is firewalling and routing) or uses private addresses (in which case you want to firewall and NAT). Given that you have the "Enable masquerade" line then I think you are looking for the private address scenario.

Here's my iptables.save, it's in a slightly different format than the raw commands but you should be able to work out the raw commands from it
Code: Select all
# Generated by iptables-save v1.4.2 on Sun Jun 28 19:33:52 2009
*nat
:PREROUTING ACCEPT [16:927]
:POSTROUTING ACCEPT [1:76]
:OUTPUT ACCEPT [2:152]
-A PREROUTING -p udp -m udp --dport 10000 -j DNAT --to-destination 192.168.1.1
-A PREROUTING -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.1.1
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Sun Jun 28 19:33:52 2009
# Generated by iptables-save v1.4.2 on Sun Jun 28 19:33:52 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [22234:281341606]
:block - [0:0]
-A INPUT -i ppp0 -p icmp -m limit --limit 10/sec -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i ppp0 -m state --state INVALID,NEW -j DROP
-A INPUT -j block
-A FORWARD -p tcp -m tcp --dport 1723 -j ACCEPT
-A FORWARD -p udp -m udp --dport 10000 -j ACCEPT
-A FORWARD -i ppp0 -m state --state INVALID,NEW -j DROP
-A FORWARD -j block
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block -i ! ppp0 -m state --state NEW -j ACCEPT
-A block -j DROP
COMMIT
# Completed on Sun Jun 28 19:33:52 2009
# Generated by iptables-save v1.4.2 on Sun Jun 28 19:33:52 2009
*mangle
:PREROUTING ACCEPT [22408:281332084]
:INPUT ACCEPT [22348:281321477]
:FORWARD ACCEPT [60:10607]
:OUTPUT ACCEPT [22234:281341606]
:POSTROUTING ACCEPT [22275:281351273]
COMMIT
# Completed on Sun Jun 28 19:33:52 2009
# Generated by iptables-save v1.4.2 on Sun Jun 28 19:33:52 2009
*raw
:PREROUTING ACCEPT [22408:281332084]
:OUTPUT ACCEPT [22234:281341606]
COMMIT
# Completed on Sun Jun 28 19:33:52 2009

So to start with I run private IP addresses internally on my LAN and my Internet facing interface is ppp0 rather than your eth1. If you need to run NAT you can probably adapt what I have simply by replacing ppp0 with eth1. The numbers in square brackets are just counter values at the time I ran iptables-save.

First block is for the nat table, it sets the policies and then port forwards UDP 10000 and TCP 1723 to the box I use for downloading torrents which is 192.168.1.1

Next block is the main one. It first of all sets up the policies for the chains including introducing a new chain called "block" of which more later.
First rule is to rate limit ICMP - ICMP is needed for Path MTU Discovery and other stuff so we want it working, but rate limit it to avoid being flooded with it leading to a Denial-of-Service
Next rules are to accept SSH, SMTP, HTTPS and HTTP - the services I expose to the Internet.
The next rule says any other invalid or new connections from the Internet get dropped (i.e. stealth the ports).
Everything else goes to the block chain.

The FORWARD chain has rules for accepting the forwarded ports, dropping the invalid or new connections from the Internet and going to the block chain for everything else.

The block chain says to accept everything related or established. Then anything not from the Internet (i.e. loopback or LAN) in state NEW also gets accepted, finally everything else (which should be new or invalid from the Internet) gets dropped.

The mangle and raw chains are just left at their defaults.

This should help, if not I can try and decode to raw commands for you. The one area I think might be a little tricky is ftp as it does funny things with command and data, but SSH and HTTP should be a copy of what I have.

I found a guide years ago to securing your Linux server, I forget the name - it was something controversial that happened to also be a mountain range in Utah or similar, but that put me on to the basics of the iptables. Maybe someone has better Google-fu than me and can find it.

Let me know how it goes!
notfred

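Putting the ruleset above into the poster's eth0/eth1 layout, here is an added example (not notfred's file or the poster's script) that generates the same structure in iptables-restore format with default DROP policies; the exposed ports, the 10.1.1.246 forward target and the file path are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the thread's own script: generate an iptables-restore
# file for "LAN on eth0, Internet on eth1, private addresses inside",
# following the structure of the ruleset above (block chain, rate-limited
# ICMP, stealthed ports, DNAT port forwards). Values below are assumptions.
WAN="eth1"                     # Internet-facing interface
LAN="eth0"                     # LAN interface
EXPOSED_TCP="22 80"            # services running on the firewall itself
FORWARDS="tcp:443:10.1.1.246"  # proto:port:internal-host forwards (illustrative target)

# Split one "proto:port:target" entry into the variables proto, port, target.
split_forward() {
    proto=${1%%:*}; rest=${1#*:}; port=${rest%%:*}; target=${rest#*:}
}

# Print the whole ruleset on stdout in iptables-save format.
gen_ruleset() {
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    for f in $FORWARDS; do
        split_forward "$f"
        echo "-A PREROUTING -i $WAN -p $proto -m $proto --dport $port -j DNAT --to-destination $target:$port"
    done
    # Rewrite the source of everything leaving on the WAN side.
    echo "-A POSTROUTING -o $WAN -j MASQUERADE"
    echo "COMMIT"
    echo "*filter"
    # Default DROP so that a missing rule fails closed rather than open.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo ":block - [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    # ICMP is needed for Path MTU Discovery but is rate-limited against floods.
    echo "-A INPUT -i $WAN -p icmp -m limit --limit 10/sec -j ACCEPT"
    for p in $EXPOSED_TCP; do
        echo "-A INPUT -p tcp -m tcp --dport $p -j ACCEPT"
    done
    # Anything else new from the Internet is dropped silently (stealthed).
    echo "-A INPUT -i $WAN -m state --state INVALID,NEW -j DROP"
    echo "-A INPUT -j block"
    for f in $FORWARDS; do
        split_forward "$f"
        # After DNAT the packet is addressed to the internal host, so match on that.
        echo "-A FORWARD -i $WAN -o $LAN -d $target -p $proto -m $proto --dport $port -j ACCEPT"
    done
    echo "-A FORWARD -i $WAN -m state --state INVALID,NEW -j DROP"
    echo "-A FORWARD -j block"
    # block: replies to existing flows, then new flows from LAN/loopback only.
    echo "-A block -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "-A block ! -i $WAN -m state --state NEW -j ACCEPT"
    echo "-A block -j DROP"
    echo "COMMIT"
}

# Number of -A rules in the generated ruleset (a quick sanity check).
count_rules() {
    gen_ruleset | grep -c '^-A '
}

# As root: ./fw.sh --apply writes the file and loads it in one step.
if [ "${1:-}" = "--apply" ]; then
    gen_ruleset > /etc/network/iptables.save
    iptables-restore < /etc/network/iptables.save
fi
```

It does not touch net.ipv4.ip_forward, which still has to be enabled in /etc/sysctl.conf or at boot as discussed in the thread.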
Re: iptables on Debian or Ubuntu

Posted on Fri Feb 25, 2011 9:44 am

notfred - that's brilliant! thanks! I'm going to go through it line by line.

As for FTP, I have found a couple different things. The simplest thing I've seen suggested is to do this:
modprobe ip_conntrack_ftp
iptables -A INPUT -m helper --helper ftp -j ACCEPT
flip-mode

Re: iptables on Debian or Ubuntu

Posted on Fri Feb 25, 2011 2:29 pm

OK, here's the latest. I still need to add some forwarding rules for email. I'm going to serve http and ftp off of the firewall machine, so no need to forward those.
# Generated by iptables-save v1.4.4 on Fri Feb 25 13:59:18 2011
*nat
:PREROUTING ACCEPT [15598:2864826]
:POSTROUTING ACCEPT [609:74901]
:OUTPUT ACCEPT [775:108941]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Fri Feb 25 13:59:18 2011
# Generated by iptables-save v1.4.4 on Fri Feb 25 13:59:18 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [57:7014]
-A INPUT ! -i eth1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m limit --limit 10/sec -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m helper --helper "ftp" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -m state --state INVALID,NEW -j DROP
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
# Completed on Fri Feb 25 13:59:18 2011


That's obviously the iptables-save output, but I'm probably going to use the actual script to implement it because the script contains the "modprobe ip_conntrack_ftp" command in it. I need to drop that script some place where it will run at boot.

The script also says:

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/eth1/rp_filter

but, I have a feeling that those settings just need to be done once, not every time there is a reboot. Can anyone confirm? If that's the case, then I'll remove them from the script.
flip-mode

Re: iptables on Debian or Ubuntu

Posted on Fri Feb 25, 2011 4:23 pm

I can confirm that those echoes will be permanent until a reboot, you could just set the appropriate things in sysctl.conf instead and they will get set on boot.

I can't spot anything wrong in your iptables at the moment. It's worth trying it and giving it a test with ShieldsUp! to see if it stealths all ports apart from the ones you need.
notfred

Re: iptables on Debian or Ubuntu

Posted on Thu Mar 03, 2011 4:06 pm

OK, I'm annoyed. :D Trying to do a simple port forward for port 443. I've added the following two rules to make it happen:

iptables -t filter -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.1.1.246:443

This is my first port forwarding rule - only other nat rule is MASQUERADE.

I added the INPUT rule before the end of my chain where I have a rule to drop any INVALID,NEW packet that hasn't already been accepted, so that shouldn't be the problem.
:-? Maybe I should try ufw? I don't want to just throw in the towel, but this seems more complicated than it needs to be.
flip-mode

Re: iptables on Debian or Ubuntu

Posted on Thu Mar 03, 2011 4:28 pm

flip-mode wrote: :-? Maybe I should try ufw? I don't want to just throw in the towel, but this seems more complicated than it needs to be.

I am of the opinion that iptables was never really meant to be used by mere mortals. That's why higher level tools like ufw were invented... :wink:
just brew it!

Re: iptables on Debian or Ubuntu

Posted on Thu Mar 03, 2011 4:35 pm

just brew it! wrote:
flip-mode wrote: :-? Maybe I should try ufw? I don't want to just throw in the towel, but this seems more complicated than it needs to be.

I am of the opinion that iptables was never really meant to be used by mere mortals. That's why higher level tools like ufw were invented... :wink:

I was aiming for immortality :cry:
flip-mode

Re: iptables on Debian or Ubuntu

Posted on Thu Mar 03, 2011 4:40 pm

OK, so how do I gracefully back out of iptables and step into ufw? Just delete my iptables startup script and do an iptables flush and that's that?
flip-mode

Re: iptables on Debian or Ubuntu

Posted on Sat Mar 05, 2011 8:23 pm

I gotta say that ufw is kinda disappointing. Port forwarding with ufw is essentially just as complicated as with iptables. :-? It's easy enough to open ports but really that was pretty easy with iptables too. :sigh: I'll just keep banging on this stuff till I get it to work.
flip-mode

Re: iptables on Debian or Ubuntu

Posted on Sun Mar 06, 2011 8:37 am

If you don't like ufw have a look at shorewall (shoreline).

I can't claim to really understand how to use it properly but it's well documented and doing the basic firewall tasks I need on my home network is a piece of piss.

While it's still very complicated I found it much easier to understand than both iptables and a Cisco 5505 that I had to set up recently.
cheesyking
Minister of Gerbil Affairs
 
Posts: 2267
Joined: Sun Jan 25, 2004 7:52 am
Location: That London (or so I'm told)

Re: iptables on Debian or Ubuntu

Posted on Sun Mar 06, 2011 9:03 am

Thanks, cheesy, I'll take a look :P
flip-mode

Re: iptables on Debian or Ubuntu

Posted on Sun Mar 06, 2011 9:39 am

I've also had reasonable results in the past using Firestarter for simple Linux firewall setups. I hesitated to recommend it in this case because it is A) GUI-based (and you seem to want to stick to command line); and B) apparently no longer in active development (though still available in the Debian/Ubuntu repositories). But if you want something that behaves more like the admin interface in a typical consumer router it may be worth a look.
just brew it!

Re: iptables on Debian or Ubuntu

Posted on Sun Mar 06, 2011 2:32 pm

I'm probably going to end up going back to iptables. ufw looks good for simple stuff like opening a port, but if you want to do port forwarding then you have to do it with "preload" statements that are almost the same as what one would have to type up for iptables. I am bummed that there's not a web interface for iptables. It's all good though.
flip-mode

Re: iptables on Debian or Ubuntu

Posted on Sun Mar 06, 2011 4:52 pm

I'm wondering if your port forward of HTTPS is maybe more of an issue with the way HTTPS and security certificates work. That's why you can't do HTTPS on multiple virtual hosts. Are you sure that it's the port forwarding that's actually not working or is it something higher up in the HTTPS security stack?
notfred

Re: iptables on Debian or Ubuntu

Posted on Sun Mar 06, 2011 6:35 pm

notfred wrote: I'm wondering if your port forward of HTTPS is maybe more of an issue with the way HTTPS and security certificates work. That's why you can't do HTTPS on multiple virtual hosts. Are you sure that it's the port forwarding that's actually not working or is it something higher up in the HTTPS security stack?

I am most definitely not sure. 8)
flip-mode

Re: iptables on Debian or Ubuntu

Posted on Mon Mar 07, 2011 9:12 pm

I cannot crack this nut :cry:

I did a fresh install of Ubuntu 10.04 server. I wanted a clean state.
I did # echo 1 > /proc/sys/net/ipv4/ip_forward
Then I set up iptables again, and here's the output of iptables-save
# Generated by iptables-save v1.4.4 on Mon Mar  7 19:50:34 2011
*nat
:PREROUTING ACCEPT [311:76468]
:POSTROUTING ACCEPT [12:741]
:OUTPUT ACCEPT [6:429]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination x.x.x.x:80
COMMIT
# Completed on Mon Mar  7 19:50:34 2011
# Generated by iptables-save v1.4.4 on Mon Mar  7 19:50:34 2011
*filter
:INPUT DROP [880:116463]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4348:1010786]
-A INPUT ! -i eth1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m limit --limit 5/sec -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m helper --helper "ftp" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d x.x.x.x/32 -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Mon Mar  7 19:50:34 2011


So I have a PREROUTING rule in the NAT table and a FORWARD rule in the filter table, all based upon some guidance from here.

No dice. I tried multiple variations of the PREROUTING rule. I tried adding a rule to accept all --dport 80 traffic on the internet interface and I also tried it without that rule.

Either my PREROUTING rule is wrong or my FORWARD rule is wrong or BOTH or it could still be something else entirely. I'm absolutely no closer to successfully forwarding a port.

Anybody see anything obvious?

Hold on, wait, what's that /32 mask on the -d address of the FORWARD rule? Don't I want a /24 mask (255.255.255.0)? Could that be it or am I getting my masks confused? Bah, no, that's not the problem.
flip-mode

Re: iptables on Debian or Ubuntu

Posted on Mon Mar 07, 2011 9:33 pm

OK, comparing it with mine that works:

1) On the PREROUTING rule I don't have an interface specified so try dropping the "-i eth1" from yours.

2) On the FORWARD I don't have the address or interface specified so remove the "-d x.x.x.x/32 -i eth1" from yours.

To fix this, do the following as root
iptables-save > /etc/network/iptables.save
vi /etc/network/iptables.save (or whatever editor you prefer to make your changes)
iptables-restore < /etc/network/iptables.save


You also seem to be missing a "-A POSTROUTING -o eth1 -j MASQUERADE" line from the end of your NAT table.
notfred

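To go with the comparison above, here is an added checker (not notfred's or the poster's code) that reads an iptables-save dump and reports which of the firewall-side pieces of a DNAT port forward are missing or listed in the wrong order; the internal host's default gateway is outside the dump, so it cannot see that. The sample dump inside it is constructed to match the poster's, with x.x.x.x carried over as the stand-in for the web server.

```shell
#!/bin/sh
# Added example, not the thread's own code: read-only lint of an
# iptables-save dump for the firewall-side pieces a DNAT port forward
# needs. It reads the dump and /proc only. Usage:
#   sh fwcheck.sh /etc/network/iptables.save eth1 80

# check_forward DUMP WANIF PORT: prints each missing piece and returns the
# number missing (0 means the firewall side looks complete).
check_forward() {
    dump=$1; wan=${2:-eth1}; port=${3:-80}; missing=0
    # 1. nat PREROUTING DNAT: the destination rewrite itself
    if ! grep -q -- "-A PREROUTING .*--dport $port .*-j DNAT" "$dump"; then
        echo "missing: nat PREROUTING DNAT rule for port $port"
        missing=$((missing + 1))
    fi
    # 2. nat POSTROUTING MASQUERADE on the WAN side (the line found absent above)
    if ! grep -q -- "-A POSTROUTING -o $wan -j MASQUERADE" "$dump"; then
        echo "missing: nat POSTROUTING MASQUERADE on $wan"
        missing=$((missing + 1))
    fi
    # 3. filter FORWARD must pass the port: policy ACCEPT or an explicit rule
    if ! grep -q -- "^:FORWARD ACCEPT" "$dump" \
       && ! grep -q -- "-A FORWARD .*--dport $port .*-j ACCEPT" "$dump"; then
        echo "missing: filter FORWARD accept for port $port"
        missing=$((missing + 1))
    fi
    # 4. ordering: a WAN-side DROP listed before the accept wins, so flag that
    accept_ln=$(grep -n -- "-A FORWARD .*--dport $port .*-j ACCEPT" "$dump" | head -1 | cut -d: -f1)
    drop_ln=$(grep -n -- "-A FORWARD -i $wan .*-j DROP" "$dump" | head -1 | cut -d: -f1)
    if [ -n "$accept_ln" ] && [ -n "$drop_ln" ] && [ "$drop_ln" -lt "$accept_ln" ]; then
        echo "order: FORWARD DROP on $wan is listed before the accept for port $port"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Routing between interfaces must be on (the ip_forward step from the thread).
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Constructed sample shaped like the poster's dump above (x.x.x.x stands in
# for the internal web server): DNAT and FORWARD present, MASQUERADE absent.
make_sample_dump() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination x.x.x.x:80
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d x.x.x.x/32 -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
    echo "$f"
}

if [ "$#" -ge 1 ]; then
    ip_forward_enabled || echo "missing: net.ipv4.ip_forward is not 1"
    check_forward "$1" "${2:-eth1}" "${3:-80}" && echo "firewall side looks complete"
fi
```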
Re: iptables on Debian or Ubuntu

Posted on Tue Mar 08, 2011 4:17 pm

notfred, a thought hit me on the way home and I'm pretty sure this could be the problem. Does the web server behind the firewall need to point to the firewall as its gateway as well? My thought is that these connections coming in from the internet are making it to the server but the server is sending its response out through the other gateway. :oops: Too darn bad I'm not at work anymore so all I can do right now is hypothesize.
flip-mode

Re: iptables on Debian or Ubuntu

Posted on Wed Mar 09, 2011 9:14 am

Good golly, that was the problem. That's about 4 days of misery over the most ridiculous setting to forget. I'm a jack wagon. :roll:
flip-mode

Re: iptables on Debian or Ubuntu

Posted on Wed Mar 09, 2011 1:05 pm

I'd still consider using something on top of iptables as it would make modifying the firewall a lot easier a year or two down the line if you're not a frequent iptables user.

It's always a good idea to know how to do it the hard way first so you can debug problems easier.
cheesyking

Re: iptables on Debian or Ubuntu

Posted on Wed Mar 09, 2011 1:54 pm

cheesyking wrote: I'd still consider using something on top of iptables as it would make modifying the firewall a lot easier a year or two down the line if you're not a frequent iptables user.

It's always a good idea to know how to do it the hard way first so you can debug problems easier.

That is a good point cheesy. I will be keeping my eyes open. And for what it is worth, I've been taking very precise notes during this process.
flip-mode

Re: iptables on Debian or Ubuntu

Posted on Sun Mar 13, 2011 9:42 am

Troubles again :cry:

Everything was working perfectly. Then I took the hard drive and moved it to an identical machine - except for the video card and one of the NICs. Everything outside of the networking stuff works fine. Some of the networking stuff works fine too. But some does not work fine.

From the box, I can ping out to anything on either the internet or the LAN. Everything outbound seems to work just fine, but no inbound connections are accepted.

So, I wiped iptables clean, reset all chain policies to ACCEPT - so with no rules at all and a full accept policy, I still cannot ping TO the box. FROM the box, everything works. TO the box, nothing works.

I don't even remotely understand.

Does iptables/netfilter have some undocumented policy towards new network interfaces? Technically, even though only one of my NICs is a different model, they are both "new" since they are different MACs.

Oh, and the other thing I did was wipe out my /etc/udev/rules.d/70-persistent-net.rules to get the NICs properly named to eth0 and eth1 instead of eth2 and eth3. So NIC names are not an issue.

WHY IS THIS SO COMPLICATED? Changing NICs should not be such a big deal!

#######################
I don't know much about netstat, but I did run a couple of netstat commands.

netstat -s tells me some interesting things:
80 outgoing packets dropped
16 dropped because of missing route
13 ICMP messages received
0 input ICMP message failed

#####################
From inside the box I can ping the IP address of each of the network interfaces successfully - eth0, eth1, and lo... if I can successfully ping from inside the box, why not from outside the box?

Woah, wait, something changed and now I can ping from outside.... what changed? WTF did I do?
flip-mode

Re: iptables on Debian or Ubuntu

Posted on Sun Mar 13, 2011 10:23 am

Two thoughts:
1) Rather than wiping /etc/udev/rules.d/70-persistent-net.rules it's often better to just edit it to ensure you end up with the correct cards being eth0 and eth1. Given that everything is now working, that's not your problem this time, just a useful heads up for next time.

2) I suspect something in your network had a stale ARP entry that eventually timed out and re-ARP'd for the correct MAC address, or similarly stale switch port MAC entry. It can be a real nightmare chasing those down and trying to flush ARP tables. It's often best to use new IPs or leave 24hrs between powering down the old hardware and powering up the new stuff.
notfred

Re: iptables on Debian or Ubuntu

Posted on Sun Mar 13, 2011 10:37 am

Things are getting better but they are also getting weirder.

I can now successfully ping the box. I can also now successfully ping the internet from a host behind the box. And I can also successfully ping the box over the internet. But, I cannot connect to the web from behind the box. How is it possible that I can ping an internet host from behind the box but not be able to access any websites?

##################
Even stranger, I can get to a webserver on a host behind the box from the internet.

##################
OK, it's not that strange actually. This just means that everything but masquerading is working. I just have to figure out why...
flip-mode

Re: iptables on Debian or Ubuntu

Posted on Sun Mar 13, 2011 1:37 pm

From earlier in the thread
notfred wrote: You also seem to be missing a "-A POSTROUTING -o eth1 -j MASQUERADE" line from the end of your NAT table.

Did you fix that?
notfred
