
I am not sure what's going on, but I have set up a gateway Debian box with iptables and a dhcpd server. The server is handing out the IP addresses to the clients just fine, with the gateway being set to the Debian box and DNS set to the ISP DNS. Now I can't figure out why the net isn't working on the client computers. The box is configured with eth0 (192.168.0.1) being the internal LAN and eth1 being the external to the internet. I have ip_forwarding set to 1 (on) as well. Here is my output from the iptables-save command. If anyone can help, please let me know!

UPDATE 1: I redid the rules to be very, very basic and it is still happening... tracert times out on the client, and the client can't ping Google but can ping the gateway and other clients... and the net works fine on the router box.

UPDATE 2: As per Patrick's suggestion, I set FORWARD to ACCEPT and am still having the same issues.

# Generated by iptables-save v1.4.8 on Mon Mar  5 20:46:23 2012
*mangle
:PREROUTING ACCEPT [8:608]
:INPUT ACCEPT [8:608]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:528]
:POSTROUTING ACCEPT [4:528]
COMMIT
# Completed on Mon Mar  5 20:46:23 2012
# Generated by iptables-save v1.4.8 on Mon Mar  5 20:46:23 2012
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE 
COMMIT
# Completed on Mon Mar  5 20:46:23 2012
# Generated by iptables-save v1.4.8 on Mon Mar  5 20:46:23 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5:628]
-A INPUT -i lo -j ACCEPT 
-A INPUT -i eth0 -j ACCEPT 
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT 
-A FORWARD -s 192.168.0.0/24 -i eth0 -j ACCEPT 
-A FORWARD -d 192.168.0.0/24 -i eth1 -j ACCEPT 
COMMIT
# Completed on Mon Mar  5 20:46:23 2012
John
  • Can you ping the gateway? What results do you get from a traceroute? Can the gateway get out? – Zoredache Mar 07 '12 at 16:14
  • Yes, I can ping the gateway from the clients. The gateway can get out to the internet fine. Results from tracert on the client aren't good... request times out on the first hop and all other hops. – John Mar 07 '12 at 16:18
  • Your firewall is pretty involved. Have you tried replacing it with the bare-minimum rule-set? Perhaps just a MASQ statement, and setting all the policies to ACCEPT? – Zoredache Mar 07 '12 at 17:16
  • Even after the edit you just did, you still have forward set to drop. – phemmer Mar 07 '12 at 18:35
  • You're sure /proc/sys/net/ipv4/ip_forward is enabled? (You did say `ip_forwarding`, not `ip_forward`, so I'm just making sure.) – phemmer Mar 07 '12 at 18:58
  • Yes sir... 1 being the output of cat: `# cat /proc/sys/net/ipv4/ip_forward` - 1 - `:~#` – John Mar 07 '12 at 19:00
  • It should be working; everything is configured properly. I'd do a `tcpdump` to verify the traffic from the clients is even making it to the server. Also, I'm sorry for my previous comment about FORWARD still being set to DROP. I didn't see that you added the rules in my answer below, so changing to ACCEPT wasn't required. – phemmer Mar 07 '12 at 19:06
  • Just a quick thing before I do tcpdump: the packets must be getting to the server, because on the client the DNS is set to the router/gateway and it is resolving names/IP addresses. – John Mar 07 '12 at 19:10
  • @john but that's just DNS. DNS could be completely functional while the default route is broken. – phemmer Mar 07 '12 at 19:53
  • Sorry for the late reply... been swamped. Here is the tcpdump output when I open a browser on the client: 18:30:09.346514 IP 192.168.0.10.61544 > GW001.INTRA.LOCAL.domain: 2415+ A? www.google.ca. (31) 18:30:09.421759 IP GW001.INTRA.LOCAL.domain > 192.168.0.10.61544: 2415 2/4/4 CNAME www-cctld.l.google.com., A 74.125.226.56 (219) – John Mar 08 '12 at 16:38
  • Now what I am experiencing: if I set the client's DNS to the ISP DNS, I can't see any requests going through tcpdump... still, clients can't access the net either. – John Mar 08 '12 at 20:21
  • Not too sure what is going on... I did a test setup and install of PacketFence and it is allowing clients onto the net... I am stumped!!! – John Mar 09 '12 at 14:32

1 Answer


You have the FORWARD filter set to DROP, so iptables is dropping all forwarding. If you want to keep it set to DROP, you need to add the following rules:

iptables -I FORWARD -i eth0 -s 192.168.0.0/24 -j ACCEPT
iptables -I FORWARD -i eth1 -d 192.168.0.0/24 -j ACCEPT
phemmer
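The situation the answer describes, as an added example that is not part of the original question or answer: a POSIX shell script that audits an iptables-save dump for the three things a Linux NAT gateway needs (ip_forward on, MASQUERADE out of the external interface, and a FORWARD chain that lets LAN traffic through in both directions) and prints a minimal rule set. The interface names and LAN prefix are the ones from the question; both sample dumps inside the script are constructed, and the `minimal_rules` function only prints commands, it does not apply them.

```shell
#!/bin/sh
# Added example, not part of the original question or answer: audit an
# iptables-save dump for the pieces a Linux NAT gateway needs and print the
# minimal rule set phemmer's answer describes. LAN_IF, WAN_IF and LAN_NET
# are the values from the question; the two sample dumps are constructed.

LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.0.0/24

# Constructed sample 1: FORWARD policy DROP and no accept rules, the
# situation the answer diagnoses.
SAMPLE_DROP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
COMMIT'

# Constructed sample 2: the poster's later dump, with both FORWARD rules.
SAMPLE_OK='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s 192.168.0.0/24 -i eth0 -j ACCEPT
-A FORWARD -d 192.168.0.0/24 -i eth1 -j ACCEPT
COMMIT'

# forward_policy DUMP: print the policy of the filter table's FORWARD chain.
forward_policy() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == ":FORWARD" { print $2 }'
}

# has_masquerade DUMP: succeed if the nat table masquerades out of WAN_IF.
has_masquerade() {
    printf '%s\n' "$1" | awk -v wan="$WAN_IF" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A POSTROUTING / && index($0, "-o " wan) && /-j MASQUERADE/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# forward_allows_lan DUMP: succeed if packets can cross the box both ways,
# via a FORWARD policy of ACCEPT or ACCEPT rules for each inbound interface.
forward_allows_lan() {
    printf '%s\n' "$1" | awk -v lan="$LAN_IF" -v wan="$WAN_IF" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == ":FORWARD" && $2 == "ACCEPT" { outbound = inbound = 1 }
        table == "filter" && /^-A FORWARD / && /-j ACCEPT/ {
            if (index($0, "-i " lan)) outbound = 1
            if (index($0, "-i " wan)) inbound = 1
        }
        END { exit (outbound && inbound ? 0 : 1) }'
}

# audit DUMP IP_FORWARD: print one line per missing piece and return the
# number of findings, so 0 means the box should be able to forward.
audit() {
    dump=$1 ipfwd=$2 problems=0
    if [ "$ipfwd" != 1 ]; then
        echo "ip_forward is $ipfwd, not 1: the kernel will not route between $LAN_IF and $WAN_IF"
        problems=$((problems + 1))
    fi
    if ! has_masquerade "$dump"; then
        echo "no MASQUERADE out of $WAN_IF in the nat table: replies can't get back to $LAN_NET"
        problems=$((problems + 1))
    fi
    if ! forward_allows_lan "$dump"; then
        echo "FORWARD policy is $(forward_policy "$dump") and no ACCEPT rules cover $LAN_IF/$WAN_IF"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# minimal_rules: print the smallest rule set that forwards the LAN. Inbound
# forwarding is limited to reply traffic via conntrack, which is tighter
# than the answer's accept-everything-destined-for-the-LAN rule.
minimal_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

audit "$SAMPLE_DROP" 1 || echo "$? problem(s) in the DROP sample"
audit "$SAMPLE_OK" 1 && echo "poster's rules are complete; look at routing and tcpdump next"
```

Saved as, say, audit-gateway.sh and run with `sh audit-gateway.sh`, it reports the FORWARD problem for the first sample and nothing for the poster's later ruleset. To audit a live box, pass the output of `iptables-save` and the value of `/proc/sys/net/ipv4/ip_forward` to `audit` instead of the samples. When it finds nothing, the ruleset is not the problem, and the next step is what the comments point at: the routing table on the gateway and clients (`ip route`), and a `tcpdump -i eth1` on the gateway to confirm that client packets actually leave the external interface after being masqueraded.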