I have set up a local linux (14.0.4 Ubuntu) machine as a router and can do the following:

  • ping server/router from the clients
  • ping clients from server/router
  • ping one client from the other
  • ping the modem/router behind the server/router

But I can't ping google or 8.8.8.8. I get the following errors:

ping: unknown host www.google.com
connect: network is unreachable

But I can issue both of those commands on the server/router without problem, which leads me to believe it is an iptables-related issue. Can someone have a look at the below code, which I use to initialize iptables, and tell me if there are any glaring mistakes?

#!/bin/bash

# Internal (LAN-facing) and external (WAN-facing) interfaces.
ethInternal=eth1
ethExternal=eth0

# Start from empty filter and nat tables.
sudo iptables --flush
sudo iptables --table nat --flush
sudo iptables --delete-chain
sudo iptables --table nat --delete-chain

# Masquerade LAN traffic as it leaves on the external interface.
sudo iptables -t nat -A POSTROUTING -o $ethExternal -j MASQUERADE
# Let replies to existing connections back in from WAN to LAN.
sudo iptables -A FORWARD -i $ethExternal -o $ethInternal -m state --state RELATED,ESTABLISHED -j ACCEPT
# Let anything from the LAN out to the WAN.
sudo iptables -A FORWARD -i $ethInternal -o $ethExternal -j ACCEPT

EDIT 1

client: netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
192.168.66.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0

EDIT 2

client: route add -net default gw 192.168.66.254
client: netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.66.254  0.0.0.0         UG        0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
192.168.66.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0

EDIT 3

SV-01: vi /var/log/kern.log

Relevant section of log file can be found here.

peterh
puk

2 Answers

5

The client has no default route via your router box. Try

route add -net default gw a.b.c.d

on the client, where a.b.c.d is the client-facing address of the firewall.

MadHatter
  • That made some progress (in a moment I will update question to show new `netstat -rn` output), now it at least tries to ping google.com, but fails after a few seconds – puk Jul 17 '15 at 08:07
  • Can you show us that, too? The *nature* of the failure is important. – MadHatter Jul 17 '15 at 09:48
  • `ping www.google.com` tries for 10-15s then outputs `ping: unknown host www.google.com`. `ping 8.8.8.8` outputs `PING 8.8.8.8 (8.8.8.8) 56 (84) bytes of data` then just hangs and I have to issue a CTL+C and for ping statistics it outputs `163 packets transmitted, 0 received, 100% packet loss, time 163294 ms` – puk Jul 17 '15 at 16:04
  • What settings do I have to change on the server such that I don't have to issue this command on every client? For example, on one of my windows machines I can't access the internet because this default gateway is not set (strangely, it is setting it to 192.158.66.254) – puk Jul 17 '15 at 22:50
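The missing default route from EDIT 1 and the mistyped gateway (192.158.66.254) mentioned in the comments are both things a client-side sanity check can catch before anyone touches iptables. The script below is an added example, not code from the question or the answer: it parses `netstat -rn` output, reports whether a default route exists, and checks that the gateway lies inside one of the directly connected networks. The three routing tables are constructed copies of the ones shown in the question plus one with the typo.

```shell
#!/bin/sh
# Added example: check a client's routing table (as printed by `netstat -rn`)
# for a default route whose gateway is actually reachable on-link.

# Constructed copy of the EDIT 2 table from the question.
ROUTES_OK='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.66.254  0.0.0.0         UG        0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
192.168.66.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0'

# Constructed table with the mistyped gateway from the comments.
ROUTES_BAD_GW='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.158.66.254  0.0.0.0         UG        0 0          0 eth0
192.168.66.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0'

# Constructed copy of the EDIT 1 table: no default route at all.
ROUTES_NO_DEFAULT='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
192.168.66.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0'

# ip2int: dotted quad -> 32-bit integer, POSIX sh arithmetic only.
ip2int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# default_gateway: print the gateway of the 0.0.0.0 route, or nothing.
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" { print $2; exit }'
}

# gateway_on_link: succeed if the default gateway falls inside one of the
# directly connected networks (rows whose Gateway column is 0.0.0.0).
gateway_on_link() {
    gw=$(default_gateway "$1")
    [ -n "$gw" ] || return 1
    gwi=$(ip2int "$gw")
    nets=$(printf '%s\n' "$1" | awk '$2 == "0.0.0.0" && $1 != "0.0.0.0" { print $1 "/" $3 }')
    for entry in $nets; do
        net=${entry%/*}
        mask=${entry#*/}
        neti=$(ip2int "$net")
        maski=$(ip2int "$mask")
        if [ $(( gwi & maski )) -eq $(( neti & maski )) ]; then
            return 0
        fi
    done
    return 1
}

# route_report: one-line verdict for a routing table.
route_report() {
    gw=$(default_gateway "$1")
    if [ -z "$gw" ]; then
        echo "NO_DEFAULT_ROUTE"
    elif gateway_on_link "$1"; then
        echo "OK gateway=$gw"
    else
        echo "GATEWAY_NOT_ON_LINK gateway=$gw"
    fi
}

# Run it against the three constructed tables; on a real client use:
#   route_report "$(netstat -rn)"
route_report "$ROUTES_NO_DEFAULT"
route_report "$ROUTES_OK"
route_report "$ROUTES_BAD_GW"
```

`GATEWAY_NOT_ON_LINK` is exactly the case where `ping` reports `connect: network is unreachable` even though a default route is present: the kernel has nowhere to send the ARP request for the gateway.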
2

Well, your configuration seems to be a bit short. I'm attaching the configuration of my router as a working example.

Also, you are using '-m state' to track related and established connections, while I usually utilise '-m conntrack'.

What you can try is to log dropped packets and see what is getting dropped by iptables, and why. I'm writing my configuration (with logging and also including a default ACCEPT policy for the OUTPUT chain) below. To enable it, save it to a file (e.g., 'iptables_test_rules.txt') and apply it using 'iptables-restore iptables_test_rules.txt'. See 'iptables -L -v' for a rules overview and your syslog for dropped connections (attention: your syslog could grow very fast!).

*filter

# 1. Logging.
# 1.1. logdrop chain
-N logdrop
-A logdrop -j LOG --log-prefix "dropped: "
-A logdrop -j DROP

# 2. Set default policies for INPUT, OUTPUT and FORWARD chains
-P INPUT DROP
-P OUTPUT ACCEPT
-P FORWARD DROP

# 3. INPUT CHAIN
# 3.0. Allow loopback
-A INPUT -i lo -j ACCEPT
# 3.1. Allow already established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# 3.2. log and drop invalid packets
-A INPUT -m conntrack --ctstate INVALID -j logdrop
# 3.3. Allow DHCP renew on eth0
-A INPUT -p udp -m udp --dport 68 -i eth0 -j ACCEPT
# 3.4. Allow any connections from lan
-A INPUT -i eth1 -j ACCEPT
# 3.5. Log and drop the rest
-A INPUT -j logdrop

# 4. Forwarding
# 4.0. Allow forwarding from lan to wan
-A FORWARD -i eth1 -o eth0 -j ACCEPT
# 4.1. Allow forwarding from lan to lan
-A FORWARD -i eth1 -o eth1 -j ACCEPT
# 4.2. Allow forwarding from wan to lan, but only for already established connections
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# 4.4. log and drop the rest in FORWARD chain
-A FORWARD -j logdrop

COMMIT

*nat

# Set default NAT policies to accept
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT

# 5. NAT
# 5.1. Enable NAT
-A POSTROUTING -o eth0 -j MASQUERADE

COMMIT

*raw
COMMIT
Andrey Sapegin
  • The `OUTPUT` chain on the firewall won't affect forwarded traffic. – MadHatter Jul 17 '15 at 10:06
  • I agree, still the main idea in my answer is to see what is being dropped. I will fix the answer now. And the config attached is the working configuration example as I have it on my router. – Andrey Sapegin Jul 17 '15 at 10:11
  • Now that I applied your version, I can't ping or ssh **SV-01**, but the open ssh connection still works for some reason. – puk Jul 17 '15 at 16:46
  • Apologies, that was my mistake. I mixed up eth0 with eth1. I know, rookie mistake. Thanks Andrey. Thanks MadHatter – puk Jul 17 '15 at 17:32
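Once the `logdrop` chain from the answer is in place, kern.log fills with lines of the form `dropped: IN=... OUT=... SRC=... DST=... PROTO=...`, and reading them by eye gets old quickly. The script below is an added example, not code from the answer or the question: it reduces such lines to a count per (IN, OUT, PROTO, DST) tuple and separately counts how many of the drops were transit packets (both `IN=` and `OUT=` set, i.e. they hit the FORWARD chain) versus packets addressed to the box itself (`OUT=` empty, INPUT chain), which is the distinction MadHatter raises in the comments. The sample log lines are constructed with the real LOG field layout but made-up addresses and MACs.

```shell
#!/bin/sh
# Added example: summarise netfilter LOG output written by a rule such as
#   -A logdrop -j LOG --log-prefix "dropped: "
# so that blocked or misrouted flows stand out in kern.log.

# Constructed sample lines (real LOG field layout, made-up hosts/MACs); the
# last line is unrelated kernel noise and must be ignored by the parser.
SAMPLE_LOG='Jul 17 16:04:01 SV-01 kernel: [ 1234.567890] dropped: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.66.10 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Jul 17 16:04:02 SV-01 kernel: [ 1235.567890] dropped: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.66.10 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=2
Jul 17 16:04:03 SV-01 kernel: [ 1236.567890] dropped: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.66.10 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=45000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 17 16:04:04 SV-01 kernel: [ 1237.567890] dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 17 16:04:05 SV-01 kernel: [ 1238.567890] eth0: link is up'

# summarize_drops: read log text on stdin and print one line per distinct
# "IN= OUT= PROTO= DST=" tuple, prefixed by its count, most frequent first.
summarize_drops() {
    awk '
        /dropped: / {
            in_ = out = proto = dst = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue          # tokens like "DF" carry no value
                if (kv[1] == "IN") in_ = kv[2]
                else if (kv[1] == "OUT") out = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
            }
            key = "IN=" in_ " OUT=" out " PROTO=" proto " DST=" dst
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# count_forwarded: number of logged drops that were transit packets, i.e. both
# IN= and OUT= are non-empty (FORWARD chain). Drops with an empty OUT= were
# destined for the router itself and came from the INPUT chain instead.
count_forwarded() {
    awk '/dropped: / && / IN=[^ ]+ OUT=[^ ]+ / { n++ } END { print n + 0 }'
}

# On a real router feed kern.log in instead of the sample:
#   summarize_drops < /var/log/kern.log
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
printf 'forwarded drops: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_forwarded)"
```

A LAN client that cannot reach the Internet shows up here as repeated `IN=eth1 OUT=eth0` entries towards its destination; if the entries instead show `IN=eth0 OUT=eth1`, the replies are what is being dropped, which points at the RELATED,ESTABLISHED rule rather than at the outbound one.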