[arch-general] iptables not working well?

Javier Vasquez j.e.vasquez.v at gmail.com
Sun Jul 10 10:37:52 EDT 2011


Hi,

I've configured a two-NIC gateway (one internal NIC and an external USB
NIC hooked to the ADSL modem).  I configured iptables as I usually
do:

++++++
iptables-restore < /etc/iptables/empty.rules
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i ppp0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i ppp0 -o eth0 -j ACCEPT

iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT

/etc/rc.d/iptables save
/etc/rc.d/iptables restart
++++++

Notice that I have IP forwarding enabled through:

++++++
% 'grep' forward /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
++++++

And also through:

++++++
% 'grep' FORWARD /etc/conf.d/iptables
IPTABLES_FORWARD=1
++++++

But I can confirm by:

+++++++
% cat /proc/sys/net/ipv4/ip_forward
1
+++++++

This is based upon:

http://www.debian-administration.org/articles/23

And it's working on a Debian box.  I remember some time back it also
worked on an Arch box; the only difference is that I was not using pppd
directly but wvdial instead...

OK, on machines on the internal side of my LAN, I can ping everywhere.
But I can not use the browser with all addresses; for example I can't
get to www.archlinux.org through Firefox or Midori, nor
www.debian.org.

The weird thing is that www.google.com, and some other sites, can be
reached through Firefox on machines inside the LAN.

When I try accessing those sites on the gateway itself (not the machines
inside the LAN), of course I have no problem.  I checked
/etc/resolv.conf, and it's OK; besides, ping has clear access
everywhere.

I have no clue what's going on.  I noticed the following under
/var/log/messages.log:

+++++++
Jul  9 23:32:33 mini-0 pppd[1974]: Plugin rp-pppoe.so loaded.
Jul  9 23:32:33 mini-0 pppd[1974]: RP-PPPoE plugin version 3.8p compiled against pppd 2.4.5
Jul  9 23:32:34 mini-0 kernel: NET: Registered protocol family 10
Jul  9 23:32:34 mini-0 pppd[1974]: pppd 2.4.5 started by root, uid 0
Jul  9 23:32:34 mini-0 pppd[1974]: PPP session is 45128
Jul  9 23:32:34 mini-0 pppd[1974]: Connected to 00:12:7f:33:eb:3c via interface eth1
Jul  9 23:32:34 mini-0 pppd[1974]: Using interface ppp0
Jul  9 23:32:34 mini-0 pppd[1974]: Connect: ppp0 <--> eth1
Jul  9 23:32:34 mini-0 pppd[1974]: PAP authentication succeeded
Jul  9 23:32:34 mini-0 pppd[1974]: peer from calling number 00:12:7F:33:EB:3C authorized
Jul  9 23:32:34 mini-0 pppd[1974]: kernel does not support PPP filtering
Jul  9 23:32:34 mini-0 pppd[1974]: local  IP address 201.200.139.27
Jul  9 23:32:34 mini-0 pppd[1974]: remote IP address 200.91.104.9
Jul  9 23:32:34 mini-0 pppd[1974]: primary   DNS address 200.91.75.6
Jul  9 23:32:34 mini-0 pppd[1974]: secondary DNS address 200.91.75.5
Jul  9 23:32:35 mini-0 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Jul  9 23:32:35 mini-0 kernel: nf_conntrack version 0.5.0 (7628 buckets, 30512 max)
+++++++

It seemed curious that the kernel does not support PPP filtering, but I'm
almost certain that's not the issue, given that on the gateway (not
the forwarded internal LAN) I can access all pages through
Firefox...

Any help you can provide is very welcome...  It might be that iptables
is not working well.  I forgot to mention that this is running on a Lemote
mini-PC (archloong on mipsel), which of course has no official
support, but I wanted to see first if I'm missing any configuration
particular to Arch (as I said, this worked before also on an x86 Arch
box, but things change), so just in case perhaps someone has spotted
what I'm missing...


Thanks,


-- 
Javier.
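Added example, not part of Javier's message: a small POSIX sh audit of a PPPoE NAT gateway ruleset. It takes either iptables-save output or a rule script like the one above and checks for the masquerade rule, the two FORWARD rules, and a TCP MSS clamp in the mangle table. The clamp is worth checking on exactly the symptom described (ping fine, some web sites never load from behind the gateway, everything fine on the gateway itself): ppp0 has MTU 1492, and without clamping, LAN hosts negotiate a 1460-byte MSS that a path with ICMP filtered somewhere never corrects. The script above flushes mangle and adds nothing back, so the audit reports that rule as missing. Interface names follow the post (ppp0 = PPPoE link, eth0 = LAN); the --live switch and the file layout are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post): audit the rules a PPPoE NAT
# gateway needs. Assumed interfaces: ppp0 = PPPoE link (WAN), eth0 = LAN.

# PPPoE spends 8 bytes of each 1500-byte Ethernet frame on its own header, so
# ppp0 normally has MTU 1492; the largest TCP payload that fits is
# MTU - 20 (IPv4 header) - 20 (TCP header).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# check LABEL REGEX FILE: report whether FILE holds a rule matching REGEX.
check() {
    if grep -Eq -- "$2" "$3"; then
        echo "present: $1"
    else
        echo "MISSING: $1"
        return 1
    fi
}

# audit_ruleset FILE [WAN] [LAN]: FILE is iptables-save output or a rule
# script (the patterns accept both argument orders). Returns the number of
# missing pieces, so 0 means everything was found.
audit_ruleset() {
    file=$1; wan=${2:-ppp0}; lan=${3:-eth0}; missing=0
    check "masquerade LAN traffic leaving $wan" \
        "POSTROUTING.*-o $wan.*-j MASQUERADE" "$file" || missing=$((missing + 1))
    check "forward new connections $lan -> $wan" \
        "FORWARD.*-i $lan.*-o $wan.*-j ACCEPT" "$file" || missing=$((missing + 1))
    check "forward replies $wan -> $lan (ESTABLISHED,RELATED)" \
        "FORWARD.*(ESTABLISHED.*-i $wan.*-o $lan|-i $wan.*-o $lan.*ESTABLISHED).*-j ACCEPT" \
        "$file" || missing=$((missing + 1))
    check "clamp TCP MSS to the PPPoE path MTU (mangle table, TCPMSS target)" \
        "TCPMSS.*(--clamp-mss-to-pmtu|--set-mss)" "$file" || missing=$((missing + 1))
    return $missing
}

# --live (this script's own switch): also read the running system.
# iptables-save needs root.
if [ "${1:-}" = "--live" ]; then
    echo "net.ipv4.ip_forward = $(cat /proc/sys/net/ipv4/ip_forward)"
    mtu=$(cat /sys/class/net/ppp0/mtu 2>/dev/null || echo 1492)
    echo "ppp0 MTU $mtu -> TCP MSS must not exceed $(mss_for_mtu "$mtu")"
    dump=$(mktemp)
    if ! iptables-save > "$dump"; then
        echo "iptables-save failed (run as root)"; rm -f "$dump"; exit 1
    fi
    status=0
    audit_ruleset "$dump" || status=$?
    rm -f "$dump"
    exit $status
fi
```

Run it as `sh gateway-audit.sh --live` on the gateway, or source it and call `audit_ruleset` on the file that `/etc/rc.d/iptables save` writes. The rule the audit looks for, in iptables-save form, is the standard `-A FORWARD -p tcp --tcp-flags SYN,RST SYN -o ppp0 -j TCPMSS --clamp-mss-to-pmtu` in the mangle table; the checks are substring matches, so a ruleset that names the interfaces differently needs them passed as the second and third arguments.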

