Lan to Wan reprise

Tony Dietrich td at transoft.demon.co.uk
Sun Mar 13 23:38:58 UTC 2005


On Sunday 13 Mar 2005 23:02, Claude Jones wrote:
> Claude Jones wrote:
> > The web server works.
> > The box has internet access.
> > Machines on the Lan are getting DHCP assigned IP addresses. They are
> > also able to see my lone web page.
> > However, the machines on the Lan can't get past the firewall. It's not
> > a DNS problem because it doesn't go away if you put an IP address in.
> > I can ping the Wan NIC from the LAN but nothing further than that.
> > I've reviewed the procedures over and over that I used successfully,
> > and I can't find the problem.
> > DHCPD loads without errors.
> > I've checked and rechecked the firewall and SELinux settings, and they
> > appear to be the same as at the office.
> > I've reviewed the network settings for my NICs twenty times.
> > IP forwarding and masquerade have been set up.
>
> I add the following detail in case someone has the time to pore through
> it. I continue to be stuck. The above conditions still hold.
> The following is my firewall script:
>
>
> #!/bin/bash
> # An enhanced stateful firewall for a workstation, laptop or router that isn't
> # running any network services like a web server, SMTP server, ftp server, etc.
> #change this to the name of the interface that provides your "WAN"
> #(connection to the Internet)
> WAN="eth0"
> #if you're a router (and thus should forward IP packets between interfaces),
> #you want ROUTER="yes"; otherwise, ROUTER="no"
> ROUTER="yes"
> #change this next line to the static IP of your WAN interface for static SNAT,
> #"dynamic" if you have a dynamic IP. If you don't need any NAT, set NAT to ""
> #disable it.
> NAT="66.225.207.87"
> #change this next line so it lists all your network interfaces, including lo
> INTERFACES="lo eth0 eth1"
> if [ "$1" = "start" ]
> then
>     echo "Starting firewall..."
>     iptables -P INPUT DROP
>     iptables -A INPUT -i ! ${WAN} -j ACCEPT
>     iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>     iptables -A INPUT -p tcp --dport http -m state --state NEW -j ACCEPT
>     iptables -A INPUT -p tcp -i ${WAN} -j REJECT --reject-with tcp-reset
>     iptables -A INPUT -p udp -i ${WAN} -j REJECT --reject-with icmp-port-unreachable
>     #explicitly disable ECN
>     if [ -e /proc/sys/net/ipv4/tcp_ecn ]
>     then
>         echo 0 > /proc/sys/net/ipv4/tcp_ecn
>     fi
>     #disable spoofing on all interfaces
>     for x in ${INTERFACES}
>     do
>         echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
>     done
>     if [ "$ROUTER" = "yes" ]
>     then
>         #we're a router of some kind, enable IP forwarding
>         echo 1 > /proc/sys/net/ipv4/ip_forward
>         #static IP, use SNAT
>         echo "Enabling SNAT (static ip)..."
>         iptables -t nat -A POSTROUTING -o ${WAN} -j SNAT --to 66.225.207.87
>     fi
> elif [ "$1" = "stop" ]
> then
>     echo "Stopping firewall..."
>     iptables -F INPUT
>     iptables -P INPUT ACCEPT
>     #turn off NAT/masquerading, if any
>     iptables -t nat -F POSTROUTING
> fi
>
>
> This is my dhcpd.conf:
>
> ddns-update-style interim;
> ignore client-updates;
>
> subnet 192.168.2.0 netmask 255.255.255.0 {
>
> # --- default gateway
>     option routers            192.168.2.1;
>     option subnet-mask        255.255.255.0;
>
> #    option nis-domain        "domain.org";
>     option domain-name        viewridgeproductions;
>     option domain-name-servers    64.202.97.2, 69.31.31.2;
>
>     option time-offset        -18000;    # Eastern Standard Time
> #    option ntp-servers        192.168.1.1;
> #    option netbios-name-servers    192.168.1.1;
> # --- Selects point-to-point node (default is hybrid). Don't change this unless
> # -- you understand Netbios very well
> #    option netbios-node-type 2;
>
>     range dynamic-bootp 192.168.2.128 192.168.2.254;
>     default-lease-time 21600;
>     max-lease-time 43200;
>
>     # we want the lan router to appear at a fixed address
>     host viewridgeproductions {
>         hardware ethernet 00:C0:F0:49:79:31;
>         fixed-address 192.168.2.1;
>     }
> }
>
> Both of these can be started and stopped without error messages. I've
> visited and revisited NIC configurations, and they are fine. I'm
> mystified. If one of you has the time to pore through all this and see a
> problem, thanks in advance.

This may seem silly, but is the WAN NIC actually connecting to the 'net? Is
it picking up an address from your ISP?

What happens if you connect a machine direct to the external NIC?

-- 
Tony Dietrich
-------------
I'm having an EMOTIONAL OUTBURST!!  But, uh, WHY is there a WAFFLE in
my PAJAMA POCKET??
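As an added example (this is not the poster's script and not something Tony proposes), the script below covers the two things the posted firewall leaves implicit for a two-NIC router. First, it gives the FORWARD chain an explicit DROP policy with only LAN-originated traffic allowed out and only reply traffic allowed back in, logging whatever is dropped; the posted script never touches FORWARD, so routed packets are governed by the kernel's default policy. Second, it provides a pure check for the prerequisites the thread lists (ip_forward set, an SNAT or MASQUERADE rule out of the WAN interface, and a matching FORWARD rule if the policy is DROP) that takes captured text rather than reading the live system, so it can be exercised anywhere. It assumes eth0 is the WAN NIC as in the thread, that eth1 is the LAN NIC, and uses the 192.168.2.0/24 range from the posted dhcpd.conf.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumptions: eth0 is the WAN NIC
# (as in the thread), eth1 is the LAN NIC, and the LAN is the 192.168.2.0/24
# range from the posted dhcpd.conf.
WAN="eth0"
LAN="eth1"
LAN_NET="192.168.2.0/24"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the iptables commands, 0 = apply them (root)

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Explicit FORWARD policy for a LAN <-> WAN router: hosts on the WAN side can
# only reach the LAN through connections the LAN opened; anything else that is
# dropped leaves a log line to investigate.
forward_rules() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$LAN" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: "
}

# Pure check so it can be fed captured text instead of a live box:
#   $1 = contents of /proc/sys/net/ipv4/ip_forward
#   $2 = output of `iptables -t nat -S POSTROUTING`
#   $3 = output of `iptables -S FORWARD`
# Prints one line per missing prerequisite; returns 1 if any is missing.
check_router_prereqs() {
    crp_ip_forward="$1"; crp_postrouting="$2"; crp_forward="$3"; crp_rc=0
    if [ "$crp_ip_forward" != "1" ]; then
        echo "ip_forward is '$crp_ip_forward', not 1: the kernel will not route between NICs"
        crp_rc=1
    fi
    case "$crp_postrouting" in
        *"-o $WAN "*"-j SNAT"*|*"-o $WAN "*"-j MASQUERADE"*) ;;
        *) echo "no SNAT/MASQUERADE rule out of $WAN: Internet replies cannot reach $LAN_NET"
           crp_rc=1 ;;
    esac
    case "$crp_forward" in
        *"-P FORWARD DROP"*)
            case "$crp_forward" in
                *"-i $LAN -o $WAN "*"-j ACCEPT"*) ;;
                *) echo "FORWARD policy is DROP but no rule accepts $LAN -> $WAN"
                   crp_rc=1 ;;
            esac ;;
    esac
    return $crp_rc
}

# Reads the live system (iptables -S needs root) and feeds the check above.
check_live() {
    check_router_prereqs "$(cat /proc/sys/net/ipv4/ip_forward)" \
        "$(iptables -t nat -S POSTROUTING 2>/dev/null)" \
        "$(iptables -S FORWARD 2>/dev/null)"
}

# Usage: sh router-check.sh rules  -> print (DRY_RUN=1) or apply the FORWARD rules
#        sh router-check.sh check  -> run the prerequisite check on this host
case "${1:-}" in
    rules) forward_rules ;;
    check) check_live ;;
esac
```

Running `sh router-check.sh check` on the router prints nothing and exits 0 when forwarding, NAT and the FORWARD chain line up; each line it does print names one ingredient of the LAN-to-WAN path that is missing, which is a quicker way to narrow the problem than rereading the configuration files.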
