[lug] iptables, windows & ipmasq

Zan Lynx zlynx at acm.org
Wed Mar 24 10:38:28 MST 2004


On Wed, 2004-03-24 at 09:52, Ben Luey wrote:
> Take 2 on weird routing problems. I took out my PRE and POSTROUTING NAT
> options and that fixed the ping problems. But now windows boxes
> *sometimes* can't access the internet.
> 
[snip]
> 
> How can this be? Why is the linux box without problems? How can things
> magically start working? And when things aren't, why can't I see the
> packets getting to the firewall? Any ideas greatly appreciated.

When I see intermittent network problems, I've found it is often a
problem with ARP and duplicate IP addresses.  "arpwatch" is a handy tool
for discovering these things.

I've also seen problems like this when a network has two (or more!) NICs
with duplicate MAC addresses.

It could also be a bad hub, switch or NIC.  Try disconnecting things
until it starts working.

It wasn't clear to me from your message if your network has worked in
the past.  If it has, and the only new thing is your Linux firewall,
then focus on that.

Some comments on your iptables file:
1. Why do people use $IPTABLES?  It's not just you, I see it many
times.  I'd just use the actual command.  If it's a typing shortcut, why
not use $x or $ipt?  Heh.

2. Your "Clear every rule" part is strange.  I like this myself:
for T in $(cat /proc/net/ip_tables_names)   # every table currently loaded
do
	iptables -t "$T" -F    # flush all rules in the table
	iptables -t "$T" -X    # delete the user-defined chains
done

3. You have a question about the "lo" interface in your comments.  You
have to allow "lo" traffic because your default rules are DROP and that
includes "lo."  Programs sometimes use loopback to communicate and it's
important to allow it or you'll be seeing some very strange behavior.

4. I think you might also want:
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

Just to make sure nothing in there is messing you up.
-- 
Zan Lynx <zlynx at acm.org>