[lug] iptables, windows & ipmasq

Ben Luey lueyb at jilau1.Colorado.EDU
Wed Mar 24 17:32:26 MST 2004


Thanks for the suggestions: New information is that I have confirmed that
the problem is intermittent. I didn't touch anything and the connection came
and went and came and went on the windows boxes.

> When I see intermittent network problems, I've found it is often a
> problem with ARP and duplicate IP addresses.  "arpwatch" is a handy tool
> for discovering these things.

I installed arpwatch, and it is listening to both eth0 and eth1. So far I
don't see anything in /var/lib/arpwatch/ethX -- I'm not sure if that is
normal, but I'm not seeing any errors.

> I've also seen problems like this when a network has two (or more!) NICs
> with duplicate MAC addresses.

> It could also be a bad hub, switch or NIC.  Try disconnecting things
> until it starts working.

I have this problem with just the firewall and one windows box installed.
I've switched hubs, and get the same problem.

> It wasn't clear to me from your message if your network has worked in
> the past.  If it has, and the only new thing is your Linux firewall,
> then focus on that.

Before all the computers had a static routable IP address. I'm trying to
migrate them to be behind a firewall. So this internal network never
existed before.


> Some comments on your iptables file:
> 1. Why do people use $IPTABLES?  It's not just you, I see it many
> times.  I'd just use the actual command.  If it's a typing shortcut, why
> not use $x or $ipt?  Heh.

I had "iptables" but at some point I thought I needed to change it to
"/sbin/iptables" and just copied $IPTABLES from an example. Yes, $ipt is
nicer and shorter.


> 2. Your "Clear every rule" part is strange.  I like this myself:
> for T in $(cat /proc/net/ip_tables_names)
> do
> 	iptables -t $T -F
> 	iptables -t $T -X
> done

I think mine does the trick though.


> 4. I think you might also want:
> iptables -t nat -P PREROUTING ACCEPT
> iptables -t nat -P POSTROUTING ACCEPT
> iptables -t nat -P OUTPUT ACCEPT

I put that in, and it started working. But then later the internet was
very slow on the windows machines (maybe DNS resolution). And then it
stopped working again. And then later it was back, but slow. All the while
the linux box was rock solid.

So then I installed shorewall, and same problem: internet from the linux
box works fine, but the windows boxes aren't working.

So, I'm thinking that the problem isn't iptables. But I don't know what
else it could be. Maybe a strange windows setting (XP Professional and win
2000)? But they are set up with external DNS, 10.0.0.1 (firewall, internal)
as the gateway and an internal ip address. What else is there that
matters? Internal networking stuff not relating to the firewall works
(windows file sharing, etc.) but I can't ssh from the windows boxes to the
firewall, so it isn't just the ip masq that is the problem.

Any ideas on what is going on, or what else to look for?

Thanks for the help,


Ben
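The quoted reply points at duplicate IP addresses and duplicate NIC MACs as a usual cause of intermittent trouble like this. The script below is an added example, not something posted in this thread: it is a small stand-in for arpwatch that reads /proc/net/arp snapshots from the firewall and reports two things, an IP whose MAC has changed between a baseline snapshot and a later one (a single snapshot only ever holds one MAC per IP, so a duplicate IP shows up as the mapping flipping over time), and a MAC that answers for more than one IP in one snapshot (two NICs with the same address). The two snapshots in the script are constructed sample data; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): poor man's arpwatch over /proc/net/arp.
# Column layout of /proc/net/arp: IP address, HW type, Flags, HW address, Mask, Device.
# Both snapshots below are constructed for this example.

ARP_BASELINE='IP address       HW type     Flags       HW address            Mask     Device
10.0.0.2         0x1         0x2         00:11:22:33:44:02     *        eth1
10.0.0.3         0x1         0x2         00:11:22:33:44:03     *        eth1
10.0.0.4         0x1         0x2         00:11:22:33:44:03     *        eth1
10.0.0.9         0x1         0x0         00:00:00:00:00:00     *        eth1'

ARP_LATER='IP address       HW type     Flags       HW address            Mask     Device
10.0.0.2         0x1         0x2         00:11:22:33:44:0a     *        eth1
10.0.0.3         0x1         0x2         00:11:22:33:44:03     *        eth1
10.0.0.4         0x1         0x2         00:11:22:33:44:03     *        eth1'

# arp_pairs SNAPSHOT: reduce a snapshot to "ip mac" lines, dropping the header
# and incomplete entries (all-zero MAC, flags 0x0).
arp_pairs() {
    printf '%s\n' "$1" |
        awk 'NR > 1 && $4 != "00:00:00:00:00:00" { print $1, $4 }'
}

# changed_macs BASELINE LATER: IPs whose MAC differs between the two snapshots.
# Output: "ip old-mac -> new-mac", one per line, sorted.
changed_macs() {
    {
        arp_pairs "$1" | sed 's/^/B /'
        arp_pairs "$2" | sed 's/^/C /'
    } | awk '$1 == "B" { base[$2] = $3 }
             $1 == "C" && ($2 in base) && base[$2] != $3 { print $2, base[$2], "->", $3 }' |
        sort
}

# shared_macs SNAPSHOT: MACs that are recorded against more than one IP.
shared_macs() {
    arp_pairs "$1" |
        awk '{ if (!seen[$2 SUBSEP $1]++) n[$2]++ }
             END { for (m in n) if (n[m] > 1) print m }' |
        sort
}

# Report on the constructed data. On the firewall you would instead save a
# baseline with `cat /proc/net/arp > /tmp/arp.base` and later run
# changed_macs "$(cat /tmp/arp.base)" "$(cat /proc/net/arp)".
echo "IPs whose MAC changed:"
changed_macs "$ARP_BASELINE" "$ARP_LATER"
echo "MACs answering for more than one IP:"
shared_macs "$ARP_LATER"
```

Running it against the sample snapshots flags 10.0.0.2 moving from 00:11:22:33:44:02 to 00:11:22:33:44:0a (the pattern a duplicate IP produces) and 00:11:22:33:44:03 claiming both 10.0.0.3 and 10.0.0.4. Polling /proc/net/arp every minute or so and diffing against a baseline is enough to catch the flip-flops that correlate with the outages, with no extra tooling on the firewall.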


