SOLVED: Re: [lug] iptables, windows & ipmasq

Ben Luey lueyb at jilau1.Colorado.EDU
Wed Mar 24 18:10:18 MST 2004


Thanks for all the help! I finally got some logs in arpwatch and it showed
another MAC with the ip 10.0.0.1 (ip of the firewall). Turns out I have a
"smart" hub that has an IP address which unfortunately was that of my
firewall. The windows machines kept asking the HUB to route their packets
(thus I could ping the firewall, but nothing else). I don't know why the
linux box was unaffected, but oh well. I reconfigured it to take another
IP address, and everything looks good. I must have had some setting error
when I tried a different hub.

Thanks again!

Ben

Ben Luey
lueyb at jilau1.colorado.edu
On Wed, 24 Mar 2004, Ben Luey wrote:

> Thanks for the suggestions: New information is that I have confirmed that
> the problem is intermittent. I didn't touch anything and the connect came
> and went and came and went on the windows boxes.
>
> > When I see intermittent network problems, I've found it is often a
> > problem with ARP and duplicate IP addresses.  "arpwatch" is a handy tool
> > for discovering these things.
>
> I installed arpwatch, and it is listening to both eth0 and eth1. So far I
> don't see anything in /var/lib/arpwatch/ethX -- I'm not sure if that is
> normal, but I'm not seeing any errors.
>
> > I've also seen problems like this when a network has two (or more!) NICs
> > with duplicate MAC addresses.
>
> > It could also be a bad hub, switch or NIC.  Try disconnecting things
> > until it starts working.
>
> I have this problem with just the firewall and one windows box installed.
> I've switched hubs, and get the same problem.
>
> > It wasn't clear to me from your message if your network has worked in
> > the past.  If it has, and the only new thing is your Linux firewall,
> > then focus on that.
>
> Before all the computers had a static routable IP address. I'm trying to
> migrate them to be behind a firewall. So this internal network never
> existed before.
>
>
> > Some comments on your iptables file:
> > 1. Why do people use $IPTABLES?  It's not just you, I see it many
> > times.  I'd just use the actual command.  If it's a typing shortcut, why
> > not use $x or $ipt?  Heh.
>
> I had "iptables" but at some point I thought I needed to change it to
> "/sbin/iptables" and just copied $IPTABLES from an example. Yes, $ipt is
> nicer and shorter.
>
>
> > 2. Your "Clear every rule" part is strange.  I like this myself:
> > for T in $(cat /proc/net/ip_tables_names)
> > do
> > 	iptables -t $T -F
> > 	iptables -t $T -X
> > done
>
> I think mine does the trick though.
>
>
> > 4. I think you might also want:
> > iptables -t nat -P PREROUTING ACCEPT
> > iptables -t nat -P POSTROUTING ACCEPT
> > iptables -t nat -P OUTPUT ACCEPT
>
> I put that in, and it started working. But then later the internet was
> very slow on the windows machines (maybe DNS resolution). And then it
> stopped working again. And then later it was back, but slow. All the while
> the linux box was rock solid.
>
> So then I installed shorewall, and same problem: internet from the linux
> box works fine, but the windows boxes weren't working.
>
> So, I'm thinking that the problem isn't iptables. But I don't know what
> else it could be. Maybe a strange windows setting (XP Professional and win
> 2000)? But they are set up with external DNS, 10.0.0.1 (firewall, internal)
> as the gateway and an internal ip address. What else is there that
> matters? Internal networking stuff not relating to the firewall works --
> (windows file sharing, etc) but I can't ssh from the windows boxes to the
> firewall, so it isn't just the ip masq that is the problem.
>
> Any ideas on what is going on, or what else to look for?
>
> Thanks for the help,
>
>
> Ben
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
>
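Added example, not part of this thread: a small Python script that applies the arpwatch diagnosis discussed above to arpwatch-style database entries, flagging any IP answered for by more than one MAC (which is what exposed the "smart" hub also claiming the firewall's 10.0.0.1). The arp.dat line layout (MAC, IP, epoch time, optional hostname, tab-separated) is an assumption, and the sample lines and MAC addresses are constructed.

```python
from collections import defaultdict

# Constructed sample in arpwatch's arp.dat layout (assumed: MAC, IP, epoch time,
# optional hostname, tab-separated). The two different MACs for 10.0.0.1 model
# the thread's case: the firewall and a hub both answering for the gateway IP.
SAMPLE_ARP_DAT = """\
0:c0:4f:11:22:33\t10.0.0.1\t1080177018\tfirewall
0:0:86:aa:bb:cc\t10.0.0.1\t1080177400
0:a0:cc:44:55:66\t10.0.0.10\t1080177100\twinxp
0:a0:cc:77:88:99\t10.0.0.11\t1080177200\twin2k
0:c0:4f:11:22:33\t10.0.0.1\t1080177900\tfirewall
"""


def parse_arp_dat(text):
    """Yield (mac, ip, timestamp, hostname) tuples; blank or short lines are skipped."""
    for line in text.splitlines():
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 3:
            continue
        mac, ip, ts = fields[0].lower(), fields[1], int(fields[2])
        host = fields[3] if len(fields) > 3 else ""
        yield mac, ip, ts, host


def find_ip_conflicts(text):
    """Return {ip: sorted MAC list} for every IP claimed by more than one MAC."""
    seen = defaultdict(set)
    for mac, ip, _ts, _host in parse_arp_dat(text):
        seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def gateway_impostors(text, gateway_ip, gateway_mac):
    """Sorted MACs other than the firewall's own that answered for the gateway IP."""
    return sorted({
        mac for mac, ip, _ts, _host in parse_arp_dat(text)
        if ip == gateway_ip and mac != gateway_mac.lower()
    })


if __name__ == "__main__":
    for ip, macs in find_ip_conflicts(SAMPLE_ARP_DAT).items():
        print(f"{ip} claimed by {len(macs)} MACs: {', '.join(macs)}")
    print("non-firewall MACs answering for 10.0.0.1:",
          gateway_impostors(SAMPLE_ARP_DAT, "10.0.0.1", "0:c0:4f:11:22:33"))
```

Pointing the script at a real /var/lib/arpwatch/ethX file (read into `text`) gives the same report for a live network; a non-empty `gateway_impostors` result is the condition that matched the hub here.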
