From: list user <xktnniuymlla@mailinator.com>
To: netfilter@lists.netfilter.org
Subject: Re: Connection through gateway fails in a random basis
Date: Mon, 31 Jul 2006 10:03:54 -0700
Message-ID: <44CE37FA.4050005@mailinator.com>
In-Reply-To: <20060730221120.7668ee28.pedro.werneck@terra.com.br>

Pedro Werneck wrote:
> Hi all
> 
> 
> Something that seems simple here, but I cannot find anything wrong
> 
> I have two machines here, A and B. A has eth0 and eth1, and a DSL
> connection (ppp0) with the modem connected to eth0. B has eth0. I have
> A.eth1 connected to B.eth0, and I'm trying to use A as a gateway for B.
> 
> It works: from B I can reach anything I can reach from A, with ping,
> traceroute and name resolution, but I can't use other protocols like
> HTTP, FTP, IRC, and it seems to happen on a random basis. Sometimes it
> works, sometimes it waits for data until timeout... I tried to find a
> pattern in it but I couldn't. I tried to use LOG and netwatch on ppp0
> and eth1 to debug it; there's no data coming from the remote in these
> cases.
> 
> Someone suggested I should upgrade the kernel, so I'm using the latest
> version, 2.6.17.7 #4, but it still doesn't work...
> 
> 
> Here's the ruleset I'm using on the gateway... pretty simple
> 
> <code>
> #!/bin/bash 
> 
> echo 1 > /proc/sys/net/ipv4/ip_forward 
> 
> IPT="iptables --verbose"
> 
> $IPT -F
> $IPT -t nat -F
> 
> $IPT -P INPUT ACCEPT
> $IPT -P OUTPUT ACCEPT
> $IPT -P FORWARD ACCEPT
> 
> $IPT -A INPUT -j ACCEPT -i lo
> $IPT -A INPUT -j ACCEPT -s 192.168.1.0/24
> $IPT -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A INPUT -j ACCEPT -p tcp --dport 3306
> $IPT -A INPUT -j ACCEPT -p tcp --dport 3690
> $IPT -A INPUT -j ACCEPT -p tcp --dport 8000:8010
> $IPT -A INPUT -j ACCEPT -p tcp --dport 8021
> $IPT -A INPUT -j ACCEPT -p tcp --dport 8022
> $IPT -A INPUT -j ACCEPT -p tcp --dport 8080
> 
> $IPT -A FORWARD -j ACCEPT -i ppp0 
> $IPT -A FORWARD -j ACCEPT -s 192.168.1.0/24
> $IPT -A FORWARD -j DROP
> 
> $IPT -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
> </code>
> 
> And here are the modules I have loaded (lsmod | grep ip), in case
> something is missing and I haven't noticed:
> 
> ipt_LOG                 5440  0 
> ipt_MASQUERADE          2560  1 
> iptable_mangle          2240  0 
> iptable_nat             5636  1 
> ip_nat                 12844  2 ipt_MASQUERADE,iptable_nat
> ip_conntrack           36564  4 ipt_MASQUERADE,xt_state,iptable_nat,ip_nat
> iptable_filter          2240  1 
> ip_tables               9944  3 iptable_mangle,iptable_nat,iptable_filter
> x_tables                9668  6 ipt_LOG,xt_tcpudp,ipt_MASQUERADE,xt_state,iptable_nat,ip_tables
> 
> 
> Since it seems something very weird, I'm asking for your help here.
> Any idea about what's wrong here?

Hi Pedro,

I can't answer your question but I can point out what looks like a 
serious error in your rules -- the firewall is wide open.  You should 
either change your default policy on the INPUT chain to DROP, or you 
should append a rule "-A INPUT -j DROP".

For my personal preference I always start with no rules and default 
policy of DROP on both INPUT and FORWARD, then begin adding rules to 
allow specific traffic.

Mike Wright

> 
> 
> Thanks...
> 
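The default-deny layout Mike describes above, applied to Pedro's ruleset, as an added example that is not part of the thread. It assumes the LAN is 192.168.1.0/24 on eth1, the DSL link is ppp0, and the gateway exposes the same TCP ports as the original script; the `dry` backend and `IPT=dry` preview are conveniences of this example, not part of iptables.

```shell
#!/bin/sh
# Added example (not from the thread): Pedro's gateway ruleset rebuilt the
# way Mike Wright describes, with default-deny INPUT and FORWARD policies
# and explicit allow rules. Assumptions: LAN 192.168.1.0/24 on eth1, DSL
# link on ppp0, and the same listening TCP ports as the original script.
IPT="${IPT:-iptables}"
LAN_IF=eth1; WAN_IF=ppp0; LAN_NET=192.168.1.0/24
TCP_PORTS="3306 3690 8000:8010 8021 8022 8080"

# Dry-run backend: prints each iptables command instead of running it.
dry() { printf 'iptables %s\n' "$*"; }

build_rules() {
    $IPT -F
    $IPT -t nat -F
    # Closed by default; anything not matched below is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback, replies to connections this host opened, and LAN hosts
    # (bound to eth1, so a LAN source address arriving on ppp0 is dropped).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # Services the gateway exposes, one rule per port or port range.
    for p in $TCP_PORTS; do
        $IPT -A INPUT -p tcp --dport "$p" -j ACCEPT
    done
    # Forwarding: LAN out through the DSL link, only replies back in.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Log what is about to hit the DROP policy so failures stay visible.
    $IPT -A INPUT -j LOG --log-prefix "INPUT drop: "
    $IPT -A FORWARD -j LOG --log-prefix "FORWARD drop: "
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Check that the generated ruleset really is default-deny on both chains.
rules_default_deny() {
    out=$(IPT=dry build_rules)
    echo "$out" | grep -q -- '-P INPUT DROP' &&
        echo "$out" | grep -q -- '-P FORWARD DROP'
}

# Preview unless run as root with "apply", which also enables forwarding.
if [ "${1:-}" = apply ] && [ "$(id -u)" = 0 ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_rules
else
    IPT=dry build_rules
fi
```

Running the script without arguments prints the rules it would load; compare that output against `iptables -L -n -v` after applying to confirm the counters on the LOG rules explain any traffic that stops working.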

Thread overview:
2006-07-31  1:11 Connection through gateway fails in a random basis Pedro Werneck
2006-07-31 17:03 ` list user [this message]
2006-07-31 17:53   ` Pedro Werneck
2006-07-31 18:07     ` Pascal Hambourg
2006-07-31 19:22       ` Pedro Werneck