# ip tables problem [Solved]

## krenshala

I've got the following setup:

```
modem -> (eth1) Box1 (eth0) -> wireless router (as switch) -> (wlan0) Box2
```

Box1 is working properly (and has been for a while) as my router with iptables doing forwarding and NAT.  That box does DHCP for my network, and none of the computers have problems getting to the internet.  Then I brought box2 into the mix ...

Box2 is supposed to do the same thing as Box1 (for someone else) but use wlan0 as its WAN port.  First, I got Box2 connected to the network and getting out to the internet before setting up iptables on it.  Then I copied my firewall script from Box1 to Box2, and changed the internal and external address ranges to be appropriate for Box2 (Box1 uses 192.168.1.0 while Box2 will be using 192.168.4.0).

The problem I'm running into is that while Box2 can ping any of my computers in the 192.168.1.0 network, when I tried to ping either Box1 external (WAN) IP address or anything past it (e.g., google.com) I get messages telling me that either the network is unreachable or the operation is not permitted (depending on what settings I've been playing with in Box2's iptables settings).

The iptables settings (built from an iptables tutorial I found a few years ago) I've used are:

```
# IIF == internal interface (eth0 on Box1 & Box2)
# EIF == external interface (eth1 on Box1, wlan0 on Box2)
# Box1 : INET == 192.168.1.0/24, ENET == x.x.x.x/24
# Box2 : INET == 192.168.4.0/24, ENET == 192.168.1.22/24
# Both : ANET == 0.0.0.0/0

$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -X
$IPTABLES -Z

# Creating drop-log chain ...
$IPTABLES -N drop-log
$IPTABLES -A drop-log -j LOG --log-level info
$IPTABLES -A drop-log -j DROP

# Loading INPUT rulesets ...
$IPTABLES -A INPUT -s $ANET -d $ANET -j drop-log
$IPTABLES -A INPUT -i $EIF -s $INET -d $ANET -j drop-log
$IPTABLES -A INPUT -i lo -s $ANET -d $ANET -j ACCEPT
$IPTABLES -A INPUT -i $IIF -s $INET -d $ANET -j ACCEPT
$IPTABLES -A INPUT -i $EIF -p ICMP -s $ANET -d $ENET -j ACCEPT
$IPTABLES -A INPUT -i $EIF -s $ANET -d $ENET -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $ANET -d $ENET --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i $EIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $ANET -d $ENET --dport 25 -j ACCEPT
$IPTABLES -A INPUT -i $EIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $ANET -d $ENET --dport 80 -j ACCEPT

# Loading OUTPUT rulesets ...
$IPTABLES -A OUTPUT -o $EIF -s $ANET -d $INET -j drop-log
$IPTABLES -A OUTPUT -o lo -s $ANET -d $ANET -j ACCEPT
$IPTABLES -A OUTPUT -o $IIF -s $ENET -d $INET -j ACCEPT
$IPTABLES -A OUTPUT -o $IIF -s $INET -d $INET -j ACCEPT
$IPTABLES -A OUTPUT -o $EIF -s $ENET -d $ANET -j ACCEPT

# Loading FORWARD rulesets ...
$IPTABLES -A FORWARD -i $EIF -o $IIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $IIF -o $EIF -j ACCEPT
$IPTABLES -A FORWARD -j drop-log

# Enabling SourceNAT (masquerade) functionality on $EIF
$IPTABLES -t nat -A POSTROUTING -o $EIF -j MASQUERADE
```

So, is my problem because Box1 doesn't recognize traffic from 192.168.4.1 as valid, or did I do something else that would keep it from working?  I've tried adding a -A INPUT option on Box1 that would allow another source network ($IPTABLES -A INPUT -i $IIF -s $ONET -d $ANET -j ACCEPT where $ONET is 192.168.4.0/24) but that didn't work.

I've pored over a bunch of stuff both here and on other sites, but haven't been able to find anything that helps me out.  At this point, anything you guys can suggest is appreciated.

----------

## Inodoro_Pereyra

Can you please post the output of route -n on box2?

Cheers!

----------

## krenshala

*Inodoro_Pereyra wrote:*

> Can you please post the output of route -n on box2?

Thank you for looking into this.

route -n gives:

```
Kernel IP routing table
Destination  Gateway      Genmask        Flags Metric Ref  Use Iface
192.168.4.0  0.0.0.0      255.255.255.0  U     0      0      0 eth0
192.168.1.0  0.0.0.0      255.255.255.0  U     2000   0      0 wlan0
127.0.0.0    0.0.0.0      255.0.0.0      U     0      0      0 lo
0.0.0.0      192.168.4.1  0.0.0.0        UG    0      0      0 eth0
0.0.0.0      192.168.1.5  0.0.0.0        UG    2000   0      0 wlan0
```

wlan0 is 192.168.1.22 while the wired NIC (internal IF) is 192.168.4.1, if it matters.  Comparing it with Box1:

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
x.x.x.0         0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         x.x.x.x         0.0.0.0         UG    0      0        0 eth0
0.0.0.0         192.168.1.5     0.0.0.0         UG    1      0        0 eth1
```

It appears to me to show the right info, except maybe for the Metric part (which I'm not sure how it was configured on Box2 to get a metric of 2000; wpa_supplicant?).

----------

## krenshala

Well, I just tried the computer in its proper home, and it had the same problem.  This tells me it isn't the iptables config on Box1 that is the problem, but instead either an iptables config, route, or network config problem on Box2.

Does anyone have suggestions on where I should look to find my mistake?  I'm thinking at this point that I'm too close to the problem, unfortunately.

Thank you in advance for any help or suggestions.

----------

## krenshala

Nobody has any suggestions on this?

----------

## scherz0

It seems there is a routing problem.  Why two 0.0.0.0 routes on each box?

I guess that it may sometimes work, depending on which interface got up first.

By the way, you wrote that eth0 is connected to the lan on box1, but the routing table seems to indicate something different...

----------

## krenshala

*scherz0 wrote:*

> It seems there is a routing problem.  Why two 0.0.0.0 routes on each box?
> 
> I guess that it may sometimes work, depending on which interface got up first.
> 
> By the way, you wrote that eth0 is connected to the lan on box1, but the routing table seems to indicate something different...

I misremembered which interface did what on box1 since I haven't had to play with its configuration in a few years. I thought I'd corrected myself, but I guess I did that incorrectly.

Yeah, the more I fight with this the more I'm convinced it's a routing problem and not necessarily an iptables problem.

I'm not sure why I have two 0.0.0.0 routes for each box, but that's what I end up with based on the network configuration.  Is there a way to get the configuration set up where it doesn't do that?  I wouldn't be surprised if that was the problem, although it doesn't cause a problem with Box1, just with Box2.  I know Box2 works if I down eth0 and only use wlan0 for network, with the firewall down.  The network unreachable errors would seem to back up that being the problem ...

----------

## scherz0

*krenshala wrote:*

> I'm not sure why I have two 0.0.0.0 routes for each box, but that's what I end up with based on the network configuration.  Is there a way to get the configuration set up where it doesn't do that?  I wouldn't be surprised if that was the problem, although it doesn't cause a problem with Box1, just with Box2.  I know Box2 works if I down eth0 and only use wlan0 for network, with the firewall down.  The network unreachable errors would seem to back up that being the problem ...

Sure: you should have only one default route on each box.  On box2, this route is problematic:

```
0.0.0.0      192.168.4.1  0.0.0.0        UG    0      0      0 eth0
```

1 - 192.168.4.1 is a local address

2 - the real default route is via wlan0

You should post your conf.d/net if you need some more help.
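The two findings above (more than one default route, and a default route whose gateway is one of the box's own addresses) can be checked mechanically against `route -n` output. The script below is an added example, not code from the thread: it embeds a constructed copy of Box2's routing table and a constructed list of Box2's local addresses (`LOCAL_ADDRS_BOX2`; on a real host you would take these from `ip -4 addr`), and reports the default-route problems plus which default route the kernel would actually prefer by metric. A second constructed table with the eth0 default route removed shows the clean result.

```shell
#!/bin/sh
# Added example (not from the thread): audit a "route -n" table for the
# default-route problems scherz0 describes. Sample data is constructed to
# mirror Box2's table from the thread; the "fixed" table is what it looks
# like after the bogus eth0 default route is gone.

ROUTES_BOX2='Kernel IP routing table
Destination  Gateway      Genmask        Flags Metric Ref  Use Iface
192.168.4.0  0.0.0.0      255.255.255.0  U     0      0      0 eth0
192.168.1.0  0.0.0.0      255.255.255.0  U     2000   0      0 wlan0
127.0.0.0    0.0.0.0      255.0.0.0      U     0      0      0 lo
0.0.0.0      192.168.4.1  0.0.0.0        UG    0      0      0 eth0
0.0.0.0      192.168.1.5  0.0.0.0        UG    2000   0      0 wlan0'

ROUTES_BOX2_FIXED='Kernel IP routing table
Destination  Gateway      Genmask        Flags Metric Ref  Use Iface
192.168.4.0  0.0.0.0      255.255.255.0  U     0      0      0 eth0
192.168.1.0  0.0.0.0      255.255.255.0  U     2000   0      0 wlan0
127.0.0.0    0.0.0.0      255.0.0.0      U     0      0      0 lo
0.0.0.0      192.168.1.5  0.0.0.0        UG    2000   0      0 wlan0'

# Addresses configured on Box2 (constructed; on a real host read them from `ip -4 addr`).
LOCAL_ADDRS_BOX2='192.168.4.1 192.168.1.22 127.0.0.1'

# count_default_routes TABLE -> number of routes with destination 0.0.0.0 and mask 0.0.0.0
count_default_routes() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { n++ } END { print n+0 }'
}

# local_gateway_defaults TABLE LOCAL_ADDRS -> "GATEWAY IFACE" for every default route
# whose gateway is an address of this host. Such a route can never carry a packet
# off the box, which is where "network is unreachable" comes from.
local_gateway_defaults() {
    printf '%s\n' "$1" | awk -v locals="$2" '
        BEGIN { split(locals, a, " "); for (i in a) islocal[a[i]] = 1 }
        $1 == "0.0.0.0" && $3 == "0.0.0.0" && ($2 in islocal) { print $2, $8 }'
}

# preferred_default TABLE -> "GATEWAY IFACE" of the lowest-metric default route,
# i.e. the one the kernel uses for destinations no other route covers.
preferred_default() {
    printf '%s\n' "$1" | awk '
        $1 == "0.0.0.0" && $3 == "0.0.0.0" && (best == "" || $5+0 < best) { best = $5+0; gw = $2; dev = $8 }
        END { if (gw != "") print gw, dev }'
}

# audit_routes TABLE LOCAL_ADDRS -> prints "ok" (status 0) or the findings (status 1)
audit_routes() {
    n=$(count_default_routes "$1")
    bad=$(local_gateway_defaults "$1" "$2")
    findings=""
    [ "$n" -gt 1 ] && findings="multiple default routes ($n)"
    if [ -n "$bad" ]; then
        findings="${findings:+$findings; }default route via local address: $(printf '%s' "$bad" | tr '\n' ' ')"
    fi
    if [ -z "$findings" ]; then
        echo ok
        return 0
    fi
    echo "$findings"
    return 1
}

# Stand-alone demo: Box2 as posted, then the corrected table.
echo "Box2 prefers default via: $(preferred_default "$ROUTES_BOX2")"
audit_routes "$ROUTES_BOX2" "$LOCAL_ADDRS_BOX2" || :
audit_routes "$ROUTES_BOX2_FIXED" "$LOCAL_ADDRS_BOX2" || :
```

On Box2's table the audit flags both problems, and `preferred_default` shows why the box was stuck: the broken eth0 route has metric 0, so it wins over the real wlan0 route at metric 2000.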

----------

## krenshala

*scherz0 wrote:*

> *krenshala wrote:* I'm not sure why I have two 0.0.0.0 routes for each box, but that's what I end up with based on the network configuration.  Is there a way to get the configuration set up where it doesn't do that?  I wouldn't be surprised if that was the problem, although it doesn't cause a problem with Box1, just with Box2.  I know Box2 works if I down eth0 and only use wlan0 for network, with the firewall down.  The network unreachable errors would seem to back up that being the problem ...
> 
> Sure: you should have only one default route on each box.  On box2, this route is problematic:
> 
> ```
> ...

So, taking a guess based on the comments, I need to remove the route_eth0 (or eth1 if that's the internal network address) in /etc/conf.d/net so on Box1 the only route option is on the external NIC, and on Box2 it's the wireless.  This makes sense to me.  I can't change Box1 right now (though I've already updated /etc/conf.d/net) but I'm testing Box2 now with the change.

If this does it I'm going to feel quite a bit silly.

[edit1]

Yup, after remembering to change the external IP address the firewall expects, removing the route line from /etc/conf.d/net cleared up the routing problem.  I'm now able to tracepath google.com and actually get 7 or 8 hops out (couldn't get past Box1 before).

Thank you for pointing me in the correct direction on this you guys. Very much appreciated.

[edit2]

Muahahahah! Success at last!  I'm typing on Box3, which is hardwired to Box2's eth0 port, then through wlan0 on Box2 to my AP, wired from there through the switch to Box1, and then to my ISP and out.

Thank you! Thank you! Thank you! Thank you! Thank you! Thank you!
