# [SOLVED] Help linux router no internet, yet clients do

## mrbig4545

Hi, I have a server that has an ADSL modem; this is shared via ip_forwarding. On the client I have full internet, and ping works fine. However on the server I have no internet, although it obviously is working as it's being shared.

On the server using ping, DNS lookup works, but then there's 100% packet loss.

Anybody know what could be causing this?

Thanks

Mark

Last edited by mrbig4545 on Fri Sep 21, 2007 7:01 pm; edited 1 time in total

----------

## gerdesj

*mrbig4545 wrote:*

> Hi, I have a server that has an ADSL modem; this is shared via ip_forwarding. On the client I have full internet, and ping works fine. However on the server I have no internet, although it obviously is working as it's being shared.
>
> On the server using ping, DNS lookup works, but then there's 100% packet loss.

We need more detail, for starters:

What sort of modem?

Firewall?

Cheers

Jon

----------

## mrbig4545

Sorry, posted in a rush. I'll give a little background as well: yesterday I upgraded my internet from dynamic IP to static, so I adjusted /etc/conf.d/net accordingly, however then this issue arose. After speaking to my colleague he says it might be because iptables is set up for masquerading, and because of the static IP it should now be set to SNAT. I'm not actually at the comp so I can't test this.

Here's my iptables config:

```
# Generated by iptables-save v1.3.8 on Tue Aug 14 18:03:56 2007
*nat
:PREROUTING ACCEPT [353915:31345384]
:POSTROUTING ACCEPT [378671:35781088]
:OUTPUT ACCEPT [14928:2461187]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Aug 14 18:03:56 2007
# Generated by iptables-save v1.3.8 on Tue Aug 14 18:03:56 2007
*mangle
:PREROUTING ACCEPT [28866493:17776166297]
:INPUT ACCEPT [1252361:925553482]
:FORWARD ACCEPT [27616020:16850609162]
:OUTPUT ACCEPT [1305166:888909569]
:POSTROUTING ACCEPT [28925231:17740838231]
COMMIT
# Completed on Tue Aug 14 18:03:56 2007
# Generated by iptables-save v1.3.8 on Tue Aug 14 18:03:56 2007
*filter
:INPUT ACCEPT [570198:770079623]
:FORWARD ACCEPT [31:11342]
:OUTPUT ACCEPT [1305166:888909569]
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i eth0 -p icmp -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 0:15000 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 0:15000 -j DROP
#-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -d 10.0.0.0/255.255.255.0 -i br0 -j DROP
-A FORWARD -s 10.0.0.0/255.255.255.0 -i br0 -j ACCEPT
-A FORWARD -d 10.0.0.0/255.255.255.0 -i eth0 -j ACCEPT
COMMIT
```

And here's my /etc/conf.d/net:

```
config_eth0=( "87.194.100.68 netmask 255.255.252.0" )
routes_eth0=( "default via 87.194.100.1" )
config_eth1=( "null" )
config_eth2=( "null" )
bridge_br0="eth1 eth2"
config_br0=( "10.0.0.1 netmask 255.255.255.0" )
RC_NEED_br0="net.eth1 net.eth2"
mtu_br0="1492"
mtu_eth0="1492"
```

The modem is a Netgear DM111P, set in full bridged mode; the ISP is Be Broadband.

Let me know if you need any more info.

All help greatly appreciated.

Thanks

Mark

----------

## gerdesj

Is this correct:

```
config_eth0=( "87.194.100.68 netmask 255.255.252.0" )
```

That netmask seems a bit large but may be normal for your pppoe connection.  Perhaps it might be 255.255.255.252.

Your f/w rules seem to be a little wide open with a default of accept set for each chain.

As you now have a static IP address you don't need to use masquerade.  You can use NAT as your colleague suggested.

For managing f/w rules I can really recommend fwbuilder.  The 2.1 series (currently ~x86) are able to do some really clever stuff with iptables n netfilter all from the comfort of a GUI! The 2.0 is still really good and I use it for all my firewalls.  With fwb, setting up NAT is easy, it is also happy with bridging (an option so look out for the checkbox).  There are loads of recipes on their website as well.

Shorewall is another good package but (IMHO) not so powerful nor pretty but has a devoted following.  There are lots of others but these two I have used in anger for several years.

Cheers

Jon

----------

## mrbig4545

Thanks Jon,

The firewall rules are just hacked together from many examples; I just needed it to work and didn't really understand it, so I'll try fwbuilder as soon as I'm home. As for the netmask, it is correct, strange I know, but I don't have any control over it.

Mark

----------

## gerdesj

*mrbig4545 wrote:*

> Thanks Jon,
>
> The firewall rules are just hacked together from many examples; I just needed it to work and didn't really understand it, so I'll try fwbuilder as soon as I'm home. As for the netmask, it is correct, strange I know, but I don't have any control over it.
>
> Mark

Good stuff.  It is a bit urgent because your PC is effectively naked on the interweb.  You need to cover its modesty!

The only gotchas I can think of with fwb are deciding how to run the thing.  You can either set up its own init script and remove iptables from running, or after each run you can iptables-save.  In the second case make sure you load all the modules for things like ftp, masq etc - I put these into local.start with a copy n paste from the fwb script.  One day I'll get around to writing an init script for it.

Cheers

Jon

----------

## mrbig4545

Thanks for the warning. I've killed my internet till I can get home and sort it.

Mark

----------

## Hu

If I understand your problem description correctly, the issue is not related to using MASQUERADE instead of SNAT.  To be clear, the Gentoo system has difficulty accessing services on the Internet, but the systems behind the NAT device have the desired access?  If not, disregard the rest of this post.

Your problem is that you are missing a rule for ESTABLISHED traffic.  Consider a connection from your system to an HTTP server, such as https://forums.gentoo.org/.  Further suppose that your system chooses an ephemeral port in the 1-15000 range.  The incoming traffic is from eth0 (Internet), so it does not match the first two rules.  It is not ICMP (HTTP is over TCP), so it does not match rule 3.  Rule 4 and rule 5 refer to a destination port, which for the INPUT chain means a port on your system.  We presumed this to be an ephemeral port for a non-privileged client connection, so it will not be in the range reserved for root (1-1023), so the destination port is in the range 1024-15000.  Thus, rule 4 and rule 5 do not match.  Rule 6 refers to UDP, so it does not match.  Rule 7 then drops the traffic, preventing your HTTP connection from working correctly.  To fix this, you should add a rule which permits traffic in the ESTABLISHED state.
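The rule walk Hu describes above, traced in code. This is an added illustration and not part of the thread; it models only the matches the posted INPUT chains use (-i, -p, --dport ranges, -m state) with first-match-wins and the chain policy as fallback, and the packets are constructed samples (port 8000 stands in for the "ephemeral port in the 1-15000 range" assumption).

```python
# Rules as (in_iface, proto, (lo, hi) dport range, states, target); None = any.
# ORIGINAL_INPUT is the poster's first *filter INPUT chain, FIXED_INPUT the
# one posted after Hu's reply. Real netfilter is not used here.
ORIGINAL_INPUT = [
    ("lo",   None,   None,       None, "ACCEPT"),
    ("br0",  None,   None,       None, "ACCEPT"),
    ("eth0", "icmp", None,       None, "DROP"),    # also drops echo replies
    (None,   "tcp",  (22, 22),   None, "ACCEPT"),
    (None,   "tcp",  (80, 80),   None, "ACCEPT"),
    ("eth0", "udp",  (0, 15000), None, "DROP"),
    ("eth0", "tcp",  (0, 15000), None, "DROP"),    # rule 7 in Hu's walk
]

FIXED_INPUT = [
    ("lo",   None,  None,       None,                       "ACCEPT"),
    ("br0",  None,  None,       None,                       "ACCEPT"),
    (None,   None,  None,       {"RELATED", "ESTABLISHED"}, "ACCEPT"),
    (None,   "tcp", (22, 22),   None,                       "ACCEPT"),
    (None,   "tcp", (999, 999), None,                       "ACCEPT"),
    ("eth0", None,  None,       None,                       "REJECT"),
]

# Constructed sample packets as conntrack would classify them on INPUT.
HTTP_REPLY = {"iface": "eth0", "proto": "tcp", "dport": 8000, "state": "ESTABLISHED"}
PING_REPLY = {"iface": "eth0", "proto": "icmp", "state": "ESTABLISHED"}
UNSOLICITED_HIGH = {"iface": "eth0", "proto": "tcp", "dport": 40000, "state": "NEW"}


def matches(rule, pkt):
    """True when every match the rule specifies agrees with the packet."""
    iface, proto, ports, states, _ = rule
    if iface is not None and pkt["iface"] != iface:
        return False
    if proto is not None and pkt["proto"] != proto:
        return False
    if ports is not None and not (ports[0] <= pkt.get("dport", -1) <= ports[1]):
        return False
    if states is not None and pkt["state"] not in states:
        return False
    return True


def walk_input(rules, pkt, policy="ACCEPT"):
    """Return (verdict, 1-based rule number), or (policy, None) if no rule hits."""
    for n, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule[4], n
    return policy, None


if __name__ == "__main__":
    for name, pkt in [("http reply", HTTP_REPLY), ("ping reply", PING_REPLY),
                      ("unsolicited 40000", UNSOLICITED_HIGH)]:
        print(name, walk_input(ORIGINAL_INPUT, pkt), walk_input(FIXED_INPUT, pkt))
```

The same trace also shows why ping fails in the original chain (rule 3 drops every ICMP packet arriving on eth0, replies included) and why an unsolicited connection to a port above 15000 falls through to the ACCEPT policy, which is the "wide open" point raised earlier in the thread.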

----------

## mrbig4545

Hu - amazing, I think that was one of the most helpful things anyone has ever told me. I've also added a drop policy on all incoming traffic, and switched to SNAT, because it has less CPU overhead if you have a static IP, so the important bit now looks like:

```
*nat
:PREROUTING ACCEPT [965:114335]
:POSTROUTING ACCEPT [13:2105]
:OUTPUT ACCEPT [83:6714]
-A POSTROUTING -o eth0 -j SNAT --to-source 87.194.100.68
COMMIT
*filter
:INPUT ACCEPT [566:251847]
:FORWARD ACCEPT [1316:206672]
:OUTPUT ACCEPT [6169705:8762672656]
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 999 -j ACCEPT
-A INPUT -i eth0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
```

----------

