# Unable to route local network?

## Starblazer

Has anyone encountered the following problem?

I currently have a firewall/proxy/dhcp server with an internal address of 192.168.1.1

My PC is Windows XP Pro.

The dhcp server is able to grant me a lease in the 192.168.1.x subnet (mask 255.255.255.0) with default gw of 192.168.1.1

Now, web browsing through the proxy (192.168.1.1:3128) works fine.  IPTables forwarding (no proxy) works fine.

My problem is when I try to connect to the internal NIC via SSH.  I've included the correct statement to open up incoming connections, but I get connection refused.  The error does not show up when I log all connections that go through iptables.

It looks like my PC does not know how to handle routing for the local subnet.  The following is an example error using telnet to the proxy server's port:

```
telnet proxy 3128
Connecting To proxy...Could not open connection to the host, on port 3128.
No connection could be made because the target machine actively refused it.
```

When I use Nmap, I get this:

```
WARNING:  Could not determine what interface to route packets through to 192.168.1.1, changing ping scantype to ICMP only
```

This is my routing table:

```
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.102       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.102   192.168.1.102       20
    192.168.1.102  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.1.255  255.255.255.255    192.168.1.102   192.168.1.102       20
        224.0.0.0        240.0.0.0    192.168.1.102   192.168.1.102       20
  255.255.255.255  255.255.255.255    192.168.1.102   192.168.1.102       1

Default Gateway:       192.168.1.1
```

Anyone have any ideas?  This is a big pain since I can't remotely administer the firewall.

----------

## Nitro

I don't think it is a routing problem.  If it were a routing problem, you wouldn't be able to touch any of the services on that box at all.  A simple test is a ping.  As long as you don't have an explicit rule in your firewall disallowing pings, or have pings shut off in your kernel, this will tell us the story about routing.

Ping both interfaces and tell us the results, and ping from each computer to the other.  If the pings work, scratch routing problems.  You might want to try flushing your iptables rules to see if that fixes it.  The following should flush all rules and chains:

```
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
```

----------
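
Between Nitro's flush and the "correct statement to open up incoming connections" Starblazer mentions, here is what a minimal ruleset for that box could look like, as an added example and not either poster's own rules. It emits Nitro's reset, then an INPUT chain that accepts SSH and the proxy port only on the internal NIC from the LAN and logs everything else before dropping it. The interface name eth1 is a placeholder assumption; the subnet and ports come from the thread.

```sh
#!/bin/sh
# Added example (not the poster's ruleset): emit Nitro's flush followed by a
# minimal INPUT policy for a firewall/proxy box like the one in this thread.
# Assumptions, labelled as such: the internal NIC is called eth1 (placeholder),
# the LAN is 192.168.1.0/24, sshd listens on 22 and the proxy on 3128.
# Commands are printed by default so they can be reviewed; "--apply" runs them.
INT_IF="${INT_IF:-eth1}"        # assumption: internal interface name
LAN="${LAN:-192.168.1.0/24}"    # from the thread
SSH_PORT=22
PROXY_PORT=3128

# The reset Nitro posted: open policies, then flush and delete all chains.
gen_flush() {
    cat <<'EOF'
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
EOF
}

# Minimal INPUT policy.  Rules are appended while the policy is still ACCEPT
# and the DROP policy is set last, so an SSH session used to apply this is not
# cut off between the flush and the ESTABLISHED rule.
gen_rules() {
    gen_flush
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INT_IF -s $LAN -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
iptables -A INPUT -i $INT_IF -s $LAN -p tcp --dport $PROXY_PORT -m state --state NEW -j ACCEPT
iptables -A INPUT -i $INT_IF -s $LAN -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
iptables -A INPUT -j DROP
iptables -P INPUT DROP
EOF
}

# Number of explicit INPUT rules in the generated policy (a sanity check).
count_input_rules() {
    gen_rules | grep -c '^iptables -A INPUT'
}

# Feed the generated commands to a shell; stops at the first failing command.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    gen_rules | sh -e
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       gen_rules ;;
esac
```

Run it with no arguments to print the commands; `--apply` pipes them into `sh -e` as root. The LOG rule is the check Starblazer was already looking at: a refused SSH attempt that does reach the box shows up in the kernel log, and if nothing is logged while the client reports "actively refused", the packets are being stopped on the client side before they ever hit the firewall.

----------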

## Starblazer

I personally don't think it's a routing problem either.  But it's just plain weird.  I've already tried turning off the firewall and just having it behave as a DHCP server.  I can ping from both machines.  But I can't telnet/ssh in.  The part that gets me is that it obviously finds the proxy server somehow, otherwise I wouldn't be able to post this message (the logs do confirm that I'm using the proxy).

----------

## Nitro

*Starblazer wrote:*

> I personally don't think it's a routing problem either.  But it's just plain weird.  I've already tried turning off the firewall and just having it behave as a DHCP server.  I can ping from both machines.  But I can't telnet/ssh in.  The part that gets me is that it obviously finds the proxy server somehow, otherwise I wouldn't be able to post this message (the logs do confirm that I'm using the proxy).

:Smile: You are using TCP wrappers, huh? Well, you are by default.

Try putting the following in hosts.allow:

```
sshd:ALL
```

 and the following in hosts.deny: 

```
ALL:ALL
```

----------
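
The allow-before-deny order is the whole point of Nitro's suggestion, and it is easy to get wrong, so here is a small evaluator of that decision as an added example (a toy, not libwrap, and not the posters' files). It writes a tighter pair of files than `sshd: ALL` into a scratch directory created with mktemp (an assumption) and then checks three client/service combinations the way tcpd would: hosts.allow first, hosts.deny second, access granted if neither matches.

```sh
#!/bin/sh
# Added example (not libwrap itself, and not the posters' files): a toy
# evaluator for the hosts.allow / hosts.deny decision tcpd makes, covering the
# subset used here: ALL, a literal IPv4 address, or net/mask.  It writes the
# two files into a scratch directory (assumption: mktemp is available), never
# to /etc, so it can be run safely.
WRAP_DIR="${WRAP_DIR:-$(mktemp -d)}"

# Tighter than "sshd: ALL": only the internal LAN from the thread may reach
# sshd; everything else, for every wrapped daemon, is denied.
write_wrappers() {
    printf 'sshd: 192.168.1.0/255.255.255.0\n' > "$WRAP_DIR/hosts.allow"
    printf 'ALL: ALL\n' > "$WRAP_DIR/hosts.deny"
}

# Dotted quad -> integer, so net/mask patterns can be compared bitwise.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# Does one client pattern (ALL, 1.2.3.4, or net/mask) match the client address?
match_client() {
    pat=$1; client=$2
    case $pat in
        ALL) return 0 ;;
        */*) net=${pat%/*}; mask=${pat#*/}
             [ $(( $(ip2int "$client") & $(ip2int "$mask") )) -eq \
               $(( $(ip2int "$net") & $(ip2int "$mask") )) ] ;;
        *)   [ "$pat" = "$client" ] ;;
    esac
}

# Does any "daemon_list : client_list" line in file $1 match service $2
# coming from client $3?  First matching line wins.
file_matches() {
    file=$1; service=$2; client=$3
    [ -f "$file" ] || return 1
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        daemons=${line%%:*}
        clients=${line#*:}
        svc_ok=1
        for d in $(echo "$daemons" | tr ',' ' '); do
            [ "$d" = ALL ] || [ "$d" = "$service" ] && svc_ok=0
        done
        [ $svc_ok -eq 0 ] || continue
        for c in $(echo "$clients" | tr ',' ' '); do
            match_client "$c" "$client" && return 0
        done
    done < "$file"
    return 1
}

# The order tcpd uses: hosts.allow first, then hosts.deny, otherwise allow.
wrap_allows() {
    if file_matches "$WRAP_DIR/hosts.allow" "$1" "$2"; then echo allow
    elif file_matches "$WRAP_DIR/hosts.deny" "$1" "$2"; then echo deny
    else echo allow
    fi
}

write_wrappers
for probe in "sshd 192.168.1.102" "sshd 10.0.0.5" "telnetd 192.168.1.102"; do
    set -- $probe
    printf '%-8s from %-15s -> %s\n' "$1" "$2" "$(wrap_allows "$1" "$2")"
done
```

The third probe is the one people miss: `ALL: ALL` in hosts.deny closes every other wrapped service, so a daemon that is not listed in hosts.allow is refused even from the LAN. On a real system the same check is `tcpdmatch sshd 192.168.1.102` from the tcp_wrappers package, which reads /etc/hosts.allow and /etc/hosts.deny and prints the verdict.

----------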

## Starblazer

That was a pretty good idea... but it didn't pan out.   :Crying or Very sad: 

I went a step further and sniffed my connection.  I can see the traffic go out to the proxy server and back, but that's it.  If I use telnet/ssh/nmap, no traffic whatsoever.  

When I try a ping, I can see my ping packets go out.  I also see the bootp protocol going back and forth.

----------

## Nitro

You wouldn't happen to have ECN turned on in your kernel would you?

Networking options  ---> IP: TCP Explicit Congestion Notification support

Have you tried recompiling your kernel? Perhaps even trying the vanilla sources kernel to rule out any problems with a patch gone bad on your gentoo-sources?

----------

## Starblazer

I've recompiled a few times already, and no ECN isn't enabled.  I haven't tried using the vanilla-sources yet, but I strongly suspect that my problem isn't gentoo related since traffic never even leaves my PC.

I think it has something to do with the network layer on XP.  I'm going to try something else tonight.  But if you think of anything, please let me know!  Thanks for the help so far.

----------

## Starblazer

ALRIGHT!!!

It's kinda silly really, but I've figured out what was blocking me.  I had to uninstall ZoneAlarm.  Apparently, even though I thought it wasn't running, it had some sort of hook into the OS that must've prevented me from connecting directly to the firewall.  All's good now.  Thanks for all the help.

----------

## Nitro

Ack, don't you hate it when that happens?   :Laughing:   :Laughing: 

----------

