# iptables LAN, but no WAN. [/CLOSED]

## dustfinger

I have been trying for quite some time now to get my gentoo router working.

Here is the problem:

I can ssh to the router from the LAN, but computers in my LAN cannot communicate to the internet.  

The gentoo router however, can communicate to the internet.  I have searched the forums and tried different iptable rules to try and get my network working, but so far with no success.  Here is my setup.

Router configuration:

firewall.sh - Was taken from another thread.

```
IPTABLES='/sbin/iptables'

#set interface values
EXTIF='eth1'
INTIF='eth0'

#enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

#flush rules and delete chains
$IPTABLES -F FORWARD
$IPTABLES -P FORWARD DROP

# Drop Internet traffic from private IP ranges
$IPTABLES -A FORWARD -i EXTIF -s 10.0.0.0/8 -j DROP
$IPTABLES -A FORWARD -i EXTIF -s 172.16.0.0/12 -j DROP
$IPTABLES -A FORWARD -i EXTIF -s 192.168.0.0/16 -j DROP

# Drop traffic which should stay in the local network
$IPTABLES -A FORWARD -i INTIF -d 192.168.0.0/16 -j DROP

# Drop traffic which is trying to leave the local network, but appears
# not to have originated locally
$IPTABLES -A FORWARD -i INTIF -s ! 192.168.0.0/24 -j DROP

# Drop traffic which the kernel thinks is INVALID
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

# Allow traffic for existing connections to pass
# Note: requires stateful match support in the kernel
$IPTABLES -A FORWARD -i EXTIF -p tcp -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i EXTIF -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow internal hosts to use TCP and UDP freely
$IPTABLES -A FORWARD -i INTIF -p tcp -j ACCEPT
$IPTABLES -A FORWARD -i INTIF -p udp -j ACCEPT
```

```
# iptables -L -v
Chain INPUT (policy ACCEPT 6508 packets, 521K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  EXTIF  any     10.0.0.0/8           anywhere
    0     0 DROP       all  --  EXTIF  any     172.16.0.0/12        anywhere
    0     0 DROP       all  --  EXTIF  any     192.168.0.0/16       anywhere
    0     0 DROP       all  --  INTIF  any     anywhere             192.168.0.0/16
    0     0 DROP       all  --  INTIF  any    !192.168.0.0/24       anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID
    0     0 ACCEPT     tcp  --  EXTIF  any     anywhere             anywhere            state ESTABLISHED
    0     0 ACCEPT     udp  --  EXTIF  any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  INTIF  any     anywhere             anywhere
    0     0 ACCEPT     udp  --  INTIF  any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 6100 packets, 1255K bytes)
 pkts bytes target     prot opt in     out     source               destination
```

I have two NICs, eth0 and eth1.

eth1 is not configured so that it uses DHCP to get an IP from my ISP.

eth0 is a static IP for my LAN.

/etc/conf.d/net

```
config_eth0=( "192.168.1.1 broadcast 192.168.1.255 netmask 255.255.255.0" )
```

Desktop inside LAN: 

eth0 is a static ip address for communicating to the router.

/etc/conf.d/net

```
config_eth0=( "192.168.1.77 broadcast 192.168.1.255 netmask 255.255.255.0" )
gateway_eth0=( "default via 192.168.1.1" )
```

Thank you very much to anyone that is kind enough to help me resolve this matter.

Sincerely,

dustfinger.

----------

## Hu

Your first problem is you are specifying the interface names incorrectly.  Since you are not putting a $ in front of the variable reference, the variable is not expanded.  So instead of matching an interface named eth0, you are trying to match an interface named INTIF.  Fix that up and report back whether it works.

----------

## dustfinger

To Hu,

Thank you for helping me and for pointing out my mistake regarding variable usage.  I made the changes:

```
# iptables -L -v
Chain INPUT (policy ACCEPT 117 packets, 8399 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth1   any     10.0.0.0/8           anywhere
    0     0 DROP       all  --  eth1   any     172.16.0.0/12        anywhere
    0     0 DROP       all  --  eth1   any     192.168.0.0/16       anywhere
    0     0 DROP       all  --  eth0   any     anywhere             192.168.0.0/16
    0     0 DROP       all  --  eth0   any    !192.168.0.0/24       anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID
    0     0 ACCEPT     tcp  --  eth1   any     anywhere             anywhere            state ESTABLISHED
    0     0 ACCEPT     udp  --  eth1   any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere
    0     0 ACCEPT     udp  --  eth0   any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 69 packets, 8075 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

However, I am still unable to communicate to the internet from within my LAN.

dustfinger.

----------

## Hu

Sorry, I should have recognized this second problem sooner.  There is something wrong in some configuration that you have not shown.  According to the packet counters, no traffic has traversed your FORWARD chain since it was last reset.  If your inability to use the WAN was due to a bad rule in the FORWARD chain, we would see a packet hitting either a rule or the default policy.  Neither has occurred.

How does your PREROUTING chain in the nat table look?  You can get a list of all tables at once by running iptables-save -c.
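The reasoning in this reply, that a FORWARD chain whose policy counter and every rule counter read zero has never been traversed at all, can be applied mechanically to `iptables-save -c` output. The script below is an added example, not code from the thread: it parses the `[packets:bytes]` counters of a saved ruleset, sums them per chain, and also checks whether nat/POSTROUTING carries a source-NAT rule (the second issue raised later in the thread). The two sample rulesets are constructed for the example; the first mirrors the state posted here, the second is what a working router would look like. Function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: read `iptables-save -c` output and apply the two checks
# made by eye in the thread: does the FORWARD chain count any packets at all, and does the nat
# table carry a MASQUERADE (or SNAT) rule in POSTROUTING.

# Constructed sample in iptables-save -c format (counters are [packets:bytes]); it mirrors the
# state in the thread: FORWARD never hit, no NAT rule.
SAMPLE_NO_NAT='*filter
:INPUT ACCEPT [899:68350]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [625:77617]
[0:0] -A FORWARD -s 10.0.0.0/255.0.0.0 -i eth1 -j DROP
[0:0] -A FORWARD -i eth0 -p tcp -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [24:2233]
:POSTROUTING ACCEPT [12:840]
:OUTPUT ACCEPT [12:840]
COMMIT'

# Constructed sample of a router that is actually forwarding and masquerading.
SAMPLE_WORKING='*filter
:INPUT ACCEPT [10:800]
:FORWARD DROP [2:120]
:OUTPUT ACCEPT [9:700]
[5:300] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[40:3000] -A FORWARD -i eth0 -o eth1 -s 192.168.1.0/24 -j ACCEPT
[37:2900] -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [3:200]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[3:201] -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
COMMIT'

# chain_packets SAVE_TEXT TABLE CHAIN: packets seen by CHAIN = policy counter + every rule
# counter in that chain, so 0 means the chain was never traversed at all.
chain_packets() {
  printf '%s\n' "$1" | awk -v tbl="*$2" -v chain="$3" '
    function pkts(ctr,   v, c) {
      v = ctr; sub(/^\[/, "", v); sub(/\]$/, "", v); split(v, c, ":"); return c[1] + 0
    }
    /^\*/                                   { cur = $1; next }
    cur != tbl                              { next }
    $1 == (":" chain)                       { total += pkts($3); next }
    $1 ~ /^\[/ && $2 == "-A" && $3 == chain { total += pkts($1); next }
    END { print total + 0 }'
}

# has_masquerade SAVE_TEXT: true when nat/POSTROUTING contains a MASQUERADE or SNAT rule.
has_masquerade() {
  printf '%s\n' "$1" | awk '
    /^\*/ { cur = $1; next }
    cur == "*nat" && $2 == "-A" && $3 == "POSTROUTING" && ($0 ~ /-j (MASQUERADE|SNAT)/) { found = 1 }
    END { exit found ? 0 : 1 }'
}

# diagnose SAVE_TEXT: print one finding per line, in the order the thread worked through them.
diagnose() {
  fwd=$(chain_packets "$1" filter FORWARD)
  if [ "$fwd" -eq 0 ]; then
    echo "FORWARD: 0 packets counted; traffic is not reaching the forwarding path (check ip_forward, routes and the clients' default gateway before touching the rules)"
  else
    echo "FORWARD: $fwd packets counted"
  fi
  if has_masquerade "$1"; then
    echo "nat/POSTROUTING: source NAT rule present"
  else
    echo "nat/POSTROUTING: no MASQUERADE/SNAT rule; LAN addresses would leave the WAN side unrewritten"
  fi
}

echo "== sample as in the thread =="; diagnose "$SAMPLE_NO_NAT"
echo "== working sample ==";         diagnose "$SAMPLE_WORKING"
```

On a live router the same functions run against `iptables-save -c` directly (`diagnose "$(iptables-save -c)"`); the point of summing the rule counters together with the policy counter is that a chain whose rules all show 0 but whose policy counter is non-zero has been traversed, whereas an all-zero chain has not, which is the distinction drawn above.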

----------

## dustfinger

To Hu,

Here are the results from iptables-save -c

```
# iptables-save -c
# Generated by iptables-save v1.3.5 on Mon Jun 11 11:42:20 2007
*filter
:INPUT ACCEPT [899:68350]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [625:77617]
[0:0] -A FORWARD -s 10.0.0.0/255.0.0.0 -i eth1 -j DROP
[0:0] -A FORWARD -s 172.16.0.0/255.240.0.0 -i eth1 -j DROP
[0:0] -A FORWARD -s 192.168.0.0/255.255.0.0 -i eth1 -j DROP
[0:0] -A FORWARD -d 192.168.0.0/255.255.0.0 -i eth0 -j DROP
[0:0] -A FORWARD -s ! 192.168.0.0/255.255.255.0 -i eth0 -j DROP
[0:0] -A FORWARD -m state --state INVALID -j DROP
[0:0] -A FORWARD -i eth1 -p tcp -m state --state ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i eth1 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i eth0 -p tcp -j ACCEPT
[0:0] -A FORWARD -i eth0 -p udp -j ACCEPT
COMMIT
# Completed on Mon Jun 11 11:42:20 2007
# Generated by iptables-save v1.3.5 on Mon Jun 11 11:42:20 2007
*nat
:PREROUTING ACCEPT [24:2233]
:POSTROUTING ACCEPT [12:840]
:OUTPUT ACCEPT [12:840]
COMMIT
# Completed on Mon Jun 11 11:42:20 2007
```

Later tonight I will continue to experiment and hopefully I will stumble across something.  Thank you very much for your help so far.

dustfinger.

----------

## Hu

This is easy, then.  Your router is not rewriting the IP headers, so hosts on the Internet are getting connections from 192.168.0.x.  Those hosts have no reliable way to get their responses back to you, so your connection never completes.  You need to configure the POSTROUTING chain in the nat table to MASQUERADE traffic that originated on the LAN and is leaving onto the WAN.

----------

## dustfinger

To Hu,

Below is my updated firewall.sh with masquerading, but unfortunately I am still unable to communicate to the internet from inside the LAN, i.e. I cannot browse the internet, nor can I ping a computer outside of the LAN.  I tried commenting out all of the lines that drop connections, but I am still unable to connect to the internet.

```
IPTABLES='/sbin/iptables'

#set interface values
EXTIF='eth1'
INTIF='eth0'

#enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

#flush rules and delete chains
$IPTABLES -F FORWARD
$IPTABLES -P FORWARD DROP

# Drop Internet traffic from private IP ranges
$IPTABLES -A FORWARD -i $EXTIF -s 10.0.0.0/8 -j DROP
$IPTABLES -A FORWARD -i $EXTIF -s 172.16.0.0/12 -j DROP
$IPTABLES -A FORWARD -i $EXTIF -s 192.168.0.0/16 -j DROP

# Drop traffic which should stay in the local network
$IPTABLES -A FORWARD -i $INTIF -d 192.168.0.0/16 -j DROP

# Drop traffic which is trying to leave the local network, but appears
# not to have originated locally
$IPTABLES -A FORWARD -i $INTIF -s ! 192.168.0.0/24 -j DROP

# Drop traffic which the kernel thinks is INVALID
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

# Allow traffic for existing connections to pass
# Note: requires stateful match support in the kernel
$IPTABLES -A FORWARD -i $EXTIF -p tcp -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow internal hosts to use TCP and UDP freely
$IPTABLES -A FORWARD -i $INTIF -p tcp -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -p udp -j ACCEPT

#echo -e "--> enable masquerading to allow LAN internet access"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

#echo -e "--> forward LAN traffic from $INTIF to Internet interface $EXTIF"
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

#echo -e "       - Allowing access to the HTTP server"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
```

```
# iptables -L -v
Chain INPUT (policy ACCEPT 3082 packets, 231K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth1   any     10.0.0.0/8           anywhere
    0     0 DROP       all  --  eth1   any     172.16.0.0/12        anywhere
    0     0 DROP       all  --  eth1   any     192.168.0.0/16       anywhere
    0     0 DROP       all  --  eth0   any     anywhere             192.168.0.0/16
    0     0 DROP       all  --  eth0   any    !192.168.0.0/24       anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID
    0     0 ACCEPT     tcp  --  eth1   any     anywhere             anywhere            state ESTABLISHED
    0     0 ACCEPT     udp  --  eth1   any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere
    0     0 ACCEPT     udp  --  eth0   any     anywhere             anywhere
    0     0 ACCEPT     all  --  eth0   eth1    anywhere             anywhere            state NEW,ESTABLISHED

Chain OUTPUT (policy ACCEPT 2104 packets, 279K bytes)
 pkts bytes target     prot opt in     out     source               destination
```

```
# iptables-save -c
# Generated by iptables-save v1.3.5 on Mon Jun 11 17:35:51 2007
*filter
:INPUT ACCEPT [3140:235753]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2150:285065]
[0:0] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A FORWARD -s 10.0.0.0/255.0.0.0 -i eth1 -j DROP
[0:0] -A FORWARD -s 172.16.0.0/255.240.0.0 -i eth1 -j DROP
[0:0] -A FORWARD -s 192.168.0.0/255.255.0.0 -i eth1 -j DROP
[0:0] -A FORWARD -d 192.168.0.0/255.255.0.0 -i eth0 -j DROP
[0:0] -A FORWARD -s ! 192.168.0.0/255.255.255.0 -i eth0 -j DROP
[0:0] -A FORWARD -m state --state INVALID -j DROP
[0:0] -A FORWARD -i eth1 -p tcp -m state --state ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i eth1 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i eth0 -p tcp -j ACCEPT
[0:0] -A FORWARD -i eth0 -p udp -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Mon Jun 11 17:35:51 2007
# Generated by iptables-save v1.3.5 on Mon Jun 11 17:35:51 2007
*nat
:PREROUTING ACCEPT [53:5627]
:POSTROUTING ACCEPT [15:1041]
:OUTPUT ACCEPT [18:1242]
[3:201] -A POSTROUTING -o eth1 -j MASQUERADE
[0:0] -A POSTROUTING -o eth1 -j MASQUERADE
[0:0] -A POSTROUTING -o eth1 -j MASQUERADE
[0:0] -A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Mon Jun 11 17:35:51 2007
```

dustfinger.

----------

## Hu

For reference, iptables-save -c is a superset of iptables -L -v, so you only need to post the output from iptables-save -c.  That said, I appreciate that you erred on the side of extra information.

Your configuration looks fine, but as I noted earlier, traffic is never reaching the FORWARD chain.  What is the output of sysctl -a | grep net.ipv4; ifconfig -a; route -n?

----------

## dustfinger

sysctl -a | grep net.ipv4

```
net.ipv4.netfilter.ip_conntrack_log_invalid = 0
net.ipv4.netfilter.ip_conntrack_checksum = 1
net.ipv4.netfilter.ip_conntrack_buckets = 4063
net.ipv4.netfilter.ip_conntrack_count = 1
net.ipv4.netfilter.ip_conntrack_max = 32504
net.ipv4.netfilter.ip_conntrack_icmp_timeout = 30
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 180
net.ipv4.netfilter.ip_conntrack_udp_timeout = 30
net.ipv4.netfilter.ip_conntrack_tcp_max_retrans = 3
net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 0
net.ipv4.netfilter.ip_conntrack_tcp_loose = 3
net.ipv4.netfilter.ip_conntrack_tcp_timeout_max_retrans = 300
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close = 10
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
net.ipv4.netfilter.ip_conntrack_generic_timeout = 600
net.ipv4.conf.eth1.promote_secondaries = 0
net.ipv4.conf.eth1.force_igmp_version = 0
net.ipv4.conf.eth1.disable_policy = 0
net.ipv4.conf.eth1.disable_xfrm = 0
net.ipv4.conf.eth1.arp_accept = 0
net.ipv4.conf.eth1.arp_ignore = 0
net.ipv4.conf.eth1.arp_announce = 0
net.ipv4.conf.eth1.arp_filter = 0
net.ipv4.conf.eth1.tag = 0
net.ipv4.conf.eth1.log_martians = 0
net.ipv4.conf.eth1.bootp_relay = 0
net.ipv4.conf.eth1.medium_id = 0
net.ipv4.conf.eth1.proxy_arp = 0
net.ipv4.conf.eth1.accept_source_route = 1
net.ipv4.conf.eth1.send_redirects = 1
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.eth1.shared_media = 1
net.ipv4.conf.eth1.secure_redirects = 1
net.ipv4.conf.eth1.accept_redirects = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth0.promote_secondaries = 0
net.ipv4.conf.eth0.force_igmp_version = 0
net.ipv4.conf.eth0.disable_policy = 0
net.ipv4.conf.eth0.disable_xfrm = 0
net.ipv4.conf.eth0.arp_accept = 0
net.ipv4.conf.eth0.arp_ignore = 0
net.ipv4.conf.eth0.arp_announce = 0
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.tag = 0
net.ipv4.conf.eth0.log_martians = 0
net.ipv4.conf.eth0.bootp_relay = 0
net.ipv4.conf.eth0.medium_id = 0
net.ipv4.conf.eth0.proxy_arp = 0
net.ipv4.conf.eth0.accept_source_route = 1
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth0.shared_media = 1
net.ipv4.conf.eth0.secure_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.promote_secondaries = 0
net.ipv4.conf.lo.force_igmp_version = 0
net.ipv4.conf.lo.disable_policy = 1
net.ipv4.conf.lo.disable_xfrm = 1
net.ipv4.conf.lo.arp_accept = 0
net.ipv4.conf.lo.arp_ignore = 0
net.ipv4.conf.lo.arp_announce = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.tag = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.lo.bootp_relay = 0
net.ipv4.conf.lo.medium_id = 0
net.ipv4.conf.lo.proxy_arp = 0
net.ipv4.conf.lo.accept_source_route = 1
net.ipv4.conf.lo.send_redirects = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.shared_media = 1
net.ipv4.conf.lo.secure_redirects = 1
net.ipv4.conf.lo.accept_redirects = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.promote_secondaries = 0
net.ipv4.conf.default.force_igmp_version = 0
net.ipv4.conf.default.disable_policy = 0
net.ipv4.conf.default.disable_xfrm = 0
net.ipv4.conf.default.arp_accept = 0
net.ipv4.conf.default.arp_ignore = 0
net.ipv4.conf.default.arp_announce = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.tag = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.bootp_relay = 0
net.ipv4.conf.default.medium_id = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.shared_media = 1
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.promote_secondaries = 0
net.ipv4.conf.all.force_igmp_version = 0
net.ipv4.conf.all.disable_policy = 0
net.ipv4.conf.all.disable_xfrm = 0
net.ipv4.conf.all.arp_accept = 0
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.tag = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.bootp_relay = 0
net.ipv4.conf.all.medium_id = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.shared_media = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.neigh.eth1.base_reachable_time_ms = 30000
net.ipv4.neigh.eth1.retrans_time_ms = 1000
net.ipv4.neigh.eth1.locktime = 99
net.ipv4.neigh.eth1.proxy_delay = 79
net.ipv4.neigh.eth1.anycast_delay = 99
net.ipv4.neigh.eth1.proxy_qlen = 64
net.ipv4.neigh.eth1.unres_qlen = 3
net.ipv4.neigh.eth1.gc_stale_time = 60
net.ipv4.neigh.eth1.delay_first_probe_time = 5
net.ipv4.neigh.eth1.base_reachable_time = 30
net.ipv4.neigh.eth1.retrans_time = 99
net.ipv4.neigh.eth1.app_solicit = 0
net.ipv4.neigh.eth1.ucast_solicit = 3
net.ipv4.neigh.eth1.mcast_solicit = 3
net.ipv4.neigh.eth0.base_reachable_time_ms = 30000
net.ipv4.neigh.eth0.retrans_time_ms = 1000
net.ipv4.neigh.eth0.locktime = 99
net.ipv4.neigh.eth0.proxy_delay = 79
net.ipv4.neigh.eth0.anycast_delay = 99
net.ipv4.neigh.eth0.proxy_qlen = 64
net.ipv4.neigh.eth0.unres_qlen = 3
net.ipv4.neigh.eth0.gc_stale_time = 60
net.ipv4.neigh.eth0.delay_first_probe_time = 5
net.ipv4.neigh.eth0.base_reachable_time = 30
net.ipv4.neigh.eth0.retrans_time = 99
net.ipv4.neigh.eth0.app_solicit = 0
net.ipv4.neigh.eth0.ucast_solicit = 3
net.ipv4.neigh.eth0.mcast_solicit = 3
net.ipv4.neigh.lo.base_reachable_time_ms = 30000
net.ipv4.neigh.lo.retrans_time_ms = 1000
net.ipv4.neigh.lo.locktime = 99
net.ipv4.neigh.lo.proxy_delay = 79
net.ipv4.neigh.lo.anycast_delay = 99
net.ipv4.neigh.lo.proxy_qlen = 64
net.ipv4.neigh.lo.unres_qlen = 3
net.ipv4.neigh.lo.gc_stale_time = 60
net.ipv4.neigh.lo.delay_first_probe_time = 5
net.ipv4.neigh.lo.base_reachable_time = 30
net.ipv4.neigh.lo.retrans_time = 99
net.ipv4.neigh.lo.app_solicit = 0
net.ipv4.neigh.lo.ucast_solicit = 3
net.ipv4.neigh.lo.mcast_solicit = 3
net.ipv4.neigh.default.base_reachable_time_ms = 30000
net.ipv4.neigh.default.retrans_time_ms = 1000
net.ipv4.neigh.default.gc_thresh3 = 1024
net.ipv4.neigh.default.gc_thresh2 = 512
net.ipv4.neigh.default.gc_thresh1 = 128
net.ipv4.neigh.default.gc_interval = 30
net.ipv4.neigh.default.locktime = 99
net.ipv4.neigh.default.proxy_delay = 79
net.ipv4.neigh.default.anycast_delay = 99
net.ipv4.neigh.default.proxy_qlen = 64
net.ipv4.neigh.default.unres_qlen = 3
net.ipv4.neigh.default.gc_stale_time = 60
net.ipv4.neigh.default.delay_first_probe_time = 5
net.ipv4.neigh.default.base_reachable_time = 30
net.ipv4.neigh.default.retrans_time = 99
net.ipv4.neigh.default.app_solicit = 0
net.ipv4.neigh.default.ucast_solicit = 3
net.ipv4.neigh.default.mcast_solicit = 3
net.ipv4.tcp_allowed_congestion_control = cubic reno
net.ipv4.tcp_available_congestion_control = cubic reno
net.ipv4.tcp_slow_start_after_idle = 1
net.ipv4.tcp_workaround_signed_windows = 0
net.ipv4.tcp_base_mss = 512
net.ipv4.tcp_mtu_probing = 0
net.ipv4.tcp_abc = 0
net.ipv4.tcp_congestion_control = cubic
net.ipv4.tcp_tso_win_divisor = 3
net.ipv4.tcp_moderate_rcvbuf = 1
net.ipv4.tcp_no_metrics_save = 0
net.ipv4.ipfrag_max_dist = 64
net.ipv4.ipfrag_secret_interval = 600
net.ipv4.tcp_low_latency = 0
net.ipv4.tcp_frto = 0
net.ipv4.tcp_tw_reuse = 0
net.ipv4.icmp_ratemask = 6168
net.ipv4.icmp_ratelimit = 1000
net.ipv4.tcp_adv_win_scale = 2
net.ipv4.tcp_app_win = 31
net.ipv4.tcp_rmem = 4096        87380   4083712
net.ipv4.tcp_wmem = 4096        16384   4083712
net.ipv4.tcp_mem = 95712        127616  191424
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_ecn = 0
net.ipv4.tcp_reordering = 3
net.ipv4.tcp_fack = 1
net.ipv4.tcp_orphan_retries = 0
net.ipv4.inet_peer_gc_maxtime = 120
net.ipv4.inet_peer_gc_mintime = 10
net.ipv4.inet_peer_maxttl = 600
net.ipv4.inet_peer_minttl = 120
net.ipv4.inet_peer_threshold = 65664
net.ipv4.igmp_max_msf = 10
net.ipv4.igmp_max_memberships = 20
net.ipv4.route.secret_interval = 600
net.ipv4.route.min_adv_mss = 256
net.ipv4.route.min_pmtu = 552
net.ipv4.route.mtu_expires = 600
net.ipv4.route.gc_elasticity = 8
net.ipv4.route.error_burst = 5000
net.ipv4.route.error_cost = 1000
net.ipv4.route.redirect_silence = 20480
net.ipv4.route.redirect_number = 9
net.ipv4.route.redirect_load = 20
net.ipv4.route.gc_interval = 60
net.ipv4.route.gc_timeout = 300
net.ipv4.route.gc_min_interval_ms = 500
net.ipv4.route.gc_min_interval = 0
net.ipv4.route.max_size = 524288
net.ipv4.route.gc_thresh = 32768
net.ipv4.route.max_delay = 10
net.ipv4.route.min_delay = 2
net.ipv4.icmp_errors_use_inbound_ifaddr = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.ip_local_port_range = 32768    61000
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_rfc1337 = 0
net.ipv4.tcp_stdurg = 0
net.ipv4.tcp_abort_on_overflow = 0
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 60
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3
net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.ipfrag_time = 30
net.ipv4.ip_dynaddr = 0
net.ipv4.ipfrag_low_thresh = 196608
net.ipv4.ipfrag_high_thresh = 262144
net.ipv4.tcp_max_tw_buckets = 180000
net.ipv4.tcp_max_orphans = 65536
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5
net.ipv4.ip_nonlocal_bind = 0
net.ipv4.ip_no_pmtu_disc = 0
net.ipv4.ip_default_ttl = 64
net.ipv4.ip_forward = 1
net.ipv4.tcp_retrans_collapse = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
```

ifconfig -a

```
eth0      Link encap:Ethernet  HWaddr 00:0E:0C:A2:DF:22
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20e:cff:fec2:cf26/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1887 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1799 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:165996 (162.1 Kb)  TX bytes:412604 (402.9 Kb)
          Base address:0xcc00 Memory:ff8e0000-ff900000

eth1      Link encap:Ethernet  HWaddr 00:15:DC:2B:1E:11
          inet addr:72.74.136.12  Bcast:255.255.255.255  Mask:255.255.254.0
          UP BROADCAST MULTICAST  MTU:576  Metric:1
          RX packets:314 errors:0 dropped:0 overruns:0 frame:0
          TX packets:76 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:22370 (21.8 Kb)  TX bytes:7298 (7.1 Kb)
          Interrupt:20 Base address:0x2c00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
```

route -n

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
72.74.136.0     0.0.0.0         255.255.254.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         72.74.136.1     0.0.0.0         UG    0      0        0 eth1
```

dustfinger.

-- EDIT --

I am going to build all of the netfilter modules for the kernel; currently I have only built the following modules:

```
grep -i netfilter /usr/src/linux/.config
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
# Core Netfilter Configuration
# CONFIG_NETFILTER_NETLINK is not set
CONFIG_NETFILTER_XTABLES=m
# CONFIG_NETFILTER_XT_TARGET_CLASSIFY is not set
# CONFIG_NETFILTER_XT_TARGET_DSCP is not set
# CONFIG_NETFILTER_XT_TARGET_MARK is not set
# CONFIG_NETFILTER_XT_TARGET_NFQUEUE is not set
# CONFIG_NETFILTER_XT_TARGET_NFLOG is not set
# CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
# CONFIG_NETFILTER_XT_MATCH_COMMENT is not set
# CONFIG_NETFILTER_XT_MATCH_CONNTRACK is not set
# CONFIG_NETFILTER_XT_MATCH_DCCP is not set
# CONFIG_NETFILTER_XT_MATCH_DSCP is not set
# CONFIG_NETFILTER_XT_MATCH_ESP is not set
# CONFIG_NETFILTER_XT_MATCH_HELPER is not set
# CONFIG_NETFILTER_XT_MATCH_LENGTH is not set
# CONFIG_NETFILTER_XT_MATCH_LIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_MAC is not set
# CONFIG_NETFILTER_XT_MATCH_MARK is not set
# CONFIG_NETFILTER_XT_MATCH_POLICY is not set
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set
# CONFIG_NETFILTER_XT_MATCH_PKTTYPE is not set
# CONFIG_NETFILTER_XT_MATCH_QUOTA is not set
# CONFIG_NETFILTER_XT_MATCH_REALM is not set
# CONFIG_NETFILTER_XT_MATCH_SCTP is not set
CONFIG_NETFILTER_XT_MATCH_STATE=m
# CONFIG_NETFILTER_XT_MATCH_STATISTIC is not set
# CONFIG_NETFILTER_XT_MATCH_STRING is not set
# CONFIG_NETFILTER_XT_MATCH_TCPMSS is not set
# CONFIG_NETFILTER_XT_MATCH_HASHLIMIT is not set
# IP: Netfilter Configuration
# IPv6: Netfilter Configuration (EXPERIMENTAL)
```

-----------

----------

## Hu

Your internal subnet is 192.168.1.x, but your iptables rules cover 192.168.0.x.  I requested the sysctl information because I suspected a strange configuration confusing the reverse path filter, but that appears not to be the case.
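The two configuration mistakes diagnosed in this thread, a variable written without its `$` so that iptables matched an interface literally named `EXTIF`, and a LAN prefix in the rules (192.168.0.0/24) that is not the network the LAN interface sits in (192.168.1.1/24), can both be caught before a ruleset is loaded. The script below is an added example, not the thread's firewall.sh: it emits a stateful LAN-to-WAN masquerading ruleset as text (so it can be reviewed and tested without root), lints every `-i`/`-o` argument against a list of interface names, and checks that the LAN CIDR the rules use really is the network of the LAN address. Interface names, the LAN address and the iptables path are taken from the thread; the interface list passed to the lint, the `BAD_RULE` line and all function names are this example's own. The rules use the current `! -s` negation syntax rather than the `-s !` form of iptables 1.3.x shown in the thread.

```shell
#!/bin/sh
# Added example (not the thread's firewall.sh): generate a two-NIC NAT ruleset as text and
# check it for the two mistakes from this thread before anything is applied.
IPTABLES='/sbin/iptables'   # assumed path; it only appears in the generated text
EXTIF='eth1'                # WAN side, as in the thread
INTIF='eth0'                # LAN side
LANNET='192.168.1.0/24'     # the router's eth0 is 192.168.1.1/24

# gen_rules: print the iptables commands for a stateful LAN->WAN masquerading router.
# Apply for real with: gen_rules | sh   (as root, after the checks below pass)
gen_rules() {
  cat <<EOF
$IPTABLES -F FORWARD
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -P FORWARD DROP
# private source addresses arriving from the WAN are bogus
$IPTABLES -A FORWARD -i $EXTIF -s 10.0.0.0/8 -j DROP
$IPTABLES -A FORWARD -i $EXTIF -s 172.16.0.0/12 -j DROP
$IPTABLES -A FORWARD -i $EXTIF -s 192.168.0.0/16 -j DROP
# only our own LAN subnet may be forwarded out ("! -s" is the current syntax; 1.3.x wrote "-s !")
$IPTABLES -A FORWARD -i $INTIF ! -s $LANNET -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $LANNET -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state RELATED,ESTABLISHED -j ACCEPT
# rewrite LAN sources to the WAN address so replies can find their way back
$IPTABLES -t nat -A POSTROUTING -s $LANNET -o $EXTIF -j MASQUERADE
EOF
}

# lint_rules "eth0 eth1": read rule text on stdin; fail on any -i/-o name not in the list.
# In real use build the list from `ip -o link`; here the caller supplies it.
lint_rules() {
  awk -v known=" $1 " '
    /^#/ { next }
    { for (i = 1; i < NF; i++)
        if (($i == "-i" || $i == "-o") && index(known, " " $(i + 1) " ") == 0) {
          print "unknown interface in rule: " $(i + 1); bad = 1 } }
    END { exit bad ? 1 : 0 }'
}

# network_of 192.168.1.77 24 -> 192.168.1.0 (pure POSIX shell arithmetic, no external tools)
network_of() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  n=$(( (a << 24) | (b << 16) | (c << 8) | d ))
  mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
  n=$(( n & mask ))
  printf '%d.%d.%d.%d\n' $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) $(( (n >> 8) & 255 )) $(( n & 255 ))
}

# lan_matches IFACE_ADDR/PFX LANNET: true when the CIDR used in the rules is exactly the network
# the LAN interface address sits in (prefix length equal, network address canonical).
lan_matches() {
  ifip=${1%/*}; ifpfx=${1#*/}
  net=${2%/*};  pfx=${2#*/}
  [ "$ifpfx" = "$pfx" ] && [ "$(network_of "$ifip" "$pfx")" = "$net" ]
}

# The thread's first bug reproduced: EXTIF written without the $, so iptables sees the literal name.
BAD_RULE="$IPTABLES -A FORWARD -i EXTIF -s 10.0.0.0/8 -j DROP"

# Dry run: print the ruleset, then run both checks against it.
gen_rules
printf '%s\n' "$BAD_RULE" | lint_rules "eth0 eth1" || echo "lint caught the unexpanded variable"
if gen_rules | lint_rules "eth0 eth1" && lan_matches "192.168.1.1/24" "$LANNET"; then
  echo "generated ruleset passed both checks"
fi
```

`lan_matches` also rejects a non-canonical prefix such as 192.168.1.0/16 (its network address is 192.168.0.0), which iptables would silently widen to the whole 192.168.0.0/16.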

----------

## dustfinger

I built all of the modules to no avail.  I must have made every mistake in the book.  I really appreciate all of your help and I am sorry if I have frustrated you with my ignorance.  Once I get this configured and working I am going to continue to study and understand how this all works.  Anyways, I made the following changes: (I am only showing the lines that have been altered).

```
# Drop Internet traffic from private IP ranges
$IPTABLES -A FORWARD -i $EXTIF -s 192.168.1.0/16 -j DROP

# Drop traffic which should stay in the local network
$IPTABLES -A FORWARD -i $INTIF -d 192.168.1.0/16 -j DROP

# Drop traffic which is trying to leave the local network, but appears
# not to have originated locally
$IPTABLES -A FORWARD -i $INTIF -s ! 192.168.1.0/24 -j DROP
```

I think that only the last line actually needed to be changed since, I believe, the lines with /16 cover the 192.168.x.x.

So now:

```
# iptables -L -v
Chain INPUT (policy ACCEPT 12828 packets, 885K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth1   any     10.0.0.0/8           anywhere
    0     0 DROP       all  --  eth1   any     172.16.0.0/12        anywhere
    0     0 DROP       all  --  eth1   any     192.168.0.0/16       anywhere
    0     0 DROP       all  --  eth0   any     anywhere             192.168.0.0/16
    0     0 DROP       all  --  eth0   any    !192.168.1.0/24       anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID
    0     0 ACCEPT     tcp  --  eth1   any     anywhere             anywhere            state ESTABLISHED
    0     0 ACCEPT     udp  --  eth1   any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere
    0     0 ACCEPT     udp  --  eth0   any     anywhere             anywhere
    0     0 ACCEPT     all  --  eth0   eth1    anywhere             anywhere            state NEW,ESTABLISHED
```

and ...

```
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
72.74.136.0     0.0.0.0         255.255.254.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         72.74.136.1     0.0.0.0         UG    0      0        0 eth1
```

dustfinger.

-- EDIT #1 --

Perhaps the problem now is on the client side.  Perhaps I need to look at resolv.conf or perhaps I need to use route add default gw 192.168.1.1? I will play with that tonight.

---------------

-- EDIT #2 --

Shouldn't my Gateway be 192.168.1.1 rather than what route -n shows (72.74.136.1)?

----------------

----------

## Hu

*dustfinger wrote:*

> I must have made every mistake in the book.  I really appreciate all of your help and I am sorry if I have frustrated you with my ignorance.

You have responded accurately and promptly to every request I made.  People usually come to the forum when they need help, so a lack of knowledge about the tools is to be expected.  You have nothing to be sorry for.  :Smile: 

*dustfinger wrote:*

> ```
> # Drop Internet traffic from private IP ranges
> ...
> ```

Correct, /16 covers 192.168.x.x.  The important change was the third one, since it was previously directing the filter to drop traffic which did not originate from 192.168.0.x.  Since your subnet was 192.168.1.x, this would have refused all traffic.  The change you made is correct to fix that.

 *dustfinger wrote:*   

> So now:
> 
> ```
>  # iptables -L -v 
> 
> ...

 

This still bothers me.  The output says that no traffic is ever reaching the FORWARD chain.  The changes we have made so far have fixed problems you would have encountered, but not the one you are encountering.

 *dustfinger wrote:*   

> 
> 
> ```
> # route -n
> 
> ...

 

No, that gateway is right.  This routing table says that traffic for 192.168.1.x goes out eth0 (LAN), traffic for 72.74.136/23 goes out eth1 to the target host (WAN), traffic for 127.x.x.x goes out lo (loopback), and everything else goes out eth1 to 72.74.136.1 (WAN).  If your gateway was 192.168.1.1, all traffic not otherwise covered would be sent to 192.168.1.1.  Since this is the address of eth0, the results would be undesirable.

To check whether it is a client problem, emerge net-analyzer/tcpdump on the Gentoo router and use it to monitor traffic.  First, we want to know if traffic is coming in eth0 destined for an Internet IP address with tcpdump -i eth0 -n -v -e.  If it is, then the next step is to check whether traffic is leaving eth1 for that address and, if so, check the value of the source address on the outbound datagram with tcpdump -i eth1 -n -v -e.  Based on our results so far, I doubt the traffic is leaving on eth1, but it may not even be coming in eth0.

----------

## dustfinger

Dumping the traffic for eth0 resulted in a whole lot of output that looked like the following:

tcpdump -i eth0 -n -v -e

```
19:49:12.490178 00:0e:0c:c2:cf:26 > 00:04:4b:01:17:6d, ethertype IPv4 (0x0800), length 386: (tos 0x10, ttl  64, id 57657, offset 0, flags [DF], proto: TCP (6), length: 372) 192.168.1.1.22 > 192.168.1.77.44311: P 51818544:51818864(320) ack 70225 win 161 <nop,nop,timestamp 6485 275002>

19:49:12.490229 00:0e:0c:c2:cf:26 > 00:04:4b:01:17:6d, ethertype IPv4 (0x0800), length 386: (tos 0x10, ttl  64, id 57658, offset 0, flags [DF], proto: TCP (6), length: 372) 192.168.1.1.22 > 192.168.1.77.44311: P 51818864:51819184(320) ack 70225 win 161 <nop,nop,timestamp 6485 275002>

19:49:12.490279 00:0e:0c:c2:cf:26 > 00:04:4b:01:17:6d, ethertype IPv4 (0x0800), length 386: (tos 0x10, ttl  64, id 57659, offset 0, flags [DF], proto: TCP (6), length: 372) 192.168.1.1.22 > 192.168.1.77.44311: P 51819184:51819504(320) ack 70225 win 161 <nop,nop,timestamp 6485 275002>

19:49:12.490330 00:0e:0c:c2:cf:26 > 00:04:4b:01:17:6d, ethertype IPv4 (0x0800), length 386: (tos 0x10, ttl  64, id 57660, offset 0, flags [DF], proto: TCP (6), length: 372) 192.168.1.1.22 > 192.168.1.77.44311: P 51819504:51819824(320) ack 70225 win 161 <nop,nop,timestamp 6486 275002>

19:49:12.490375 00:04:4b:01:17:6d > 00:0e:0c:c2:cf:26, ethertype IPv4 (0x0800), length 66: (tos 0x10, ttl  64, id 41309, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.1.77.44311 > 192.168.1.1.22: ., cksum 0x93be (correct), ack 51819504 win 3902 <nop,nop,timestamp 275007 6480>

19:49:12.490382 00:0e:0c:c2:cf:26 > 00:04:4b:01:17:6d, ethertype IPv4 (0x0800), length 290: (tos 0x10, ttl  64, id 57661, offset 0, flags [DF], proto: TCP (6), length: 276) 192.168.1.1.22 > 192.168.1.77.44311: P 51819824:51820048(224) ack 70225 win 161 <nop,nop,timestamp 6486 275002>

19:49:12.490725 00:04:4b:01:17:6d > 00:0e:0c:c2:cf:26, ethertype IPv4 (0x0800), length 162: (tos 0x10, ttl  64, id 41310, offset 0, flags [DF], proto: TCP (6), length: 148) 192.168.1.77.44311 > 192.168.1.1.22: P 70225:70321(96) ack 51820048 win 3885 <nop,nop,timestamp 275008 6486>

19:49:12.490825 00:0e:0c:c2:cf:26 > 00:04:4b:01:17:6d, ethertype IPv4 (0x0800), length 210: (tos 0x10, ttl  64, id 57662, offset 0, flags [DF], proto: TCP (6), length: 196) 192.168.1.1.22 > 192.168.1.77.44311: P 51820048:51820192(144) ack 70321 win 161 <nop,nop,timestamp 6486 275008>
```

While dumping eth1 I tried to ping google.  The output came much slower and below is the result.

tcpdump -i eth1 -n -v -e

```
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes

19:50:38.800515 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.1 tell 72.74.136.1

19:50:39.870488 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.59 tell 72.74.136.1

19:50:41.271327 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.213 tell 72.74.136.1

19:50:42.332874 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.190 tell 72.74.136.1

19:50:43.751407 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.73 tell 72.74.136.1

19:50:46.540805 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.158 tell 72.74.136.1

19:50:47.541038 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.99 tell 72.74.136.1

19:50:47.780896 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.151.55 tell 72.74.151.1

19:50:48.580797 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.35 tell 72.74.136.1

19:50:49.380708 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.136.191 tell 72.74.136.1

19:50:50.661006 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.145 tell 72.74.136.1

19:50:50.761377 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.151.55 tell 72.74.151.1

19:50:51.751212 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.78 tell 72.74.136.1

19:50:52.275038 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.136.191 tell 72.74.136.1

19:50:53.331371 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.242 tell 72.74.136.1

19:50:54.350830 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.72 tell 72.74.136.1

19:50:55.598196 00:e0:0c:b9:f2:6f > 00:15:DC:2B:1E:11, ethertype IPv4 (0x0800), length 77: (tos 0x0, ttl 115, id 22905, offset 0, flags [none], proto: UDP (17), length: 63) 71.72.11.236.16896 > 72.74.136.55.2427: UDP, length 35

19:50:55.598229 00:15:dc:2b:1e:11 > 00:e0:0c:b9:f2:6f, ethertype IPv4 (0x0800), length 105: (tos 0xc0, ttl  64, id 9880, offset 0, flags [none], proto: ICMP (1), length: 91) 72.74.136.55 > 71.72.11.236: ICMP 72.74.136.55 udp port 2427 unreachable, length 71

        (tos 0x0, ttl 115, id 22905, offset 0, flags [none], proto: UDP (17), length: 63) 71.72.11.236.16896 > 72.74.136.55.2427: UDP, length 35

19:50:55.692514 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.77 tell 72.74.136.1

19:50:56.990899 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.136.105 tell 72.74.136.1

19:50:58.720906 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.77 tell 72.74.136.1

19:51:00.021438 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.136.105 tell 72.74.136.1

19:51:00.321529 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.151.80 tell 72.74.151.1

19:51:01.321899 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.8 tell 72.74.136.1

19:51:02.331017 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.2 tell 72.74.136.1

19:51:03.231259 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.151.80 tell 72.74.151.1

19:51:03.941238 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.143 tell 72.74.136.1

19:51:05.270593 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.2 tell 72.74.136.1

19:51:06.405095 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.143 tell 72.74.136.1

19:51:08.163764 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.136.110 tell 72.74.136.1

19:51:09.621827 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.71 tell 72.74.136.1

19:51:09.751069 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.151.33 tell 72.74.151.1

19:51:11.441893 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.119 tell 72.74.136.1

19:51:12.671317 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.71 tell 72.74.136.1

19:51:12.711537 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.151.33 tell 72.74.151.1

19:51:14.451259 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.160 tell 72.74.136.1
```

dustfinger.

-- EDIT --

tcpdump -i eth1 -n -v -e - a more interesting sample.

```
20:18:18.317400 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.124 tell 72.74.136.1

20:18:20.377834 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.51 tell 72.74.136.1

20:18:21.887378 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.69 tell 72.74.136.1

20:18:22.851283 00:e0:0c:b9:f2:6f > 00:15:DC:2B:1E:11, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 113, id 4725, offset 0, flags [DF], proto: TCP (6), length: 48) 189.164.93.112.1271 > 72.74.136.55.6346: S, cksum 0x54f2 (correct), 4125151755:4125151755(0) win 64240 <mss 1452,nop,nop,sackOK>

20:18:22.851312 00:15:DC:2B:1E:11 > 00:e0:0c:b9:f2:6f, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) 72.74.136.55.6346 > 189.164.93.112.1271: R, cksum 0x7c8b (correct), 0:0(0) ack 4125151756 win 0

20:18:23.248317 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.51 tell 72.74.136.1

20:18:23.712065 00:e0:0c:b9:f2:6f > 00:15:DC:2B:1E:11, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 113, id 4731, offset 0, flags [DF], proto: TCP (6), length: 48) 189.164.93.112.1271 > 72.74.136.55.6346: S, cksum 0x54f2 (correct), 4125151755:4125151755(0) win 64240 <mss 1452,nop,nop,sackOK>

20:18:23.712084 00:15:DC:2B:1E:11 > 00:e0:0c:b9:f2:6f, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) 72.74.136.55.6346 > 189.164.93.112.1271: R, cksum 0x7c8b (correct), 0:0(0) ack 1 win 0

20:18:24.363349 00:e0:0c:b9:f2:6f > 00:15:DC:2B:1E:11, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 113, id 4735, offset 0, flags [DF], proto: TCP (6), length: 48) 189.164.93.112.1271 > 72.74.136.55.6346: S, cksum 0x54f2 (correct), 4125151755:4125151755(0) win 64240 <mss 1452,nop,nop,sackOK>

20:18:24.363366 00:15:DC:2B:1E:11 > 00:e0:0c:b9:f2:6f, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) 72.74.136.55.6346 > 189.164.93.112.1271: R, cksum 0x7c8b (correct), 0:0(0) ack 1 win 0

20:18:25.168711 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.201 tell 72.74.136.1

20:18:26.927719 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.158 tell 72.74.136.1

20:18:29.977577 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.158 tell 72.74.136.1

20:18:31.250552 00:e0:0c:b9:f2:6f > 00:15:DC:2B:1E:11, ethertype IPv4 (0x0800), length 73: (tos 0x0, ttl 117, id 1170, offset 0, flags [none], proto: UDP (17), length: 59) 203.91.85.82.4132 > 72.74.136.55.6346: UDP, length 31

20:18:31.250589 00:15:DC:2B:1E:11 > 00:e0:0c:b9:f2:6f, ethertype IPv4 (0x0800), length 101: (tos 0xc0, ttl  64, id 21340, offset 0, flags [none], proto: ICMP (1), length: 87) 72.74.136.55 > 203.91.85.82: ICMP 72.74.136.55 udp port 6346 unreachable, length 67

        (tos 0x0, ttl 117, id 1170, offset 0, flags [none], proto: UDP (17), length: 59) 203.91.85.82.4132 > 72.74.136.55.6346: UDP, length 31

20:18:32.727782 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.191 tell 72.74.136.1

20:18:33.778068 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.192 tell 72.74.136.1

20:18:35.457734 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.191 tell 72.74.136.1

20:18:35.556741 00:e0:0c:b9:f2:6f > 00:15:DC:2B:1E:11, ethertype IPv4 (0x0800), length 77: (tos 0x0, ttl  41, id 18593, offset 0, flags [none], proto: UDP (17), length: 63) 222.254.117.10.45435 > 72.74.136.55.6346: UDP, length 35

20:18:35.556768 00:15:DC:2B:1E:11 > 00:e0:0c:b9:f2:6f, ethertype IPv4 (0x0800), length 105: (tos 0xc0, ttl  64, id 37905, offset 0, flags [none], proto: ICMP (1), length: 91) 72.74.136.55 > 222.254.117.10: ICMP 72.74.136.55 udp port 6346 unreachable, length 71

        (tos 0x0, ttl  41, id 18593, offset 0, flags [none], proto: UDP (17), length: 63) 222.254.117.10.45435 > 72.74.136.55.6346: UDP, length 35

20:18:36.778158 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.192 tell 72.74.136.1

20:18:39.141118 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.90 tell 72.74.136.1

20:18:40.150968 00:e0:0c:b9:f2:6f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 72.74.137.211 tell 72.74.136.1
```

-----------

----------

## Hu

 *dustfinger wrote:*   

> dumping the traffic for eth0 resulted in a whole lot of output that looked like the following:

 

When logging network traffic, do not log the connection that is receiving the results of the logging.  That creates a feedback loop which will drown out the interesting traffic.  You should run this tcpdump from the console, run it with output not sent to the network (by saving to a file and then waiting until you stop capturing to read the file), or run it with a filter to avoid logging your ssh connection (such as tcpdump -i eth0 -n -v -e not tcp).
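Hu's two tcpdump questions (is LAN traffic for Internet addresses arriving on eth0 at all, and how to keep the ssh session that carries the capture out of the capture) can be answered offline from a saved capture file. The following is an added example, not code from the thread: a small Python parser for the `tcpdump -n -v -e` line format shown above that keeps only packets a 192.168.1.0/24 host sent to an outside address. The sample lines marked "constructed" are invented for the demo and 203.0.113.10 is a constructed Internet address.

```python
"""Pick out forwarding candidates from a tcpdump -n -v -e capture on eth0.

Added example, not from the thread: parses each line for src/dst and keeps only
packets a 192.168.1.0/24 host sent to an outside address (the traffic the FORWARD
chain would have to handle), skipping the ssh session that carries the capture.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# After the IP header summary tcpdump -n prints "SRC[.SPORT] > DST[.DPORT]:".
ENDPOINTS = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})(?:\.(\d+))? > (\d{1,3}(?:\.\d{1,3}){3})(?:\.(\d+))?:")
PROTO = re.compile(r"proto: (\w+)")


class Packet(NamedTuple):
    proto: str
    src: ipaddress.IPv4Address
    sport: Optional[int]
    dst: ipaddress.IPv4Address
    dport: Optional[int]


def parse_packets(text: str) -> List[Packet]:
    """One Packet per IPv4 line; ARP lines and indented continuation lines are skipped."""
    packets = []
    for line in text.splitlines():
        ep = ENDPOINTS.search(line) if "ethertype IPv4" in line else None
        if not ep:
            continue
        proto = PROTO.search(line)
        packets.append(Packet(proto.group(1) if proto else "?",
                              ipaddress.IPv4Address(ep.group(1)),
                              int(ep.group(2)) if ep.group(2) else None,
                              ipaddress.IPv4Address(ep.group(3)),
                              int(ep.group(4)) if ep.group(4) else None))
    return packets


def forward_candidates(packets: List[Packet], lan: str = "192.168.1.0/24",
                       skip_ports=(22,)) -> List[Packet]:
    """LAN-sourced packets bound outside the LAN, minus the monitoring ssh session."""
    net = ipaddress.IPv4Network(lan)
    return [p for p in packets if p.src in net and p.dst not in net
            and p.sport not in skip_ports and p.dport not in skip_ports]


SAMPLE = "\n".join([
    # Abridged from the thread: the ssh session carrying the tcpdump output itself.
    "19:49:12.490178 00:0e:0c:c2:cf:26 > 00:04:4b:01:17:6d, ethertype IPv4 (0x0800), "
    "length 386: (tos 0x10, ttl  64, id 57657, offset 0, flags [DF], proto: TCP (6), "
    "length: 372) 192.168.1.1.22 > 192.168.1.77.44311: P 51818544:51818864(320) ack 70225",
    # Constructed: an ARP request, which carries no IPv4 endpoints.
    "19:49:13.000000 00:04:4b:01:17:6d > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
    "length 60: arp who-has 192.168.1.1 tell 192.168.1.77",
    # Constructed: the desktop pinging an Internet address via the Gentoo router.
    "19:49:13.100000 00:04:4b:01:17:6d > 00:0e:0c:c2:cf:26, ethertype IPv4 (0x0800), "
    "length 98: (tos 0x0, ttl  64, id 100, offset 0, flags [DF], proto: ICMP (1), "
    "length: 84) 192.168.1.77 > 203.0.113.10: ICMP echo request, id 1, seq 1, length 64",
    # Constructed: the desktop opening a TCP connection to the same address.
    "19:49:13.200000 00:04:4b:01:17:6d > 00:0e:0c:c2:cf:26, ethertype IPv4 (0x0800), "
    "length 74: (tos 0x0, ttl  64, id 101, offset 0, flags [DF], proto: TCP (6), "
    "length: 60) 192.168.1.77.40000 > 203.0.113.10.80: S, 1:1(0) win 5840",
])

if __name__ == "__main__":
    for p in forward_candidates(parse_packets(SAMPLE)):
        print(p.proto, p.src, p.sport, "->", p.dst, p.dport)
```

Hu's `not tcp` capture filter would also hide TCP traffic bound for the Internet, which is why the example excludes only port 22 instead.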

----------

## dustfinger

To Hu,

I ran the following commands from the router's console (no ssh connection) and redirected the output to a text file:

tcpdump -i eth0 -n -v -e > eth0.log

- No output was logged.

tcpdump -i eth1 -n -v -e > eth1.log

- The same sort of output was logged as my above post.

dustfinger.

----------

## Hu

Based on that, I would say that no traffic is even reaching your router.  The problem lies now in the clients.  What is the output of ip addr show; ip route show on the client where you are initiating the request?

----------

## dustfinger

To Hu,

The strange thing is that I can ping the router and ssh to the router so I can certainly communicate to the router from my desktop.  I do not have the command ip.  What do I have to emerge to get this command?

Here is the output of  ifconfig -a on my client side desktop.

```
eth0      Link encap:Ethernet  HWaddr 00:04:4C:01:17:6B  
          inet addr:192.168.1.77  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::204:4bff:fe01:176d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:655040 errors:0 dropped:0 overruns:0 frame:0
          TX packets:188208 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:302468722 (288.4 Mb)  TX bytes:12791996 (12.1 Mb)
          Interrupt:23 Base address:0xe000 

eth1      Link encap:Ethernet  HWaddr 00:04:4D:01:17:6A  
          inet addr:192.168.0.100  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::204:4bff:fe01:176e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:158038 errors:0 dropped:0 overruns:0 frame:0
          TX packets:94485 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:224352866 (213.9 Mb)  TX bytes:8832401 (8.4 Mb)
          Interrupt:22 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:176 (176.0 b)  TX bytes:176 (176.0 b)

sit0      Link encap:IPv6-in-IPv4  
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
```

eth0 is for connecting to my gentoo router.  eth1 I have connected to a DLink router that is not connected to the internet while performing these tests.  I then use the DLink to actually connect to the internet while communicating to you over this forum.  I would like to remove the DLink router from the picture and just use the gentoo router.

Note (client): /etc/conf.d/net

```
config_eth0=( "192.168.1.77 broadcast 192.168.1.255 netmask 255.255.255.0" )

gateway_eth0=( "default via 192.168.1.1" )
```

dustfinger.

-- EDIT --

I just learnt that those commands are part of the iproute2 package.  Below are the results of the commands that you requested I run.

```
# ip addr show
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:04:4C:01:17:6B brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.77/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::204:4bff:fe01:176d/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:04:4D:01:17:6A brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.100/24 brd 192.168.0.255 scope global eth1
    inet6 fe80::204:4bff:fe01:176e/64 scope link 
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop 
    link/sit 0.0.0.0 brd 0.0.0.0
```

```
# ip route show
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.77 
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.100 
127.0.0.0/8 dev lo  scope link 
default via 192.168.0.1 dev eth1
```

It seems to me that my system is defaulted to 192.168.0.1 which is my D-Link router.  My desktop is connected to both my DLink router and my gentoo router.  When I post to these forums I hook my DLink router to the internet; however when I run these tests my gentoo router is connected to the internet.  I have tried disconnecting the DLink router entirely and rebooting, but that does not make a difference.  I think, but I may be wrong, that whenever I try to access the internet, my computer is trying to communicate to 192.168.0.1, when I really want it to communicate to 192.168.1.1.

Thank you again for all of your help thus far.
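Hu's reading of the router's `route -n` table earlier in the thread and the client's `ip route show` output in this post can be checked mechanically. The following is an added example, not code from the thread: it parses both tables as posted, applies the kernel's longest-prefix matching, and shows that an Internet-bound packet from the desktop leaves via eth1 to 192.168.0.1 (the DLink) rather than via eth0 to 192.168.1.1. The address 203.0.113.10 is a constructed stand-in for an Internet host.

```python
"""Longest-prefix route lookup over the routing tables posted in this thread.

Added example, not from the thread: replays the router's `route -n` table and the
client's `ip route show` table to show which gateway and interface each host picks
for an Internet destination. 203.0.113.10 is a constructed stand-in for "google".
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    dst: ipaddress.IPv4Network                # 0.0.0.0/0 is the default route
    gateway: Optional[ipaddress.IPv4Address]  # None: directly connected link
    dev: str


def parse_route_n(text: str) -> List[Route]:
    """Parse `route -n` rows: Destination Gateway Genmask Flags Metric Ref Use Iface."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or not parts[0][0].isdigit():
            continue  # banner and header lines
        dst, gw, mask, _flags, _metric, _ref, _use, dev = parts
        gateway = None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw)
        routes.append(Route(ipaddress.IPv4Network((dst, mask)), gateway, dev))
    return routes


def parse_ip_route(text: str) -> List[Route]:
    """Parse `ip route show` rows ("default via G dev D", "N/M dev D ...")."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        gateway = ipaddress.IPv4Address(parts[parts.index("via") + 1]) if "via" in parts else None
        routes.append(Route(ipaddress.IPv4Network(dst), gateway, parts[parts.index("dev") + 1]))
    return routes


def lookup(routes: List[Route], address: str) -> Optional[Route]:
    """Longest-prefix match: the most specific matching prefix wins, as in the kernel."""
    addr = ipaddress.IPv4Address(address)
    matches = [r for r in routes if addr in r.dst]
    return max(matches, key=lambda r: r.dst.prefixlen) if matches else None


# Router table as posted (`route -n` on the Gentoo box).
ROUTER_ROUTE_N = """\
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
72.74.136.0     0.0.0.0         255.255.254.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         72.74.136.1     0.0.0.0         UG    0      0        0 eth1
"""

# Client table as posted (`ip route show` on the desktop): the default route points
# at the DLink (192.168.0.1 via eth1), so nothing Internet-bound ever reaches eth0.
CLIENT_IP_ROUTE = """\
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.77
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.100
127.0.0.0/8 dev lo  scope link
default via 192.168.0.1 dev eth1
"""

if __name__ == "__main__":
    print("router:", lookup(parse_route_n(ROUTER_ROUTE_N), "203.0.113.10"))
    print("client:", lookup(parse_ip_route(CLIENT_IP_ROUTE), "203.0.113.10"))
```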

-----------

----------

## Hu

That would explain it.  Is eth1 configured statically or via DHCP?  In either case, please post whatever eth1 related directives you have in /etc/conf.d/net.  Also, try bringing down eth1 when you disconnect the DLink router.

----------

## dustfinger

eth1 is DHCP so I do not have any directives set in /etc/conf.d/net for eth1.  For eth0 I have:

```
config_eth0=( "192.168.1.77 broadcast 192.168.1.255 netmask 255.255.255.0" )
gateway_eth0=( "default via 192.168.1.1" )
```

dustfinger

-- EDIT #1 --

I tried disconnecting my router and shutting down eth1, but to no avail.

-----------

-- EDIT #2 --

One thing that I just realized is that when trying to connect to the internet through the gentoo router using eth0 I should be editing the /etc/resolv.conf file to use nameserver 192.168.1.1 rather than 192.168.0.1.  While connecting to the D-Link router to check this forum I have the /etc/resolv.conf file configured like so:

```
search my-isp.net
nameserver 192.168.0.1
```

I did a little test while trying to connect to the internet via the gentoo router by configuring the /etc/resolv.conf file like so:

```
search my-isp.net
nameserver 192.168.1.1
```

I then rebooted, but this did not work either.

---------------

----------

## Hu

I see no reference to gateway_<interface> in /etc/conf.d/net.example.  The closest I can see is routes_<interface>.  I am confident that your problem now lies in the routing table on the client, so if changing gateway to routes does not work, you may be better served by starting a new thread about internal static routing not being configured as you desire.

----------

## dustfinger

To Hu,

Thank you so very much for all of your time.  You have sorted out many of my configuration problems and I greatly appreciate your efforts.  Unfortunately, replacing gateway_eth0 with routes_eth0 did not resolve my issue.  I have started a new thread as you suggested.  The subject of the new thread is internal static routing configuration troubles.

dustfinger.

----------

