  1. #1 (Just Joined!, Join Date: Oct 2004, Posts: 6)

    Linux router port forwarding & ping issues


    Hello. Here at home I'm sharing my internet connection via a Linux router using IP masquerade with iptables. Stuff like surfing works fine, and all applications except those that require a true connection to a computer on the network work too, but I just can't seem to get port forwarding to work. I've tried to find issues in my routing tables, iptables rules and network configuration but I can't seem to find anything odd. Also, while logged in to the router I can't ping anything on the local network, or even the machine itself. I'm posting all the stuff I think is necessary to see, but if something's missing, feel free to ask.

    My computer on the network has an IP address of 192.168.0.5. I've removed my IP & gateway address from the text.

    It's Slackware:
    root@closet:~# uname -a
    Linux closet 2.4.22 #6 Tue Sep 2 17:43:01 PDT 2003 i586 unknown unknown GNU/Linux


    First the ping issue (same problem with traceroute):
    --------------------------------------------------------------------------------
    root@closet:~# ping localhost
    PING localhost (127.0.0.1) 56(84) bytes of data.
    ping: sendmsg: Operation not permitted
    ping: sendmsg: Operation not permitted
    ping: sendmsg: Operation not permitted

    --- localhost ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 2014ms

    --------------------------------------------------------------------------------
    root@closet:~# route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
    127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
    0.0.0.0 *ispgateway* 0.0.0.0 UG 1 0 0 eth0

    --------------------------------------------------------------------------------
    root@closet:~# iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    LOG icmp -- anywhere anywhere icmp echo-request LOG level warning
    DROP icmp -- anywhere anywhere icmp echo-request

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    --------------------------------------------------------------------------------
    root@closet:~# iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    DNAT tcp -- anywhere anywhere tcp dpt:8000 to:192.168.0.5
    DNAT udp -- anywhere anywhere udp dpt:8000 to:192.168.0.5

    Chain POSTROUTING (policy DROP)
    target prot opt source destination
    MASQUERADE all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    --------------------------------------------------------------------------------
    root@closet:~# ifconfig
    eth0 Link encap:Ethernet HWaddr **mac address*
    inet addr:***myexternalip*** Bcast:*.*.*.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:4276 errors:0 dropped:0 overruns:0 frame:0
    TX packets:4415 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:1232456 (1.1 Mb) TX bytes:453691 (443.0 Kb)
    Interrupt:9 Base address:0xc000

    eth1 Link encap:Ethernet HWaddr **mac address*
    inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:4965 errors:0 dropped:0 overruns:0 frame:0
    TX packets:4653 errors:0 dropped:0 overruns:0 carrier:0
    collisions:1 txqueuelen:100
    RX bytes:514420 (502.3 Kb) TX bytes:1269426 (1.2 Mb)
    Interrupt:12 Base address:0x5000
    --------------------------------------------------------------------------------

    I'd appreciate any help solving this issue.

    Thanks in advance,
    John

  2. #2 (Just Joined!, Join Date: Oct 2004, Posts: 37)

    Re: Linux router port forwarding & ping issues

    --------------------------------------------------------------------------------
    root@closet:~# ping localhost
    PING localhost (127.0.0.1) 56(84) bytes of data.
    ping: sendmsg: Operation not permitted
    ping: sendmsg: Operation not permitted
    ping: sendmsg: Operation not permitted

    --- localhost ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 2014ms
    This is restricted via iptables, see below:
    --------------------------------------------------------------------------------
    root@closet:~# iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    LOG icmp -- anywhere anywhere icmp echo-request LOG level warning
    DROP icmp -- anywhere anywhere icmp echo-request

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    See that DROP icmp.
    That's pretty much going to kill any kind of ping or traceroute,
    so if you want to be able to ping then you should change it to ACCEPT.

    I'm going to go with you using broadband, based on the two eth connections.

    With broadband, do you get a static IP from your ISP?
    Also, the external IP you have on your Linux router, is it a public IP address?
    Or is it private?
    With most broadbands you just have the DSL "MODEM" which gets a public address and uses NAT to masq any IPs inside going outside.
    So first you would need to tackle getting those ports forwarded within that DSL MODEM before you can forward them within your Linux router.

    Some ISPs who provide these MODEMS don't allow this sort of thing.
    It's best if you have a DSL Modem/Router combo like a "Cisco 678" for example.
    That model happens to be old and outdated BTW. Still they work great and you can get them off eBay.

    Once you can get to your Linux Router from the Internet then you can tackle getting port forwarding within the Linux Router.

  3. #3 (Just Joined!, Join Date: Oct 2004, Posts: 6)
    ----------------------------------------------------
    Unfortunately, setting the ping rule doesn't affect the result:

    root@closet:~# iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    ...

    still gives me:
    root@closet:~# ping localhost
    PING localhost (127.0.0.1) 56(84) bytes of data.
    ping: sendmsg: Operation not permitted
    ------------------------------------------------------------------


    "I'm going to go with you using broadband, based on the two eth connections.
    With broadband, do you get a static IP from your ISP?
    Also, the external IP you have on your Linux router, is it a public IP address? Or is it private?"

    Yes, I've got an ADSL connection, and my external ip-address is public.

    "With most broadbands you just have the DSL "MODEM" which gets a public address and uses NAT to masq any IPs inside going outside.
    So first you would need to tackle getting those ports forwarded within that DSL MODEM before you can forward them within your Linux router..."

    I'm not sure what you meant here, but I'm quite sure my modem doesn't use NAT, because the deal with my ISP is one IP address only. We have to set up our own gateways/routers to connect several computers to the net. Btw, I'm in Sweden, so the ISP deals might be different from the ones in the USA.

    My network setup:
    I've got my ADSL modem (Orckit) connected to the net. I've hooked up the modem to eth0 on my router PC in the closet. eth1 is connected to a hub which then connects to the three computers on the local network. The router uses NAT to masq the local IPs to my external IP. This works fine.

  4. #4 (Just Joined!, Join Date: Oct 2004, Posts: 37)

    Re: Linux router port forwarding & ping issues

    Ya, that is different from how it's done here in the States.
    Or at least the ways I've heard of it being done.

    still gives me:
    root@closet:~# ping localhost
    PING localhost (127.0.0.1) 56(84) bytes of data.
    ping: sendmsg: Operation not permitted
    ------------------------------------------------------------------
    That "Operation not permitted" is telling us that ping is restricted.
    I've only ever seen this when iptables is configured to deny ICMP.
    I would recommend that you look over your iptables rules.
    But that really isn't an issue; generally it's a good thing.
    That way when someone port scans your box or tries to ping,
    they get no reply with ping, and with the port scan they get no reply on closed ports, which is the norm.

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    Looking at that, now I'm not the expert on forwarding ports within a Linux box from one eth connection to the other.
    But I would take a look at the FORWARD chain.
    I see that yours appears empty.
    I would start there to put in the rules for forwarding the ports you want from eth0 to eth1, or that is from the outside IP to the IP on the inside network.

  5. #5 (Just Joined!, Join Date: Oct 2004, Posts: 6)
    Using Shields UP over at http://www.grc.com/ I got a closer look at what's happening when I insert new iptables rules.

    I chose a random port (8500), and ran the shields up utility on my ip. The result came out as closed.

    I started a shoutcast server locally, listening on port 8500.

    I then inserted an iptables rule:
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8500 -j DNAT --to-destination 192.168.0.5

    And then, running the Shields UP utility again, the result was that the port was stealthed, meaning no reply was made when the utility tried to connect. So it seems like the packet is getting lost somewhere in my router.
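As an added example (not from the thread or any of its posters), here is a complete rule set for the two-NIC setup described in posts #1, #4 and #5: IP forwarding switched on, explicit FORWARD rules instead of relying on the chain policy, MASQUERADE limited to the WAN interface, and the echo-request drop limited to the WAN side so pinging the router and the LAN from the router itself still works. The interface names, the 192.168.0.0/24 network, the 192.168.0.5 target and port 8500 come from the thread; everything else is assumed for illustration.

```shell
#!/bin/sh
# Constructed example: a minimal masquerading router with one DNAT port-forward.
# Interface names, LAN, target host and port are the thread's; the rest is assumed.
WAN=eth0
LAN=eth1
LAN_NET=192.168.0.0/24
TARGET=192.168.0.5
PORT=8500

# Print the rule set instead of applying it, so it can be reviewed first.
rules() {
  cat <<EOF
# Forwarding between eth0 and eth1 is off until this is set; DNAT alone is not enough.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Built-in nat chains keep their ACCEPT policy; nat only decides address rewriting.
iptables -t nat -P POSTROUTING ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Drop echo-request from the Internet only; local and loopback pings keep working.
iptables -A INPUT -i $WAN -p icmp --icmp-type echo-request -j DROP
# Replies and related traffic for any connection already allowed in.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
# The FORWARD chain sees the packet after DNAT, so match the internal destination.
iptables -A FORWARD -i $WAN -o $LAN -d $TARGET -p tcp --dport $PORT -j ACCEPT
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport $PORT -j DNAT --to-destination $TARGET
# Masquerade only what leaves on the WAN side, never LAN-bound or loopback traffic.
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
EOF
}

# Apply the printed rules; needs root and a kernel with ip_conntrack and iptable_nat.
apply_rules() {
  rules | sh -e
}

# Sanity check: exactly one FORWARD rule admits the forwarded port to the target.
forward_rule_count() {
  rules | grep -c -- "-A FORWARD .*-d $TARGET .*--dport $PORT -j ACCEPT"
}

if [ "${APPLY:-0}" = 1 ]; then
  apply_rules
else
  rules
fi
```

A "sendmsg: Operation not permitted" from ping is the kernel reporting that netfilter refused the locally generated packet on its way out, so it is the OUTPUT side (including the mangle and nat tables, which iptables -L alone does not show) rather than the INPUT chain that needs inspecting for that symptom.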

  6. #6 (Just Joined!, Join Date: Oct 2004, Posts: 37)
    Yes, if it's closed then the router isn't even letting anything in.
    If it's listed as Stealthed or Filtered then it's open and packets are most likely getting in, but they aren't getting anywhere. In other words the server isn't doing anything with them.
    You need to get it so those ports are listed as open.

    [edit]
    Found a few links about this via Google:
    http://www.jimohalloran.com/archives/000120.html
    http://linux.duke.edu/~mstenner/docs/iptables

    perhaps those will help?
    [/edit]

  7. #7 (Just Joined!, Join Date: Oct 2004, Posts: 6)
    Unfortunately, so far nothing has fixed the problem. While googling I stumbled across this thread in which someone has the same problem.

    The solution in the thread is that there's something wrong with the route table, but I can't for the life of me find what's wrong.

  8. #8 (Just Joined!, Join Date: Oct 2004, Posts: 37)
    Code:
    /bin/netstat -r
    What's the default? Is it your external interface?

  9. #9 (Just Joined!, Join Date: Oct 2004, Posts: 6)
    Code:
    root@closet:~# netstat -rn
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    external_ip  0.0.0.0         255.255.255.255 UH        0 0          0 eth0
    192.168.0.5     0.0.0.0         255.255.255.255 UH        0 0          0 eth1
    192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
    127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
    0.0.0.0         isp_gateway   0.0.0.0         UG        0 0          0 eth0
    The two top ones are very recent additions to the routing table.

    192.168.0.5 is my internal ip.

  10. #10 (Just Joined!, Join Date: Oct 2004, Posts: 37)
    I don't see a default route set up there.
    That could be your problem.
    Code:
    /sbin/route add default gw <isp_gateway>
    Run that and see if that helps.
