- 03-28-2007 #1 | Just Joined! | Join Date: Mar 2007 | Posts: 5
LAN Traffic Cannot ping external IP.
About 2 months ago I set up an old computer as a Linux home firewall router. This is a one-computer-does-all situation. To accomplish this I followed the guide here, http://brennan.id.au, to set up various things like routing, a basic IPTables configuration, network file shares and so on. All of that works, and I can reach all my network services from the net and the LAN (file sharing on the LAN, FTP on the LAN and on the net, web on the LAN and on the net), and so on. I own the domain Jkm3141.com, which I stupidly used as the internal DNS name, so each time I tried to access a network resource from the LAN I used that domain, which worked fine. I had a few issues accessing the web page from jkm3141.com on the LAN (not www.jkm3141.com), which I mistakenly shrugged off as an improperly configured DNS server (no entry for straight-up jkm3141.com).

Recently I got fed up with having my external domain the same as my internal one, so I changed all DNS and hostnames and DHCP-assigned domain settings to the domain barton.local for convenience's sake (part of my name, and local). All worked out dandy after that and I can still access all my network resources from the LAN and internet, except that on the LAN, if I want to access my legit domain jkm3141.com, I have to use the newly specified DNS name server.barton.local. This led me to discover that my old problem was not an improperly configured DNS server but something much harder. I have now realised that I am unable to make any contact with my external IP, 65.37.56.90 (I don't care about giving it out here as anyone can get it with a simple DNS query of my website). I am unable to ping, or go to any of the websites (2 domains now, Jkm3141.com and DaveHornPage.com) associated with that IP on the LAN. I cannot figure this one out; I am sure it is not a DNS issue anymore, or anything other than IPTables.

I use a heavily modified version of a script produced with Easy Firewall Generator for IPTables, and will post the output of iptables -nvL, my script, and the output of route -n (routing table).
Iptables -nvL output:
Code:
Chain INPUT (policy DROP 5 packets, 2482 bytes)
 pkts bytes target       prot opt in     out     source               destination
    0     0 ACCEPT       all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 1074  102K bad_packets  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP         all  --  *      *       0.0.0.0/0            224.0.0.1
  856 62668 ACCEPT       all  --  eth1   *       192.168.1.0/24       192.168.1.0/24
    0     0 ACCEPT       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp spt:68 dpt:67
  142 31176 ACCEPT       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 tcp_inbound  tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    5  2482 udp_inbound  udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    3   214 icmp_packets icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP         all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target       prot opt in     out     source               destination
 8982 3469K bad_packets  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 4612  862K tcp_outbound tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 udp_outbound udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
 4370 2607K ACCEPT       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target       prot opt in     out     source               destination
  664  133K ACCEPT       all  --  *      eth1    192.168.1.0/24       192.168.1.0/24
    0     0 DROP         icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 ACCEPT       all  --  *      *       127.0.0.1            0.0.0.0/0
    0     0 ACCEPT       all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT       all  --  *      *       192.168.1.1          0.0.0.0/0
    0     0 ACCEPT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
  142 10762 ACCEPT       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain bad_packets (2 references)
 pkts bytes target          prot opt in     out     source               destination
    0     0 DROP            all  --  eth0   *       192.168.1.0/24       0.0.0.0/0
   44  4212 DROP            all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 9678 3520K bad_tcp_packets tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
 9988 3566K RETURN          all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain bad_tcp_packets (1 references)
 pkts bytes target       prot opt in     out     source               destination
 5284  912K RETURN       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0
   24   960 DROP         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x16/0x02 state NEW
    0     0 DROP         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
    0     0 DROP         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F
    0     0 DROP         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29
    0     0 DROP         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x37
    0     0 DROP         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06
    0     0 DROP         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03
 4370 2607K RETURN       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain icmp_packets (1 references)
 pkts bytes target       prot opt in     out     source               destination
    0     0 DROP         icmp -f  *      *       0.0.0.0/0            0.0.0.0/0
    3   214 DROP         icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 ACCEPT       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11

Chain tcp_inbound (1 references)
 pkts bytes target       prot opt in     out     source               destination
    0     0 ACCEPT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21
    0     0 ACCEPT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:20
    0     0 ACCEPT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain tcp_outbound (1 references)
 pkts bytes target       prot opt in     out     source               destination
 4612  862K ACCEPT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain udp_inbound (1 references)
 pkts bytes target       prot opt in     out     source               destination
    0     0 DROP         udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:137
    0     0 DROP         udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:138
    0     0 ACCEPT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68

Chain udp_outbound (1 references)
 pkts bytes target       prot opt in     out     source               destination
    0     0 ACCEPT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0

Route -n:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
65.37.48.0      0.0.0.0         255.255.240.0   U     0      0        0 eth0
0.0.0.0         65.37.48.1      0.0.0.0         UG    0      0        0 eth0

EDIT: Forgot to mention I'm running Fedora Core 3 on this machine.
- 03-28-2007 #2 | Just Joined! | Join Date: Mar 2007 | Posts: 5
And my script is:
iptables script:
Code:
#!/bin/bash
echo $'\a'

# Tools and network layout
SYSCTL="/sbin/sysctl -w"
IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"
INET_IFACE="eth0"            # internet-facing interface
LOCAL_IFACE="eth1"           # LAN-facing interface
LOCAL_IP="192.168.1.1"
LOCAL_NET="192.168.1.0/24"
LOCAL_BCAST="192.168.1.255"
LO_IFACE="lo"
LO_IP="127.0.0.1"

# "save" / "restore" only persist or reload the current ruleset, then exit
if [ "$1" = "save" ]
then
    echo -n "Saving firewall to /etc/sysconfig/iptables ... "
    $IPTS > /etc/sysconfig/iptables
    echo "done"
    exit 0
elif [ "$1" = "restore" ]
then
    echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
    $IPTR < /etc/sysconfig/iptables
    echo "done"
    exit 0
fi

# Kernel settings: forwarding on, SYN cookies, reverse-path filter,
# ignore broadcast pings, source-routed packets and ICMP redirects
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/ip_forward
else
    $SYSCTL net.ipv4.ip_forward="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
    $SYSCTL net.ipv4.tcp_syncookies="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
    $SYSCTL net.ipv4.conf.all.rp_filter="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
    $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
    $SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi
if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
else
    $SYSCTL net.ipv4.conf.all.accept_redirects="0"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
    $SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi

# Reset policies to ACCEPT, then flush every table and delete user chains
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

if [ "$1" = "stop" ]
then
    echo "Firewall completely flushed! Now running with no firewall."
    exit 0
fi

# Default deny on all built-in chains
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# User-defined chains
$IPT -N bad_packets
$IPT -N bad_tcp_packets
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_outbound
$IPT -N tcp_inbound
$IPT -N tcp_outbound

# bad_packets: LAN source addresses arriving on the internet side, invalid state
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
$IPT -A bad_packets -p tcp -j bad_tcp_packets
$IPT -A bad_packets -p ALL -j RETURN

# bad_tcp_packets: malformed TCP flag combinations (LAN side is exempt)
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A bad_tcp_packets -p tcp -j RETURN

# icmp_packets: drop fragments and echo requests, allow time-exceeded
$IPT -A icmp_packets --fragment -p ICMP -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# udp_inbound: silence NetBIOS, allow DHCP replies
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 -j ACCEPT

# udp_outbound: the LAN may send any UDP
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

# tcp_inbound: services exposed to the internet (HTTP, FTP, SSH)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT

# tcp_outbound: the LAN may send any TCP
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

# INPUT: traffic addressed to the router itself
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPT -A INPUT -p ALL -j bad_packets
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
# LAN -> router, but only when the destination is itself a LAN address
$IPT -A INPUT -i $LOCAL_IFACE -s $LOCAL_NET -d $LOCAL_NET -j ACCEPT
$IPT -A OUTPUT -o $LOCAL_IFACE -s $LOCAL_NET -d $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p UDP -i $LOCAL_IFACE --source-port 68 --destination-port 67 -j ACCEPT
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP

# FORWARD: traffic routed between LAN and internet
$IPT -A FORWARD -p ALL -j bad_packets
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# OUTPUT: traffic generated by the router
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

# NAT: masquerade the LAN behind the internet interface
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

/etc/init.d/iptables save
/etc/init.d/iptables restart
echo $'\a'
echo "IPTables rules updated and saved."
- 03-28-2007 #3
I don't think this is because of incorrect iptables rules. It's a problem with your DNS configuration.
I have the same topology (actually I don't allow access from the internet to my local systems except plain ssh access to the gateway).
I don't use .local - this creates problems if you have Windows boxes in your LAN - and therefore use .home.
What's the output of nslookup www.jkm3141.com on your router and on your clients? Do you have a DNS server on your router? Which DNS do your clients use?
"Really, I'm not out to destroy Microsoft. That will just be a completely unintentional side effect." Linus Benedict Torvalds
- 03-28-2007 #4 | Just Joined! | Join Date: Mar 2007 | Posts: 5
Yeah, that's the thing: I'm pretty sure this is a firewall problem for several reasons. Firstly, I cannot even ping the IP of my external interface (assigned by my ISP), 65.37.56.90, from the LAN. Pinging an IP should not use any DNS services at all. Also, I have completely removed all links to Jkm3141.com in DNS, and have been experiencing problems before and after the DNS change. My attempts at accessing Jkm3141.com were most successful when I had my internal DNS configuration set for Jkm3141.com, because it was resolving www.jkm3141.com to 192.168.1.1 (the router/server) for the LAN, not 65.37.56.90 on the WAN.

Anyhow, the response to nslookup on the server itself is:
Code:
nslookup www.jkm3141.com
Server:         66.133.170.2
Address:        66.133.170.2#53

Non-authoritative answer:
Name:   www.jkm3141.com
Address: 65.37.56.90

and on a WinXP client (behaves fine with .local btw):
Code:
nslookup www.jkm3141.com
Server:  server.barton.local
Address:  192.168.1.1

Non-authoritative answer:
Name:    www.jkm3141.com
Address:  65.37.56.90

This means that on the server it's resolving to my correct IP address, 65.37.56.90, using my ISP's DNS servers, and on the LAN it's resolving to 65.37.56.90 on my local DNS server. This also seems like more proof that DNS is NOT the problem.

Also, the command dig jkm3141.com comes back with:
Code:
[root@server ~]# dig jkm3141.com

; <<>> DiG 9.2.4 <<>> jkm3141.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17829
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;jkm3141.com.                   IN      A

;; ANSWER SECTION:
jkm3141.com.            18032   IN      A       65.37.56.90

;; AUTHORITY SECTION:
jkm3141.com.            38381   IN      NS      ns29.1and1.com.
jkm3141.com.            38381   IN      NS      ns30.1and1.com.

;; ADDITIONAL SECTION:
ns29.1and1.com.         2611    IN      A       74.208.2.4
ns30.1and1.com.         6428    IN      A       74.208.3.4

;; Query time: 47 msec
;; SERVER: 66.133.170.2#53(66.133.170.2)
;; WHEN: Wed Mar 28 17:27:56 2007
;; MSG SIZE  rcvd: 121

which to me seems the same as that nslookup.

My question is: why can't it ping the IP? Is it a routing table problem, or a bad iptables script line? My old script (way simpler, and worse for internet gaming) does not help this problem at all.
- 04-04-2007 #5 | Just Joined! | Join Date: Mar 2007 | Posts: 5
Actually, it's not so much the ping I'm wondering about, since I have an iptables command blocking ping replies; I'm wondering about all other traffic, such as HTTP, FTP, and the like. Could this not be an iptables problem at all, and be a routing table problem instead?
- 04-07-2007 #6
To check whether it's an iptables problem you should either
1) use tcpdump on your interface and look for rejected TCP messages, or
2) duplicate all DROP lines and, in the first line of each pair, replace DROP with LOG flags 6 level 4 prefix `Block 1 ', `Block 2 ' etc., and check the FW log for 'Block x' messages.
"Really, I'm not out to destroy Microsoft. That will just be a completely unintentional side effect." Linus Benedict Torvalds
- 04-07-2007 #7 | Just Joined! | Join Date: Mar 2007 | Posts: 5
Originally Posted by framp
Could you please emphasise a little bit more on what the syntax for those iptables logging rules would be? I am not the best at syntax on iptables commands. Originally I had logging on almost every drop, however I took them out due to a massive DDoS attack that took me down because of logging all dropped packets. Should I just reuse that script?
- 04-08-2007 #8
Yes, just use this script and look for reject messages of local IPs.
"Really, I'm not out to destroy Microsoft. That will just be a completely unintentional side effect." Linus Benedict Torvalds
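framp's LOG-before-DROP approach from post #6, worked out as the syntax asked for in post #7. This is an added example, not a script from this thread: it reuses the chain names from the OP's script, adds an `-m limit` match so a flood of dropped packets cannot fill the log the way the OP described, and by default only prints the iptables commands (DRY_RUN=1). The helpers `run`, `drop_with_log` and `policy_log` are names chosen here.

```shell
#!/bin/sh
# Added example (not a script from this thread): put a rate-limited LOG rule
# in front of each DROP so dropped packets show up in the kernel log without
# the flood the OP ran into. DRY_RUN=1 (default) prints the commands only.
DRY_RUN="${DRY_RUN:-1}"
IPT="/sbin/iptables"
# Per rule: at most 5 log lines a minute after an initial burst of 10.
LIMIT="-m limit --limit 5/min --limit-burst 10"

# run CMD ARGS...: print the command (quoting args with spaces) or execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        line=""
        for a in "$@"; do
            case "$a" in *" "*) a="\"$a\"" ;; esac
            line="${line:+$line }$a"
        done
        printf '%s\n' "$line"
    else
        "$@"
    fi
}

# drop_with_log CHAIN N MATCH...: append "MATCH -j LOG" then "MATCH -j DROP".
# N numbers the prefix so each DROP rule can be told apart in the log.
drop_with_log() {
    chain="$1"; n="$2"; shift 2
    run $IPT -A "$chain" "$@" $LIMIT -j LOG --log-level 4 --log-prefix "Block $n: " || return 1
    run $IPT -A "$chain" "$@" -j DROP
}

# policy_log CHAIN N: final rule that logs whatever falls through to a DROP policy.
policy_log() {
    run $IPT -A "$1" $LIMIT -j LOG --log-level 4 --log-prefix "Block $2 policy: "
}

# Demo on rules taken from the thread's script; run with "demo" as argument.
main() {
    drop_with_log bad_tcp_packets 1 -p tcp '!' --syn -m state --state NEW
    drop_with_log icmp_packets 2 -p ICMP -s 0/0 --icmp-type 8
    policy_log INPUT 3      # would catch LAN packets aimed at the router's public IP
    policy_log FORWARD 4
}
if [ "${1:-}" = "demo" ]; then main; fi
```

Packets a LAN host sends to the router's own public address arrive on eth1 and are handled by the INPUT chain, not FORWARD, so a drop there appears in the kernel log as a "Block 3 policy:" line carrying IN=eth1 and DST=65.37.56.90.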