[plug] cannot ping internet from desktops

Ryan ryan at is.as.geeky.as
Thu Jul 31 14:17:50 WST 2003


What Richard said, plus some simple checks with traceroute (mtr-tiny is
better) or ping -R or *anything*.

Plus this might be worth noting for a few people, and in this case if
the gateway has iptables, it may help.  Playing with shorewall-managed
iptables rules will probably cause some problems, oh well, here goes...

I have the following at the end of my iptables script to show anything
that hits the default chain policies.  I have default DROP policies for
everything, and then explicit ACCEPT or REJECT rules (ident, sport:80 things
etc.) handle specific things, thus anything that makes it past those I
want to know about:

# set up log chain with prefixes for protocols
# ($iptables holds the path to the iptables binary, set earlier in the script;
#  the chain is meant to be jumped to as the last rule before the default
#  DROP policy of each built-in chain)
$iptables -N LOG_DROP
$iptables -A LOG_DROP -p tcp -j LOG --log-prefix "TCP drop: " --log-level=info
$iptables -A LOG_DROP -p udp -j LOG --log-prefix "UDP drop: " --log-level=info
$iptables -A LOG_DROP -p icmp -j LOG --log-prefix "ICMP drop: " --log-level=info
# fragments are rate-limited so a fragment flood cannot fill the log
$iptables -A LOG_DROP -f -m limit --limit 1/s -j LOG --log-prefix "FRAG drop: " --log-level=info
$iptables -A LOG_DROP -j DROP

then in /var/log/messages I get things like this (s/h4x0ring fodder/x/g):

Jul 31 13:53:06 wind-tunnel kernel: UDP drop: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:08:e3:20:f3:85:08:00 SRC=144.135.25.84 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=111 ID=59179 PROTO=UDP SPT=137 DPT=137 LEN=58
Jul 31 13:53:08 wind-tunnel kernel: UDP drop: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:08:e3:20:f3:85:08:00 SRC=144.135.25.84 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=111 ID=62696 PROTO=UDP SPT=137 DPT=137 LEN=58


It will therefore also log attempts by internal hosts to get out if they
are denied; this is handy to identify things I forgot to allow or to see
what people are 'trying' to do on the network.

It works for me! (tm)

Ryan 

*blank stare* I still haven't figured out the intriguing top post 're:'
virus your email client has.  Can you enlighten me?



On Thu, 2003-07-31 at 14:05, Jon Miller wrote:
> Got a client that has a rh8 server with shorewall firewall.  This server has 2 NICs, one attached to the ADSL cisco router supplied by telstra.
> Their routing table looks okay, by this the default gateway is the IP address of the ethernet port of the ADSL router, the private IP address is listed to go through the def gw.  I double checked everything in this with a comparison of my routing table minus the VPN entries.
> 
> What was happening last night was from the server we could ping the internet, however from the desktops they couldn't, yet the desktops had their def gw set to the Linux server.  Can anyone lend some light as to why the desktops cannot access the Internet?
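The LOG_DROP chain in Ryan's post only gets useful once somebody reads the resulting lines, so here is a small parser/summariser for them. This is an added example, not code from the post or from the plug list: it parses the "<proto> drop: IN=... OUT=..." key=value format the kernel LOG target writes, counts what is knocking on which port, and picks out records whose IN= interface is the LAN side, which is the "internal host denied egress" case the post mentions. The first two sample lines are the anonymised entries from the post; the third is constructed, and eth1 as the internal interface name is an assumption.

```python
"""Parse iptables LOG lines (the "<proto> drop: IN=... OUT=..." records a
LOG_DROP chain writes to /var/log/messages) and summarise them."""
import re
from collections import Counter

# Constructed sample input. The first two lines are the anonymised UDP entries
# from the post; the third is a hypothetical entry for a LAN host (eth1 is an
# ASSUMED internal interface name) being refused outbound TCP to port 6667.
SAMPLE_LOG = """\
Jul 31 13:53:06 wind-tunnel kernel: UDP drop: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:08:e3:20:f3:85:08:00 SRC=144.135.25.84 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=111 ID=59179 PROTO=UDP SPT=137 DPT=137 LEN=58
Jul 31 13:53:08 wind-tunnel kernel: UDP drop: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:08:e3:20:f3:85:08:00 SRC=144.135.25.84 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=111 ID=62696 PROTO=UDP SPT=137 DPT=137 LEN=58
Jul 31 13:55:12 wind-tunnel kernel: TCP drop: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=33021 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# "Jul 31 13:53:06 wind-tunnel kernel: UDP drop: IN=eth0 OUT= ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?): (?P<rest>IN=.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict of the LOG fields, or None if the line is not a LOG record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "prefix": m["prefix"]}
    for key, val in KV_RE.findall(m["rest"]):
        # LEN= appears twice (IP total length, then UDP length): keep the first.
        rec.setdefault(key, val)
    # Bare tokens such as DF and SYN are flags with no value.
    rec["flags"] = [tok for tok in m["rest"].split() if "=" not in tok]
    return rec


def summarize(log_text, lan_ifaces=("eth1",)):
    """Parse every LOG line in log_text.

    Returns (records, hits, egress_denied):
      records        all parsed dicts, in order
      hits           Counter of (prefix, PROTO, DPT) -> count, i.e. what is
                     knocking and on which port
      egress_denied  records whose IN= is one of lan_ifaces: internal hosts
                     whose outbound traffic hit the default policy
    """
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    hits = Counter((r["prefix"], r.get("PROTO"), r.get("DPT")) for r in records)
    egress_denied = [r for r in records if r.get("IN") in lan_ifaces]
    return records, hits, egress_denied


if __name__ == "__main__":
    records, hits, egress = summarize(SAMPLE_LOG)
    for (prefix, proto, dpt), n in hits.most_common():
        print(f"{n:4d}  {prefix:10s} {proto}/{dpt}")
    for r in egress:
        print(f"internal host {r['SRC']} denied {r['PROTO']} to "
              f"{r['DST']}:{r['DPT']} (in={r['IN']} out={r['OUT'] or '-'})")
```

Run it over a real /var/log/messages by reading the file into summarize(); anything in egress_denied is either a rule you forgot to add or a machine on the LAN doing something it should not, which is exactly the distinction the post is after.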


