[plug] users cannot access internet

Craig Ringer craig at postnewspapers.com.au
Fri May 9 23:43:05 WST 2003


Jon Miller wrote:
> Set up a box with all the normal stuff running, postfix, named, cucipop, etc.  Routing table looks good.  It's a dialup box, from the box that is dialing to the isp we can access the internet no problem.  However, we cannot ping anything past the modem.  Can anyone point me in the right direction?
> All users are using W2Kp workstations and have a default gateway of the server.

run:

iptables -L -n -v
iptables -L -t nat -n -v

and browse the results to make sure they make sense. In particular check 
that you're using the right interfaces. Make sure you're not blocking 
ICMP - though I presume "can't ping" in this case implies "can't get dns 
replies or other traffic through either".

Also, for _temporary_ _testing_ _purposes_ _only_ (for security 
reasons), try:

iptables -F
iptables -X

(clears tables)

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

(opens up defaults)

iptables -L -t nat -n -v

(make sure NAT table looks sensible still. Here's mine from my firewall, 
trimmed of some site-specific forwards and other rules - and mangled by 
my mailer):

Chain POSTROUTING (policy ACCEPT 264K packets, 16M bytes)
 pkts bytes target     prot opt in     out     source               destination
62207 3889K MASQUERADE  all  --  *      *       192.168.0.0/24       0.0.0.0/0

(the OUTPUT chain was empty, and the PREROUTING chain doesn't have 
anything you'll need in it, you can leave it empty too).

Try adding these rules to the top of your normal ruleset (that is, 
after running your firewall script)

iptables -I INPUT 1 -i ppp0 -j LOG --log-prefix "[PPPIN]"
iptables -I OUTPUT 1 -o ppp0 -j LOG --log-prefix "[PPPOUT]"
iptables -I INPUT 1 -i eth0 -j LOG --log-prefix "[ETHIN]"
iptables -I OUTPUT 1 -o eth0 -j LOG --log-prefix "[ETHOUT]"

so you can see where packets are hitting iptables and what's happening. 
Come to think of it, that'd be a /lot/ easier with tcpdump (run 2 
tcpdumps on different consoles):

tcpdump -i ppp0
tcpdump -i eth0

and watch.

Generally with networking issues, getting enough info kind of tells you 
what the problem is. You just have to systematically troubleshoot and 
collect info 'till you figure it out.

Craig
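
A read-only way to run the "make sure they make sense" check on the two listings, as an added example that is not part of the original post. The function name `diagnose`, the LAN interface `eth0` and the sample listings are assumptions constructed for illustration; it only parses text and never changes rules.

```shell
#!/bin/sh
# Added example: read-only check of saved `iptables -L -n -v` and
# `iptables -L -t nat -n -v` listings. Parses text; changes no rules.
# Assumed: LAN 192.168.0.0/24 on eth0, dial-up link on ppp0.
# -v columns: pkts bytes target prot opt in out source destination
diagnose() {   # usage: diagnose LAN_CIDR LAN_IF WAN_IF  < listings
    awk -v lan="$1" -v lanif="$2" -v wanif="$3" '
        $1 == "Chain" {
            chain = $2; pol = $4; sub(/\)/, "", pol)
            if (chain == "FORWARD") fwdpol = pol
            next
        }
        $1 !~ /^[0-9]/ { next }     # skip column headers and blank lines
        chain == "POSTROUTING" && $3 == "MASQUERADE" &&
            ($7 == wanif || $7 == "*") && ($8 == lan || $8 == "0.0.0.0/0") { masq = 1 }
        chain == "FORWARD" && $3 == "ACCEPT" &&
            ($6 == lanif || $6 == "*") && ($7 == wanif || $7 == "*") { fwdok = 1 }
        (chain == "INPUT" || chain == "FORWARD") && $4 ~ /^(icmp|1)$/ &&
            ($3 == "DROP" || $3 == "REJECT") { print "ICMP_BLOCKED " chain }
        END {
            if (!masq) print "NO_MASQUERADE"
            # Coarse heuristic: ignores rule order and address matches.
            if (fwdpol != "ACCEPT" && !fwdok) print "FORWARD_BLOCKED"
        }'
}

sample_good() {   # constructed listing; POSTROUTING rule as quoted in the post
cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
Chain POSTROUTING (policy ACCEPT 264K packets, 16M bytes)
62207 3889K MASQUERADE  all  --  *      *       192.168.0.0/24       0.0.0.0/0
EOF
}

sample_bad() {    # constructed: NAT on the wrong interface, FORWARD closed
cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    0     0 DROP       icmp --  ppp0   *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    0     0 MASQUERADE  all  --  *      eth0    192.168.0.0/24       0.0.0.0/0
EOF
}

echo "good:"; sample_good | diagnose 192.168.0.0/24 eth0 ppp0
echo "bad:";  sample_bad  | diagnose 192.168.0.0/24 eth0 ppp0
```

On a live box, feed it both listings at once: `{ iptables -L -n -v; iptables -L -t nat -n -v; } | diagnose 192.168.0.0/24 eth0 ppp0`. No output means none of the three conditions was found.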


