Can ping internet, but not browse

hwmax · #1 28th August 2006, 05:27 PM

Hi, i was wondering if someone can help. I have a fedora 5 box with 2 nics, eth0 connected to the LAN (192.168.0.2) and eth1 connected to a DSL modem (receives its IP through DHCP sent from the modem), i'm using this particular computer as a router/gateway, i've used Firestarter to share the internet and the internet is accessible and working fine from the LAN, but i can't access the internet from the fedora box i can ping websites fine, which should rule out any DNS issues (have also checked /etc/resolv.conf, it has the correct DNS server retrieved by Dhclient), i've tried accessing the internet using FTP, wget Firefox on the gateway machine but it isn't accessible. Can someone offer some assistance, thanks a lot.

BTW. here is the output of iptables -L (quite large) http://rafb.net/paste/results/GVyjbr18.html

Here is the output of route -n (my internet ip has been changed to a fake one.

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 85.111.11.111 0.0.0.0 UG 0 0 0 eth1

hwmax · #2 29th August 2006, 01:30 PM

I'm sorry for such a quick bump of the topic, but this problem is becoming quite troublesome. If anyone has any ideas at all, they would be much appreciated.

wneumann · #3 29th August 2006, 01:44 PM

Did you create that iptable or firestarter? No kidding it is large, is it really all needed? I used the following howto to set up my box as a router/gateway. It was quick and easy and I learned a lot.

http://www.linux.org/docs/ldp/howto/...WTO/index.html

Front ends like firestarter that hide the nuts and bolts mean you don't learn as much and you don't have the control.

hwmax · #4 29th August 2006, 01:48 PM

Yeah Firestarter created those rules. I've used iptables in the past, but i though firestarter would be easier as i have a lot of ports which i would like to forward to specific computers. I might give creating the ruls myself a try and see if that fixes the problem

nhydra · #5 29th August 2006, 02:04 PM

I think that you have some iptables rules that block you internet browsing.
Can you show your iptables rules?

wneumann · #6 29th August 2006, 02:11 PM

OK, I've tried to read your iptables and there isn't enough info to see what the problem is. "iptables -L" does not list everything. "iptables -L -v" is better but still hides essential info. You really need to post the actual /etc/sysconfig/iptables file if you want someone to see what is up. But I doubt you'll find anyone here willing to plough through that thing. And anyway, the problem is probably not there. It looks more like a dns problem.

A few questions: you say you can ping sites from the box? All sites?
What does "dig fishbait.com" give you? (I made that address up, but it exists. Make up your own, not just standard addresses that might be in a cache)
How about "traceroute fishbait.com" from the gateway box? -- from a machine on your LAN?
What if you try to browse a site by ip adress?
Are you running named?

wneumann · #7 29th August 2006, 02:23 PM

Reversal: I think it may be your iptables. Line 5 doesn't tell us what its restriction is but my guess is that it is allowing ping. I don't know why it would be there otherwise. That would explain why ping works and other stuff is getting trapped. Lines 13-16 it is not clear to me where your gateway box is being addressed here, but there is too little information to be sure. Once you get to the "INBOUND" chain it looks as if http should be OK, so my best bet is a problem in lines 13-16.

But we really don't have the necessary info.

hwmax · #8 29th August 2006, 02:29 PM

Quote:

Originally Posted by nhydra

I think that you have some iptables rules that block you internet browsing.
Can you show your iptables rules?

I have included them in a link in the original post.

Quote:

Originally Posted by wneumann

OK, I've tried to read your iptables and there isn't enough info to see what the problem is. "iptables -L" does not list everything. "iptables -L -v" is better but still hides essential info. You really need to post the actual /etc/sysconfig/iptables file if you want someone to see what is up. But I doubt you'll find anyone here willing to plough through that thing. And anyway, the problem is probably not there. It looks more like a dns problem.

A few questions: you say you can ping sites from the box? All sites?
What does "dig fishbait.com" give you? (I made that address up, but it exists. Make up your own, not just standard addresses that might be in a cache)
How about "traceroute fishbait.com" from the gateway box? -- from a machine on your LAN?
What if you try to browse a site by ip adress?
Are you running named?

Hi, thanks for your reply. Yes i can pretty much ping all sites and get a response. I'm not runnng named and sites are still not accessible if i try to access them by IP instead.

here is the output of dig fishbait.com

# dig fishbait.com

; <<>> DiG 9.3.2 <<>> fishbait.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60513
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;fishbait.com. IN A

;; ANSWER SECTION:
fishbait.com. 86400 IN A 205.206.209.57

;; Query time: 315 msec
;; SERVER: 62.241.163.200#53(62.241.163.200)
;; WHEN: Tue Aug 29 14:13:08 2006
;; MSG SIZE rcvd: 46

The output of a traceroute from a Windows XP machine on the LAN:

Tracing route to fishbait.com [205.206.209.57]
over a maximum of 30 hops:

1 55 ms <1 ms <1 ms 192.168.0.2
2 21 ms <1 ms * 192.168.1.1
3 16 ms 71 ms 34 ms loopback1.ar2.gs1.systems.pipex.net [62.241.161.
244]
4 21 ms 15 ms 67 ms ge-0-1-0.cr1.gs1.dsl.pipex.net [62.241.161.106]

5 95 ms 75 ms 15 ms ldn-b1-geth6-0-12.telia.net [213.248.100.105]
6 66 ms 16 ms 40 ms ldn-bb1-link.telia.net [80.91.250.91]
7 86 ms 150 ms 90 ms nyk-bb1-link.telia.net [213.248.65.98]
8 106 ms 120 ms 106 ms chi-bb1-pos6-0-0-0.telia.net [213.248.80.153]
9 119 ms 148 ms 106 ms telus-112712-chi-bb1.telia.net [213.248.84.78]
10 137 ms 157 ms 137 ms clgrab01dr00.bb.telus.com [208.38.16.144]
11 139 ms 138 ms 166 ms 216.123.211.114
12 139 ms 190 ms 144 ms 205.206.209.57

Trace complete.

And a traceroute from the gateway:

traceroute to fishbait.com (205.206.209.57), 30 hops max, 40 byte packets
1 192.168.1.1 (192.168.1.1) 17.820 ms 17.396 ms 13.436 ms
2 loopback1.ar2.gs1.systems.pipex.net (62.241.161.244) 34.755 ms 32.961 ms *
3 ge-0-1-0.cr1.gs1.dsl.pipex.net (62.241.161.106) 92.082 ms 215.145 ms 216.506 ms
4 * ldn-b1-geth6-1-11.telia.net (213.248.100.41) 304.927 ms 363.797 ms
5 * * *
6 * * *
7 * * chi-bb1-pos6-0-0-0.telia.net (213.248.80.153) 428.275 ms
8 chcgildtgr00.bb.telus.com (154.11.3.81) 103.448 ms 104.300 ms 103.244 ms
9 clgrab01dr00.bb.telus.com (208.38.16.144) 136.732 ms 137.615 ms *
10 216.123.211.114 (216.123.211.114) 138.704 ms 138.987 ms 140.814 ms
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

wneumann · #9 29th August 2006, 02:38 PM

Well, dns is clearly working fine. So you are probably right to suspect your iptables. You are doing so much specific filtering there that something could easily be broken. I still think lines 13-16 are the most likely suspect, but without seeing the original rules one can only guess.

wneumann · #10 29th August 2006, 02:43 PM

One more suggestion. Shut down the other machines on your lan so they aren't sending packets. Then restart your iptables to clear statistics. Then run "iptables -L -v" in between trying to send out http requests, capturing the output so you can get an idea where the http packets are getting trapped. A very primitive manual packet sniffer if you like.

wneumann · #11 29th August 2006, 03:13 PM

I'm going to have to sign off. But you might simply want to add a line to accept any outgoing from your gateway box to the WAN early in the table (I mean the real table in /etc/sysconfig/iptables). At a guess you are already allowing established connections in, so that would fix it.

I think

iptables -A INPUT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
iptables -A INPUT -s gateway-computer-ip-address -d 0.0.0.0/0 -j ACCEPT

would do it. First line says loopback interface is always OK and is probably enough.
Try adding the second line too if the first doesn't do it. Put them at the head of the table.

Better, don't edit the table, just insert the line at the head of the running iptables by changing the -A to -I and running the line as a command from the command line (as root). See if that does it.

But ultimately, I guess my first post on this thread is my first recommendation. It takes longer to write your own iptables and tweak it to do the details you want to do, but you learn more, so you save time down the road.

hwmax · #12 29th August 2006, 08:21 PM

Hi, thanks for all the help. I stopped firestarter and flushed iptables, i then used the first script included in that tutorial you posted, and it works, the internet in the gateway itself and from the LAN, now i'm wondering will it be possible to run that script in the user-pre section of firestarter (scripts that are ran before firestarter runs), presumably the internet will work on the gateway like it did before, then the rules from iptables will be load, allowing the use of the rules and the internet to work on the gateway.

wneumann · #13 30th August 2006, 07:51 AM

That won't work. If you stick it in the user-pre section of firestarter it accepts packages before they got to the firestarter stuff, so firestarter's code won't see the packages.

The very first script in that tutorial (section 3.4.1) is very permissive. It is fine for testing, but you will probably want to read on to section 6.4 of the tutorial for something secure. But do not panic: keep in mind that even the permissive script is not insecure. An open port is only a security risk if you have a service actually responding at that port and that service is insecure. Fedora loads very few services by default, and you have complete control over what is being loaded (unlike Windows). I get the same clean security billing from the security scan at http://www.dslreports.com/tools with my firewall completely disabled as with it up.

Anyway, section 6.4 guides you to a script that the author suggests is "preliminary", but in fact it is at least as secure as the default fedora firewall, certainly much more than you really need for a home network. It closes most incoming ports to new traffic by default, so you will then want to add lines to enable the ports you want, such as http if you want to run a web server, and ssh because you are sure to want ssh some time even if you don't right now.

hwmax · #14 30th August 2006, 01:57 PM

wneumann, thanks for all your help, i decided to heed your advice and go the iptables route and modify an premade scripts and it's working fine now. Thanks for all your help again.