Fedora Linux Support Community & Resources Center
#1  28th August 2006, 05:27 PM  hwmax (Registered User; joined Aug 2006; 6 posts)
Can ping internet, but not browse

Hi, I was wondering if someone can help. I have a Fedora 5 box with 2 NICs: eth0 connected to the LAN (192.168.0.2) and eth1 connected to a DSL modem (it receives its IP through DHCP from the modem). I'm using this particular computer as a router/gateway. I've used Firestarter to share the internet, and the internet is accessible and working fine from the LAN, but I can't access the internet from the Fedora box itself. I can ping websites fine, which should rule out any DNS issues (I have also checked /etc/resolv.conf; it has the correct DNS server retrieved by dhclient). I've tried accessing the internet using FTP, wget and Firefox on the gateway machine, but it isn't accessible. Can someone offer some assistance? Thanks a lot.

BTW, here is the output of iptables -L (quite large): http://rafb.net/paste/results/GVyjbr18.html

Here is the output of route -n (my internet IP has been changed to a fake one).

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 85.111.11.111 0.0.0.0 UG 0 0 0 eth1

Last edited by hwmax; 28th August 2006 at 05:29 PM.
#2  29th August 2006, 01:30 PM  hwmax (Registered User; joined Aug 2006; 6 posts)
I'm sorry for such a quick bump of the topic, but this problem is becoming quite troublesome. If anyone has any ideas at all, they would be much appreciated.
#3  29th August 2006, 01:44 PM  wneumann (Registered User; joined Dec 2004; 512 posts)
Did you create that iptables ruleset, or did Firestarter? No kidding it is large; is it really all needed? I used the following howto to set up my box as a router/gateway. It was quick and easy and I learned a lot.

http://www.linux.org/docs/ldp/howto/...WTO/index.html

Front ends like firestarter that hide the nuts and bolts mean you don't learn as much and you don't have the control.
#4  29th August 2006, 01:48 PM  hwmax (Registered User; joined Aug 2006; 6 posts)
Yeah, Firestarter created those rules. I've used iptables in the past, but I thought Firestarter would be easier as I have a lot of ports which I would like to forward to specific computers. I might give creating the rules myself a try and see if that fixes the problem.
#5  29th August 2006, 02:04 PM  nhydra (Registered User; joined Aug 2006; 61 posts)
I think that you have some iptables rules that block your internet browsing.
Can you show your iptables rules?
#6  29th August 2006, 02:11 PM  wneumann (Registered User; joined Dec 2004; 512 posts)
OK, I've tried to read your iptables and there isn't enough info to see what the problem is. "iptables -L" does not list everything. "iptables -L -v" is better but still hides essential info. You really need to post the actual /etc/sysconfig/iptables file if you want someone to see what is up. But I doubt you'll find anyone here willing to plough through that thing. And anyway, the problem is probably not there. It looks more like a dns problem.

A few questions: you say you can ping sites from the box? All sites?
What does "dig fishbait.com" give you? (I made that address up, but it exists. Make up your own, not just standard addresses that might be in a cache)
How about "traceroute fishbait.com" from the gateway box? -- from a machine on your LAN?
What if you try to browse a site by IP address?
Are you running named?
#7  29th August 2006, 02:23 PM  wneumann (Registered User; joined Dec 2004; 512 posts)
Reversal: I think it may be your iptables. Line 5 doesn't tell us what its restriction is but my guess is that it is allowing ping. I don't know why it would be there otherwise. That would explain why ping works and other stuff is getting trapped. Lines 13-16 it is not clear to me where your gateway box is being addressed here, but there is too little information to be sure. Once you get to the "INBOUND" chain it looks as if http should be OK, so my best bet is a problem in lines 13-16.

But we really don't have the necessary info.
#8  29th August 2006, 02:29 PM  hwmax (Registered User; joined Aug 2006; 6 posts)
Quote:
Originally Posted by nhydra
I think that you have some iptables rules that block your internet browsing.
Can you show your iptables rules?
I have included them in a link in the original post.

Quote:
Originally Posted by wneumann
OK, I've tried to read your iptables and there isn't enough info to see what the problem is. "iptables -L" does not list everything. "iptables -L -v" is better but still hides essential info. You really need to post the actual /etc/sysconfig/iptables file if you want someone to see what is up. But I doubt you'll find anyone here willing to plough through that thing. And anyway, the problem is probably not there. It looks more like a dns problem.

A few questions: you say you can ping sites from the box? All sites?
What does "dig fishbait.com" give you? (I made that address up, but it exists. Make up your own, not just standard addresses that might be in a cache)
How about "traceroute fishbait.com" from the gateway box? -- from a machine on your LAN?
What if you try to browse a site by IP address?
Are you running named?
Hi, thanks for your reply. Yes, I can pretty much ping all sites and get a response. I'm not running named, and sites are still not accessible if I try to access them by IP instead.

Here is the output of dig fishbait.com:

# dig fishbait.com

; <<>> DiG 9.3.2 <<>> fishbait.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60513
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;fishbait.com. IN A

;; ANSWER SECTION:
fishbait.com. 86400 IN A 205.206.209.57

;; Query time: 315 msec
;; SERVER: 62.241.163.200#53(62.241.163.200)
;; WHEN: Tue Aug 29 14:13:08 2006
;; MSG SIZE rcvd: 46

The output of a traceroute from a Windows XP machine on the LAN:

Tracing route to fishbait.com [205.206.209.57]
over a maximum of 30 hops:

1 55 ms <1 ms <1 ms 192.168.0.2
2 21 ms <1 ms * 192.168.1.1
3 16 ms 71 ms 34 ms loopback1.ar2.gs1.systems.pipex.net [62.241.161.244]
4 21 ms 15 ms 67 ms ge-0-1-0.cr1.gs1.dsl.pipex.net [62.241.161.106]
5 95 ms 75 ms 15 ms ldn-b1-geth6-0-12.telia.net [213.248.100.105]
6 66 ms 16 ms 40 ms ldn-bb1-link.telia.net [80.91.250.91]
7 86 ms 150 ms 90 ms nyk-bb1-link.telia.net [213.248.65.98]
8 106 ms 120 ms 106 ms chi-bb1-pos6-0-0-0.telia.net [213.248.80.153]
9 119 ms 148 ms 106 ms telus-112712-chi-bb1.telia.net [213.248.84.78]
10 137 ms 157 ms 137 ms clgrab01dr00.bb.telus.com [208.38.16.144]
11 139 ms 138 ms 166 ms 216.123.211.114
12 139 ms 190 ms 144 ms 205.206.209.57

Trace complete.

And a traceroute from the gateway:

traceroute to fishbait.com (205.206.209.57), 30 hops max, 40 byte packets
1 192.168.1.1 (192.168.1.1) 17.820 ms 17.396 ms 13.436 ms
2 loopback1.ar2.gs1.systems.pipex.net (62.241.161.244) 34.755 ms 32.961 ms *
3 ge-0-1-0.cr1.gs1.dsl.pipex.net (62.241.161.106) 92.082 ms 215.145 ms 216.506 ms
4 * ldn-b1-geth6-1-11.telia.net (213.248.100.41) 304.927 ms 363.797 ms
5 * * *
6 * * *
7 * * chi-bb1-pos6-0-0-0.telia.net (213.248.80.153) 428.275 ms
8 chcgildtgr00.bb.telus.com (154.11.3.81) 103.448 ms 104.300 ms 103.244 ms
9 clgrab01dr00.bb.telus.com (208.38.16.144) 136.732 ms 137.615 ms *
10 216.123.211.114 (216.123.211.114) 138.704 ms 138.987 ms 140.814 ms
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
#9  29th August 2006, 02:38 PM  wneumann (Registered User; joined Dec 2004; 512 posts)
Well, dns is clearly working fine. So you are probably right to suspect your iptables. You are doing so much specific filtering there that something could easily be broken. I still think lines 13-16 are the most likely suspect, but without seeing the original rules one can only guess.
#10  29th August 2006, 02:43 PM  wneumann (Registered User; joined Dec 2004; 512 posts)
One more suggestion. Shut down the other machines on your lan so they aren't sending packets. Then restart your iptables to clear statistics. Then run "iptables -L -v" in between trying to send out http requests, capturing the output so you can get an idea where the http packets are getting trapped. A very primitive manual packet sniffer if you like.
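The "primitive manual packet sniffer" described above, as an added example script that is not from the thread: it takes two captures of `iptables -L -v -x` (the `-x` keeps the counters as exact numbers), one made before and one after a single HTTP attempt from the gateway, and prints only the rules and chain policies whose packet counters moved. The two captures in `demo` are constructed sample data, not the poster's real Firestarter rules, and show one possible outcome: the DNS query and reply match explicit rules while the three HTTP SYN packets fall through to the OUTPUT chain's DROP policy.

```shell
#!/bin/sh
# Added example, not code from the thread: diff the packet counters of two
# `iptables -L -v -x` captures to see which rules the test traffic matched.
#
# Usage on the gateway, as root, with the LAN machines quiet:
#   iptables -L -v -x > before.txt
#   wget -O /dev/null http://fishbait.com/      # the address used in the thread
#   iptables -L -v -x > after.txt
#   counter_diff before.txt after.txt

counter_diff() {
    # $1 = capture taken before the test traffic, $2 = capture taken after.
    # awk reads the first file into before[chain:rule], then walks the second.
    awk '
        /^Chain / {
            chain = $2; idx = 0
            # Built-in chains carry a policy with its own counter, e.g.
            # "Chain OUTPUT (policy DROP 3 packets, 180 bytes)".
            if ($3 == "(policy") {
                key = chain ":policy"
                if (FNR == NR) before[key] = $5
                else if ($5 - before[key] != 0)
                    printf "%s policy %s: %+d pkts\n", chain, $4, $5 - before[key]
            }
            next
        }
        /^ *pkts/ || /^ *$/ { next }      # column header or blank line
        {
            # Any other line is a rule; $1 is its packet counter.
            idx++
            key = chain ":" idx
            if (FNR == NR) { before[key] = $1; next }
            delta = $1 - before[key]
            if (delta != 0) {
                $1 = ""; $2 = ""; sub(/^ +/, "")   # drop the two counters
                printf "%s rule %d: %+d pkts  %s\n", chain, idx, delta, $0
            }
        }' "$1" "$2"
}

demo() {
    # Two constructed captures (sample data, not the poster's real rules).
    # Between them the gateway sent one DNS query, got one reply, and tried
    # three HTTP SYNs that nothing in OUTPUT accepts.
    dir=$(mktemp -d)
    cat > "$dir/before.txt" <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       4        336 ACCEPT     icmp --  any    any     anywhere             anywhere
       7        476 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:domain
       0          0 INBOUND    all  --  eth1   any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      10        800 ACCEPT     all  --  eth0   eth1    anywhere             anywhere

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       4        336 ACCEPT     icmp --  any    any     anywhere             anywhere
       5        340 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:domain

Chain INBOUND (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
EOF
    cat > "$dir/after.txt" <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       4        336 ACCEPT     icmp --  any    any     anywhere             anywhere
       8        544 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:domain
       0          0 INBOUND    all  --  eth1   any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      10        800 ACCEPT     all  --  eth0   eth1    anywhere             anywhere

Chain OUTPUT (policy DROP 3 packets, 180 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       4        336 ACCEPT     icmp --  any    any     anywhere             anywhere
       6        408 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:domain

Chain INBOUND (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
EOF
    counter_diff "$dir/before.txt" "$dir/after.txt"
    rm -rf "$dir"
}

demo
```

Read the output bottom-up from the chain policies: a counter that moves on a `policy DROP` line means packets reached the end of that chain without any rule accepting them, which is where an explicit accept for the gateway's own traffic is missing. If the counters were reset (for example by restarting iptables) between the two captures, the deltas come out negative and the run should simply be repeated.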
#11  29th August 2006, 03:13 PM  wneumann (Registered User; joined Dec 2004; 512 posts)
I'm going to have to sign off. But you might simply want to add a line to accept any outgoing from your gateway box to the WAN early in the table (I mean the real table in /etc/sysconfig/iptables). At a guess you are already allowing established connections in, so that would fix it.

I think

iptables -A INPUT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
iptables -A INPUT -s gateway-computer-ip-address -d 0.0.0.0/0 -j ACCEPT

would do it. First line says loopback interface is always OK and is probably enough.
Try adding the second line too if the first doesn't do it. Put them at the head of the table.

Better, don't edit the table, just insert the line at the head of the running iptables by changing the -A to -I and running the line as a command from the command line (as root). See if that does it.

But ultimately, I guess my first post on this thread is my first recommendation. It takes longer to write your own iptables and tweak it to do the details you want to do, but you learn more, so you save time down the road.
#12  29th August 2006, 08:21 PM  hwmax (Registered User; joined Aug 2006; 6 posts)
Hi, thanks for all the help. I stopped Firestarter and flushed iptables, then used the first script included in that tutorial you posted, and it works: the internet on the gateway itself and from the LAN. Now I'm wondering whether it will be possible to run that script in the user-pre section of Firestarter (scripts that are run before Firestarter runs). Presumably the internet will work on the gateway like it did before, then the rules from iptables will be loaded, allowing the use of the rules and the internet to work on the gateway.
#13  30th August 2006, 07:51 AM  wneumann (Registered User; joined Dec 2004; 512 posts)
That won't work. If you stick it in the user-pre section of Firestarter, it accepts packages before they get to the Firestarter stuff, so Firestarter's code won't see the packages.

The very first script in that tutorial (section 3.4.1) is very permissive. It is fine for testing, but you will probably want to read on to section 6.4 of the tutorial for something secure. But do not panic: keep in mind that even the permissive script is not insecure. An open port is only a security risk if you have a service actually responding at that port and that service is insecure. Fedora loads very few services by default, and you have complete control over what is being loaded (unlike Windows). I get the same clean security billing from the security scan at http://www.dslreports.com/tools with my firewall completely disabled as with it up.

Anyway, section 6.4 guides you to a script that the author suggests is "preliminary", but in fact it is at least as secure as the default fedora firewall, certainly much more than you really need for a home network. It closes most incoming ports to new traffic by default, so you will then want to add lines to enable the ports you want, such as http if you want to run a web server, and ssh because you are sure to want ssh some time even if you don't right now.
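An added example covering what posts #11 and #13 describe, written for this thread rather than taken from the tutorial's 3.4.1 or 6.4 scripts or from Firestarter: a small two-NIC gateway ruleset in `iptables-restore` format that keeps the box's own traffic working (loopback accept, ESTABLISHED,RELATED accept, OUTPUT left open) while forwarding and masquerading for the LAN, plus a `check_rules` lint for the missing-accept mistake that produces exactly this thread's symptom. The interface roles and the LAN range are taken from the thread; the ssh and ping rules, the function names and the lint's checks are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not the tutorial's script and not Firestarter output.
# Emits a minimal router/gateway ruleset for iptables-restore.
# Interface roles follow the thread: eth0 = LAN 192.168.0.0/24, eth1 = DSL/WAN.
#
# Apply as root with:     gen_rules | iptables-restore
# and enable forwarding:  sysctl -w net.ipv4.ip_forward=1

gen_rules() {
    lan_if=${1:-eth0}
    wan_if=${2:-eth1}
    lan_net=${3:-192.168.0.0/24}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite LAN source addresses to whatever address DHCP gave the WAN side.
-A POSTROUTING -o $wan_if -j MASQUERADE
COMMIT
*filter
# New connections to the gateway and through it are dropped by default;
# the gateway's own outgoing traffic is allowed, which is what a box that
# "can ping but not browse" is usually missing.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is always fine; without this local resolvers and tools break.
-A INPUT -i lo -j ACCEPT
# Replies to connections the gateway itself opened (wget, Firefox, ftp, dig).
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Let LAN hosts ping and ssh the gateway; nothing new is accepted from the WAN.
-A INPUT -i $lan_if -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $lan_if -p tcp --dport 22 -j ACCEPT
# Forward LAN -> WAN, and only reply traffic WAN -> LAN.
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Lint for the symptom in this thread: a DROP policy on INPUT or OUTPUT
# without the loopback and ESTABLISHED accepts takes the gateway itself
# offline while forwarding for the LAN keeps working. Reads a ruleset on
# stdin; the exit status is the number of problems found, so it can gate
# a reload.
check_rules() {
    awk '
        /^:INPUT DROP/                      { in_drop = 1 }
        /^:OUTPUT DROP/                     { out_drop = 1 }
        /^-A INPUT -i lo -j ACCEPT/         { lo_in = 1 }
        /^-A INPUT .*--state ESTABLISHED/   { est_in = 1 }
        /^-A OUTPUT -o lo -j ACCEPT/        { lo_out = 1 }
        END {
            bad = 0
            if (in_drop && !lo_in)   { print "INPUT DROP policy without a loopback accept"; bad++ }
            if (in_drop && !est_in)  { print "INPUT DROP policy without an ESTABLISHED,RELATED accept"; bad++ }
            if (out_drop && !lo_out) { print "OUTPUT DROP policy without a loopback accept"; bad++ }
            exit bad
        }'
}

# Run stand-alone: print the ruleset and lint it (exit status 0 = clean).
gen_rules
gen_rules | check_rules
```

Port forwards for LAN machines, the reason Firestarter was chosen in the first place, go into the `*nat` section as `-A PREROUTING -i eth1 -p tcp --dport PORT -j DNAT --to-destination LAN-IP:PORT`, paired with a matching `-A FORWARD -i eth1 -o eth0 -p tcp -d LAN-IP --dport PORT -j ACCEPT` in `*filter`; a ruleset kept as this kind of file can be diffed and linted before every reload, which a generated one cannot.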
#14  30th August 2006, 01:57 PM  hwmax (Registered User; joined Aug 2006; 6 posts)
wneumann, thanks for all your help. I decided to heed your advice and go the iptables route and modify a premade script, and it's working fine now. Thanks for all your help again.