IP Masquerade suddenly stopped working on my Fedora 15 system just after I added a Brother printer/scanner (HL-2280DW) to my home network. I don't recall what I may have done, but I do know I didn't run iptables or system-config-firewall, though the driver installer from Brother could have tried to tweak the firewall.
Since my F15 system is headless (it's my home server, gateway and firewall), I did everything remotely via SSH from my main workstation, an Ubuntu 11.10 system. The only other system on my home LAN is a Windows HTPC. Both the Ubuntu and Windows systems lost internet connectivity after the printer was installed, though they could communicate with the F15 system, the new printer, and each other.
On the F15 system, eth0 connects to the Internet via a cable modem, and eth1 connects to the home LAN. The printer is connected to the LAN, and the Ubuntu and Windows systems connect to the LAN via an 802.11g access point (which works great). All systems are able to use the new printer and its scanner.
Let's start with the firewall state as it was on my system when the problem was initially found. Though I do understand general firewall and network concepts, I don't understand iptables, so I'm not sure what's going on here.
Code:
$ sudo iptables-save
# Generated by iptables-save v1.4.10
*nat
:PREROUTING ACCEPT [11940:764498]
:INPUT ACCEPT [203:35026]
:OUTPUT ACCEPT [8808:832053]
:POSTROUTING ACCEPT [17435:1306259]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Generated by iptables-save v1.4.10
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4531921:2029434194]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -o eth1 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
I tried using system-config-firewall to correct the situation, but despite repeatedly enabling forwarding and making all other settings generic, the above firewall persisted, and IPMasq was still not working.
Note: To get system-config-firewall to run remotely over an X11-SSH connection, I had to use this command: "sudo -E system-config-firewall". I was unable to get the GUI to work any other way.
I am not presently using Fedora's new FirewallD daemon.
I was going to try using Firestarter, but was surprised to find it hasn't been part of Fedora for a long time (it works great with Ubuntu). I also used Shorewall long ago, but it has become very complex over the years.
I went online and searched for a minimal iptables rule set that would enable IP MASQ and little else, and implemented those rules on my system. (Note: Chrome is totally unusable running remotely over an X11-SSH connection - Firefox works *much* better.)
Code:
# /sbin/iptables -F
# /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# /sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
And here's the resulting firewall:
Code:
$ sudo iptables-save
# Generated by iptables-save v1.4.10
*nat
:PREROUTING ACCEPT [242:15844]
:INPUT ACCEPT [6:1277]
:OUTPUT ACCEPT [177:25557]
:POSTROUTING ACCEPT [42:7392]
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Generated by iptables-save v1.4.10
*filter
:INPUT ACCEPT [44193:16722873]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [49498:29664447]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
The rules above permitted MASQ to work. I'm not sure why the eth0 MASQ line appears twice, but it didn't seem to hurt firewall operation. To make sure the firewall was at least minimally secure, I ran all of the GRC "Shields Up!!" checks, and all tests passed.
Next, I ran 'sudo -E system-config-firewall' once more, and it installed the bad firewall again!
So, what's wrong? Is the F15 system-config-firewall insane? It has always worked fine for me, though the last time I ran it was when I installed F15, and I don't know if it has been updated since. Could it resent being run over SSH, or via 'sudo -E'?
At some point, I'll drag a monitor over to the F15 system to see if things behave differently there, but for the moment I'm very confused.
TIA,
-BobC