I am at my wits' end, tearing my hair out after wrestling with a
!#$Y!#@$!#@#@ linux 2.4.22 firewall router setup using iptables for 3
days now. This box does NAT for a private LAN composed of WinXP
machines and a Win2K server. It interfaces with a DSL connection.
I use a firewall script called gShield, which worked great on a 2.4.17
box (well, great up until the time it got hacked by some bozo, but
that may not have been the firewall script's fault).
In any event, using the gShield script I can use lynx to visit
websites from the firewall/router. I can ping sites, both from the
firewall/router and the Windoze clients. I can do DNS lookups that
require internet access, again from both the firewall/router and the
Windoze clients.
But I can't surf to any website from the Windoze clients; if I try,
the site is found (i.e., the status bar on the browser says "Opening
web page"), but nothing ever downloads. Similarly, while I can ftp to
sites from both the Windoze clients and the firewall/router, and
browse the ftp site directories, if I try to download any file the
download connection is created (e.g., lftp reports downloading ...
0%), but no download occurs.
This feels like some kind of weird problem where NAT is not
"connecting" the incoming reply packets to the appropriate private
client, but I'm not at all sure about that.
I've tried running tcpdump on both the internal and external
interfaces, and there is definitely traffic on both. In fact, there's
so much traffic on the external interface that I can't see what
happens when a Windoze client tries to surf to a site (obviously I can
dump the tcpdump output to a file and go through it line by line, but
I haven't done that yet).
In addition to any suggestions folks may have for resolving this mess,
or even just gathering more data to pin down what the problem is, I
have a few (stupid, but, like I said, I'm desperate) questions...
1) Under my old, pre-hacked setup the linux firewall/router also ran a
DNS for my domain. In my new setup it no longer does that; the DNS
service for the private LAN is provided by a Win2K server, and the
"external" DNS service is provided by the company where I host my
website. Is that a potential problem? I've been burned before by those
nitwits in Redmond tweaking their DNS so it doesn't "play well with
others" (e.g., if you run a DNS on a Windoze primary domain controller
you >>cannot<< have any Windoze client use any other DNS as a
secondary service).
2) My DSL IP is 63.195.52.179, which is what I configured the external
interface NIC to use. However, the gateway for the firewall/router is
set to 63.195.52.254. I'm a little unclear about whether that's the
right value or not (I copied it over from the earlier, working
system). Changing the gateway to 63.195.52.179 prevents any access of
any kind to the internet from both the firewall/router and the Windoze
clients.
Thanx in advance...
- Mark
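Since the post mentions going through a saved tcpdump capture line by line to see what happens when a client tries to fetch a page, here is a small added example (not part of the original post) that does that mechanically: it parses tcpdump's text output, groups packets into TCP flows, and lists the flows where the three-way handshake completed but the remote server never returned a single byte of payload, which is exactly the "connection opens, nothing downloads" symptom described above. The sample capture is constructed, the addresses 192.168.1.10 (a client) and 192.0.2.x (remote servers, TEST-NET) are placeholders, and the regex assumes the modern tcpdump line format (`Flags [S.]`, `length N`) produced with `-n` so addresses stay numeric; older tcpdump versions print flags differently and would need the pattern adjusted.

```python
import re

# Constructed sample in the modern tcpdump text format, as captured on the
# router's internal interface with: tcpdump -n -i <internal-if> host 192.168.1.10
# Flow 1 (port 3301 -> 80): handshake completes, client sends a 300-byte request,
#   server only ACKs and never sends payload (the stalled-download symptom).
# Flow 2 (port 3302 -> 21): handshake completes and the server returns data.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 192.168.1.10.3301 > 192.0.2.80.80: Flags [S], seq 1000, win 65535, length 0
12:00:01.020000 IP 192.0.2.80.80 > 192.168.1.10.3301: Flags [S.], seq 5000, ack 1001, win 5840, length 0
12:00:01.020500 IP 192.168.1.10.3301 > 192.0.2.80.80: Flags [.], ack 5001, win 65535, length 0
12:00:01.021000 IP 192.168.1.10.3301 > 192.0.2.80.80: Flags [P.], seq 1001:1301, ack 5001, win 65535, length 300
12:00:01.040000 IP 192.0.2.80.80 > 192.168.1.10.3301: Flags [.], ack 1301, win 5840, length 0
12:00:05.000000 IP 192.168.1.10.3302 > 192.0.2.21.21: Flags [S], seq 2000, win 65535, length 0
12:00:05.020000 IP 192.0.2.21.21 > 192.168.1.10.3302: Flags [S.], seq 7000, ack 2001, win 5840, length 0
12:00:05.020500 IP 192.168.1.10.3302 > 192.0.2.21.21: Flags [.], ack 7001, win 65535, length 0
12:00:05.050000 IP 192.0.2.21.21 > 192.168.1.10.3302: Flags [P.], seq 7001:7041, ack 2001, win 5840, length 40
"""

# One TCP line: timestamp, IPv4 src.port > dst.port, flags, ..., payload length.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*? length (?P<len>\d+)"
)


def parse_lines(text):
    """Yield one dict per parseable TCP line; anything else (ARP, ICMP, UDP) is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkt = m.groupdict()
            for field in ("sport", "dport", "len"):
                pkt[field] = int(pkt[field])
            yield pkt


def summarize_flows(text):
    """Group packets into flows keyed by the sorted pair of (ip, port) endpoints.

    Each flow records whether a SYN and a SYN/ACK were seen, which endpoint
    initiated (sent the bare SYN), and payload bytes sent by each endpoint.
    """
    flows = {}
    for pkt in parse_lines(text):
        a = (pkt["src"], pkt["sport"])
        b = (pkt["dst"], pkt["dport"])
        key = tuple(sorted([a, b]))
        flow = flows.setdefault(
            key, {"client": None, "syn": False, "synack": False, "bytes": {a: 0, b: 0}}
        )
        flags = pkt["flags"]
        if "S" in flags and "." not in flags:      # bare SYN: this side is the client
            flow["syn"] = True
            flow["client"] = a
        elif "S" in flags and "." in flags:        # SYN/ACK from the server
            flow["synack"] = True
        flow["bytes"][a] += pkt["len"]             # count payload, not headers
    return flows


def stalled_flows(flows):
    """Return (client_ip, client_port, server_ip, server_port) for every flow whose
    handshake completed but whose server side never delivered any payload."""
    stalled = []
    for key, flow in flows.items():
        if not (flow["syn"] and flow["synack"] and flow["client"]):
            continue                               # incomplete or unseen handshake
        client = flow["client"]
        server = key[0] if key[1] == client else key[1]
        if flow["bytes"][server] == 0:
            stalled.append((client[0], client[1], server[0], server[1]))
    return sorted(stalled)


if __name__ == "__main__":
    flows = summarize_flows(SAMPLE_CAPTURE)
    for cip, cport, sip, sport in stalled_flows(flows):
        print(f"stalled: {cip}:{cport} -> {sip}:{sport} (handshake ok, no data from server)")
```

Running the same script over a real dump (`tcpdump -n -i <internal-if> host <client-ip> > dump.txt`, then `summarize_flows(open("dump.txt").read())`) separates the flows that never answer from the background noise the post complains about on the external interface; capturing the same client on both interfaces and comparing which flows stall on each side shows whether the reply data is reaching the router at all or is being lost on its way back to the private client.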