Can't get to 192.168.100.1 from router, but can through it

 
 
tomnykds@comcast.net

 
      12-20-2006, 03:48 AM
Hi,
I've got a linux router I just converted to iptables that works fine
(meaning: local machines can get to each other and the router and out to
the internet, play games, surf the web, etc.) except for connecting to my
cable modem at 192.168.0.1:80. I can get to it from the LAN, just not directly.
pings are blocked as well. It looks like I can get out but the return packets
are getting blocked. What am I screwing up? This can't be that hard.
Oh, tcpdump on eth1 doesn't show anything unless I'm accessing 192.168.100.1
from the LAN.

Thx, Chris

These are the rules I'm using:

#Allow unlimited $CABLEMODEM traffic
/sbin/iptables -A INPUT -i $EXTINT -s $CABLEMODEM -d $IPADDR -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXTINT -s $IPADDR -d $CABLEMODEM -m state --state NEW,ESTABLISHED -j ACCEPT


This is what I get from iptables:

[root@tua512 sysconfig]# /sbin/iptables -L -n -v | egrep "(192.168.100|Chain|bytes)"
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth1 * 192.168.100.1 67.172.126.155 state ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
10 648 ACCEPT all -- * eth1 67.172.126.155 192.168.100.1 state NEW,ESTABLISHED


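A diagnostic helper added here (not code from the thread): it parses `iptables -L -n -v` counter output like the excerpt above and flags a peer the router sends to but never hears back from, which is what the 10-packet OUTPUT hit against zero INPUT hits shows. The sample text is constructed from the posted excerpt; the function and key names are my own.

```python
import re
# Constructed sample input, modelled on the egrep-filtered `iptables -L -n -v`
# excerpt posted in the thread (chain headers plus the two cable-modem rules).
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- eth1 * 192.168.100.1 67.172.126.155 state ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
   10   648 ACCEPT all -- * eth1 67.172.126.155 192.168.100.1 state NEW,ESTABLISHED
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)")
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}  # -v without -x abbreviates counters
def _num(tok):
    """'648' -> 648, '12K' -> 12000; a non-counter token raises ValueError."""
    return int(tok[:-1]) * SUFFIX[tok[-1]] if tok[-1] in SUFFIX else int(tok)

def parse_counters(text):
    """Map chain name -> {policy, policy_pkts, rules[]} from `iptables -L -n -v` text."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):          # user-defined chains show "(N references)"
            m, current = CHAIN_RE.match(line), line.split()[1]
            chains[current] = {"policy": m and m.group(2),
                               "policy_pkts": _num(m.group(3)) if m else 0, "rules": []}
            continue
        f = line.split()
        if current is None or len(f) < 9:
            continue
        try:
            pkts, nbytes = _num(f[0]), _num(f[1])
        except ValueError:
            continue  # the "pkts bytes target ..." column-header line
        chains[current]["rules"].append({
            "pkts": pkts, "bytes": nbytes, "target": f[2], "proto": f[3], "in": f[5],
            "out": f[6], "src": f[7], "dst": f[8], "match": " ".join(f[9:])})
    return chains

def one_way_traffic(chains, peer):
    """Compare packets sent to `peer` (OUTPUT hits) with replies accepted in INPUT.
    one_way with input_policy_drops == 0 means replies never reached the filter table."""
    rules = lambda chain: chains.get(chain, {}).get("rules", [])
    sent = sum(r["pkts"] for r in rules("OUTPUT") if r["dst"] == peer)
    got = sum(r["pkts"] for r in rules("INPUT") if r["src"] == peer)
    return {"sent": sent, "received": got, "one_way": sent > 0 and got == 0,
            "input_policy_drops": chains.get("INPUT", {}).get("policy_pkts", 0)}
```

When the INPUT policy counter is zero as well, the replies are not being dropped by a rule; they are not arriving at the box, which matches tcpdump showing nothing on eth1.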
Clifford Kite

 
      12-20-2006, 03:06 PM
(E-Mail Removed) wrote:
> Hi,
> I've got a linux router I just converted to iptables that works fine
> (meaning: local machines can get to each other and the router and out to
> the internet, play games, surf the web, etc.) except for connecting to my
> cable modem at 192.168.0.1:80. I can get to it from the LAN, just not directly.
> pings are blocked as well. It looks like I can get out but the return packets
> are getting blocked. What am I screwing up? This can't be that hard.
> Oh, tcpdump on eth1 doesn't show anything unless I'm accessing 192.168.100.1
> from the LAN.


> Thx, Chris


> These are the rules I'm using:


> #Allow unlimited $CABLEMODEM traffic
> /sbin/iptables -A INPUT -i $EXTINT -s $CABLEMODEM -d $IPADDR -m state --state ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -o $EXTINT -s $IPADDR -d $CABLEMODEM -m state --state NEW,ESTABLISHED -j ACCEPT


It appears to me that you need to add similar rules to the FORWARD chain
(and make sure IP forwarding is turned on).

> This is what I get from iptables:


> [root@tua512 sysconfig]# /sbin/iptables -L -n -v | egrep "(192.168.100|Chain|bytes)"
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT all -- eth1 * 192.168.100.1 67.172.126.155 state ESTABLISHED
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 10 648 ACCEPT all -- * eth1 67.172.126.155 192.168.100.1 state NEW,ESTABLISHED


--
Clifford Kite
/* I gave up on politics when no matter who I voted for, I regretted it.
* -- Pepper...and Salt, WSJ */
tomnykds@comcast.net

 
      12-20-2006, 06:40 PM
In article <(E-Mail Removed)>,
Clifford Kite <(E-Mail Removed)> writes:

>It appears to me that you need to add similar rules to the FORWARD chain
>(and make sure IP forwarding is turned on).


Well, that doesn't help. These rules are early in the file, right
after #Allow unlimited LAN traffic. The only things above it are
setting policy, (I,O,F: DROP, -t nat PRE,POST,OUT: ACCEPT), MASQ,
and loopback. The weird thing is that the LAN doesn't have a problem
with this address, just directly between the router and modem, which
I didn't think I'd need FORWARD rules for anyway. I added the last
2 rules and it worked. No idea why.

#Allow unlimited $CABLEMODEM traffic
/sbin/iptables -A INPUT -i $EXTINT -s $CABLEMODEM -d $IPADDR -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXTINT -s $IPADDR -d $CABLEMODEM -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o $EXTINT -d $CABLEMODEM -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o $EXTINT -d $CABLEMODEM -j ACCEPT

I'd already tried something similar, but maybe not this exactly.

Thx, Chris
Clifford Kite

 
      12-20-2006, 07:51 PM
(E-Mail Removed) wrote:
> In article <(E-Mail Removed)>,
> Clifford Kite <(E-Mail Removed)> writes:


>>It appears to me that you need to add similar rules to the FORWARD chain
>>(and make sure IP forwarding is turned on).


> Well, that doesn't help. These rules are early in the file, right


Yep, I messed up, guessing when I should have asked for clarification.

> after #Allow unlimited LAN traffic. The only things above it are
> setting policy, (I,O,F: DROP, -t nat PRE,POST,OUT: ACCEPT), MASQ,
> and loopback. The weird thing is that the LAN doesn't have a problem
> with this address, just directly between the router and modem, which
> I didn't think I'd need FORWARD rules for anyway. I added the last
> 2 rules and it worked. No idea why.


> #Allow unlimited $CABLEMODEM traffic
> /sbin/iptables -A INPUT -i $EXTINT -s $CABLEMODEM -d $IPADDR -m state --state ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -o $EXTINT -s $IPADDR -d $CABLEMODEM -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -t nat -A OUTPUT -o $EXTINT -d $CABLEMODEM -j ACCEPT
> /sbin/iptables -t nat -A POSTROUTING -o $EXTINT -d $CABLEMODEM -j ACCEPT


These ACCEPT all OUTPUT/POSTROUTING traffic to CABLEMODEM via EXTINT
in the NAT table, but without NAT'ing it. AIUI, that allows you to
connect to 192.168.0.1:80 (CABLEMODEM, port 80) from the router (OUTPUT)
and from the LAN (POSTROUTING).

> I'd already tried something similar, but maybe not this exactly.


Congrats, you made it this time.

> Thx, Chris


--
Clifford Kite
