Networking Forums

How to diagnose DNS problem?

 
 
cassiope

 
      01-31-2011, 04:04 AM
I have two Debian systems - box 'R' is acting as a firewall (2 NICs,
one to DSL modem, the other to a LAN switch); the other is a user's
box 'U' that needs to connect to the internet. U can connect to R,
and even to boxes on the internet if it doesn't need to do a DNS
lookup. If it does - nothing works. DNS lookup works perfectly if
done from R.

I've experimented with a variety of iptables configurations, but so
far without success. Can anyone suggest methods/programs/tools that
might help diagnose where the DNS lookup is failing?

Thanks for your thoughts!


 
Tauno Voipio

 
      01-31-2011, 06:36 AM
On 31.1.11 7:04 , cassiope wrote:
> I have two Debian systems - box 'R' is acting as a firewall (2 NICs,
> one to DSL modem, the other to a LAN switch); the other is a user's
> box 'U' that needs to connect to the internet. U can connect to R,
> and even to boxes on the internet if it doesn't need to do a DNS
> lookup. If it does - nothing works. DNS lookup works perfectly if
> done from R.
>
> I've experimented with a variety of iptables configurations, but so
> far without success. Can anyone suggest methods/programs/tools that
> might help diagnose where the DNS lookup is failing?
>
> Thanks for your thoughts!



What is the DNS server the U box is set to use?

If the box R gets its DNS setting from the DSL provider
via DHCP, the user box cannot know it. You have two options:

1. Set the provider's DNS at the U box manually

2. Set up a DNS forwarder at the R box.

The alternative 1 is not recommended: if the ISP changes the DNS
server, your user boxes will lose the service.

My recommendation is alternative 2 with dnsmasq. It is easy
to set up and it can provide local network DNS from the
/etc/hosts file of the firewall machine.

--

Tauno Voipio
tauno voipio (at) iki fi


 
cassiope

 
      01-31-2011, 02:59 PM
On Jan 30, 11:36 pm, Tauno Voipio <tauno.voi...@notused.fi.invalid>
wrote:
[snip]

Thanks for the tip, Tauno. I agree with choice #2. Yes, R is DHCP'd
on that NIC. I have tried to set up dnsmasq - so far without success.
The other NIC (192.168.x.x) has a fixed IP, as is U.

My guess is that iptables is not working on one or both machines. But
I haven't been able to figure out where that is.

What's really annoying is that this worked at one time - but so many
changes ago that it's hopeless trying to determine what changed.
 
Marc Haber

 
      01-31-2011, 03:11 PM
cassiope <(E-Mail Removed)> wrote:
>I have two Debian systems - box 'R' is acting as a firewall (2 NICs,
>one to DSL modem, the other to a LAN switch); the other is a user's
>box 'U' that needs to connect to the internet. U can connect to R,
>and even to boxes on the internet if it doesn't need to do a DNS
>lookup. If it does - nothing works. DNS lookup works perfectly if
>done from R.


Does R run a DNS server? Does R do NAT? Which IP ranges are in use on
the internal and the external network? What is in R's and U's
/etc/resolv.conf?

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
 
Tauno Voipio

 
      01-31-2011, 03:40 PM
On 31.1.11 5:59 , cassiope wrote:
>
> Thanks for the tip, Tauno. I agree with choice #2. Yes, R is DHCP'd
> on that NIC.
> I have tried to set up dnsmasq - so far without success. The other
> NIC (192.168.x.x)
> has a fixed IP, as is U.


OK. Let's go and diagnose; we can skip the guessing.

Please post the outputs of the following commands (as root) run on U:

- iptables -nvL
- ifconfig -a
- route -n

If you feel uncomfortable posting the full IP addresses, you
can mess up the address on the ADSL line, but please do not
touch the 192.168.x.y addresses; they are by definition in
use in so many places that the true values do not pose a threat
to your privacy.

--

Tauno Voipio
tauno voipio (at) iki fi
 
cassiope

 
      02-01-2011, 04:33 AM
On Jan 31, 8:40 am, Tauno Voipio <tauno.voi...@notused.fi.invalid>
wrote:
> On 31.1.11 5:59 , cassiope wrote:
>
> > Thanks for the tip, Tauno. I agree with choice #2. Yes, R is DHCP'd
> > on that NIC.
> > I have tried to set up dnsmasq - so far without success. The other
> > NIC (192.168.x.x)
> > has a fixed IP, as is U.
>
> OK. Let's go to diagnose, we can skip guessing.
>
> Please post the outputs of following commands (as root) run in U:
>
> - iptables -nvL
> - ifconfig -a
> - route -n

BTW one new factoid: I ran tcpdump on R - it shows a query
if I try a 'ping www.google.com' from U:

21:03:51.686432 IP grebe.aves.net.56888 > puffin.aves.net.domain: 10794+ A? www.google.com. (32)
21:03:56.691032 IP grebe.aves.net.52556 > puffin.aves.net.domain: 61233+ A? www.google.com. (32)

where U is grebe, R is puffin. And /var/run/dnsmasq/resolv.conf has:

nameserver 192.168.1.1
nameserver x.x.x.x
nameserver x.x.x.x+1

> If you feel uncomfortable to post the full IP addresses, you
> can mess up the address on the ADSL line, but please do not
> touch the 192.168.x.y -addresses, they are by definition in
> use in so many places that the true values do not pose a threat
> to your privacy.


Yes, of course. For 'U' iptables:

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 192.168.0.0/24 192.168.0.0/24
0 0 ACCEPT all -- lo * 127.0.0.0/24 127.0.0.0/24
0 0 DROP udp -- * * 192.168.0.1 192.168.0.255 udp spt:520 dpt:520
0 0 ACCEPT udp -- * * 192.168.0.0/24 192.168.0.1 udp dpt:53
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.0.0/16 tcp spts:111:113
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.0.0/16 tcp dpts:111:113
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.0.0/24 tcp spts:137:139
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.0.0/24 tcp dpts:137:139
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.0.0/24 tcp spt:445
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.0.0/24 tcp dpt:445
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.0.0/24 tcp spt:524
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.0.0/24 tcp dpt:524
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.0.0/24 tcp spt:631
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.0.0/24 tcp dpt:631
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.0.0/24 tcp spt:967
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.0.0/24 tcp dpt:967
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.0.0/24 tcp spt:2049
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.0.0/24 tcp dpt:2049
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.0.0/24 tcp spt:5432
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.0.0/24 tcp dpt:5432
12 2011 ACCEPT all -- eth0 * 192.168.0.0/24 0.0.0.0/0
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
0 0 drop-and-log-it all -- eth0 * 192.168.0.0/24 0.0.0.0/0
4 336 ACCEPT all -- eth0 * 0.0.0.0/0 192.168.0.4

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy DROP 1 packets, 40 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 192.168.0.0/24 192.168.0.0/24
0 0 ACCEPT all -- * lo 127.0.0.0/24 127.0.0.0/24
0 0 DROP tcp -- * * 192.168.0.0/16 0.0.0.0/0 tcp spts:111:113
0 0 DROP tcp -- * * 192.168.0.0/16 0.0.0.0/0 tcp dpts:111:113
0 0 DROP tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp spts:137:139
0 0 DROP tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpts:137:139
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
8 534 ACCEPT all -- * eth0 192.168.0.4 192.168.0.0/24
0 0 ACCEPT all -- * eth0 192.168.0.0/24 192.168.0.0/24
15 2175 ACCEPT all -- * eth0 192.168.0.4 0.0.0.0/0

Chain drop-and-log-it (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

----------------------------
Note: not sure why nothing appears for FORWARD
For ifconfig:
----------------------------
eth0 Link encap:Ethernet HWaddr 00:10:a4:0d:65:87
inet addr:192.168.0.4 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:110 errors:0 dropped:0 overruns:0 frame:0
TX packets:106 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:13056 (12.7 KiB) TX bytes:13285 (12.9 KiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:20 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1492 (1.4 KiB) TX bytes:1492 (1.4 KiB)
----------------------------
and route -n:
---------------------------
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.0.3 0.0.0.0 UG 0 0 0 eth0

=========================
R's firewall is more complicated, I'll trim it slightly
-------------------------------
Chain INPUT (policy DROP 20 packets, 2182 bytes)
pkts bytes target prot opt in out source destination
1097 183K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
9 756 PingInL icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 PingInX icmp -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 192.168.0.0/16 192.168.0.50
0 0 ACCEPT all -- * * 192.168.0.50 192.168.0.0/16
0 0 ACCEPT all -- * * 192.168.0.0/16 192.168.0.42
0 0 ACCEPT all -- * * 192.168.0.42 192.168.0.0/16
132K 191M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 DROP all -- eth1 * 0.0.0.0/7 0.0.0.0/0
231 16592 DROP all -- eth1 * 192.168.0.0/16 0.0.0.0/0
0 0 ACCEPT udp -- eth1 * x.x.x.x 192.168.1.33 udp spt:53 dpts:1024:65535
0 0 ACCEPT tcp -- eth1 * x.x.x.x 192.168.1.33 tcp spt:53 dpts:1024:65535 flags:!0x17/0x02
0 0 ACCEPT udp -- eth1 * x.x.x.x+1 192.168.1.33 udp spt:53 dpts:1024:65535
0 0 ACCEPT tcp -- eth1 * x.x.x.x+1 192.168.1.33 tcp spt:53 dpts:1024:65535 flags:!0x17/0x02
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.33 tcp spt:25 dpts:1024:65535 flags:!0x17/0x02
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.33 tcp spts:1024:65535 dpt:25 state NEW
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.33 tcp spts:1024:65535 dpt:25
0 0 ACCEPT tcp -- eth1 * 192.168.0.0/16 192.168.1.33 tcp spt:110 dpts:1024:65535 flags:!0x17/0x02
0 0 ACCEPT tcp -- eth1 * 192.168.0.0/16 192.168.1.33 tcp spt:110 dpts:1024:65535 flags:!0x17/0x02
0 0 ACCEPT tcp -- eth0 * 192.168.0.0/16 192.168.0.3 tcp spt:22 dpts:1024:65535 flags:!0x17/0x02
0 0 ACCEPT tcp -- eth1 * 192.168.0.0/16 192.168.1.33 tcp spt:22 dpts:1024:65535 flags:!0x17/0x02
0 0 ACCEPT tcp -- eth0 * 192.168.0.0/16 192.168.0.3 tcp spt:22 dpts:1024:65535 flags:!0x17/0x02
0 0 ACCEPT tcp -- eth1 * 192.168.0.0/16 192.168.1.33 tcp spt:22 dpts:1024:65535 flags:!0x17/0x02
0 0 ACCEPT tcp -- eth1 * 192.168.0.0/16 192.168.1.33 tcp spts:1024:65535 dpt:22 state NEW
1 60 ACCEPT tcp -- eth0 * 192.168.0.0/16 192.168.0.3 tcp spts:1024:65535 dpt:22 state NEW
0 0 ACCEPT tcp -- eth1 * 192.168.0.0/16 192.168.1.33 tcp spts:1024:65535 dpt:22
0 0 ACCEPT tcp -- eth0 * 192.168.0.0/16 192.168.0.3 tcp spts:1024:65535 dpt:22
0 0 ACCEPT tcp -- eth1 * 192.168.0.0/16 192.168.1.33 tcp spts:1024:65535 dpt:22 state NEW
0 0 ACCEPT tcp -- eth0 * 192.168.0.0/16 192.168.0.3 tcp spts:1024:65535 dpt:22 state NEW
0 0 ACCEPT tcp -- eth1 * 192.168.0.0/16 192.168.1.33 tcp spts:1024:65535 dpt:22
0 0 ACCEPT tcp -- eth0 * 192.168.0.0/16 192.168.0.3 tcp spts:1024:65535 dpt:22
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.33 tcp spt:21 dpts:1024:65535 flags:!0x17/0x02
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.33 tcp spt:20 dpts:1024:65535
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.33 tcp spts:1024:65535 dpts:1024:65535 flags:!0x17/0x02
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.33 multiport sports 80,8021,8080,8888,9673 tcp dpts:1024:65535 flags:!0x17/0x02
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.33 multiport sports 443,4030 tcp dpts:1024:65535 flags:!0x17/0x02
0 0 HTTPIn tcp -- eth1 * 0.0.0.0/0 192.168.1.33 multiport dports 80,9673
0 0 HttpSIn tcp -- eth1 * 0.0.0.0/0 192.168.1.33 tcp dpt:443
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.33 multiport sports 43,4321 tcp dpts:1024:65535 flags:!0x17/0x02
0 0 NTPIn tcp -- eth1 * 0.0.0.0/0 192.168.1.33 tcp dpt:123
0 0 NTPIn udp -- eth1 * 0.0.0.0/0 192.168.1.33 udp dpt:123
0 0 LOG tcp -- eth1 * 0.0.0.0/0 192.168.1.33 tcp dpts:0:1023 LOG flags 0 level 4 prefix `BLOCKED '
0 0 LOG udp -- eth1 * 0.0.0.0/0 192.168.1.33 udp dpts:0:1023 LOG flags 0 level 4 prefix `BLOCKED '

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4 336 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
4 336 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 92 packets, 6357 bytes)
pkts bytes target prot opt in out source destination
1097 183K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
9 756 PingOutL icmp -- * eth0 0.0.0.0/0 0.0.0.0/0
33 11126 PingOutX icmp -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 192.168.0.0/16 192.168.0.50
0 0 ACCEPT all -- * * 192.168.0.50 192.168.0.0/16
0 0 ACCEPT all -- * * 192.168.0.0/16 192.168.0.42
0 0 ACCEPT all -- * * 192.168.0.42 192.168.0.0/16
78605 5570K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
103 5296 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
456 29418 ACCEPT udp -- * eth1 192.168.1.33 x.x.x.x udp spts:1024:65535 dpt:53 state NEW
0 0 ACCEPT udp -- * eth1 192.168.1.33 x.x.x.x udp spts:1024:65535 dpt:53
0 0 ACCEPT tcp -- * eth1 192.168.1.33 x.x.x.x tcp spts:1024:65535 dpt:53
128 8295 ACCEPT udp -- * eth1 192.168.1.33 x.x.x.x+1 udp spts:1024:65535 dpt:53 state NEW
0 0 ACCEPT udp -- * eth1 192.168.1.33 x.x.x.x+1 udp spts:1024:65535 dpt:53
0 0 ACCEPT tcp -- * eth1 192.168.1.33 x.x.x.x+1 tcp spts:1024:65535 dpt:53
0 0 DbConnOut tcp -- * * 192.168.1.33 0.0.0.0/0 tcp spt:5432 dpts:1024:65535
0 0 DbConnOut tcp -- * * 192.168.1.33 0.0.0.0/0 tcp spt:113 dpts:1024:65535
0 0 DbConnOut tcp -- * * 192.168.1.33 0.0.0.0/0 tcp spts:1024:65535 dpt:113
0 0 ACCEPT tcp -- * eth1 192.168.1.33 0.0.0.0/0 tcp spts:1024:65535 dpt:25 state NEW
0 0 ACCEPT tcp -- * eth1 192.168.1.33 0.0.0.0/0 tcp spts:1024:65535 dpt:25
0 0 ACCEPT tcp -- * eth1 192.168.1.33 0.0.0.0/0 tcp spt:25 dpts:1024:65535 flags:!0x17/0x02
0 0 ACCEPT tcp -- * eth1 192.168.1.33 192.168.0.0/16 tcp spts:1024:65535 dpt:110 state NEW
0 0 ACCEPT tcp -- * eth1 192.168.1.33 192.168.0.0/16 tcp spts:1024:65535 dpt:110
0 0 ACCEPT tcp -- * eth1 192.168.1.33 192.168.0.0/16 tcp spts:1024:65535 dpt:110 state NEW
0 0 ACCEPT tcp -- * eth1 192.168.1.33 192.168.0.0/16 tcp spts:1024:65535 dpt:110
0 0 ACCEPT tcp -- * eth1 192.168.1.33 192.168.0.0/16 tcp spts:1024:65535 dpt:22 state NEW
1 60 ACCEPT tcp -- * eth0 192.168.0.3 192.168.0.0/16 tcp spts:1024:65535 dpt:22 state NEW
0 0 ACCEPT tcp -- * eth1 192.168.1.33 192.168.0.0/16 tcp spts:1024:65535 dpt:22
0 0 ACCEPT tcp -- * eth0 192.168.0.3 192.168.0.0/16 tcp spts:1024:65535 dpt:22
0 0 ACCEPT tcp -- * eth1 192.168.1.33 192.168.0.0/16 tcp spts:1024:65535 dpt:22 state NEW
0 0 ACCEPT tcp -- * eth0 192.168.0.3 192.168.0.0/16 tcp spts:1024:65535 dpt:22 state NEW
0 0 ACCEPT tcp -- * eth1 192.168.1.33 192.168.0.0/16 tcp spts:1024:65535 dpt:22
0 0 ACCEPT tcp -- * eth0 192.168.0.3 192.168.0.0/16 tcp spts:1024:65535 dpt:22
0 0 ACCEPT tcp -- * eth1 192.168.1.33 192.168.0.0/16 tcp spt:22 dpts:1024:65535 flags:!0x17/0x02
0 0 ACCEPT tcp -- * eth0 192.168.0.3 192.168.0.0/16 tcp spt:22 dpts:1024:65535 flags:!0x17/0x02
0 0 ACCEPT tcp -- * eth1 192.168.1.33 192.168.0.0/16 tcp spt:22 dpts:1024:65535 flags:!0x17/0x02
0 0 ACCEPT tcp -- * eth0 192.168.0.3 192.168.0.0/16 tcp spt:22 dpts:1024:65535 flags:!0x17/0x02
0 0 ACCEPT tcp -- * eth1 192.168.1.33 0.0.0.0/0 tcp spts:1024:65535 dpt:21 state NEW
0 0 ACCEPT tcp -- * eth1 192.168.1.33 0.0.0.0/0 tcp spts:1024:65535 dpt:21
0 0 ACCEPT tcp -- * eth1 192.168.1.33 0.0.0.0/0 tcp spts:1024:65535 dpt:20 flags:!0x17/0x02
0 0 ACCEPT tcp -- * eth1 192.168.1.33 0.0.0.0/0 tcp spts:1024:65535 dpts:1024:65535
317 19020 ACCEPT tcp -- * eth1 192.168.1.33 0.0.0.0/0 tcp spts:1024:65535 multiport dports 80,8021,8080,8888,9673 state NEW
0 0 ACCEPT tcp -- * eth1 192.168.1.33 0.0.0.0/0 tcp spts:1024:65535 multiport dports 80,8021,8080,8888,9673
16 960 ACCEPT tcp -- * eth1 192.168.1.33 0.0.0.0/0 tcp spts:1024:65535 multiport dports 443,4030 state NEW
0 0 ACCEPT tcp -- * eth1 192.168.1.33 0.0.0.0/0 tcp spts:1024:65535 multiport dports 443,4030
0 0 HTTPOut tcp -- * eth1 192.168.1.33 0.0.0.0/0 tcp spt:80 flags:!0x17/0x02
0 0 HTTPOut tcp -- * eth1 192.168.1.33 0.0.0.0/0 tcp spt:9673 flags:!0x17/0x02
0 0 HttpSOut tcp -- * eth1 192.168.1.33 0.0.0.0/0 tcp spt:443 flags:!0x17/0x02
0 0 ACCEPT tcp -- * eth1 192.168.1.33 0.0.0.0/0 tcp spts:1024:65535 multiport dports 43,4321 state NEW
0 0 ACCEPT tcp -- * eth1 192.168.1.33 0.0.0.0/0 tcp spts:1024:65535 multiport dports 43,4321
0 0 NTPOut tcp -- * eth1 192.168.1.33 0.0.0.0/0 tcp spt:123
20 1520 NTPOut udp -- * eth1 192.168.1.33 0.0.0.0/0 udp spt:123
0 0 ACCEPT udp -- * eth1 192.168.1.33 0.0.0.0/0 udp spts:32769:65535 dpts:33434:33523
92 6357 LOG all -- * eth1 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `BLOCKED '

Chain PingInL (1 references)
pkts bytes target prot opt in out source destination
9 756 ACCEPT icmp -- * * 192.168.0.0/16 192.168.0.3

Chain PingInX (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG icmp -f eth1 * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `BLOCKED [icmp-a]'
0 0 LOG icmp -f eth0 * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `BLOCKED [icmp-a]'
0 0 DROP icmp -f eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- eth1 * 0.0.0.0/0 192.168.1.33 icmp type 4
0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 192.168.0.3 icmp type 4
0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 192.168.0.3 icmp type 12
0 0 ACCEPT icmp -- eth1 * 0.0.0.0/0 192.168.1.33 icmp type 12
0 0 ACCEPT icmp -- eth1 * 0.0.0.0/0 192.168.1.33 icmp type 3
0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 192.168.0.3 icmp type 3
0 0 ACCEPT icmp -- eth1 * 0.0.0.0/0 192.168.1.33 icmp type 11
0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 192.168.0.3 icmp type 11
0 0 ACCEPT icmp -- eth1 * 0.0.0.0/0 192.168.1.33 icmp type 0
0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 192.168.0.3 icmp type 0

Chain PingOutL (1 references)
pkts bytes target prot opt in out source destination
9 756 ACCEPT icmp -- * * 192.168.0.3 192.168.0.0/16

Chain PingOutX (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG icmp -f * eth1 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `BLOCKED [icmp-b]'
0 0 LOG icmp -f * eth0 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `BLOCKED [icmp-b]'
0 0 DROP icmp -f * eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * eth1 192.168.1.33 0.0.0.0/0 icmp type 4
0 0 ACCEPT icmp -- * eth0 192.168.0.3 0.0.0.0/0 icmp type 4
0 0 ACCEPT icmp -- * eth1 192.168.1.33 0.0.0.0/0 icmp type 12
0 0 ACCEPT icmp -- * eth0 192.168.0.3 0.0.0.0/0 icmp type 12
0 0 ACCEPT icmp -- * eth1 192.168.1.33 0.0.0.0/0 icmp type 3 code 4
0 0 ACCEPT icmp -- * eth0 192.168.0.3 0.0.0.0/0 icmp type 3 code 4
33 11126 LOG icmp -- * eth1 192.168.1.33 0.0.0.0/0 icmp type 3 LOG flags 0 level 4 prefix `BLOCKED [icmp-b]'
0 0 LOG icmp -- * eth0 192.168.0.3 0.0.0.0/0 icmp type 3 LOG flags 0 level 4 prefix `BLOCKED [icmp-b]'
0 0 ACCEPT icmp -- * eth1 192.168.1.33 0.0.0.0/0 icmp type 8 state NEW
0 0 ACCEPT icmp -- * eth0 192.168.0.3 0.0.0.0/0 icmp type 8 state NEW
0 0 ACCEPT icmp -- * eth1 192.168.1.33 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- * eth0 192.168.0.3 0.0.0.0/0 icmp type 8

----------------------------
Whew! At least the FORWARD (which I'd opened up in my attempts)
prints...
ifconfig: {eth0 is internal, eth1 is to DSL modem}
-------------------------
eth0 Link encap:Ethernet HWaddr 6c:f0:49:08:0a:40
inet addr:192.168.0.3 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:145 errors:0 dropped:0 overruns:0 frame:0
TX packets:130 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:25649 (25.0 KiB) TX bytes:15172 (14.8 KiB)
Interrupt:17 Base address:0xe000

eth1 Link encap:Ethernet HWaddr 00:60:08:ad:ec:57
inet addr:192.168.1.33 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:131808 errors:0 dropped:0 overruns:0 frame:0
TX packets:79498 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:192699890 (183.7 MiB) TX bytes:6764937 (6.4 MiB)
Interrupt:18 Base address:0xcf00

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1101 errors:0 dropped:0 overruns:0 frame:0
TX packets:1101 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:184020 (179.7 KiB) TX bytes:184020 (179.7 KiB)

-------------------------------
route -n
----------------------------

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth1

---------------------------
Tauno (or anyone else), if you're still with me, ---- wow! Thanks for
your efforts. I hadn't expected you to wade through all of this - just
hoped to learn enough so that I could diagnose it myself. Any clues
would be appreciated! Thanks!

Tauno Voipio

 
      02-01-2011, 06:31 AM
On 1.2.11 7:33 , cassiope wrote:
> On Jan 31, 8:40 am, Tauno Voipio<tauno.voi...@notused.fi.invalid>
> wrote:
>> On 31.1.11 5:59 , cassiope wrote:
>>
>>

> BTW one new factoid: I ran tcpdump on R - it shows a query
> if I try a 'ping www.google com' from U:
>
> 21:03:51.686432 IP grebe.aves.net.56888 > puffin.aves.net.domain: 10794+ A? www.google.com. (32)
> 21:03:56.691032 IP grebe.aves.net.52556 > puffin.aves.net.domain: 61233+ A? www.google.com. (32)
>
> where U is grebe, R is puffin. And /var/run/dnsmasq/resolv.conf has:


You should have done this with tcpdump -n, to make it not necessary
to guess the local net names. Anyway, this shows that the DNS query
is getting nowhere.

> nameserver 192.168.1.1


Which is this computer? It should be the IP of the
computer having dnsmasq. (Maybe 192.168.0.3, which
seems to be the default router).

> nameserver x.x.x.x
> nameserver x.x.x.x+1


You should need no other name servers if the local
nameserver is working.

> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 0.0.0.0 192.168.0.3 0.0.0.0 UG 0 0 0 eth0
>
> =========================
> R's firewall is more complicated, I'll trim it slightly
> -------------------------------


IMHO, it is far too complicated, plenty clipped:

> 192.168.1.33 udp spt:53 dpts:1024:65535
> 0 0 ACCEPT tcp -- eth1 * x.x.x.x


If I read correctly, the own address of R is 192.168.1.33. It will
never send anything into that address, all traffic will be sent
via the loopback interface, 127.0.0.1. These rules will not
be matched.

It may be that you have locked yourself out of accessing any
UDP/53 servers.

>
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
> 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth1


It seems to me that the DSL modem is at 192.168.1.1 and it is handling
the NAT to the ISP's network, right?

To continue diagnosing, take a tcpdump -n on both interfaces in the
router while attempting the ping again. You could use ping -n to
prevent extra name server requests from the client.

Also, make a similar ping from the router and have a look at the
tcpdump -n output.

--

Heads up, you'll solve this
Tauno Voipio
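Tauno's reading of R's INPUT chain (rules aimed at R's own external address that nothing will ever match, and possibly no rule at all for the UDP/53 queries arriving from the LAN) can be checked mechanically instead of by eye. The script below is an added example, written for this page and not code from cassiope, Tauno or any project: it parses `iptables -nvL` output and walks the INPUT chain first-match style for one packet, a NEW UDP query from U (192.168.0.4) to port 53 on R's inner address (192.168.0.3, arriving on eth0), the exact packet that the tcpdump on R showed arriving. The rule dump embedded in it is constructed, modelled on the INPUT chain cassiope posted but shortened, with the ISP resolver x.x.x.x replaced by the documentation address 198.51.100.1; a second copy adds the one ACCEPT rule the LAN resolver traffic needs so the difference is visible. The function and variable names are mine. The walker decodes only dpt/dpts, multiport dports and state; tcp flag matches and other options are ignored, so it is a diagnostic aid, not a replacement for reading the rules.

```python
"""Walk an `iptables -nvL` dump for one packet the way the kernel does:
the first matching terminal rule wins, otherwise the chain policy applies."""
import ipaddress
import re
import sys

CHAIN_HDR = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_dump(text):
    """{chain: {"policy": str or None, "rules": [...]}} from `iptables -nvL` text.
    Columns: pkts bytes target prot opt in out source destination [options]."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        hdr = CHAIN_HDR.match(line)
        if hdr:
            current = hdr.group(1)
            chains[current] = {"policy": hdr.group(2), "rules": []}
            continue
        if not line or line.startswith("pkts") or current is None:
            continue
        t = line.split()
        rule = {"target": t[2], "proto": t[3], "in": t[5], "out": t[6], "src": t[7],
                "dst": t[8], "dport": None, "dports": None, "state": None, "raw": line}
        opts = t[9:]
        for i, tok in enumerate(opts):
            if tok.startswith("dpt:"):
                rule["dport"] = (int(tok[4:]), int(tok[4:]))
            elif tok.startswith("dpts:"):
                lo, hi = tok[5:].split(":")
                rule["dport"] = (int(lo), int(hi))
            elif tok == "dports":                        # multiport dports a,b,c
                rule["dports"] = {int(p) for p in opts[i + 1].split(",")}
            elif tok == "state":
                rule["state"] = set(opts[i + 1].split(","))
        chains[current]["rules"].append(rule)
    return chains


def matches(rule, pkt):
    """True when every decoded match of `rule` accepts `pkt`."""
    if rule["proto"] not in ("all", pkt["proto"]) or rule["in"] not in ("*", pkt.get("in")):
        return False
    if rule["out"] not in ("*", pkt.get("out")):
        return False
    for side in ("src", "dst"):                          # CIDR match on both addresses
        if ipaddress.ip_address(pkt[side]) not in ipaddress.ip_network(rule[side], strict=False):
            return False
    dport = pkt.get("dport")
    if rule["dport"] and (dport is None or not rule["dport"][0] <= dport <= rule["dport"][1]):
        return False
    if rule["dports"] and dport not in rule["dports"]:
        return False
    return not rule["state"] or pkt.get("state") in rule["state"]


def verdict(chains, chain, pkt):
    """First-match walk of `chain`. Returns (verdict, rule); rule is None when the
    policy decided, verdict is None when a user chain fell through to its caller."""
    for rule in chains[chain]["rules"]:
        if not matches(rule, pkt):
            continue
        if rule["target"] in TERMINAL:
            return rule["target"], rule
        if rule["target"] == "RETURN":
            break
        if rule["target"] in chains:                     # jump into a user-defined chain
            v, r = verdict(chains, rule["target"], pkt)
            if v is not None:
                return v, r
        # LOG and other non-terminal targets: keep walking
    return chains[chain]["policy"], None


# Constructed dump modelled on the INPUT chain posted for R (shortened; the ISP
# resolver x.x.x.x is replaced by the documentation address 198.51.100.1).
R_INPUT_AS_POSTED = """\
Chain INPUT (policy DROP 20 packets, 2182 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1097  183K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    9   756 PingInL    icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0
 132K  191M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
  231 16592 DROP       all  --  eth1   *       192.168.0.0/16       0.0.0.0/0
    0     0 ACCEPT     udp  --  eth1   *       198.51.100.1         192.168.1.33         udp spt:53 dpts:1024:65535
    1    60 ACCEPT     tcp  --  eth0   *       192.168.0.0/16       192.168.0.3          tcp spts:1024:65535 dpt:22 state NEW
    0     0 LOG        udp  --  eth1   *       0.0.0.0/0            192.168.1.33         udp dpts:0:1023 LOG flags 0 level 4 prefix `BLOCKED '

Chain PingInL (1 references)
 pkts bytes target     prot opt in     out     source               destination
    9   756 ACCEPT     icmp --  *      *       192.168.0.0/16       192.168.0.3
"""
# The same chain with the one rule LAN resolver traffic needs, inserted before the LOG rule.
DNS_ACCEPT = "    0     0 ACCEPT     udp  --  eth0   *       192.168.0.0/24       192.168.0.3          udp dpt:53\n"
R_INPUT_WITH_DNS_RULE = R_INPUT_AS_POSTED.replace("    0     0 LOG", DNS_ACCEPT + "    0     0 LOG", 1)

# The packet tcpdump saw on R: a fresh UDP query from U to the dnsmasq port on R's inner address.
U_QUERY = {"proto": "udp", "in": "eth0", "src": "192.168.0.4", "dst": "192.168.0.3", "dport": 53, "state": "NEW"}
LAN_PING = {"proto": "icmp", "in": "eth0", "src": "192.168.0.4", "dst": "192.168.0.3", "dport": None, "state": "NEW"}


def dns_reaches_resolver(dump, pkt=U_QUERY):
    """Does the INPUT chain in `dump` let the LAN DNS query through to the local resolver?"""
    return verdict(parse_dump(dump), "INPUT", pkt)[0] == "ACCEPT"


if __name__ == "__main__":
    dump = R_INPUT_AS_POSTED if sys.stdin.isatty() else sys.stdin.read()
    v, rule = verdict(parse_dump(dump), "INPUT", U_QUERY)
    print(v, "by chain policy" if rule is None else "by rule: " + rule["raw"])
```

Run as `iptables -nvL | python3 walk_input.py` on the firewall to test the real chain. A verdict of DROP by policy for the udp/53 packet is the silent case: the query reaches R's kernel (which is exactly what the tcpdump showed) and vanishes without a log line, because the only LOG rules in the posted chain are bound to eth1. If the resolver is expected to fall back to TCP for large answers, the same check with `"proto": "tcp"` tells you whether a tcp/53 rule is needed as well.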
 
cassiope

 
      02-02-2011, 03:11 PM
On Jan 31, 11:31 pm, Tauno Voipio <tauno.voi...@notused.fi.invalid>
wrote:
[snip]


More later. Last night, as I started to test, I found that I had NO
internet at all. At first I thought it was some stupidity that I'd
wreaked on R's iptables set. Nope, something was amiss with the DSL.
It's functional this morning, but no time to work on it now... will
try again tonight. Thanks again, Tauno!
 
cassiope

 
      02-03-2011, 03:49 AM
On Jan 31, 11:31 pm, Tauno Voipio <tauno.voi...@notused.fi.invalid>
wrote:
[snip]
>
> It seems to me that the DSL modem is at 192.168.1.1 and it is handling
> the NAT to the ISP's network, right?
>

Ah, reversed - 192.168.1.33 is the modem, 192.168.1.1 is R's NIC.

> To continue diagnosing, take a tcpdump -n on both interfaces in the
> router while attempting the ping again. You could use ping -n to
> prevent extra name server requests from the client.
>
> Also, make a similar ping from the router and have a look at the
> tcpdump -n output.


Pinging www.debian.org from R (probably 3 pings)
20:32:22.578913 IP 192.168.1.1.520 > 192.168.1.255.520: RIPv2, Response, length: 44
20:32:27.141783 IP 192.168.1.33.14163 > x.x.x.x.53: 64351+ A? www.debian.org. (32)
20:32:27.141812 IP 192.168.1.33.14163 > x.x.x.x+1.53: 64351+ A? www.debian.org. (32)
20:32:27.377433 IP x.x.x.x+1.53 > 192.168.1.33.14163: 64351 2/3/0 A 128.31.0.51, A 206.12.19.7 (121)
20:32:27.377761 IP 192.168.1.33 > 128.31.0.51: ICMP echo request, id 10269, seq 1, length 64
20:32:27.387250 IP x.x.x.x.53 > 192.168.1.33.14163: 64351 2/3/0 A 206.12.19.7, A 128.31.0.51 (121)
20:32:27.387320 IP 192.168.1.33 > x.x.x.x: ICMP 192.168.1.33 udp port 14163 unreachable, length 157
20:32:27.503533 IP 128.31.0.51 > 192.168.1.33: ICMP echo reply, id 10269, seq 1, length 64
20:32:27.503782 IP 192.168.1.33.30405 > x.x.x.x+1.53: 9070+ PTR? 51.0.31.128.in-addr.arpa. (42)
20:32:27.843229 IP x.x.x.x+1.53 > 192.168.1.33.30405: 9070 1/4/1 PTR senfl.debian.org. (196)
20:32:28.379009 IP 192.168.1.33 > 128.31.0.51: ICMP echo request, id 10269, seq 2, length 64
20:32:28.506343 IP 128.31.0.51 > 192.168.1.33: ICMP echo reply, id 10269, seq 2, length 64
20:32:29.380544 IP 192.168.1.33 > 128.31.0.51: ICMP echo request, id 10269, seq 3, length 64
20:32:29.507287 IP 128.31.0.51 > 192.168.1.33: ICMP echo reply, id 10269, seq 3, length 64
20:32:52.573972 IP 192.168.1.1.520 > 192.168.1.255.520: RIPv2, Response, length: 44

But from U - there is at most:
20:33:22.569018 IP 192.168.1.1.520 > 192.168.1.255.520: RIPv2, Response, length: 44
(these seem to occur without any activity also)


Thanks for your consideration...
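Tauno's test (tcpdump -n on R while U pings, then the same ping from R itself) comes down to one question per capture: does each DNS query ID get a reply back to the client port that sent it? In the capture from R above, 64351 and 9070 are both answered; in the earlier capture of U's queries, 10794 and 61233 never are. The script below is an added example, written for this page and not code from cassiope, Tauno or any project: it reads tcpdump -n lines in the one-line form shown in this thread, pairs queries with responses by (client address, client port, query ID), and lists the queries that got nothing back. The two captures embedded in it are constructed, modelled on the ones posted above, with the ISP resolvers' x.x.x.x and x.x.x.x+1 replaced by the documentation addresses 198.51.100.1 and 198.51.100.2 and the LAN names replaced by the addresses -n would print. Lines that are not UDP DNS (the RIPv2 broadcasts, the ICMP port-unreachable, the echo requests) are skipped. The function names are mine.

```python
"""Pair DNS queries with their responses in `tcpdump -n` output."""
import re
import sys
from collections import OrderedDict

# One tcpdump -n line for UDP DNS:  <time> IP <src>.<sport> > <dst>.<dport>: <id>[flags] <rest>
DNS_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<id>\d+)(?P<flags>[+*$|-]*) (?P<rest>.*)$")
QUERY = re.compile(r"^(?P<qtype>[A-Z0-9]+)\? (?P<name>\S+)")    # "A? www.debian.org. (32)"
RESPONSE = re.compile(r"^(?:\S+ )?\d+/\d+/\d+")                   # "2/3/0 A ..." or "NXDomain 0/1/0 ..."


def pair_dns(lines):
    """Ordered map (client, client_port, id) -> {"name", "servers", "answered"}."""
    exchanges = OrderedDict()
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue                                  # RIPv2, ICMP, ARP, TCP ...: not a UDP DNS message
        q = QUERY.match(m["rest"])
        if m["dport"] == "53" and q:
            key = (m["src"], m["sport"], m["id"])
            ex = exchanges.setdefault(key, {"name": q["name"], "servers": [], "answered": False})
            ex["servers"].append(m["dst"])            # a resolver may retry another server with the same id
        elif m["sport"] == "53" and RESPONSE.match(m["rest"]):
            key = (m["dst"], m["dport"], m["id"])     # response is addressed back to the querying port
            if key in exchanges:
                exchanges[key]["answered"] = True
    return exchanges


def unanswered(lines):
    """[(client, name), ...] for queries that never saw a matching response."""
    return [(k[0], v["name"]) for k, v in pair_dns(lines).items() if not v["answered"]]


def report(lines):
    """One summary line per query id."""
    out = []
    for (client, port, qid), v in pair_dns(lines).items():
        status = "answered" if v["answered"] else "NO RESPONSE"
        out.append(f"{client}:{port} id {qid} {v['name']} -> {', '.join(v['servers'])}: {status}")
    return out


# Constructed capture on R's inner interface while U pings (modelled on the thread; U=192.168.0.4, R=192.168.0.3).
CAPTURE_R_ETH0 = """\
21:03:51.686432 IP 192.168.0.4.56888 > 192.168.0.3.53: 10794+ A? www.google.com. (32)
21:03:56.691032 IP 192.168.0.4.52556 > 192.168.0.3.53: 61233+ A? www.google.com. (32)
"""
# Constructed capture on R's outer interface while R itself pings (ISP resolvers -> 198.51.100.1/2).
CAPTURE_R_ETH1 = """\
20:32:22.578913 IP 192.168.1.1.520 > 192.168.1.255.520: RIPv2, Response, length: 44
20:32:27.141783 IP 192.168.1.33.14163 > 198.51.100.1.53: 64351+ A? www.debian.org. (32)
20:32:27.141812 IP 192.168.1.33.14163 > 198.51.100.2.53: 64351+ A? www.debian.org. (32)
20:32:27.377433 IP 198.51.100.2.53 > 192.168.1.33.14163: 64351 2/3/0 A 128.31.0.51, A 206.12.19.7 (121)
20:32:27.377761 IP 192.168.1.33 > 128.31.0.51: ICMP echo request, id 10269, seq 1, length 64
20:32:27.387320 IP 192.168.1.33 > 198.51.100.1: ICMP 192.168.1.33 udp port 14163 unreachable, length 157
20:32:27.503782 IP 192.168.1.33.30405 > 198.51.100.2.53: 9070+ PTR? 51.0.31.128.in-addr.arpa. (42)
20:32:27.843229 IP 198.51.100.2.53 > 192.168.1.33.30405: 9070 1/4/1 PTR senfl.debian.org. (196)
"""

if __name__ == "__main__":
    src = sys.stdin if not sys.stdin.isatty() else CAPTURE_R_ETH0.splitlines()
    print("\n".join(report(src)))
```

Run it as `tcpdump -n -i eth0 udp port 53 | python3 pair_dns.py` (and again on eth1) to see, per interface, where the exchange stops: a query that is answered on eth1 but never answered on eth0 points at the forwarder or the firewall on R rather than at the ISP. The ICMP port-unreachable in the second capture is normal: the resolver had already accepted the first answer and closed the port before the slower server's duplicate arrived.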

 