Help: Mandriva failure to share Internet connection

Hi,
I have a Mandriva LE 2005 Desktop connected to the Internet via eth1 (static
IP 192.168.1.1 required by ADSL modem) and an ADSL (PPPoE) modem.

I run Shorewall on the desktop (details below) with no firewall (so far,
till I set up my loc network) on the laptop. Shoreall created a
complicated, multiple chain table set (used by iptables). I think, it
supports the required IP masquerading, but I not sure due to the
complexity.

I try to configure the desktop as an Internet gateway connected to a local
(internal) 10.200.1.0 network via its eth0.

Today I connected to that desktop a laptop with Mandriva 2005 LE. Both
computers are interconnected by a (Crossed) Ethernet cable connected to the
respective eth0 on both PCs. The Desktop successfully runs dhcpd and
assigns the Laptop an IP address. Both Computers successfully ping each
other in both directions.

The Problem: The laptop can't access the Internet while the Desktop is
connected.
Among others, I suspect the laptops routing and resol.conf should also be
modified (details below). Is the desktop's routing OK?
Following are the technical details. (sorry for the long data)

Please advise !

TIA

--------Desktop ifconfig output (ppp0 IP address hidden for security)---
eth0 Link encap:Ethernet HWaddr 00:50:FC:E4:23:2F
inet addr:10.200.1.1 Bcast:10.255.255.255 Mask:255.0.0.0
inet6 addr: fe80::250:fcff:fee4:232f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:78 errors:0 dropped:0 overruns:0 frame:0
TX packets:137 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9548 (9.3 Kb) TX bytes:14374 (14.0 Kb)
Interrupt:10 Base address:0x2000

eth1 Link encap:Ethernet HWaddr 00:0D:87:06:16:80
inet addr:192.168.1.10 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20d:87ff:fe06:1680/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:18955 errors:0 dropped:0 overruns:0 frame:0
TX packets:16033 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:19204620 (18.3 Mb) TX bytes:2006919 (1.9 Mb)
Interrupt:11 Base address:0xec00

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:114 errors:0 dropped:0 overruns:0 frame:0
TX packets:114 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:35057 (34.2 Kb) TX bytes:35057 (34.2 Kb)

ppp0 Link encap:Point-to-Point Protocol
inet addr:X.X.X.X P-t-P:Y.Y.Y.Y Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:336 errors:437 dropped:0 overruns:0 frame:0
TX packets:341 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:78454 (76.6 Kb) TX bytes:21717 (21.2 Kb)

sit0 Link encap:IPv6-in-IPv4
inet6 addr: ::192.168.1.10/96 Scope:Compat
inet6 addr: ::127.0.0.1/96 Scope:Unknown
UP RUNNING NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

-------------Desktop route (Actcom is my ISP)--------------
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
v1.c.actcom.net * 255.255.255.255 UH 0 0 0 ppp0
192.168.1.0 * 255.255.255.0 U 10 0 0 eth1
10.0.0.0 * 255.0.0.0 U 0 0 0 eth0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default v1.c.actcom.net 0.0.0.0 UG 0 0 0 ppp0


----------Desktop output of iptables -L (long)--------------
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP !icmp -- anywhere anywhere state INVALID
ppp0_in all -- anywhere anywhere
eth0_in all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info
prefix `Shorewall:INPUT:REJECT:'
reject all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
DROP !icmp -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp
flags:SYN,RST/SYN TCPMSS clamp to PMTU
ppp0_fwd all -- anywhere anywhere
eth0_fwd all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info
prefix `Shorewall:FORWARD:REJECT:'
reject all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP !icmp -- anywhere anywhere state INVALID
ACCEPT udp -- anywhere anywhere udp
dpts:bootps:bootpc
fw2net all -- anywhere anywhere
fw2loc all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info
prefix `Shorewall:OUTPUT:REJECT:'
reject all -- anywhere anywhere

Chain Drop (1 references)
target prot opt source destination
RejectAuth all -- anywhere anywhere
dropBcast all -- anywhere anywhere
dropInvalid all -- anywhere anywhere
DropSMB all -- anywhere anywhere
DropUPnP all -- anywhere anywhere
dropNotSyn all -- anywhere anywhere
DropDNSrep all -- anywhere anywhere

Chain DropDNSrep (2 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp spt:domain

Chain DropSMB (1 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:135
DROP udp -- anywhere anywhere udp
dpts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp
dpt:microsoft-ds
DROP tcp -- anywhere anywhere tcp dpt:135
DROP tcp -- anywhere anywhere tcp
dpt:netbios-ssn
DROP tcp -- anywhere anywhere tcp
dpt:microsoft-ds

Chain DropUPnP (2 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:1900

Chain Reject (4 references)
target prot opt source destination
RejectAuth all -- anywhere anywhere
dropBcast all -- anywhere anywhere
dropInvalid all -- anywhere anywhere
RejectSMB all -- anywhere anywhere
DropUPnP all -- anywhere anywhere
dropNotSyn all -- anywhere anywhere
DropDNSrep all -- anywhere anywhere

Chain RejectAuth (2 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth

Chain RejectSMB (1 references)
target prot opt source destination
reject udp -- anywhere anywhere udp dpt:135
reject udp -- anywhere anywhere udp
dpts:netbios-ns:netbios-ssn
reject udp -- anywhere anywhere udp
dpt:microsoft-ds
reject tcp -- anywhere anywhere tcp dpt:135
reject tcp -- anywhere anywhere tcp
dpt:netbios-ssn
reject tcp -- anywhere anywhere tcp
dpt:microsoft-ds

Chain all2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere nameserver 10.200.1.1
anywhere LOG level info prefix `Shorewall:all2all:REJECT:'
reject all -- anywhere anywhere

Chain dropBcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE =
broadcast
DROP all -- anywhere anywhere PKTTYPE =
multicast

Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID

Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp
flags:!SYN,RST,ACK/SYN

Chain dynamic (4 references)
target prot opt source destination

Chain eth0_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state
INVALID,NEW
loc2net all -- anywhere anywhere

Chain eth0_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state
INVALID,NEW
ACCEPT udp -- anywhere anywhere udp
dpts:bootps:bootpc
loc2fw all -- anywhere anywhere

Chain fw2loc (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain fw2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain icmpdef (0 references)
target prot opt source destination

Chain loc2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT icmp -- anywhere anywhere icmp
echo-request
ACCEPT all -- anywhere anywhere

Chain loc2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain net2all (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info
prefix `Shorewall:net2allROP:'
DROP all -- anywhere anywhere

Chain net2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT icmp -- anywhere anywhere icmp
echo-request
net2all all -- anywhere anywhere

Chain ppp0_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state
INVALID,NEW
net2all all -- anywhere anywhere

Chain ppp0_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state
INVALID,NEW
net2fw all -- anywhere anywhere

Chain reject (11 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE =
broadcast
DROP all -- anywhere anywhere PKTTYPE =
multicast
DROP all -- 10.255.255.255 anywhere
DROP all -- 255.255.255.255 anywhere
DROP all -- 224.0.0.0/4 anywhere
REJECT tcp -- anywhere anywhere reject-with
tcp-reset
REJECT udp -- anywhere anywhere reject-with
icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with
icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with
icmp-host-prohibited

Chain shorewall (0 references)
target prot opt source destination

Chain smurfs (0 references)
target prot opt source destination
LOG all -- 10.255.255.255 anywhere LOG level info
prefix `Shorewall:smurfsROP:'
DROP all -- 10.255.255.255 anywhere
LOG all -- 255.255.255.255 anywhere LOG level info
prefix `Shorewall:smurfsROP:'
DROP all -- 255.255.255.255 anywhere
LOG all -- 224.0.0.0/4 anywhere LOG level info
prefix `Shorewall:smurfsROP:'
DROP all -- 224.0.0.0/4 anywhere


-----------------Laptop ifconfig---------------
eth0 Link encap:Ethernet HWaddr 00:40:CA:CF:21:88
inet addr:10.200.1.200 Bcast:10.200.1.255 Mask:255.255.255.0
inet6 addr: fe80::240:caff:fecf:2188/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:39 errors:0 dropped:0 overruns:0 frame:0
TX packets:57 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3966 (3.8 Kb) TX bytes:8246 (8.0 Kb)
Interrupt:7 Base address:0x1c00

lo Link encap:Local Loopback
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:17 errors:0 dropped:0 overruns:0 frame:0
TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:5576 (5.4 Kb) TX bytes:5576 (5.4 Kb)

sit0 Link encap:IPv6-in-IPv4
inet6 addr: ::127.0.0.1/96 Scope:Unknown
UP RUNNING NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:11 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)


--------------output of laptop route---------------------
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
10.200.1.0 * 255.255.255.0 U 0 0 0 eth0
default 10.200.1.1 0.0.0.0 UG 0 0 0 eth0


---------------output of laptop /etc/resolv.conf
nameserver 10.200.1.1

Michael Badt wrote:
> Hi,
> I have a Mandriva LE 2005 Desktop connected to the Internet via eth1 (static
> IP 192.168.1.1 required by ADSL modem) and an ADSL (PPPoE) modem.
>
> I run Shorewall on the desktop (details below) with no firewall (so far,
> till I set up my loc network) on the laptop. Shoreall created a
> complicated, multiple chain table set (used by iptables). I think, it
> supports the required IP masquerading, but I not sure due to the
> complexity.
>
> I try to configure the desktop as an Internet gateway connected to a local
> (internal) 10.200.1.0 network via its eth0.
>
> Today I connected to that desktop a laptop with Mandriva 2005 LE. Both
> computers are interconnected by a (Crossed) Ethernet cable connected to the
> respective eth0 on both PCs. The Desktop successfully runs dhcpd and
> assigns the Laptop an IP address. Both Computers successfully ping each
> other in both directions.
>
> The Problem: The laptop can't access the Internet while the Desktop is
> connected.
> Among others, I suspect the laptops routing and resol.conf should also be
> modified (details below). Is the desktop's routing OK?
> Following are the technical details. (sorry for the long data)

(details stripped)

Did you remember to enable IP forwarding in the desktop?

Quickie:

echo 1 >/proc/sys/net/ipv4/ip_forward

Your laptop needs the DNS set up properly, either directly to
the ISP's servers, or to a cache server in the desktop.

My recommendation is to install dnsmasq on the desktop and
direct the laptop to use it (via DHCP, see DHCP server
configuration manual). dnsmasq will also serve the local
network names from the /etc/hosts file on the desktop,
if so requested.

The routing in the laptop is trivial: all routes point to
the desktop (including the default route). It should be
properly set up after the DHCP exchange.

For Internet nodes with only one path to the Net, the rule
for the default route is to set it to point to the next
node towards the Net. In this case, the laptop has to point
to the desktop and the desktop has to point to the ISP.

You can debug the connectivity step by step by first checking
that the local hosts can ping each other and the desktop
can ping the ISP's gateway. The next step is to make the
laptop to ping the ISP's gateway with a numeric address
(with 'ping -n') to check the basic IP connectivity but
without DNS. The third step is to make DNS work at both
computers.

HTH

--

Tauno Voipio
tauno voipio (at) iki fi

On Sun, 12 Jun 2005 12:39:22 +0300, Michael Badt wrote:
> Hi,
> I have a Mandriva LE 2005 Desktop connected to the Internet via eth1 (static
> IP 192.168.1.1 required by ADSL modem) and an ADSL (PPPoE) modem.
>
> I run Shorewall on the desktop (details below) with no firewall (so far,
> till I set up my loc network) on the laptop. Shoreall created a
> complicated, multiple chain table set (used by iptables). I think, it
> supports the required IP masquerading, but I not sure due to the
> complexity.
>
> I try to configure the desktop as an Internet gateway connected to a local
> (internal) 10.200.1.0 network via its eth0. shorewall_masq_search_tag

Wondering if the smurf rule is dropping your 10.xx.xx.xx network.
Reject rule does drop 10.x
If you were to look in /var/log/messages you might get a clue as what
rule drops your connections.

I would change the local network from 10.x to something like
192.168.2.x if it were me.

> Today I connected to that desktop a laptop with Mandriva 2005 LE. Both
> computers are interconnected by a (Crossed) Ethernet cable connected to the
> respective eth0 on both PCs. The Desktop successfully runs dhcpd and
> assigns the Laptop an IP address. Both Computers successfully ping each
> other in both directions.
>
> The Problem: The laptop can't access the Internet while the Desktop is
> connected.

Test first on Desktop, then laptop.

If ping -c 1 -w 3 66.94.234.13 fails, firewall problem.
If ping -c 1 -w 3 66.94.234.13 works, then you have a DNS problem.
If ping -c 1 -w 3 yahoo.com fails, then you need to verify /etc/resolv.conf
contains the gateway ISPs nameserver ip addy

> Among others, I suspect the laptops routing and resol.conf should also be
> modified (details below).

if ping -c 1 -w 3 66.94.234.13 works,
put the /etc/resolv.conf from the desktop into the laptop's resolv.conf.
and try the yahoo ping, no restarts needed.


> Is the desktop's routing OK?

google, yahoo,... internet acces will go out the defautl gateway interface
indicated by the G seen in route command.

Click up a spare terminal on the desktop
su -l root

tail -f /var/log/messages

then on the laptop do the ping tests, you should see which chain
stopped the attempt.

To get my lan network running here is all shorewall files I modifed:
blacklist, masq, policy, rules, interfaces, params, routestopped

You can ignore blacklist and routestopped.

I am on cable modem, address is via dhcp, hardware layout

internet---cable_modem---eth1---eth0---switch----eth0 for all lan boxes.
^ ^
| |
Desktop firewall box------+------'

Modify /etc/sysconfig/network-scripts/ifcfg-eth0 on the desktop
METRIC=12 instead of 10


To understand my shorewall files you have to see my params file

cat params
# data values found in
DHCPSERVERS=68.87.66.10 # /var/lib/dhcp/dhclient-eth1.leases
DHCP_SERVERS=$DHCPSERVERS,$MODEMIP
LOC_BCAST=192.168.2.255 # /etc/sysconfig/network-scripts/ifcfg-eth0
LOC_NIC=eth0
MODEMWEB=192.168.100.1 # motorola sb4220/5100 web page (if enabled)
NET_BCAST=255.255.255.255 # /var/lib/dhcp/dhclient-eth1.leases
NET_NIC=eth1 # /etc/sysconfig/network
NET_OPTIONS=dhcp,routefilter,blacklist,tcpflags # used in shorewall/interfaces

Contents of the modified shorewall files, minus the comments.

You could set your NET_OPTIONS=detect and ignore the DHCP* values
where you see them. fw and $FW are shorewall understood values.
I use tabs as seperators in the files.

cat interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net $NET_NIC $NET_BCAST $NET_OPTIONS
loc $LOC_NIC $LOC_BCAST

cat masq
#INTERFACE SUBNET ADDRESS PROTO PORT(S)
$NET_NIC $LOC_NIC


cat policy
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
loc net ACCEPT
loc fw ACCEPT -
fw loc ACCEPT
fw net ACCEPT
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info


cat rules
#ACTION SOURCE DEST PROTO DEST
# PORT
ACCEPT net:$DHCP_SERVERS fw udp bootps,bootpc
ACCEPT loc fw icmp 8
ACCEPT fw loc icmp
DROP net $FW icmp echo-request
ACCEPT fw net icmp

Thanks all,
Eventually I managed to solve the problem only by modifying the laptop's
resolv.conf to point at my ISP's DNS server. (Yes, Ip forwarding was
already enabled).

Take care

Michael Badt


Tauno Voipio wrote:

> Michael Badt wrote:
>> Hi,
>> I have a Mandriva LE 2005 Desktop connected to the Internet via eth1
>> (static
>> IP 192.168.1.1 required by ADSL modem) and an ADSL (PPPoE) modem.
>>
>> I run Shorewall on the desktop (details below) with no firewall (so far,
>> till I set up my loc network) on the laptop. Shoreall created a
>> complicated, multiple chain table set (used by iptables). I think, it
>> supports the required IP masquerading, but I not sure due to the
>> complexity.
>>
>> I try to configure the desktop as an Internet gateway connected to a
>> local (internal) 10.200.1.0 network via its eth0.
>>
>> Today I connected to that desktop a laptop with Mandriva 2005 LE. Both
>> computers are interconnected by a (Crossed) Ethernet cable connected to
>> the respective eth0 on both PCs. The Desktop successfully runs dhcpd and
>> assigns the Laptop an IP address. Both Computers successfully ping each
>> other in both directions.
>>
>> The Problem: The laptop can't access the Internet while the Desktop is
>> connected.
>> Among others, I suspect the laptops routing and resol.conf should also be
>> modified (details below). Is the desktop's routing OK?
>> Following are the technical details. (sorry for the long data)
>
> (details stripped)
>
> Did you remember to enable IP forwarding in the desktop?
>
> Quickie:
>
> echo 1 >/proc/sys/net/ipv4/ip_forward
>
> Your laptop needs the DNS set up properly, either directly to
> the ISP's servers, or to a cache server in the desktop.
>
> My recommendation is to install dnsmasq on the desktop and
> direct the laptop to use it (via DHCP, see DHCP server
> configuration manual). dnsmasq will also serve the local
> network names from the /etc/hosts file on the desktop,
> if so requested.
>
> The routing in the laptop is trivial: all routes point to
> the desktop (including the default route). It should be
> properly set up after the DHCP exchange.
>
> For Internet nodes with only one path to the Net, the rule
> for the default route is to set it to point to the next
> node towards the Net. In this case, the laptop has to point
> to the desktop and the desktop has to point to the ISP.
>
> You can debug the connectivity step by step by first checking
> that the local hosts can ping each other and the desktop
> can ping the ISP's gateway. The next step is to make the
> laptop to ping the ISP's gateway with a numeric address
> (with 'ping -n') to check the basic IP connectivity but
> without DNS. The third step is to make DNS work at both
> computers.
>
> HTH
>