Unable to connect outside until reboot

Hi. Sometimes I can't open connections outside, when I reboot the
firewall it works again. Connecting inside works always.

This is a small network connected to internet with ADSL and I built
a linux firewall before the ADSL. Sometimes, last was one month ago,
people from inside the network can't see internet. Rebooting the
linux firewall fixes it.

Surprisingly, I do can ssh inside the linux from outside. Then I
try lynx and won't work. It does work when I reboot the fw.

This is very strange. Any hints ?

This is rehdat-9 with kernel-2.4.20-20 iptables-1.2.7a-2.

Francesc Guasch <(E-Mail Removed)> wrote:

> Hi. Sometimes I can't open connections outside, when I reboot the
> firewall it works again. Connecting inside works always.

If you say "connecting inside", do you mean from outside
to the internal network or from outside to the linux firewall
itself?


> This is a small network connected to internet with ADSL and I built
> a linux firewall before the ADSL. Sometimes, last was one month ago,
> people from inside the network can't see internet. Rebooting the
> linux firewall fixes it.

Is it possible to ping the linux box from the internal
network? Could the internal clients ping each other?

Have you tried to ping a host by name (eg. www.yahoo.com)
and by IP (eg. 216.109.118.71)? If pinging by name doesn't
work, check your name resolving.

Have you tried to stop the packet filter (flush the chains
and remove iptables modules) and then start it again, instead
of rebooting the entire machine?

Have you checked your routing table, interface configuration
and iptables-rules when the Internet access is working
and when it is not working anymore? Do you see differences?


Ciao, Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn

Horst Knobloch <(E-Mail Removed)> wrote in message news:<bq3hg7$qo8$(E-Mail Removed)>...
> Francesc Guasch <(E-Mail Removed)> wrote:
>
Hi Horst, thank you very much for your answer.

> > Hi. Sometimes I can't open connections outside, when I reboot the
> > firewall it works again. Connecting inside works always.
>
> If you say "connecting inside", do you mean from outside
> to the internal network or from outside to the linux firewall
> itself?

I mean connecting from internet using ssh
>
> > This is a small network connected to internet with ADSL and I built
> > a linux firewall before the ADSL. Sometimes, last was one month ago,
> > people from inside the network can't see internet. Rebooting the
> > linux firewall fixes it.
>
> Is it possible to ping the linux box from the internal
> network? Could the internal clients ping each other?

Yes, internal clients work with the linux server because
it does samba too.

> Have you tried to ping a host by name (eg. www.yahoo.com)
> and by IP (eg. 216.109.118.71)? If pinging by name doesn't
> work, check your name resolving.

I've tried to ping, but I'm not sure I tried only by ip,
I'll do next time it happens.

> Have you tried to stop the packet filter (flush the chains
> and remove iptables modules) and then start it again, instead
> of rebooting the entire machine?

Yes. Stopping iptables didn't help.

>
> Have you checked your routing table, interface configuration
> and iptables-rules when the Internet access is working
> and when it is not working anymore? Do you see differences?

I'll try to check route and ifconfig next time it happens.
I can ping the ADSL interface from the linux.

Internet ---- ADSL ----- linux ----- localnet
<-- ping OK
<-- ping OK
<------------------- this didn't ping

Resetting the ADSL router won't help, resetting the
linux server did.

Francesc Guasch <(E-Mail Removed)> wrote:

> Horst Knobloch <(E-Mail Removed)> wrote in message
> news:<bq3hg7$qo8$(E-Mail Removed)>...
>> Francesc Guasch <(E-Mail Removed)> wrote:
>>
> Hi Horst, thank you very much for your answer.
>
>> > Hi. Sometimes I can't open connections outside, when I reboot the
>> > firewall it works again. Connecting inside works always.
>>
>> If you say "connecting inside", do you mean from outside
>> to the internal network or from outside to the linux firewall
>> itself?
>
> I mean connecting from internet using ssh

I meant more the *destination* to which you connect. Did you
connect from the Internet to the linux firewall with ssh or
to an internal client (through the linux firewall)?

Same with lynx, did you connect to the linux box or through
linux box to an internal client?


>> > This is a small network connected to internet with ADSL and I built
>> > a linux firewall before the ADSL. Sometimes, last was one month ago,
>> > people from inside the network can't see internet. Rebooting the
>> > linux firewall fixes it.

[internal communciation with linux box works]

>> Have you tried to ping a host by name (eg. www.yahoo.com)
>> and by IP (eg. 216.109.118.71)? If pinging by name doesn't
>> work, check your name resolving.
>
> I've tried to ping, but I'm not sure I tried only by ip,
> I'll do next time it happens.
>

[stopping and starting iptables didn't help]

>> Have you checked your routing table, interface configuration
>> and iptables-rules when the Internet access is working
>> and when it is not working anymore? Do you see differences?
>
> I'll try to check route and ifconfig next time it happens.
> I can ping the ADSL interface from the linux.
>
> Internet ---- ADSL ----- linux ----- localnet
> <-- ping OK
> <-- ping OK
> <------------------- this didn't ping
>
> Resetting the ADSL router won't help, resetting the
> linux server did.

Could you ping the internal IP address of the ADSL
router too? (The internal IP address is the one from
the ADSL router towards the linux box).

Also do a "traceroute 216.109.118.71" for an internal
client and check the last box giving you a reply and
the next box after it.

Have you tried to disable and enable the interface on
the linux box towards the ADSL box? Does this interface
get its IP address stactically or via DHCP?

On the linux box start tcpdump and log traffic on the
interface towards the ADSL router, check whether traffic
is coming in and leaving this interface as expected.


Ciao, Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn

Francesc Guasch <(E-Mail Removed)> wrote:

> Horst Knobloch <(E-Mail Removed)> wrote in message
> news:<bq3hg7$qo8$(E-Mail Removed)>...
>> Francesc Guasch <(E-Mail Removed)> wrote:
>>
> Hi Horst, thank you very much for your answer.
>
>> > Hi. Sometimes I can't open connections outside, when I reboot the
>> > firewall it works again. Connecting inside works always.
>>
>> If you say "connecting inside", do you mean from outside
>> to the internal network or from outside to the linux firewall
>> itself?
>
> I mean connecting from internet using ssh

I meant more the *destination* to which you connect. Did you
connect from the Internet to the linux firewall with ssh or
to an internal client (through the linux firewall)?

Same with lynx, did you connect to the linux box or through
linux box to an internal client?


>> > This is a small network connected to internet with ADSL and I built
>> > a linux firewall before the ADSL. Sometimes, last was one month ago,
>> > people from inside the network can't see internet. Rebooting the
>> > linux firewall fixes it.

[internal communciation with linux box works]

>> Have you tried to ping a host by name (eg. www.yahoo.com)
>> and by IP (eg. 216.109.118.71)? If pinging by name doesn't
>> work, check your name resolving.
>
> I've tried to ping, but I'm not sure I tried only by ip,
> I'll do next time it happens.
>

[stopping and starting iptables didn't help]

>> Have you checked your routing table, interface configuration
>> and iptables-rules when the Internet access is working
>> and when it is not working anymore? Do you see differences?
>
> I'll try to check route and ifconfig next time it happens.
> I can ping the ADSL interface from the linux.
>
> Internet ---- ADSL ----- linux ----- localnet
> <-- ping OK
> <-- ping OK
> <------------------- this didn't ping
>
> Resetting the ADSL router won't help, resetting the
> linux server did.

Could you ping the internal IP address of the ADSL
router too? (The internal IP address is the one from
the ADSL router towards the linux box).

Also do a "traceroute 216.109.118.71" from an internal
client and check the last box giving you a reply and
the next box after it.

Have you tried to disable and enable the interface on
the linux box towards the ADSL box? Does this interface
get its IP address stactically or via DHCP?

On the linux box start tcpdump and log traffic on the
interface towards the ADSL router, check whether traffic
is coming in and leaving this interface as expected.


Ciao, Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn

Horst Knobloch <(E-Mail Removed)> wrote in message

Thank you Hosrt. I'll try your advices next time the network fails.