Can't get to 192.168.100.1 from router, but can through it

Discussion in 'Linux Networking' started by tomnykds, Dec 20, 2006.

  1. tomnykds

    tomnykds Guest

    Hi,
    I've got a linux router I just converted to iptables that works fine
    (meaning: local machines can get to each other and the router and out to
    the internet, play games, surf the web, etc.) except for connecting to my
    cable modem at 192.168.0.1:80. I can get to it from the LAN, just not directly.
    Pings are blocked as well. It looks like I can get out but the return packets
    are getting blocked. What am I screwing up? This can't be that hard.
    Oh, tcpdump on eth1 doesn't show anything unless I'm accessing 192.168.100.1
    from the LAN.

    Thx, Chris

    These are the rules I'm using:

    #Allow unlimited $CABLEMODEM traffic
    /sbin/iptables -A INPUT -i $EXTINT -s $CABLEMODEM -d $IPADDR -m state --state ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -o $EXTINT -s $IPADDR -d $CABLEMODEM -m state --state NEW,ESTABLISHED -j ACCEPT


    This is what I get from iptables:

    [[email protected] sysconfig]# /sbin/iptables -L -n -v | egrep "(192.168.100|Chain|bytes)"
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- eth1 * 192.168.100.1 67.172.126.155 state ESTABLISHED
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    10 648 ACCEPT all -- * eth1 67.172.126.155 192.168.100.1 state NEW,ESTABLISHED
     
    tomnykds, Dec 20, 2006
    #1
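An added diagnostic, not part of the thread or of any tool it mentions: a small shell script that parses the `iptables -L -n -v` counters pasted above and reports whether traffic for the modem address is being accepted in both directions. The listing is embedded as a constructed sample, and the function names (`accept_counts`, `diagnose`) are my own.

```shell
#!/bin/sh
# Constructed sample: the `iptables -L -n -v` output from the post above.
SAMPLE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- eth1 * 192.168.100.1 67.172.126.155 state ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
   10   648 ACCEPT all -- * eth1 67.172.126.155 192.168.100.1 state NEW,ESTABLISHED'

# accept_counts HOST   (listing on stdin)
# Sum the packet counters of ACCEPT rules whose source or destination is HOST,
# per filter chain. Column layout of `-L -n -v`:
#   pkts bytes target prot opt in out source destination [match details]
accept_counts() {
    awk -v host="$1" '
        /^Chain / { chain = $2; order[++n] = chain; hits[chain] += 0; next }
        $3 == "ACCEPT" && ($8 == host || $9 == host) { hits[chain] += $1 }
        END { for (i = 1; i <= n; i++) printf "%s=%d\n", order[i], hits[order[i]] }'
}

# diagnose HOST   (listing on stdin) -> prints one verdict
#   no-outbound : nothing left via the OUTPUT accept rule (an earlier rule
#                 handled it, or the box has no route out that interface)
#   asymmetric  : requests accepted out, no replies accepted in; check with
#                 tcpdump whether replies reach the interface at all before
#                 blaming the INPUT rule's state match
#   ok          : traffic accepted in both directions
diagnose() {
    counts=$(accept_counts "$1")
    outbound=$(printf '%s\n' "$counts" | sed -n 's/^OUTPUT=//p')
    inbound=$(printf '%s\n' "$counts" | sed -n 's/^INPUT=//p')
    if [ "${outbound:-0}" -eq 0 ]; then
        echo no-outbound
    elif [ "${inbound:-0}" -eq 0 ]; then
        echo asymmetric
    else
        echo ok
    fi
}

printf '%s\n' "$SAMPLE_LISTING" | diagnose 192.168.100.1   # prints: asymmetric
```

On a live router, pipe the real listing in instead: `iptables -L -n -v | diagnose 192.168.100.1`.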

  2. It appears to me that you need to add similar rules to the FORWARD chain
    (and make sure IP forwarding is turned on).
     
    Clifford Kite, Dec 20, 2006
    #2

  3. tomnykds

    tomnykds Guest

    Well, that doesn't help. These rules are early in the file, right
    after #Allow unlimited LAN traffic. The only things above it are
    setting policy, (I,O,F: DROP, -t nat PRE,POST,OUT: ACCEPT), MASQ,
    and loopback. The weird thing is that the LAN doesn't have a problem
    with this address, just directly between the router and modem, which
    I didn't think I'd need FORWARD rules for anyway. I added the last
    2 rules and it worked. No idea why.

    #Allow unlimited $CABLEMODEM traffic
    /sbin/iptables -A INPUT -i $EXTINT -s $CABLEMODEM -d $IPADDR -m state --state ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -o $EXTINT -s $IPADDR -d $CABLEMODEM -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -t nat -A OUTPUT -o $EXTINT -d $CABLEMODEM -j ACCEPT
    /sbin/iptables -t nat -A POSTROUTING -o $EXTINT -d $CABLEMODEM -j ACCEPT

    I'd already tried something similar, but maybe not this exactly.

    Thx, Chris
     
    tomnykds, Dec 20, 2006
    #3
  4.  
    Clifford Kite, Dec 20, 2006
    #4