[NTLUG:Discuss] server stops anytime.
Jay Urish
j at yourlinuxguru.com
Wed Apr 10 10:45:19 CDT 2002
On Wed, 10 Apr 2002, m m wrote:
I have seen this before.. My "fix" was to start a job in the background
pinging yahoo.com, say, every 600 seconds.
I think the problem was a downstream router not holding the ARP entry.
Strangely enough, I was running redhat on the box.
If I were in your shoes I would snag a copy of Mandrake 8.2 and install
that.
> Hi, All:
> I have had this problem for a long time. I thought it was a hardware or APM
> problem, but it is not.
> The problem is that my server does not work (no ping, no web, no email...).
>
> I can "fix" it with the following steps:
> 1. from any internal box, telnet out to any external remote site.
> 2. after logging on to the remote site, try to browse (my) site, like lynx
> http://hsugroup.com
> 3. it works.
> 4. it works for everyone in the world.
>
> that is the way I "fix it".
>
> BUT, IT WILL STOP WORKING ANY TIME AGAIN.
>
> the whole internal network works fine; all internal boxes can surf the
> internet.
>
> I think it is a configuration problem, maybe firewall rules or network
> settings...
> Does anyone have ideas?
> TIA
>
> my system:
> RH 6.2 with updated kernel 2.14.17.
> AT&T cable modem.
>
> ------------------------------------------------------------------
> this is my firewall rules:
> #!/bin/sh
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "Begin firewall..."
> iptables -F -v
> ##iptables="/usr/local/sbin/iptables"
>
> ## $INTERNAL_IP = 192.168.1.1
> ## $INTERNAL_NET = 192.168.1.0/24
>
> ## $INTERNET = 12.237.96.67
>
> ## $DMZ = 192.168.2.0/24
>
> # Insert the required kernel modules
> modprobe iptable_nat
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
> modprobe ip_nat_ftp
>
> # Set default policies for packets going through this firewall box
>
> ### iptables -t nat -P PREROUTING DROP
> ### iptables -t nat -P POSTROUTING DROP
>
> ### iptables -P FORWARD DROP
>
> # Set default policies for packet entering this box
>
> ### iptables -P OUTPUT ALLOW
> ### iptables -P INPUT ALLOW
>
> # Kill spoofed packets
>
> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> echo 1 > $f
> done
>
> # Anything coming from our internal network should have only our addresses!
> # iptables -A FORWARD -i eth1 -s ! 192.168.1.0/24 -j DROP
>
> # Anything coming from the Internet should have a real Internet address
> iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
> iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
> iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
> iptables -A INPUT -i eth0 -s 24.14.77.8 -j DROP
> iptables -A INPUT -i eth0 -s 12.242.18.34 -j DROP
> iptables -A INPUT -i eth0 -s 12.242.18.50 -j DROP
> iptables -A INPUT -i eth0 -s 24.3.59.34 -j DROP
> iptables -A INPUT -i eth0 -s 12.229.238.84 -j DROP
>
> iptables -v -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
> iptables -v -t nat -A POSTROUTING -d 12.237.96.67 -j MASQUERADE
>
> # Note: There are more "reserved" networks, but these are the classical ones.
>
> # Block outgoing network filesharing protocols that aren't designed
> # to leave the LAN
>
> # SMB / Windows filesharing
> iptables -A FORWARD -p tcp --sport 137:139 -j DROP
> iptables -A FORWARD -p udp --sport 137:139 -j DROP
> # NFS Mount Service (TCP/UDP 635)
> iptables -A FORWARD -p tcp --sport 635 -j DROP
> iptables -A FORWARD -p udp --sport 635 -j DROP
> # NFS (TCP/UDP 2049)
> iptables -A FORWARD -p tcp --sport 2049 -j DROP
> iptables -A FORWARD -p udp --sport 2049 -j DROP
> # Portmapper (TCP/UDP 111)
> iptables -A FORWARD -p tcp --sport 111 -j DROP
> iptables -A FORWARD -p udp --sport 111 -j DROP
>
> # Block incoming syslog, lpr, rsh, rexec...
> iptables -A FORWARD -i eth0 -p udp --dport syslog -j DROP
>
> iptables -A FORWARD -i eth0 -p tcp --dport 515 -j DROP
> iptables -A FORWARD -i eth0 -p tcp --dport 514 -j DROP
> iptables -A FORWARD -i eth0 -p tcp --dport 512 -j DROP
>
> iptables -A PREROUTING -t nat -p tcp -d 12.237.96.67 \
> --dport 8080 -j DNAT --to 192.168.1.3:8080
> iptables -A PREROUTING -t nat -p tcp -d 12.237.96.67 \
> --dport 80 -j DNAT --to 192.168.1.2:80
> iptables -A PREROUTING -t nat -p tcp -d 12.237.96.67 \
> --dport 81 -j DNAT --to 192.168.1.3:80
> iptables -A PREROUTING -t nat -p tcp -d 12.237.96.67 \
> --dport 25 -j DNAT --to 192.168.1.1:25
> iptables -A PREROUTING -t nat -p tcp -d 12.237.96.67 \
> --dport 211 -j DNAT --to 192.168.1.3:21
> iptables -A PREROUTING -t nat -p tcp -d 12.237.96.67 \
> --dport 212 -j DNAT --to 192.168.1.2:21
> iptables -A PREROUTING -t nat -p tcp -d 12.237.96.67 \
> --dport 222 -j DNAT --to 192.168.1.20:21
>
> # Source NAT to get Internet traffic through
> iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 12.237.96.67
>
> # Activate the forwarding!
> echo 1 >/proc/sys/net/ipv4/ip_forward
>
> echo "firewall done."
> ------------------------------------------------------------------
> Here is the "route" result:
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> heddy.hsugroup. * 255.255.255.255 UH 0 0 0 eth1
> 12-237-96-67-cl heddy.hsugroup. 255.255.255.255 UGH 0 0 0 eth1
> 12-237-96-67-cl 12-237-96-1.cli 255.255.255.255 UGH 0 0 0 eth0
> 12-237-96-67-cl * 255.255.255.255 UH 0 0 0 eth0
> 12.237.96.0 * 255.255.255.128 U 0 0 0 eth0
> 192.168.1.0 heddy.hsugroup. 255.255.255.0 UG 0 0 0 eth1
> 192.168.0.0 * 255.255.0.0 U 0 0 0 eth1
> 127.0.0.0 * 255.0.0.0 U 0 0 0 lo
> default 12-237-96-1.cli 0.0.0.0 UG 0 0 0 eth0
> ------------------------------------------------------------------
> Here is the "route -n" result:
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 192.168.1.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth1
> 12.237.96.67 192.168.1.1 255.255.255.255 UGH 0 0 0 eth1
> 12.237.96.67 12.237.96.1 255.255.255.255 UGH 0 0 0 eth0
> 12.237.96.67 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
> 12.237.96.0 0.0.0.0 255.255.255.128 U 0 0 0 eth0
> 192.168.1.0 192.168.1.1 255.255.255.0 UG 0 0 0 eth1
> 192.168.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
> 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
> 0.0.0.0 12.237.96.1 0.0.0.0 UG 0 0 0 eth0
> ------------------------------------------------------------------
> the /etc/hosts:
> 127.0.0.1 localhost localhost.localdomain localhost
> 192.168.1.2 grace.hsugroup.com grace
> 192.168.1.2 grace.hsugroup.com www.hsugroup.com
> 192.168.1.3 megan.hsugroup.com megan
> 12.237.96.67 12-237-96-67-client.attbi.com 12-237-96-67
> #12.237.96.67 heddy.hsugroup.com heddy
> 192.168.1.1 heddy.hsugroup.com heddy
> 192.168.1.3 aaacoc.org www www.aaacoc.org
> 192.168.1.2 findmyneed.com www www.findmyneed.com
>
>
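A watchdog that implements the workaround from the reply, written here as an added example (it is not the poster's script or anything from the list): it pings an external host every 600 seconds so the upstream router's ARP entry for the box stays fresh, and whenever a probe fails it records the state of the local ARP entry for the default gateway, so an outage can be tied to a missing or unresolved ARP entry instead of guessed at. It assumes net-tools `route -n` and `arp -an` output formats as on the poster's Red Hat box; TARGET, INTERVAL and LOG are placeholders to adjust.

```shell
#!/bin/sh
# Gateway keepalive watchdog (added example, not the poster's or the list's code).
# Assumed: net-tools `route -n` and `arp -an`; TARGET/INTERVAL/LOG are placeholders.

INTERVAL=${INTERVAL:-600}          # seconds between probes (the reply used 600)
TARGET=${TARGET:-yahoo.com}        # external host to ping, as in the reply
LOG=${LOG:-/var/log/keepalive.log} # placeholder log path

# Print the default gateway from `route -n` text: the line whose
# destination is 0.0.0.0, second column.
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" { print $2; exit }'
}

# Classify the ARP entry for address $2 in `arp -an` text $1:
# "ok" (MAC resolved), "incomplete" (unresolved), "missing" (no entry).
arp_state() {
    line=$(printf '%s\n' "$1" | grep -F "($2)" || true)
    if [ -z "$line" ]; then
        echo missing
    elif printf '%s\n' "$line" | grep -q '<incomplete>'; then
        echo incomplete
    else
        echo ok
    fi
}

# One probe: a single ping with a 5 s deadline keeps the upstream ARP entry
# alive; on failure, log what the local cache knows about the gateway.
probe_once() {
    gw=$(default_gateway "$(route -n)")
    if ping -c 1 -w 5 "$TARGET" >/dev/null 2>&1; then
        echo "$(date '+%F %T') up target=$TARGET gw=$gw" >>"$LOG"
        return 0
    fi
    state=$(arp_state "$(arp -an)" "$gw")
    echo "$(date '+%F %T') DOWN target=$TARGET gw=$gw arp=$state" >>"$LOG"
    return 1
}

# Background use: `nohup sh keepalive.sh loop &`
if [ "$1" = loop ]; then
    while :; do probe_once; sleep "$INTERVAL"; done
fi
```

A run of DOWN lines with arp=incomplete or arp=missing for the gateway points at the ARP/upstream side; DOWN lines with arp=ok point elsewhere (firewall rules, DNS, the far end).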