[NTLUG:Discuss] server stops arbitrarily
m m
llliiilll at hotmail.com
Wed Apr 10 19:28:08 CDT 2002
Hi, All:
I have had this problem for a long time. I thought it was a hardware or APM
problem, but it is not.
The problem is that my server does not work (no ping, no web, no email...).
I can "fix" it with the following steps:
1. From any internal box, telnet out to any external remote site.
2. After logging on to the remote site, try to browse (my) site, e.g. lynx
http://hsugroup.com
3. It works.
4. It works for everyone in the world.
That is the way I "fix" it.
BUT IT WILL STOP WORKING AGAIN AT ANY TIME.
All of the internal network works fine; all internal boxes can surf the
internet.
I am thinking that it is a configuration problem, maybe firewall rules or network
settings...
Anyone have ideas?
TIA
My system:
RH 6.2 with updated kernel 2.14.17.
AT&T cable modem.
------------------------------------------------------------------
this is my firewall rules:
#!/bin/sh
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Begin firewall..."
iptables -F -v
##iptables="/usr/local/sbin/iptables"
## $INTERNAL_IP = 192.168.1.1
## $INTERNAL_NET = 192.168.1.0/24
## $INTERNET = 12.237.96.67
## $DMZ = 192.168.2.0/24
# Insert the required kernel modules
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
# Set default policies for packets going through this firewall box
### iptables -t nat -P PREROUTING DROP
### iptables -t nat -P POSTROUTING DROP
### iptables -P FORWARD DROP
# Set default policies for packet entering this box
### iptables -P OUTPUT ALLOW
### iptables -P INPUT ALLOW
# Kill spoofed packets
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Anything coming from our internal network should have only our addresses!
# iptables -A FORWARD -i eth1 -s ! 192.168.1.0/24 -j DROP
# Anything coming from the Internet should have a real Internet address
iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 24.14.77.8 -j DROP
iptables -A INPUT -i eth0 -s 12.242.18.34 -j DROP
iptables -A INPUT -i eth0 -s 12.242.18.50 -j DROP
iptables -A INPUT -i eth0 -s 24.3.59.34 -j DROP
iptables -A INPUT -i eth0 -s 12.229.238.84 -j DROP
iptables -v -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
iptables -v -t nat -A POSTROUTING -d 12.237.96.67 -j MASQUERADE
# Note:There are more "reserved" networks, but these are the classical ones.
# Block outgoing network filesharing protocols that aren't designed
# to leave the LAN
# SMB / Windows filesharing
iptables -A FORWARD -p tcp --sport 137:139 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -j DROP
# NFS Mount Service (TCP/UDP 635)
iptables -A FORWARD -p tcp --sport 635 -j DROP
iptables -A FORWARD -p udp --sport 635 -j DROP
# NFS (TCP/UDP 2049)
iptables -A FORWARD -p tcp --sport 2049 -j DROP
iptables -A FORWARD -p udp --sport 2049 -j DROP
# Portmapper (TCP/UDP 111)
iptables -A FORWARD -p tcp --sport 111 -j DROP
iptables -A FORWARD -p udp --sport 111 -j DROP
# Block incoming syslog, lpr, rsh, rexec...
iptables -A FORWARD -i eth0 -p udp --dport syslog -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 515 -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 514 -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 512 -j DROP
iptables -A PREROUTING -t nat -p tcp -d 12.237.96.67 \
--dport 8080 -j DNAT --to 192.168.1.3:8080
iptables -A PREROUTING -t nat -p tcp -d 12.237.96.67 \
--dport 80 -j DNAT --to 192.168.1.2:80
iptables -A PREROUTING -t nat -p tcp -d 12.237.96.67 \
--dport 81 -j DNAT --to 192.168.1.3:80
iptables -A PREROUTING -t nat -p tcp -d 12.237.96.67 \
--dport 25 -j DNAT --to 192.168.1.1:25
iptables -A PREROUTING -t nat -p tcp -d 12.237.96.67 \
--dport 211 -j DNAT --to 192.168.1.3:21
iptables -A PREROUTING -t nat -p tcp -d 12.237.96.67 \
--dport 212 -j DNAT --to 192.168.1.2:21
iptables -A PREROUTING -t nat -p tcp -d 12.237.96.67 \
--dport 222 -j DNAT --to 192.168.1.20:21
# Source NAT to get Internet traffic through
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 12.237.96.67
# Activate the forwarding!
echo 1 >/proc/sys/net/ipv4/ip_forward
echo "firewall done."
------------------------------------------------------------------
Here is the "route" result:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
heddy.hsugroup. *               255.255.255.255 UH    0      0        0 eth1
12-237-96-67-cl heddy.hsugroup. 255.255.255.255 UGH   0      0        0 eth1
12-237-96-67-cl 12-237-96-1.cli 255.255.255.255 UGH   0      0        0 eth0
12-237-96-67-cl *               255.255.255.255 UH    0      0        0 eth0
12.237.96.0     *               255.255.255.128 U     0      0        0 eth0
192.168.1.0     heddy.hsugroup. 255.255.255.0   UG    0      0        0 eth1
192.168.0.0     *               255.255.0.0     U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         12-237-96-1.cli 0.0.0.0         UG    0      0        0 eth0
------------------------------------------------------------------
Here is the "route -n" result:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth1
12.237.96.67    192.168.1.1     255.255.255.255 UGH   0      0        0 eth1
12.237.96.67    12.237.96.1     255.255.255.255 UGH   0      0        0 eth0
12.237.96.67    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
12.237.96.0     0.0.0.0         255.255.255.128 U     0      0        0 eth0
192.168.1.0     192.168.1.1     255.255.255.0   UG    0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         12.237.96.1     0.0.0.0         UG    0      0        0 eth0
------------------------------------------------------------------
The /etc/hosts:
127.0.0.1 localhost localhost.localdomain localhost
192.168.1.2 grace.hsugroup.com grace
192.168.1.2 grace.hsugroup.com www.hsugroup.com
192.168.1.3 megan.hsugroup.com megan
12.237.96.67 12-237-96-67-client.attbi.com 12-237-96-67
#12.237.96.67 heddy.hsugroup.com heddy
192.168.1.1 heddy.hsugroup.com heddy
192.168.1.3 aaacoc.org www www.aaacoc.org
192.168.1.2 findmyneed.com www www.findmyneed.com
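A note on the posted ruleset, separate from the outage itself: every "iptables -P" line in it is commented out, so INPUT, FORWARD and OUTPUT stay at the kernel default of ACCEPT. The port forwards work only because nothing in FORWARD blocks them, and every service listening on the firewall box is reachable from the cable-modem side; the commented "-P INPUT ALLOW" would not even load, since the built-in target is ACCEPT. Also, "iptables -F" without "-t nat" leaves the nat table's old DNAT/SNAT rules in place across re-runs, and the final "-o eth1 -j SNAT" rewrites traffic heading into the LAN rather than out to the Internet. The script below is an added example, not the poster's script and not a diagnosis of why the link stops: a stateful, default-deny version of the same NAT and port-forward set. It assumes, from the post, that eth0 faces the cable modem as 12.237.96.67, eth1 faces 192.168.1.0/24, and the box itself is 192.168.1.1. It runs as a dry run that prints the commands unless IPT is set to the iptables binary.

```shell
#!/bin/sh
# Added example: stateful default-deny rewrite of the post's NAT/port-forward
# rules.  Addresses and interfaces are assumptions taken from the post.
# Dry run (prints commands) by default; apply with:  IPT=/sbin/iptables sh fw.sh
IPT="${IPT:-}"
run() { if [ -n "$IPT" ]; then "$IPT" "$@"; else echo "iptables $*"; fi; }

EXT_IF=eth0; INT_IF=eth1
EXT_IP=12.237.96.67; INT_IP=192.168.1.1; INT_NET=192.168.1.0/24

# The port forwards from the post: "external_port internal_host internal_port"
PORT_FORWARDS='
8080 192.168.1.3 8080
80 192.168.1.2 80
81 192.168.1.3 80
25 192.168.1.1 25
211 192.168.1.3 21
212 192.168.1.2 21
222 192.168.1.20 21
'

fw_flush() {
    # "-F" alone flushes only the filter table; flush nat too, or stale
    # DNAT/SNAT rules survive every re-run of the script.
    run -F; run -X; run -t nat -F
}

fw_policies() {
    # Default deny for traffic to the box and through it.
    run -P INPUT DROP; run -P FORWARD DROP; run -P OUTPUT ACCEPT
}

fw_input() {
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Nothing arriving from the Internet may claim a private, loopback or our own address
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 $EXT_IP; do
        run -A INPUT -i $EXT_IF -s $net -j DROP
        run -A FORWARD -i $EXT_IF -s $net -j DROP
    done
    # The LAN may talk to the box itself; from outside, only ping is answered
    run -A INPUT -i $INT_IF -s $INT_NET -j ACCEPT
    run -A INPUT -i $EXT_IF -p icmp --icmp-type echo-request -j ACCEPT
}

fw_lan_out() {
    # Only LAN addresses may enter on the inside interface (commented out in the post)
    run -A FORWARD -i $INT_IF ! -s $INT_NET -j DROP
    # Keep SMB/portmap/mountd/NFS inside: block by destination port on the way out
    for p in 137:139 111 635 2049; do
        run -A FORWARD -i $INT_IF -o $EXT_IF -p tcp --dport $p -j DROP
        run -A FORWARD -i $INT_IF -o $EXT_IF -p udp --dport $p -j DROP
    done
    run -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -j ACCEPT
    # Masquerade on the external interface only (the post's SNAT used -o eth1)
    run -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j MASQUERADE
}

fw_forwards() {
    echo "$PORT_FORWARDS" | while read -r ext_port host port; do
        if [ -z "$ext_port" ]; then continue; fi
        run -t nat -A PREROUTING -p tcp -d $EXT_IP --dport $ext_port \
            -j DNAT --to-destination $host:$port
        if [ "$host" = "$INT_IP" ]; then
            # DNAT to the box's own address is local delivery: INPUT, not FORWARD
            run -A INPUT -i $EXT_IF -p tcp -d $host --dport $port -j ACCEPT
        else
            run -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $host --dport $port -j ACCEPT
        fi
    done
    # Hairpin: a LAN client connecting to the public address is DNATed back into
    # the LAN; masquerade it so the server's reply returns via this box
    run -A FORWARD -i $INT_IF -o $INT_IF -s $INT_NET -d $INT_NET -j ACCEPT
    run -t nat -A POSTROUTING -o $INT_IF -s $INT_NET -d $INT_NET -j MASQUERADE
}

fw_sysctl() {
    # Enable routing last, once the rules are loaded; rp_filter drops packets
    # whose source address would be routed out a different interface.
    if [ -n "$IPT" ]; then
        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "sysctl: rp_filter=1 on all interfaces, ip_forward=1 (dry run)"
    fi
}

fw_rules() { fw_flush; fw_policies; fw_input; fw_lan_out; fw_forwards; fw_sysctl; }

fw_rules
```

Rule order matters: the ESTABLISHED,RELATED accepts come first so replies never hit the per-service rules, the anti-spoof drops come before any accept on eth0, and the egress drops for file sharing come before the general LAN-to-Internet accept. Because FORWARD defaults to DROP, each DNAT needs its matching FORWARD (or INPUT, for the box's own address) accept, which the loop emits beside it.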