On Thu, Dec 26, 2013 at 5:27 AM, mett <[email protected]> wrote:
>
> I'm using a debian box as a router and multiserver between my LAN and
> the internet.
>
> Everything was working fine till yesterday when I put the box down for
> upgrading memory, for a few hours.
>
> Right now, the external interface of the gateway is fully accessible
> from the net, and I do not have any problem with the different services
> I am providing to the outside (mail, webserver, and dns for the web
> servers).
>
> The problem is on the LAN side: I can access some sites but not all the
> sites as I used to do.
>
> For example, I can access the "Start page" search engine but not
> "Duckduckgo".
>
> The gateway can access everything; it's the hosts behind the gateway
> that cannot.
>
> I have 2 interfaces on this box:
> eth0, which is used as the LAN interface, and
> eth1, which is used as ppp0 with a static IP from my ISP.
>
> # Allow established connections, and those not coming from the outside
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
> iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Allow outgoing connections from the LAN side.
> iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
>
> # Masquerade.
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> # Don't forward from the outside to the inside.
> iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
1) Add logging to these rules to see which one(s) is (are) blocking your access.

2) "iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT"
   should be
   "iptables -A INPUT -m state --state NEW ! -i ppp0 -j ACCEPT"
   or (better, since you have two nics)
   "iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT"

3) OT:
   A) "# Don't forward from the outside to the inside" and
      "iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT"
      don't correspond.
   B) You should add
      "iptables -A FORWARD -i ppp0 -o eth0 -j REJECT" and
      "iptables -A INPUT -i ppp0 -j REJECT"
      after the line in (A) if your policy is "ACCEPT".

-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: http://lists.debian.org/CAOdo=szvydfze27t2dekmvzuwy7vnzqupl1+b_0djuyqamb...@mail.gmail.com
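The gateway ruleset with the reply's three points applied, as an added example and not the poster's or the replier's own script: the negation is written as "! -i ppp0", a rate-limited LOG rule sits in front of each REJECT so the blocking rule shows up in the kernel log, and the WAN-side REJECTs in INPUT and FORWARD make the result independent of the chain policy. It also wraps every iptables call in a small lint that refuses the deprecated "-i ! ppp0" spelling. The interface names eth0/ppp0 come from the thread; the log prefixes and the service ports (25, 80, 53 for the mail, web and DNS services the poster mentions) are assumptions. Run it with "apply" as root to load the rules, or with no argument to print them.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes LAN=eth0, WAN=ppp0 and
# public services on tcp/25, tcp/80, tcp+udp/53 (ports are an assumption).
# "gateway-fw.sh apply" loads the rules; no argument prints them (DRY_RUN).

LAN=${LAN:-eth0}
WAN=${WAN:-ppp0}
IPT=${IPT:-iptables}

# lint_rule: return 1 for the deprecated intrapositioned negation
# ("-i ! ppp0"); iptables wants the "!" before the option ("! -i ppp0").
lint_rule() {
    case " $* " in
        *" -i ! "*|*" -o ! "*|*" -s ! "*|*" -d ! "*|*" -p ! "*) return 1 ;;
    esac
    return 0
}

# ipt: lint one rule, then run it, or print it when DRY_RUN=1.
ipt() {
    if ! lint_rule "$@"; then
        echo "refusing deprecated negation in: $IPT $*" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# build_rules: the corrected ruleset. Order matters: ACCEPTs first, then a
# rate-limited LOG, then an explicit REJECT so the chain policy is irrelevant.
build_rules() {
    ipt -F INPUT
    ipt -F FORWARD
    ipt -t nat -F POSTROUTING

    # INPUT: established flows, then NEW connections from anything but the WAN.
    # The reply's tighter alternative "-i $LAN" also works, but with a DROP
    # policy it needs an extra "-i lo -j ACCEPT" for loopback traffic.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state NEW ! -i "$WAN" -j ACCEPT
    # Public services must be accepted BEFORE the WAN-side REJECT (assumed ports).
    ipt -A INPUT -i "$WAN" -p tcp --dport 25 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$WAN" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$WAN" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$WAN" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$WAN" -m limit --limit 5/min -j LOG --log-prefix "fw-input-reject: "
    ipt -A INPUT -i "$WAN" -j REJECT

    # FORWARD: LAN -> WAN freely; WAN -> LAN only for established flows.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o "$LAN" -m limit --limit 5/min -j LOG --log-prefix "fw-forward-reject: "
    ipt -A FORWARD -i "$WAN" -o "$LAN" -j REJECT

    # NAT: masquerade everything leaving the WAN interface.
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

case "${1:-print}" in
    apply) build_rules ;;
    print) (DRY_RUN=1; build_rules) ;;
esac
```

After loading, "dmesg | grep fw-" (or journalctl -k) shows which chain rejected a packet, which is the logging the reply asks for in point 1; the lint only catches the negation spelling, so the printed rules should still be read once before "apply".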

