Koozali.org: home of the SME Server

Strange (squid?) problem...

« on: July 08, 2007, 06:57:02 PM »
Hi all,

I've had to make a change in the way my SME 7.0 server connects to the Internet recently... Since then I'm having trouble accessing the internet through my workstations. I've had a week of downtime and while searching why I was unable to access the internet I may have changed something important in my setup but I doubt it...

OpenSUSE 10.2 (wireless) + Vector Linux 5.1 (wired)
|
|
|
Netgear router
|
|
|
SME (eth0)
SME(eth1)
|
|
|
ADSL modem

Now the strange thing is that my workstations can access the internet... Only if I set up a proxy in my browsers! Which makes me think that Squid isn't working in transparent mode anymore... Not sure... Anyway here's a list of things I can't do from my workstations:

* Ping an external machine (yahoo.fr for example),
* Run SecondLife,
* Log into my yahoo IM account with Gaim,
* Access an external POP server.

If anyone has ever seen something like this I'm interested...

Thanks in advance,

Seb.
"How high does the sycamore grows? If you cut it down, you'll never know!" - Vanessa Williams, Pocahontas.

« Reply #1 on: July 08, 2007, 08:31:21 PM »
I'm in the process of upgrading to 7.1... We'll see if this solves the problem.

mmccarn
« Reply #2 on: July 08, 2007, 08:44:33 PM »
Sounds like a routing problem to me: if your workstations have the wrong gateway configured, or have a malfunctioning gateway configured, but can still access the proxy server, then configuring a proxy server in your browser would let you browse...

The questions I have are:
* why do you have a netgear router between your workstations and your SME LAN?  (or, is this really a switch and wireless access point)?

* What is the change that you made?

« Reply #3 on: July 08, 2007, 09:00:55 PM »
Hi,

I bought that router to use it as a wireless access point, nothing more.

My ISP made a change on my line (not going into the details - this is not necessary), my old modem wasn't working anymore. So I requested my ISP to send me the hardware they should have sent me 3 years ago and that I never received.
I was so happy with my simple modem... It was working just fine!
Their hardware is some kind of modem / router... But the router functions aren't enabled, I don't need them, so it *should* be acting as a modem.

This was the only real change... But I didn't understand immediately that my old modem was the reason why I was offline, so I tried a lot of things. I think everything is back to normal now but I could be making a mistake, maybe I changed something and don't remember it.

Seb.

« Reply #4 on: July 08, 2007, 10:22:54 PM »
Ok it seems the problem doesn't come from my router... I put my old switch back, and I get the same behavior.

Seb.

« Reply #5 on: July 08, 2007, 10:47:58 PM »
A traceroute from my laptop goes through the server but doesn't go any further...


Code:
pc-00249:/home/seb # traceroute yahoo.fr
traceroute to yahoo.fr (217.146.186.221), 30 hops max, 40 byte packets
 1  sme-server-7.cmp-france.homelinux.org (192.168.1.20)  1.019 ms   1.035 ms   1.384 ms
 2  * * *



... while from the server itself...


Code:

[root@sme-server-7 ~]# traceroute yahoo.fr
traceroute: Warning: yahoo.fr has multiple addresses; using 217.146.186.221
traceroute to yahoo.fr (217.146.186.221), 30 hops max, 38 byte packets
 1  88.176.98.254 (88.176.98.254)  27.589 ms  27.515 ms  27.309 ms
 2  213.228.23.254 (213.228.23.254)  28.164 ms  28.303 ms  27.797 ms
 3  * * *
 4  te-3-4.car1.Paris1.Level3.net (212.73.207.33)  29.712 ms

« Reply #6 on: July 08, 2007, 11:40:48 PM »
One stupid question if I may...
Is Squid in charge of ALL the requests made by the workstations? Http, ftp, pings, IM, SecondLife, etc...? If not then the problem's probably elsewhere.

Seb.

raem
« Reply #7 on: July 09, 2007, 12:18:16 AM »
Old Lodge Skins

> I'm in the process of upgrading to 7.1...

Nothing to do with your immediate issue, but read the FAQ about repositories & yum, to save you other problems in the future.
...

« Reply #8 on: July 09, 2007, 12:21:52 AM »
Quote from: "RayMitchell"
> Old Lodge Skins
>
> > I'm in the process of upgrading to 7.1...
>
> Nothing to do with your immediate issue, but read the FAQ about repositories & yum, to save you other problems in the future.


I've already done that ;)
The update went fine, I just have a strange problem with the webmail but I'll see that later... I rarely need it anyway.

« Reply #9 on: July 09, 2007, 04:09:59 PM »
As somebody suggested in another forum, I tried to change my router's IP to have it on a different branch... It's now in 192.168.2.1 while my local network is 192.168.1.x but no result I still get the same thing.

mmccarn
« Reply #10 on: July 10, 2007, 12:53:38 AM »
Is your SME providing DHCP?  Perhaps it was once turned off (when you were using the old modem/router)?

Is DHCP disabled on the Netgear router?  If there are two DHCP servers enabled on one network you'll get odd results: (usually) whichever boots up last will politely turn itself off until manually restarted...

If you run "ipconfig" on your workstation, is the SME server the default gateway, and do all the network masks match (workstation, SME eth0, ADSL modem, etc)?

Are your SME network cards on different networks?  Perhaps the old modem fed a public IP to eth1, but the new modem/router may be feeding it a 192.168.1.x number?

(I'm obviously grasping at straws here...)

« Reply #11 on: July 10, 2007, 01:11:36 AM »
Hi,

I've already checked all the most obvious possible causes...

* yes, the router can be a DHCP server but this functionality is currently disabled. I even tried with my old switch to make sure the problem didn't come from the router... Same result.
* The SME has two different networks on each card. eth1 (outside) is 88.xx (I don't remember it completely it's 1AM here), eth0 (inside) is 192.168.0.xx (I changed it recently to get back to my old settings from before I moved the server just in case, it was 192.168.1.xx when I started the thread),
* The router has had a couple of different addresses due to advice on another forum... It makes no difference if it's on the same network as SME's eth0 or not.
* The workstations have their IPs from DHCP between 192.168.0.50 to 0.259 while the server is 192.168.0.20
* ipconfig is a winthing tool ;)
ra0 below is my wireless card on my laptop:

Code:

Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 ra0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.0.20    0.0.0.0         UG    0      0        0 ra0

It looks to be the same as the example here: http://en.opensuse.org/SDB:Using_an_ADSL_Router_in_SUSE_LINUX#Default_Gateway
so I guess it's OK...

Seb.

mmccarn
« Reply #12 on: July 10, 2007, 01:36:22 AM »
It looks like your routing and IPs are all fine.

Is it possible that your iptables are non-standard?  (I think there's a way to install Dansguardian that allows only proxied internet access and denies everything else, for example...)

On my SME 7.1.3 it looks like the default masq NAT rules are in /etc/e-smith/templates/etc/rc.d/init.d/masq/40masqLAN:
Code:
    /sbin/iptables --table nat --new-chain PostroutingOutbound
    /sbin/iptables --table nat --append PostroutingOutbound \
        --source $OUTERNET -j ACCEPT
    /sbin/iptables --append PostroutingOutbound -t nat -j MASQUERADE
    if [ -n "$OUTERIF" ]; then
        /sbin/iptables --append POSTROUTING -t nat \
            --out-interface $OUTERIF -j PostroutingOutbound
    fi

« Reply #13 on: July 10, 2007, 01:47:21 AM »
On the other forum where I've asked they seem to be saying there's something weird with my iptables rules... About the FORWARD chain. As I don't know anything about iptables maybe you'll understand something from this:

[root@sme-server-7 ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 14986 packets, 14M bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023
0 0 DROP udp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023
0 0 DROP tcp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
0 0 DROP icmp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 icmp type 8

Chain FORWARD (policy DROP 95 packets, 5772 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 8994 packets, 4616K bytes)
pkts bytes target prot opt in out source destination

Chain ForwardedTCP (0 references)
pkts bytes target prot opt in out source destination
0 0 ForwardedTCP_3345 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 denylog tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02

Chain ForwardedTCP_3345 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.249 tcp dpts:13000:13050
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.249 tcp dpt:443
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.249 tcp dpts:12035:12036
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.249 tcp dpt:12043

Chain ForwardedUDP (0 references)
pkts bytes target prot opt in out source destination
0 0 ForwardedUDP_3345 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 denylog udp -- * * 0.0.0.0/0 0.0.0.0/0

Chain ForwardedUDP_3345 (1 references)
pkts bytes target prot opt in out source destination

Chain InboundICMP (0 references)
pkts bytes target prot opt in out source destination
0 0 InboundICMP_3345 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 denylog icmp -- * * 0.0.0.0/0 0.0.0.0/0

Chain InboundICMP_3345 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12
0 0 denylog all -- * * 0.0.0.0/0 0.0.0.0/0

Chain InboundTCP (0 references)
pkts bytes target prot opt in out source destination
0 0 InboundTCP_3345 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 denylog tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02

Chain InboundTCP_3345 (1 references)
pkts bytes target prot opt in out source destination
0 0 denylog all -- * * 0.0.0.0/0 !88.176.98.14
0 0 REJECT tcp -- * * 0.0.0.0/0 88.176.98.14 tcp dpt:113 reject-with tcp-reset
0 0 ACCEPT tcp -- * * 0.0.0.0/0 88.176.98.14 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 88.176.98.14 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 88.176.98.14 tcp dpt:3306
0 0 ACCEPT tcp -- * * 0.0.0.0/0 88.176.98.14 tcp dpt:995
0 0 ACCEPT tcp -- * * 0.0.0.0/0 88.176.98.14 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 88.176.98.14 tcp dpt:465

Chain InboundUDP (0 references)
pkts bytes target prot opt in out source destination
0 0 InboundUDP_3345 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 denylog udp -- * * 0.0.0.0/0 0.0.0.0/0

Chain InboundUDP_3345 (1 references)
pkts bytes target prot opt in out source destination
0 0 denylog all -- * * 0.0.0.0/0 !88.176.98.14

Chain PPPconn (0 references)
pkts bytes target prot opt in out source destination
0 0 PPPconn_1 all -- * * 0.0.0.0/0 0.0.0.0/0

Chain PPPconn_1 (1 references)
pkts bytes target prot opt in out source destination

Chain denylog (10 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:137:139
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `denylog:' queue_threshold 1
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain gre-in (0 references)
pkts bytes target prot opt in out source destination
0 0 denylog all -- * * 0.0.0.0/0 !88.176.98.14
0 0 denylog all -- * * 0.0.0.0/0 0.0.0.0/0

Chain local_chk (0 references)
pkts bytes target prot opt in out source destination
0 0 local_chk_3345 all -- * * 0.0.0.0/0 0.0.0.0/0

Chain local_chk_3345 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 192.168.0.0/24 0.0.0.0/0

Chain state_chk (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

« Reply #14 on: July 10, 2007, 01:48:44 AM »
and my  /etc/e-smith/templates/etc/rc.d/init.d/masq/40masqLAN:

Code:
    /sbin/iptables --table nat --new-chain PostroutingOutbound
    /sbin/iptables --table nat --append PostroutingOutbound \
        --source $OUTERNET -j ACCEPT
    /sbin/iptables --append PostroutingOutbound -t nat -j MASQUERADE
    if [ -n "$OUTERIF" ]; then
        /sbin/iptables --append POSTROUTING -t nat \
            --out-interface $OUTERIF -j PostroutingOutbound
    fi



... looks just like yours.
"How high does the sycamore grows? If you cut it down, you'll never know!" - Vanessa Williams, Pocahontas.
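
An added example (not part of the thread, and not SME Server's own tooling): a shell function that reads `iptables -L -n -v` output such as the listing in Reply #13 and flags the two things visible there, a built-in chain whose policy is DROP with no rules at all, and user-defined chains that nothing references. With FORWARD in that state every routed packet is dropped, while traffic addressed to the server itself (the proxy) still passes through INPUT. The function names and the abridged sample are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Reads `iptables -L -n -v` text on stdin.
# Prints "EMPTY_DROP <chain>" for a built-in chain with policy DROP and no
# rules, and "UNREFERENCED <chain>" for a user chain with 0 references.
audit_filter_table() {
    awk '
    function report() {
        if (chain == "") return
        if (builtin && policy == "DROP" && rules == 0) print "EMPTY_DROP " chain
        if (!builtin && refs == 0) print "UNREFERENCED " chain
    }
    /^Chain / {
        report()                          # close the previous chain
        chain = $2; rules = 0
        if ($3 == "(policy") {            # built-in: "Chain FORWARD (policy DROP ..."
            builtin = 1; policy = $4; sub(/\)$/, "", policy)
        } else {                          # user chain: "Chain X (0 references)"
            builtin = 0; refs = substr($3, 2) + 0
        }
        next
    }
    /^ *pkts / || /^ *$/ { next }         # column header or blank line
    chain != "" { rules++ }               # anything else inside a chain is a rule
    END { report() }
    '
}

# Constructed sample, abridged from the listing posted in the thread.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 14986 packets, 14M bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 icmp type 8

Chain FORWARD (policy DROP 95 packets, 5772 bytes)
pkts bytes target prot opt in out source destination

Chain ForwardedTCP (0 references)
pkts bytes target prot opt in out source destination
0 0 ForwardedTCP_3345 all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ForwardedTCP_3345 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.249 tcp dpt:443
EOF
}

sample_listing | audit_filter_table
```

On a live server, `iptables -L -n -v | audit_filter_table` produces the same report for the running filter table.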