Topic: Internet gateway not working

[dustyp]

I have been using SME as for an email and web server for much of the past decade, upgrading as late betas are released.
Until Christmas, I was using SME 8.1 ß1 as a stand alone server connected to my DMZ thence via an IPcop gateway to my ISP via an FDDC connection.
During storms at Chrismas, my ipcop machine was affected by lightning, causing lethal damage.
I decided to put an extra NIC in the SME machine and use it as an internet gateway, but it doesn't want to work that way.
The WAN port connects to my ISP correctly on 217.146.113.153 via PPPoATM, and my internal network is on the 192.168.254.0/24 subnet.
The client machines correctly connect via DHCP. but cnnot connectb to the internet, though they do show pages hosted by the SME server.  They can not ping outside addresses either.
Outside addresses can be pinged from a root session on the SME server, and it reports that it can access contribs.org when logged in as admin.
It looks to me as if it still thinks it's part of the no longer existant DMZ.
Any ideas on what I am doing wrong and how to correct it, please?
I've temporarily disconnected the SME box and replaced it with a FritzBox, which means I can no longer receive emails (due to NAT)

Many thanks, and happy new year,
  - Dusty

[idp_qbn]

Did you use the proxy server on the IPCOP ?
If my memory is correct, the proxy was Port 800. Your PCs may still be set to use the old proxy server (if you used it).

If that is the problem, there are at least three solutions (there may be more):
1) set the SME Server to supply proxy services and set each CP to use the proxy port (3128 on SME)
or
2) Disable Proxy on SME and then go to each PC and make sure they are set to not use a proxy server
or
3) Set SME to supply DHCP for your LAN (it should be the only DHCP server) and your PCs to automatically detect settings (in IE Browser's Internet settings).

Google will show you how to do all this.

Good luck
Ian

[dustyp]

Thanks, Ian but no help.
I have not used proxy server on any of the PCs here  for several years. IMHO it creates more problems than it solves.
I'll try using the SME proxy and let you know the result.
No problemswith multiple DHCP servers as that's a schoolboy error and the first place I looked.
I  think I need to wait for the shops to open tomorrow so I can replace the destroyed parts of the IPcop box then return to the original setup.

[idp_qbn]

Ah, well  - good luck anyway.
Hopefully there really is something very simple that is causing the problem. SME shouldn't but one of it's settings may. Have you checked the proxy server settings on the SME? If you don't use them on the PCs and the SME Proxy IS enabled, it may be the problem.

see http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter11#Proxy_settings

Cheers
Ian

[dustyp]

As external sites can be pinged from the console, but not from clients, I now suspect the problem to be the internal firewall.

The result of iptables --list is
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

What should it be?

[dustyp]

Proble half solved-
I made a full backup to USB then I downgraded (or upgrade - depends on how you look at it).
 from 8.1 beta2 to 8.0 and it all started working OK
Then I restored from my backup so I would have all the emails and webs whereupon it stopped working again in spite of reporting 8.0.How can I restore my users, groups emails and web site alone?
HELP!
  - Dusty

[idp_qbn]

Have you checked the proxy server setting on the SME? (server-manager - security section - Proxy settings)
It is on by default in a fresh install, at least up yo v8.0, not sure about newer versions.
Try disabling it (drop down list is Disable or Enable) and see if that helps.
If not, I am at the limits of my knowledge......hopefully someone with more knowledge can step in.

Cheers - and sorry your New Year has got off to such an "exciting" start.
Ian

[janet]

dustyp

I downgraded from 8.1 beta2 to 8.0 and it all started working OK

I assume you mean "it all worked again" on a default install of sme8.0 OS without extensive configuration or modification.
That implies that a default sme server is working correctly & your general network setup is OK (ie allowing access to Internet from workstations), but also implies that your production sme server configuration or modifications are the source of the issue you are experiencing.

You need to use the troubleshooting tools available to see what changes you have made to your sme server that may be the source of the problem.
See /sbin/e-smith/audittools
particularly run these commands
/sbin/e-smith/audittools/newrpms
/sbin/e-smith/audittools/templates

This also may help if you understand the output
iptables -L

There may be custom templates that are causing the issue, only you know what changes you have made to your server.
There may be a contrib installed that is blocking access.

You could temporarily move any/all custom templates to a safe location, then do
signal-event post-upgrade
signal-event reboot

& see if access is again available.

Then I restored from my backup so I would have all the emails and webs whereupon it stopped working again in spite of reporting 8.0.How can I restore my users, groups emails and web site alone?

It's easy enough to manually restore emails & web sites in ibays, but restoring users & groups (only) is difficult as the configuration data is stored in various db files & locations along with system configuration settings & cannot easily be extracted (on its own).
To restore users & groups & other necessary configuration to restore those, will also include system configuration & end up repeating (restoring) the same issues you are having now.

See this Howto for an overview of backup & restore including non standard procedures, which may be of limited assistance to you.
http://wiki.contribs.org/Backup_server_config

I think the best answer is to troubleshoot your system, per above suggestions.
Post the output of those commands here so others can see.

PS If you start randomly changing settings on your server etc, that only makes it harder to track what has happened, so resist making hurried or trial & error changes. Investigate & diagnose first.

[idp_qbn]

Janet,
Thank you for those tips on troubleshooting - one is never too old to learn. (At least, not yet!)
I muddle on with a limited Linux / SME knowledge and a rapidly fading experience with NT Domains (prior to Active Directory)

Ah, well .....

Cheers
Ian

[janet]

idp_qbn

If you spend some time regularly reading the bugzilla reports, you will get/see some good troubleshooting procedures.

[janet]

dustyp

You could also read the sme server squid logs to see why access is not being allowed.

Are you sure that the workstations are using the sme server as their gateway ?
In Windows
Start
Run
type in cmd & press Enter
in the DOS window type
ipconfig
The Default Gateway should be the sme server LAN IP.

[chris burnat]

Moving to General Discussion where it is more appropriate, as requested.

[CharlieBrady]

The result of iptables --list is
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

What should it be?

It should be very different to that - and too long to list here.

What does:

config show masq

show? It looks like the 'masq' service (which configures iptables in SME server) is either disabled, or broken.

[dustyp]

Many thanks for helping me to get ths working especially to Ian, Janet and Charlie.
I don't know whether this was a correct or allowable way, but it partially worked for me:

I backed up from my non-working server to a large USB drive via 'backup to removable media' on the conslole admin menu.
When this had completed, I performed a  fresh install  of SME 8.0 and  checked that clients connected to the internet correctly.
I then extracted the .tgz file produced from the USB drive to my  PC with 7zip, then extracted the .tar file from the result - again with 7zip.  Inside were home, root and etc direcories. I opened home /e-smith/files and copied users (and all subbdirectories and files) to /home/e-smith/files on the server and all emails were restored.
For the web content, I copied everything under home\e-smith\files\ibays\ to the server, but the web pages come up with a "This web site is under construction" message so obviously I have done something wrong  or missed an essential step  or two.
Thanks,
  -  Dusty

[janet]

dustyp

..... the web pages come up with a "This web site is under construction" message so obviously I have done something wrong  or missed an essential step  or two.

You need to delete the original default index.html file from the ibay html folders in question.