Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: Old Lodge Skins on July 08, 2007, 06:57:02 PM
-
Hi all,
I've had to make a change in the way my SME 7.0 server connects to the Internet recently... Since then I'm having trouble accessing the internet through my workstations. I've had a week of downtime and while searching why I was unable to access the internet I may have changed something important in my setup but I doubt it...
OpenSUSE 10.2 (wireless) + Vector Linux 5.1 (wired)
|
|
|
Netgear router
|
|
|
SME (eth0)
SME(eth1)
|
|
|
ADSL modem
Now the strange thing is that my workstations can access the internet... Only if I set up a proxy in my browsers! Which makes me think that Squid isn't working in transparent mode anymore... Not sure... Anyway here's a list of things I can't do from my workstations:
* Ping an external machine (yahoo.fr for example),
* Run SecondLife,
* Log into my yahoo IM account with Gaim,
* Access an external POP server.
If anyone has ever seen something like this I'm interested...
Thanks in advance,
Seb.
-
I'm in the process of upgrading to 7.1... We'll see if this solves the problem.
-
Sounds like a routing problem to me: if your workstations have the wrong gateway configured, or have a malfunctioning gateway configured, but can still access the proxy server, then configuring a proxy server in your browser would let you browse...
The questions I have are:
* why do you have a netgear router between your workstations and your SME LAN? (or, is this really a switch and wireless access point)?
* What is the change that you made?
-
Hi,
I bought that router to use it as a wireless access point, nothing more.
My ISP made a change on my line (not going into the details - this is not necessary), my old modem wasn't working anymore. So I requested my ISP to send me the hardware they should have sent me 3 years ago and that I never received.
I was so happy with my simple modem... It was working just fine!
Their hardware is some kind of modem / router... But the router functions aren't enabled; I don't need them, so it *should* be acting as a modem.
This was the only real change... But I didn't understand immediately that my old modem was the reason why I was offline, so I tried a lot of things. I think everything is back to normal now but I could be making a mistake, maybe I changed something and don't remember it.
Seb.
-
Ok it seems the problem doesn't come from my router... I put my old switch back, and I get the same behavior.
Seb.
-
A traceroute from my laptop goes through the server but doesn't go any further...
pc-00249:/home/seb # traceroute yahoo.fr
traceroute to yahoo.fr (217.146.186.221), 30 hops max, 40 byte packets
1 sme-server-7.cmp-france.homelinux.org (192.168.1.20) 1.019 ms 1.035 ms 1.384 ms
2 * * *
... while from the server itself...
[root@sme-server-7 ~]# traceroute yahoo.fr
traceroute: Warning: yahoo.fr has multiple addresses; using 217.146.186.221
traceroute to yahoo.fr (217.146.186.221), 30 hops max, 38 byte packets
1 88.176.98.254 (88.176.98.254) 27.589 ms 27.515 ms 27.309 ms
2 213.228.23.254 (213.228.23.254) 28.164 ms 28.303 ms 27.797 ms
3 * * *
4 te-3-4.car1.Paris1.Level3.net (212.73.207.33) 29.712 ms
-
One stupid question if I may...
Is Squid in charge of ALL the requests made by the workstations? Http, ftp, pings, IM, SecondLife, etc...? If not then the problem's probably elsewhere.
Seb.
-
Old Lodge Skins
> I'm in the process of upgrading to 7.1...
Nothing to do with your immediate issue, but read the FAQ about repositories & yum, to save you other problems in the future.
-
> Old Lodge Skins
> > I'm in the process of upgrading to 7.1...
> Nothing to do with your immediate issue, but read the FAQ about repositories & yum, to save you other problems in the future.
I've already done that ;)
The update went fine, I just have a strange problem with the webmail but I'll see that later... I rarely need it anyway.
-
As somebody suggested in another forum, I tried to change my router's IP to have it on a different branch... It's now 192.168.2.1 while my local network is 192.168.1.x, but no result, I still get the same thing.
-
Is your SME providing DHCP? Perhaps it was once turned off (when you were using the old modem/router)?
Is DHCP disabled on the Netgear router? If there are two DHCP servers enabled on one network you'll get odd results: (usually) whichever boots up last will politely turn itself off until manually restarted...
If you run "ipconfig" on your workstation, is the SME server the default gateway, and do all the network masks match (workstation, SME eth0, ADSL modem, etc)?
Are your SME network cards on different networks? Perhaps the old modem fed a public IP to eth1, but the new modem/router may be feeding it a 192.168.1.x number?
(I'm obviously grasping at straws here...)
-
Hi,
I've already checked all the most obvious possible causes...
* yes, the router can be a DHCP server but this functionality is currently disabled. I even tried with my old switch to make sure the problem didn't come from the router... Same result.
* The SME has two different networks on each card. eth1 (outside) is 88.xx (I don't remember it completely, it's 1 AM here), eth0 (inside) is 192.168.0.xx (I changed it recently to get back to my old settings from before I moved the server, just in case; it was 192.168.1.xx when I started the thread),
* The router has had a couple of different addresses due to advice on another forum... It makes no difference if it's on the same network as SME's eth0 or not.
* The workstations have their IPs from DHCP between 192.168.0.50 to 0.259 while the server is 192.168.0.20
* ipconfig is a Windows thing ;)
ra0 below is my wireless card on my laptop:
Table de routage IP du noyau
Destination Passerelle Genmask Indic Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 ra0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.0.20 0.0.0.0 UG 0 0 0 ra0
It looks to be the same as the example here: http://en.opensuse.org/SDB:Using_an_ADSL_Router_in_SUSE_LINUX#Default_Gateway
so I guess it's OK...
Seb.
-
It looks like your routing and IPs are all fine.
Is it possible that your iptables are non-standard? (I think there's a way to install Dansguardian that allows only proxied internet access and denies everything else, for example...)
On my SME 7.1.3 it looks like the default masq NAT rules are in /etc/e-smith/templates/etc/rc.d/init.d/masq/40masqLAN:
/sbin/iptables --table nat --new-chain PostroutingOutbound
/sbin/iptables --table nat --append PostroutingOutbound \
--source $OUTERNET -j ACCEPT
/sbin/iptables --append PostroutingOutbound -t nat -j MASQUERADE
if [ -n "$OUTERIF" ]; then
/sbin/iptables --append POSTROUTING -t nat \
--out-interface $OUTERIF -j PostroutingOutbound
fi
-
On the other forum where I've asked they seem to be saying there's something weird with my iptables rules... About the FORWARD chain. As I don't know anything about iptables maybe you'll understand something from this:
[root@sme-server-7 ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 14986 packets, 14M bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023
0 0 DROP udp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023
0 0 DROP tcp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
0 0 DROP icmp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 icmp type 8
Chain FORWARD (policy DROP 95 packets, 5772 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 8994 packets, 4616K bytes)
pkts bytes target prot opt in out source destination
Chain ForwardedTCP (0 references)
pkts bytes target prot opt in out source destination
0 0 ForwardedTCP_3345 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 denylog tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
Chain ForwardedTCP_3345 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.249 tcp dpts:13000:13050
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.249 tcp dpt:443
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.249 tcp dpts:12035:12036
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.249 tcp dpt:12043
Chain ForwardedUDP (0 references)
pkts bytes target prot opt in out source destination
0 0 ForwardedUDP_3345 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 denylog udp -- * * 0.0.0.0/0 0.0.0.0/0
Chain ForwardedUDP_3345 (1 references)
pkts bytes target prot opt in out source destination
Chain InboundICMP (0 references)
pkts bytes target prot opt in out source destination
0 0 InboundICMP_3345 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 denylog icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain InboundICMP_3345 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12
0 0 denylog all -- * * 0.0.0.0/0 0.0.0.0/0
Chain InboundTCP (0 references)
pkts bytes target prot opt in out source destination
0 0 InboundTCP_3345 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 denylog tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
Chain InboundTCP_3345 (1 references)
pkts bytes target prot opt in out source destination
0 0 denylog all -- * * 0.0.0.0/0 !88.176.98.14
0 0 REJECT tcp -- * * 0.0.0.0/0 88.176.98.14 tcp dpt:113 reject-with tcp-reset
0 0 ACCEPT tcp -- * * 0.0.0.0/0 88.176.98.14 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 88.176.98.14 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 88.176.98.14 tcp dpt:3306
0 0 ACCEPT tcp -- * * 0.0.0.0/0 88.176.98.14 tcp dpt:995
0 0 ACCEPT tcp -- * * 0.0.0.0/0 88.176.98.14 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 88.176.98.14 tcp dpt:465
Chain InboundUDP (0 references)
pkts bytes target prot opt in out source destination
0 0 InboundUDP_3345 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 denylog udp -- * * 0.0.0.0/0 0.0.0.0/0
Chain InboundUDP_3345 (1 references)
pkts bytes target prot opt in out source destination
0 0 denylog all -- * * 0.0.0.0/0 !88.176.98.14
Chain PPPconn (0 references)
pkts bytes target prot opt in out source destination
0 0 PPPconn_1 all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PPPconn_1 (1 references)
pkts bytes target prot opt in out source destination
Chain denylog (10 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:137:139
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `denylog:' queue_threshold 1
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain gre-in (0 references)
pkts bytes target prot opt in out source destination
0 0 denylog all -- * * 0.0.0.0/0 !88.176.98.14
0 0 denylog all -- * * 0.0.0.0/0 0.0.0.0/0
Chain local_chk (0 references)
pkts bytes target prot opt in out source destination
0 0 local_chk_3345 all -- * * 0.0.0.0/0 0.0.0.0/0
Chain local_chk_3345 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 192.168.0.0/24 0.0.0.0/0
Chain state_chk (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
-
and my /etc/e-smith/templates/etc/rc.d/init.d/masq/40masqLAN:
/sbin/iptables --table nat --new-chain PostroutingOutbound
/sbin/iptables --table nat --append PostroutingOutbound \
--source $OUTERNET -j ACCEPT
/sbin/iptables --append PostroutingOutbound -t nat -j MASQUERADE
if [ -n "$OUTERIF" ]; then
/sbin/iptables --append POSTROUTING -t nat \
--out-interface $OUTERIF -j PostroutingOutbound
fi
... looks just like yours.
-
Yes, but your 'FORWARD' chain does indeed look abbreviated; here's what I get from iptables -L -n -v ( I have several forwarding rules configured):
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5046K 7147M state_chk all -- * * 0.0.0.0/0 0.0.0.0/0
2248 366K local_chk all -- * * 0.0.0.0/0 0.0.0.0/0
13 4536 PPPconn all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 denylog all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 denylog all -- * * 0.0.0.0/0 224.0.0.0/4
0 0 InboundICMP icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 denylog icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 InboundTCP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
0 0 denylog tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
13 4536 InboundUDP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 denylog udp -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 gre-in 47 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 denylog 47 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 denylog all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 state_chk all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 local_chk all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ForwardedTCP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
0 0 ForwardedUDP udp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 denylog all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2519K 147M PPPconn all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 denylog all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 denylog all -- * * 0.0.0.0/0 224.0.0.0/4
2519K 147M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ForwardedTCP (1 references)
pkts bytes target prot opt in out source destination
0 0 ForwardedTCP_3600 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 denylog tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
Chain ForwardedTCP_3600 (1 references)
pkts bytes target prot opt in out source destination
Chain ForwardedUDP (1 references)
pkts bytes target prot opt in out source destination
0 0 ForwardedUDP_3600 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 denylog udp -- * * 0.0.0.0/0 0.0.0.0/0
Chain ForwardedUDP_3600 (1 references)
pkts bytes target prot opt in out source destination
Chain InboundICMP (1 references)
pkts bytes target prot opt in out source destination
0 0 InboundICMP_3600 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 denylog icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain InboundICMP_3600 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12
0 0 denylog all -- * * 0.0.0.0/0 0.0.0.0/0
Chain InboundTCP (1 references)
pkts bytes target prot opt in out source destination
0 0 InboundTCP_3600 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 denylog tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
Chain InboundTCP_3600 (1 references)
pkts bytes target prot opt in out source destination
0 0 denylog all -- * * 0.0.0.0/0 !192.168.200.1
0 0 REJECT tcp -- * * 0.0.0.0/0 192.168.200.1 tcp dpt:113 reject-with tcp-reset
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.200.1 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.200.1 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.200.1 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.200.1 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.200.1 tcp dpt:2222
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.200.1 tcp dpt:465
Chain InboundUDP (1 references)
pkts bytes target prot opt in out source destination
13 4536 InboundUDP_3600 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 denylog udp -- * * 0.0.0.0/0 0.0.0.0/0
Chain InboundUDP_3600 (1 references)
pkts bytes target prot opt in out source destination
13 4536 denylog all -- * * 0.0.0.0/0 !192.168.200.1
Chain PPPconn (2 references)
pkts bytes target prot opt in out source destination
2519K 147M PPPconn_1 all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PPPconn_1 (1 references)
pkts bytes target prot opt in out source destination
Chain denylog (20 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:137:139
13 4536 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `denylog:' queue_threshold 1
13 4536 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain gre-in (1 references)
pkts bytes target prot opt in out source destination
0 0 denylog all -- * * 0.0.0.0/0 !192.168.200.1
0 0 denylog all -- * * 0.0.0.0/0 0.0.0.0/0
Chain local_chk (2 references)
pkts bytes target prot opt in out source destination
2248 366K local_chk_3600 all -- * * 0.0.0.0/0 0.0.0.0/0
Chain local_chk_3600 (1 references)
pkts bytes target prot opt in out source destination
372 25290 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1863 336K ACCEPT all -- * * 192.168.200.0/24 0.0.0.0/0
Chain state_chk (2 references)
pkts bytes target prot opt in out source destination
5044K 7147M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Do you have any custom templates for masq in /etc/e-smith/templates-custom/etc/rc.d/init.d/masq?
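The two dumps above differ in one place that explains the whole symptom: a FORWARD chain with policy DROP and no rules means nothing routed through the server is forwarded (the 95 packets counted on the policy are the workstations' traffic being dropped), while traffic that terminates on the server itself, such as browser requests to Squid, is handled by INPUT and still works. The following is an added example, not code from the thread or from SME Server: it parses `iptables -L -n -v` output in the format shown above and reports which of the jumps the stock ruleset installs in FORWARD (taken from the healthy dump) are missing. The two sample dumps are constructed, abridged copies of the ones posted here.

```python
import re

# Jumps the stock SME Server ruleset installs in FORWARD (from the healthy dump above).
EXPECTED_FORWARD = ["state_chk", "local_chk", "ForwardedTCP", "ForwardedUDP", "denylog"]

# Matches both "Chain X (policy DROP 95 packets, ...)" and "Chain X (10 references)".
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\d+) packets|\d+ references)")

def parse_chains(dump):
    """Parse `iptables -L -n -v` text into {chain: {policy, policy_pkts, targets}}."""
    chains, current = {}, None
    for line in dump.splitlines():
        line = line.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2),
                               "policy_pkts": int(m.group(3)) if m.group(3) else None,
                               "targets": []}
            continue
        if not current or not line or line.startswith("pkts"):
            continue
        # columns: pkts bytes target prot opt in out source destination [extra]
        fields = line.split()
        if len(fields) >= 3:
            chains[current]["targets"].append(fields[2])
    return chains

def check_forward(dump):
    """FORWARD policy, packets that fell through to a DROP policy, and absent jumps."""
    fwd = parse_chains(dump).get("FORWARD")
    if fwd is None:
        return {"policy": None, "policy_drops": None, "missing": list(EXPECTED_FORWARD)}
    return {"policy": fwd["policy"],
            "policy_drops": fwd["policy_pkts"] if fwd["policy"] == "DROP" else 0,
            "missing": [t for t in EXPECTED_FORWARD if t not in fwd["targets"]]}

# Constructed sample: abridged from the broken dump posted in the thread.
BROKEN_DUMP = """\
Chain FORWARD (policy DROP 95 packets, 5772 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 8994 packets, 4616K bytes)
 pkts bytes target prot opt in out source destination
"""

# Constructed sample: abridged from the healthy dump posted in the thread.
HEALTHY_DUMP = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0 0 state_chk all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 local_chk all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 ForwardedTCP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
    0 0 ForwardedUDP udp -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 denylog all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
"""
```

Feed it the output of `iptables -L -n -v` on the gateway; on the broken box it reports all five jumps missing and 95 packets dropped by the policy, on the healthy one nothing missing.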
-
Nope, it doesn't go further than /etc/e-smith/templates-custom/etc/ then I only have httpd and proftpd.conf in there.
Do you know if there's a way to restore the iptables rules from the beginning?
-
Old Lodge Skins
> ...Do you know if there's a way to restore the iptables rules from the beginning?
remove any custom templates
remove any add on packages you installed
signal-event post-upgrade
reboot
Test if OK
Install any packages you require & test again
Redo any custom template changes you require & test again.
Note that rpms should not put templates in the custom templates area.
-
... Well since I have not made any custom template...
I could try to remove snort. Actually I didn't install many contribs on this server... Well, at least I can try this. I'll see that this afternoon.
Seb.
-
Old Lodge Skins
You could try
signal-event post-upgrade
reboot
but if you have template fragments that are creating wrong settings, then the same wrong settings will be automatically recreated.
It's worth a try though.
If that doesn't fix things, then remove snort and anything else you have installed & do the post upgrade reboot again.
-
Ray, I've done a signal-event post-upgrade & reboot several times already...
Actually at the moment I'm thinking that if I can find enough room on another hard drive to make a backup of my data, I'd better install a fresh new 7.1.3; it'd be simpler.
Seb.
-
Ok guys thanks to all for your help... Problem solved by reinstalling the whole beast. I should have done that sooner, took me less than one hour...
Seb.