Full Version: Internet Sharing still problem in MDK10 OE
bsyuni
I installed MDK 10 OE on my desktop. I have been using it with MDK 9.0, 9.1 and 9.2.

I had a little problem with internet sharing with all MDK 9.X. After several tries I succeeded.
This time it happens again, but in a slightly different way.

My home network is as follows:

Cable modem ---> DeskTop ---->Laptop1 and Laptop2

The desktop works fine.
Both laptops have MDK 10 OE. The laptops can use instant messenger. They can even access the MDK FTP mirror servers to update patches, and pinging yahoo.com also works. Even VNC works well. I can access my other remote desktop, which is in my office.

But I have a problem accessing the internet on the laptops. When I use Mozilla, the error message is "access denied".

It might be a firewall problem, but I do not have any idea.

Please help me.
[moved from Installing Mandrake by spinynorman]
streeter
First, have you tried another browser?
I suspect this could be a proxy problem, so check the settings in Mozilla. Also look at the settings in Mozilla on your desktop - copy them to a laptop. Best work on only one laptop for now.

Then, if no proxy is specified in mozilla, have you got a proxy server running on your desktop (eg, squid)?

Then, please post output of "iptables -nvL" and "iptables -nvL -t nat" - it is possible all http traffic is being directed to a (non running, or incorrectly set up) proxy by your firewall - I've seen this once or twice.

DON'T alter any network settings - if you can ftp and ping, basic networking is OK.

Chris
bsyuni
Thanks for your quick response.

I tried Mozilla, Konqueror, w3m and Opera, but they do not work so far.

I think squid was installed, because of the squid failing message during shutdown.
But I am not sure how I can figure out whether it works or not.

By the way, I have two ethernet cards.
eth0: for local setting
eth1: for internet connection

Both of them work under all MDK 9.X.

Here is what I have done.
I restarted the network service
CODE
[root@yuni bsyuni]# service network restart
Shutting down interface eth0:                                   [  OK  ]
Shutting down interface eth1:                                   [  OK  ]
Shutting down loopback interface:                               [  OK  ]
Disabling IPv4 packet forwarding:                               [  OK  ]
Setting network parameters:                                     [  OK  ]
Bringing up loopback interface:                                 [  OK  ]
Enabling IPv4 packet forwarding                                 [  OK  ]
Bringing up interface eth0:                                     [FAILED]
Bringing up interface eth1:                                     [  OK ]


As you see eth0 fails.

Bring up eth0 again
CODE
[root@yuni bsyuni]# ifup eth0

It seems eth0 works. But even if I skip 'ifup eth0', I get the same ifconfig output.
CODE
[root@yuni bsyuni]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:02:44:00:CE:2F  
         inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
         inet6 addr: fe80::202:44ff:fe00:ce2f/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:340 errors:0 dropped:0 overruns:0 frame:0
         TX packets:334 errors:0 dropped:0 overruns:0 carrier:0
         collisions:29 txqueuelen:1000
         RX bytes:28092 (27.4 Kb)  TX bytes:43582 (42.5 Kb)
         Interrupt:9 Base address:0x2040

eth1      Link encap:Ethernet  HWaddr 00:10:4B:0F:D2:13  
         inet addr:  Bcast:  Mask:
         inet6 addr: fe80::210:4bff:fe0f:d213/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:3269 errors:0 dropped:0 overruns:0 frame:0
         TX packets:341 errors:0 dropped:0 overruns:0 carrier:0
         collisions:9 txqueuelen:1000
         RX bytes:223335 (218.1 Kb)  TX bytes:27833 (27.1 Kb)
         Interrupt:11 Base address:0x2080

lo        Link encap:Local Loopback  
         inet addr:127.0.0.1  Mask:255.0.0.0
         inet6 addr: ::1/128 Scope:Host
         UP LOOPBACK RUNNING  MTU:16436  Metric:1
         RX packets:71 errors:0 dropped:0 overruns:0 frame:0
         TX packets:71 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:4670 (4.5 Kb)  TX bytes:4670 (4.5 Kb)


For iptables
CODE
[root@yuni bsyuni]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination        
  71  4670 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
   0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
  36  6513 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0          
   9  1880 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0          
   0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
   0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
   0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination        
   0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 261 34312 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0          
 274 17368 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0          
   0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
   0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
   0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination        
  71  4670 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0          
   0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
  20  1255 fw2net     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0          
   5   208 all2all    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0          
   0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
   0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
   0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain Drop (1 references)
pkts bytes target     prot opt in     out     source               destination        
  16  2456 RejectAuth  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
  16  2456 dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
  16  2456 DropSMB    all  --  *      *       0.0.0.0/0            0.0.0.0/0          
  16  2456 DropUPnP   all  --  *      *       0.0.0.0/0            0.0.0.0/0          
  16  2456 dropNonSyn  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
  12  2292 DropDNSrep  all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain DropDNSrep (2 references)
pkts bytes target     prot opt in     out     source               destination        
   0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53

Chain DropSMB (1 references)
pkts bytes target     prot opt in     out     source               destination        
   0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:135
   0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139
   0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:445
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:135
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445

Chain DropUPnP (2 references)
pkts bytes target     prot opt in     out     source               destination        
   0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1900

Chain Reject (4 references)
pkts bytes target     prot opt in     out     source               destination        
   6  1688 RejectAuth  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
   6  1688 dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
   1    48 RejectSMB  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
   1    48 DropUPnP   all  --  *      *       0.0.0.0/0            0.0.0.0/0          
   1    48 dropNonSyn  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
   1    48 DropDNSrep  all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain RejectAuth (2 references)
pkts bytes target     prot opt in     out     source               destination        
   0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113

Chain RejectSMB (1 references)
pkts bytes target     prot opt in     out     source               destination        
   0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:135
   0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139
   0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:445
   0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:135
   0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
   0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445

Chain all2all (2 references)
pkts bytes target     prot opt in     out     source               destination        
   4   160 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   6  1688 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
   1    48 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
   1    48 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain dropBcast (2 references)
pkts bytes target     prot opt in     out     source               destination        
   5  1640 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
   0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast

Chain dropNonSyn (2 references)
pkts bytes target     prot opt in     out     source               destination        
   4   164 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x16/0x02

Chain dynamic (4 references)
pkts bytes target     prot opt in     out     source               destination        

Chain eth0_fwd (1 references)
pkts bytes target     prot opt in     out     source               destination        
  72  6004 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
 274 17368 loc2net    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0          

Chain eth0_in (1 references)
pkts bytes target     prot opt in     out     source               destination        
   9  1880 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
   9  1880 loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain eth1_fwd (1 references)
pkts bytes target     prot opt in     out     source               destination        
   0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
 261 34312 net2all    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0          

Chain eth1_in (1 references)
pkts bytes target     prot opt in     out     source               destination        
  16  2456 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
  36  6513 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain fw2net (1 references)
pkts bytes target     prot opt in     out     source               destination        
  15   939 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
   5   316 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain icmpdef (0 references)
pkts bytes target     prot opt in     out     source               destination        

Chain loc2fw (1 references)
pkts bytes target     prot opt in     out     source               destination        
   0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   4   240 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3128
   5  1640 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain loc2net (1 references)
pkts bytes target     prot opt in     out     source               destination        
 202 11364 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  72  6004 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain net2all (2 references)
pkts bytes target     prot opt in     out     source               destination        
 281 38369 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  16  2456 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0          
  12  2292 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
  12  2292 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain reject (11 references)
pkts bytes target     prot opt in     out     source               destination        
   0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
   0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast
   0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0          
   0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0          
   0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
   0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
   1    48 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-unreachable
   0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain shorewall (0 references)
pkts bytes target     prot opt in     out     source               destination        

Chain smurfs (0 references)
pkts bytes target     prot opt in     out     source               destination        
   0     0 LOG        all  --  *      *       255.255.255.255      0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
   0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0          
   0     0 LOG        all  --  *      *       224.0.0.0/4          0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
   0     0 DROP       all  --  *      *       224.0.0.0/4    0.0.0.0/0            


Here is another one.
CODE
[root@yuni bsyuni]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 76 packets, 9875 bytes)
pkts bytes target     prot opt in     out     source               destination        
  64  7659 loc_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0          

Chain POSTROUTING (policy ACCEPT 24 packets, 1890 bytes)
pkts bytes target     prot opt in     out     source               destination        
  45  3573 eth1_masq  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0          

Chain OUTPUT (policy ACCEPT 17 packets, 1144 bytes)
pkts bytes target     prot opt in     out     source               destination        

Chain eth1_masq (1 references)
pkts bytes target     prot opt in     out     source               destination        
  32  2463 MASQUERADE  all  --  *      *       192.168.1.0/24       0.0.0.0/0          

Chain loc_dnat (1 references)
pkts bytes target     prot opt in     out     source               destination        
   4   240 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 3128
[root@yuni bsyuni]#


Whether the eth0 device fails or not, the laptops work with FTP, messenger
and VNC access.

Thank you in advance.
streeter
Quick reply - got to go out - sorry!

1) eth1 doesn't have an IP address assigned

2)
>>Chain loc_dnat (1 references)
>>pkts bytes target prot opt in out source destination
>> 4 240 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128

port 3128 is the squid proxy port - any http request getting to this rule will get redirected to squid - if it's not working....


Chris
streeter
Back again

So, do you need to use squid? I suspect not, but if so, you will need to configure it. Try the wizard, but they can be dodgy at times, and you seem to get a very long iptables list... select allow access to the local network. If this doesn't work, try webmin, or ask here - I have it working OK here.

If not, remove it with the package manager (preferred option). You should then remove the jump to the entry relating to the proxy from the PREROUTING table.
CODE
Chain PREROUTING (policy ACCEPT 76 packets, 9875 bytes)
pkts bytes target     prot opt in     out     source               destination        
 64  7659 loc_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0


This entry jumps to the entry in my last post if any packet comes in on eth0, then the loc_dnat table will match http packets (destination port 80) - which is most requests from your laptop browsers!!
It is possible that the proxy server wizard (found in mcc->server wizards->configure proxy) does this for you - anybody know about this?

You can remove the entry manually with (should work...):
CODE
iptables -t nat -D PREROUTING -i eth0 -j loc_dnat


Check with "iptables -nvL -t nat" and compare to the output of your last post.

If you needed to use the manual command, and your browsers now work, you could put the command at the end of /etc/rc.d/rc.local

Chris
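The rule path described in this post (PREROUTING jumps to loc_dnat, which redirects port 80 to local port 3128) can be checked mechanically. The following is an added example, not part of the original posts: it parses `iptables -nvL -t nat` output, follows jumps from PREROUTING, and reports REDIRECT rules whose local port is not in a caller-supplied set of listening ports. The function names are hypothetical, and the listening ports are assumed to come from a tool such as `netstat -ltn`.

```python
import re

# Nat-table listing copied from the thread (output of "iptables -nvL -t nat").
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 76 packets, 9875 bytes)
pkts bytes target     prot opt in     out     source               destination
  64  7659 loc_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 24 packets, 1890 bytes)
pkts bytes target     prot opt in     out     source               destination
  45  3573 eth1_masq  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain eth1_masq (1 references)
pkts bytes target     prot opt in     out     source               destination
  32  2463 MASQUERADE  all  --  *      *       192.168.1.0/24       0.0.0.0/0

Chain loc_dnat (1 references)
pkts bytes target     prot opt in     out     source               destination
   4   240 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 3128
"""


def parse_chains(text):
    """Map each chain name to its rules from "iptables -nvL" style output."""
    chains, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "Chain":
            current = chains.setdefault(parts[1], [])
        elif current is not None and len(parts) >= 9 and parts[0][0].isdigit():
            # Columns: pkts bytes target prot opt in out source destination [match text]
            current.append({"target": parts[2], "prot": parts[3],
                            "in": parts[5], "extra": " ".join(parts[9:])})
    return chains


def find_redirects(chains, chain="PREROUTING", path=(), iface="*"):
    """Follow jumps starting at PREROUTING and collect every REDIRECT rule reached."""
    found = []
    for rule in chains.get(chain, []):
        here = rule["in"] if rule["in"] != "*" else iface
        if rule["target"] == "REDIRECT":
            to_port = re.search(r"redir ports (\d+)", rule["extra"])
            dport = re.search(r"dpts?:(\S+)", rule["extra"])
            found.append({"path": path + (chain,), "in": here, "prot": rule["prot"],
                          "dport": dport.group(1) if dport else "any",
                          "to_port": int(to_port.group(1)) if to_port else None})
        elif rule["target"] in chains and rule["target"] not in path + (chain,):
            # User-defined chain: recurse, carrying the interface match along.
            found += find_redirects(chains, rule["target"], path + (chain,), here)
    return found


def dead_redirects(text, listening_ports):
    """Return redirects whose local target port has no listener."""
    return [r for r in find_redirects(parse_chains(text))
            if r["to_port"] not in listening_ports]


if __name__ == "__main__":
    # Constructed case: nothing listens on 3128 (squid stopped or removed).
    for r in dead_redirects(SAMPLE, listening_ports={22}):
        print("in=%s %s dport %s -> local port %s has no listener (via %s)" % (
            r["in"], r["prot"], r["dport"], r["to_port"], " > ".join(r["path"])))
```
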
streeter
Right - I have just used the Mandrake wizards on my laptop, so I now know a little more about them... I have always set things up by hand before, as I don't trust the wizards

The internet connection sharing wizard sets up a dhcp server, squid and a caching nameserver.

You don't always need these - on a home network these servers are just an added complication and more opportunity for things to go wrong....

And if squid (a proxy server) is not set up correctly, you get exactly the results you are getting - the firewall redirects all http requests to squid.

So my last post should be right - either try setting up squid again, or set things up manually.

Chris
bsyuni
Thanks again.
I can understand only a little of your recommendation, but I tried to follow
your instructions.
I removed squid. I do not have any idea about webmin or modification of the
ROUTING table.
I just did as follows:
CODE
iptables -t nat -D PREROUTING -i eth0 -j loc_dnat  

It seems the definition has a conflict.
I removed the iptables package and reinstalled it.
Then I got a slightly different message.
CODE
[root@yuni bsyuni]# iptables -t nat -D PREROUTING -i eth0 -j loc_dnat
iptables v1.2.9: Couldn't load target `loc_dnat':/lib/iptables/libipt_loc_dnat.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
[root@yuni bsyuni]# iptables -t nat -D PREROUTING -i eth0 -j loc_dnat
iptables v1.2.9: Couldn't load target `loc_dnat':/lib/iptables/libipt_loc_dnat.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
[root@yuni bsyuni]#

Sorry for bothering and thank you for your help.
bsyuni
Hello again.
I installed webmin, which was one of your recommendations.
I am facing a huge control panel in Mozilla.
It looks easy because of the GUI, but I am not familiar with it at all.
Could you possibly help me out?
Any tips are appreciated.
streeter
All "iptables -t nat -D PREROUTING -i eth0 -j loc_dnat " does is remove a table entry - if the entry is no longer there (the result we want) you will get the error. So the result is the same - the entry is gone.

Did you put the "iptables -t nat -D PREROUTING -i eth0 -j loc_dnat " at the end of /etc/rc.d/rc.local?
If not, do it now and reboot.
Then try it out.
Then post output of "iptables -nvL -t nat".

Forget webmin and squid for now - you don't need them.

What we are trying to do is stop your PC from automatically redirecting http requests to squid.
The above command should do that, if I got the syntax right...

Chris
bsyuni
I just would like to say thank you, Chris.
It has taken a month to fix my problem.
Right now, I have just solved the problem.
Thank you for your big help again.