Starblazer (n00b; Joined: 14 Jul 2002; Posts: 8)
Posted: Sun Jul 14, 2002 12:46 am    Post subject: Unable to route local network?
Has anyone encountered the following problem?
I currently have a firewall/proxy/dhcp server with an internal address of 192.168.1.1.
My PC is Windows XP Pro.
The dhcp server is able to grant me a lease in the 192.168.1.x subnet (mask 255.255.255.0) with a default gw of 192.168.1.1.
Now, web browsing through the proxy (192.168.1.1:3128) works fine. IPTables forwarding (no proxy) works fine.
My problem is when I try to connect to the internal NIC via SSH. I've included the correct statement to open up incoming connections, but I get connection refused. The error does not show up when I log all connections that go through iptables.
It looks like my PC does not know how to handle routing for the local subnet. The following is an example error using telnet to the proxy server's port:
Code:
telnet proxy 3128
Connecting To proxy...Could not open connection to the host, on port 3128.
No connection could be made because the target machine actively refused it.

When I use Nmap, I get this:
Code:
WARNING: Could not determine what interface to route packets through to 192.168.1.1, changing ping scantype to ICMP only

This is my routing table:
Code:
Active Routes:
Network Destination    Netmask          Gateway        Interface      Metric
0.0.0.0                0.0.0.0          192.168.1.1    192.168.1.102  20
127.0.0.0              255.0.0.0        127.0.0.1      127.0.0.1      1
192.168.1.0            255.255.255.0    192.168.1.102  192.168.1.102  20
192.168.1.102          255.255.255.255  127.0.0.1      127.0.0.1      20
192.168.1.255          255.255.255.255  192.168.1.102  192.168.1.102  20
224.0.0.0              240.0.0.0        192.168.1.102  192.168.1.102  20
255.255.255.255        255.255.255.255  192.168.1.102  192.168.1.102  1
Default Gateway: 192.168.1.1

Anyone have any ideas? This is a big pain since I can't remotely administer the firewall.
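The routing table in the post above, checked the way a host would check it. This is an added example, not code from the thread: it parses the posted "route print" output (embedded as constructed sample input) and does a longest-prefix lookup, so you can see which route and interface a destination such as 192.168.1.1 actually selects before blaming routing.

```python
import ipaddress

# Constructed sample input: the "route print" table exactly as posted in the thread.
ROUTE_PRINT = """\
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.102 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.102 192.168.1.102 20
192.168.1.102 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.102 192.168.1.102 20
224.0.0.0 240.0.0.0 192.168.1.102 192.168.1.102 20
255.255.255.255 255.255.255.255 192.168.1.102 192.168.1.102 1
Default Gateway: 192.168.1.1
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from route print text."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # banner, column header or "Default Gateway" line
        try:
            net = ipaddress.IPv4Network((parts[0], parts[1]), strict=False)
            gw, iface = ipaddress.IPv4Address(parts[2]), ipaddress.IPv4Address(parts[3])
            metric = int(parts[4])
        except ValueError:
            continue  # any other non-route line with five fields
        routes.append((net, gw, iface, metric))
    return routes

def lookup(routes, dst):
    """Pick the route the host would use: longest prefix first, then lowest metric."""
    dst = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))

def explain(routes, dst):
    """Human-readable route decision for dst, e.g. the 192.168.1.1 gateway box."""
    r = lookup(routes, dst)
    if r is None:
        return f"{dst}: no route"
    net, gw, iface, metric = r
    via = "directly on link" if gw == iface else f"via gateway {gw}"
    return f"{dst}: {net} {via}, interface {iface}, metric {metric}"
```

Calling `explain(parse_routes(ROUTE_PRINT), "192.168.1.1")` reports the directly connected 192.168.1.0/24 route on interface 192.168.1.102, i.e. the table itself has a perfectly good path to the firewall.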
Nitro (Bodhisattva; Joined: 08 Apr 2002; Posts: 661; Location: San Francisco)
Posted: Sun Jul 14, 2002 5:41 am    Post subject:
I don't think it is a routing problem. If it was a routing problem, you wouldn't be able to touch any of the services on that box at all. A simple test is a ping. As long as you don't have an explicit rule in your firewall disallowing pings or have pings shut off in your kernel, this will tell us the story about routing.
Ping both interfaces and tell us the results, and ping from each computer to the other. If the pings work, scratch routing problems. You might want to try flushing your iptables rules to see if that fixes it. The following should flush all rules and chains:
Code:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X

_________________
- Kyle Manna
Please, please SEARCH before posting.
There are three kinds of people in the world: those who can count, and those who can't.
Starblazer (n00b; Joined: 14 Jul 2002; Posts: 8)
Posted: Wed Jul 17, 2002 3:35 am    Post subject:
I personally don't think it's a routing problem either. But it's just plain weird. I've already tried turning off the firewall and just having it behave as a DHCP server. I can ping from both machines. But I can't telnet/ssh in. The part that gets me is that it obviously finds the proxy server somehow; otherwise, I wouldn't be able to post this message (the logs do confirm that I'm using the proxy).
Nitro (Bodhisattva; Joined: 08 Apr 2002; Posts: 661; Location: San Francisco)
Posted: Wed Jul 17, 2002 4:08 am    Post subject:
Starblazer wrote:
> I personally don't think it's a routing problem either. But it's just plain weird. I've already tried turning off the firewall and just having it behave as a DHCP server. I can ping from both machines. But I can't telnet/ssh in. The part that gets me is that it obviously finds the proxy server somehow; otherwise, I wouldn't be able to post this message (the logs do confirm that I'm using the proxy).

You are using TCP wrappers, huh? Well, you are by default.
Try putting the following in hosts.allow: and the following in hosts.deny:
Starblazer (n00b; Joined: 14 Jul 2002; Posts: 8)
Posted: Wed Jul 17, 2002 4:53 am    Post subject:
That was a pretty good idea... but it didn't pan out.
I went a step further and sniffed my connection. I can see the traffic go out to the proxy server and back, but that's it. If I use telnet/ssh/nmap, no traffic whatsoever.
When I try a ping, I can see my ping packets go out. I also see the bootp protocol going back and forth.
Nitro (Bodhisattva; Joined: 08 Apr 2002; Posts: 661; Location: San Francisco)
Posted: Wed Jul 17, 2002 12:15 pm    Post subject:
You wouldn't happen to have ECN turned on in your kernel, would you?
Code:
Networking options ---> IP: TCP Explicit Congestion Notification support

Have you tried recompiling your kernel? Perhaps even try the vanilla-sources kernel to rule out any problems with a patch gone bad on your gentoo-sources.
Starblazer (n00b; Joined: 14 Jul 2002; Posts: 8)
Posted: Wed Jul 17, 2002 7:32 pm    Post subject:
I've recompiled a few times already, and no, ECN isn't enabled. I haven't tried using the vanilla-sources yet, but I strongly suspect that my problem isn't Gentoo related, since traffic never even leaves my PC.
I think it has something to do with the network layer on XP. I'm going to try something else tonight. But if you think of anything, please let me know! Thanks for the help so far.
Starblazer (n00b; Joined: 14 Jul 2002; Posts: 8)
Posted: Wed Jul 17, 2002 11:16 pm    Post subject:
ALRIGHT!!!
It's kinda silly really, but I've figured out what was blocking me. I had to uninstall ZoneAlarm. Apparently, even though I thought it wasn't running, it had some sort of hook into the OS that must've prevented me from connecting directly to the firewall. All's good now. Thanks for all the help.
Nitro (Bodhisattva; Joined: 08 Apr 2002; Posts: 661; Location: San Francisco)
Posted: Thu Jul 18, 2002 1:51 am    Post subject:
Ack, don't you hate it when that happens?