1U (Guru)
Joined: 21 Jul 2005 Posts: 319
Posted: Sat Jul 23, 2005 10:25 pm Post subject: Is there anything wrong with my networking setup?
I'll try to describe it as briefly as I can, because it can get overly complex. Starting from the outside world and ending up at the end of the chain (which is also where the problem is):
1. My eth0 is connected to the cable modem and receives an external ip through dhcp.
2. I then have the following iptables rules below to share the internet with the rest of the network.
Code:
# flush the filter and nat tables, then the INPUT chain
iptables -F
iptables -t nat -F
iptables -F INPUT
# accept everything arriving from the LAN bridge and from loopback
iptables -I INPUT 1 -i br0 -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
# one external host may reach TCP port 216 on the box itself
iptables -A INPUT -p TCP --dport 216 -s something.somewhere.com -i eth0 -j ACCEPT
# forward the two high ports (UDP and TCP) from the outside to 192.168.1.2
iptables -t nat -A PREROUTING -p udp -m multiport --dports 65534,65535 -i eth0 -j DNAT --to 192.168.1.2
iptables -t nat -A PREROUTING -p tcp -m multiport --dports 65534,65535 -i eth0 -j DNAT --to 192.168.1.2
# forwarding between the bridge and the outside; traffic from the bridge
# towards private 192.168.x.x addresses is not forwarded
iptables -I FORWARD -i br0 -d 192.168.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i br0 -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j ACCEPT
# masquerade everything leaving through the cable modem
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# replies to connections the box itself opened
iptables -A INPUT -j ACCEPT -m state --state established -i eth0 -p tcp
iptables -A INPUT -j ACCEPT -m state --state established -i eth0 -p udp
# rate-limited logging of whatever else arrives; the final DROP is commented out
iptables -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
#iptables -A INPUT -i ! lo -j DROP
/etc/init.d/iptables save
3. The rest of the network is br0. It's a bridge I made out of two 4-port network cards so that the box can also be used as a switch. Each of the ports is identified as a separate ethernet device, so I have eth1-8 bridged.
4. Now the tricky thing is I have VMware GSX installed and one winblows virtual machine bridged to the bridge. I wasn't sure how else I can enable bridged internet access for the virtual machine, because the only other interface (other than the separate bridged ports) I have is eth0, and if I bridge it to that I won't be behind the firewall, nor will I be able to get a second IP from my ISP.
This is where the problem exists. It forwards ports, but some traffic has a hard time going through. It used to work before (with the same exact setup) and I'm not even sure what I changed (perhaps iptables options in the kernel that I didn't notice?) that broke it. One example is in DC++ on the Windows virtual machine: it can receive search results from everyone (which is a sign that active mode is working), but it can't initiate any transfers. Also with edonkey it doesn't work, and the tests provided by the edonkey website to check the functionality of ports also fail.
So far I've tried...
Recompiling the kernel and checking all the typical iptable options.
Checking the ports from another external ip with nmap which stated the udp ports were open and the tcp ports were filtered?
Passive mode on DC++ and I still get connection timeouts as usual.
Different ports for the software, below and above 1024, makes no difference at all.
And a whole lot of other little things. Also keep in mind that general internet and networking works for this virtual machine. It can surf websites, download files at a fast speed, etc. But wtf is up with the port redirection (or even in passive mode)?
I'm completely lost and don't even know where to start looking. I guess I had it coming with such a complex setup, but it was fun getting all the uses out of my PC when it worked properly.
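A static check over a rule script like the one above, added here as an example and not part of the original post or of any Gentoo tooling. It parses the iptables commands as text (no kernel access, so it runs anywhere) and reports the things that most often make a DNAT port forward look "filtered" from outside: a DNAT with no FORWARD rule that accepts the translated packet, chain policies the script never sets (a flush keeps whatever policy was loaded before), the legacy `-i ! lo` negation, and a DROP keyed on a bridge interface, which with the kernel's bridge-netfilter enabled also applies to frames switched across the bridge rather than routed. The sample script, the list of bridge interfaces (`br0`) and the hostname-skipping behaviour are assumptions made for the example.

```python
"""Static lint for an iptables rule script (constructed example: it reads the
commands as text and never touches the kernel).  Assumes BRIDGE_IFACES are
Linux bridges and that the script runs on top of already-loaded policies."""
import ipaddress
import shlex

# Sample input: the rule script from the post, embedded verbatim.
SAMPLE_SCRIPT = """
iptables -F
iptables -t nat -F
iptables -F INPUT
iptables -I INPUT 1 -i br0 -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p TCP --dport 216 -s something.somewhere.com -i eth0 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -m multiport --dports 65534,65535 -i eth0 -j DNAT --to 192.168.1.2
iptables -t nat -A PREROUTING -p tcp -m multiport --dports 65534,65535 -i eth0 -j DNAT --to 192.168.1.2
iptables -I FORWARD -i br0 -d 192.168.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i br0 -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -j ACCEPT -m state --state established -i eth0 -p tcp
iptables -A INPUT -j ACCEPT -m state --state established -i eth0 -p udp
iptables -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
#iptables -A INPUT -i ! lo -j DROP
/etc/init.d/iptables save
"""

BRIDGE_IFACES = {"br0"}  # assumption: which interfaces are Linux bridges

# Options whose value is kept; '--to-destination' is folded into 'to'.
VALUE_OPTS = {"-i", "-o", "-s", "-d", "-p", "-j", "-m", "--to",
              "--to-destination", "--dport", "--dports", "--state"}


def parse_script(text):
    """Turn each 'iptables ...' line into a dict; other lines are skipped."""
    rules = []
    for raw in text.splitlines():
        toks = shlex.split(raw, comments=True)
        if not toks or toks[0] != "iptables":
            continue
        rule, i = {"table": "filter", "chain": None, "op": None}, 1
        while i < len(toks):
            t = toks[i]
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if t == "-t":
                rule["table"], i = nxt, i + 2
            elif t in ("-A", "-I", "-F", "-P"):
                rule["op"], rule["chain"], i = t, nxt, i + 2
                if t == "-I" and i < len(toks) and toks[i].isdigit():
                    i += 1                      # '-I INPUT 1': skip the position
                elif t == "-P" and i < len(toks):
                    rule["policy"], i = toks[i], i + 1
            elif t in VALUE_OPTS:
                key = "to" if t == "--to-destination" else t.lstrip("-")
                if nxt == "!":                  # legacy negation, e.g. '-i ! lo'
                    rule["neg_" + key], rule[key], i = True, toks[i + 2], i + 3
                else:
                    rule[key], i = nxt, i + 2
            else:
                i += 1                          # option this lint does not model
        rules.append(rule)
    return rules


def _covers(spec, ip):
    """True when a -s/-d spec (or its absence) matches ip; hostnames never do."""
    if spec is None:
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False


def lint(rules):
    """Return human-readable findings about the parsed rule set."""
    findings = []
    fwd = [r for r in rules if r["table"] == "filter"
           and r["chain"] == "FORWARD" and r["op"] in ("-A", "-I")]
    for r in rules:
        # 1. A DNAT only helps if FORWARD will accept the translated packet.
        if r["table"] == "nat" and r.get("j") == "DNAT":
            target = r.get("to", "").split(":")[0]
            if not any(f.get("j") == "ACCEPT" and f.get("i") in (None, r.get("i"))
                       and _covers(f.get("d"), target) for f in fwd):
                findings.append(f"DNAT {r.get('p')} {r.get('dports') or r.get('dport')}"
                                f" -> {target} has no matching FORWARD ACCEPT")
        # 2. '-i ! lo' is legacy syntax; current iptables wants '! -i lo'.
        if r.get("neg_i"):
            findings.append(f"{r['chain']} rule uses legacy negation '-i ! {r['i']}'")
        # 3. With bridge-netfilter on, frames switched across a bridge traverse
        #    FORWARD too, so a DROP keyed on the bridge also hits bridged traffic.
        if r in fwd and r.get("j") == "DROP" and r.get("i") in BRIDGE_IFACES:
            findings.append(f"FORWARD DROP on bridge {r['i']} (dst {r.get('d')}) also "
                            "applies to bridged frames when bridge-netfilter is on")
    # 4. '-F' flushes rules but keeps policies, so behaviour depends on whatever
    #    policy the chain already had unless '-P' sets it explicitly.
    for chain in ("INPUT", "FORWARD"):
        if not any(r["op"] == "-P" and r["chain"] == chain for r in rules):
            findings.append(f"{chain} policy is not set in the script ('-F' keeps it)")
    return findings


if __name__ == "__main__":
    for msg in lint(parse_script(SAMPLE_SCRIPT)):
        print("-", msg)
```

On the posted script the DNAT check passes (the `-i eth0 -d 192.168.0.0/255.255.0.0 -j ACCEPT` rule covers 192.168.1.2), so the lint only reports the unset policies, the legacy negation and the bridge DROP; removing that FORWARD ACCEPT line makes both DNAT rules show up as unreachable, which is the situation where nmap from outside reports the TCP ports as filtered even though the nat table looks right.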
r4d1x (Apprentice)
Joined: 25 Nov 2003 Posts: 157 Location: Japan
Posted: Sun Jul 24, 2005 12:46 am Post subject:
Why not just put a single port NIC in and use a hub or switch for your other computers? Your internal network would still be protected by your linux machine, and no need for "bridging".
Other than that, I've never used multi-port cards personally, but they sound like more trouble than they're worth.
_________________
Gentoo Linux 2.6.19.2-grsec
Dual Athlon-MP 1900
1024Mb PC2100 DDR
Radeon 9600 pro
1TB File Server / FTP
1U (Guru)
Joined: 21 Jul 2005 Posts: 319
Posted: Sun Jul 24, 2005 12:52 am Post subject:
Then I would need a whole bunch of extra devices and cables. My box doesn't do much anyway, so I might as well give it some good task and consolidate everything I can into it.
r4d1x (Apprentice)
Joined: 25 Nov 2003 Posts: 157 Location: Japan
Posted: Sun Jul 24, 2005 2:54 am Post subject:
ok, well..... is there any chance that you could set up the 2 NICs without bridging? Then set the gateways to your external line, i.e.:
ext_iface: DHCP
int_iface1: 192.168.0.1
int_iface2: 192.168.0.2
then forward your ports to both addresses and set rules accordingly.
now just have your machines behind the box use the iface1 or iface2 IP for the gateway depending on which card they are connected to, and set NAT for iface1 & 2. That should work, but as I said before I haven't messed with a multiport card before :/
also, you may give ipkungfu a try to ease the pain of iptables rules.
1U (Guru)
Joined: 21 Jul 2005 Posts: 319
Posted: Sun Jul 24, 2005 4:10 am Post subject:
Thanks for the suggestion. I'll probably keep digging and trying everything and try that as a last resort, though I will definitely check out ipkungfu, because I believe this is iptables related. My iptables started processing the rule scripts very slowly and abnormally now too, so now I have the problem narrowed down.
tibyke (n00b)
Joined: 14 Jul 2005 Posts: 31
Posted: Sun Jul 24, 2005 7:44 pm Post subject:
it must be a 2.6.12 issue, I'm also experiencing network failure through the bridged interface with 2.6.12, but 2.6.11.x works just fine.
it only works for me if I plug a network cable into the bridged interface and it has LINK (other side).
t