This is about a clearOS installation.

eth0 = external interface (DHCP, Internet)
eth1 = internal LAN, static 192.168.0.10
eth2 = DMZ

The problem is that after the initial installation I was able to connect to the external network (Internet) without too much trouble, but local network usage (i.e. browsing) was initially all "closed": I could ping the machines, but browsing was not possible.

Enabling the web proxy fixed this, except for HTTPS pages. HTTPS pages are blocked; they all time out when on the network.

Being from a programming background, I am not all that familiar with iptables lingo; this is beyond my grasp, but any tip or direction to a helpful example similar to what I need to do will be greatly appreciated. route and iptables --list output is provided below.

route:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth2
96.22.88.0      *               255.255.255.0   U     0      0        0 eth0
default         modemcable001.8 0.0.0.0         UG    0      0        0 eth0

iptables:

[root@alcastraz ~]# iptables --list -n -v
Chain INPUT (policy DROP 290 packets, 12072 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2    84 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x12/0x12 state NEW reject-with tcp-reset
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW
    0     0 DROP       all  --  eth0   *       127.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  eth0   *       169.254.0.0/16       0.0.0.0/0
 4473 1190K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  pptp+  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
10200 2469K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  eth2   *       0.0.0.0/0            192.168.0.50        udp spt:68 dpt:67
    0     0 ACCEPT     tcp  --  eth2   *       0.0.0.0/0            192.168.0.50        tcp spt:68 dpt:67
    0     0 ACCEPT     udp  --  eth2   *       192.168.0.0/24       192.168.0.50        udp dpt:53
    0     0 ACCEPT     tcp  --  eth2   *       192.168.0.0/24       192.168.0.50        tcp dpt:53
   56  1624 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0           icmp type 0
    0     0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0           icmp type 3
    1    28 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0           icmp type 11
   25  8189 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp spt:67 dpt:68
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.50        tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            96.22.88.25         tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.50        tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            96.22.88.25         tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.50        tcp dpt:1875
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            96.22.88.25         tcp dpt:1875
    0     0 ACCEPT     udp  --  eth2   *       0.0.0.0/0            0.0.0.0/0           udp dpts:1024:65535 state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1024:65535 state RELATED,ESTABLISHED
  434 56568 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpts:1024:65535 state RELATED,ESTABLISHED
10241   11M ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1024:65535 state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       192.168.0.0/24       0.0.0.0/0           icmp type 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.0/24      icmp type 0
    0     0 ACCEPT     icmp --  *      *       192.168.0.0/24       0.0.0.0/0           icmp type 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.0/24      icmp type 3
    1    84 ACCEPT     icmp --  *      *       192.168.0.0/24       0.0.0.0/0           icmp type 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.0/24      icmp type 8
    0     0 ACCEPT     icmp --  *      *       192.168.0.0/24       0.0.0.0/0           icmp type 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.0/24      icmp type 11
    0     0 DROP       icmp --  *      *       192.168.0.0/24       0.0.0.0/0
    0     0 DROP       icmp --  *      *       0.0.0.0/0            192.168.0.0/24
    0     0 ACCEPT     all  --  *      *       192.168.0.0/24       192.168.0.0/24      state RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       192.168.0.0/24       192.168.0.0/24
    0     0 ACCEPT     all  --  *      *       192.168.0.0/24       192.168.0.0/24
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
  189  9468 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  pptp+  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4473 1190K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      pptp+   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      tun+    0.0.0.0/0            0.0.0.0/0
13828   13M ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
   57  1652 ACCEPT     icmp --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           udp spt:68 dpt:67
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:68 dpt:67
    0     0 ACCEPT     tcp  --  *      eth2    192.168.0.50         0.0.0.0/0           tcp spt:80
    0     0 ACCEPT     tcp  --  *      eth0    96.24.88.26          0.0.0.0/0           tcp spt:80
    0     0 ACCEPT     tcp  --  *      eth2    192.168.0.50         0.0.0.0/0           tcp spt:443
    0     0 ACCEPT     tcp  --  *      eth0    96.24.88.26          0.0.0.0/0           tcp spt:443
    0     0 ACCEPT     tcp  --  *      eth2    192.168.0.50         0.0.0.0/0           tcp spt:1875
    0     0 ACCEPT     tcp  --  *      eth0    96.24.88.26          0.0.0.0/0           tcp spt:1875
    0     0 ACCEPT     all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
 9125 2383K ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain drop-lan (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Thanks!

[UPDATE] Updated output of iptables, added parameters -v -n. HTTPS pages are now working, though only when the client is configured to use the web proxy. This is a re-install, and I am perplexed as to how the web clients could access the Internet proxy-less before the re-install. Though routing everything through the proxy may make some sense in a work environment, I feel it may be overkill for my home network, where the biggest threat is my dog romping through the cables.

stefgosselin
    Try adding -n and -v when dumping your iptables rules. This will give you raw IP addresses and hit-counts for each rule. – Ladadadada Feb 12 '12 at 22:50
  • Yes, I have updated the iptables output with -v -n; would you mind having a peek when/if you have a few minutes and letting me know a few basics on how to read this out? In your opinion, is it possible to add a simple rule or two to allow proxy-less web access? Thanks mate, I appreciate it. – stefgosselin Feb 13 '12 at 08:05
  • Can you also provide `iptables -nvL -t nat` and `iptables -nvL -t mangle` output? – mgorven Mar 26 '12 at 00:25

1 Answer

Based on the fact that only HTTP and HTTPS access work when using the proxy, it seems that clearOS is not actually routing any packets for the clients. This is usually caused by the FORWARD chain dropping the packets (which looks fine from the above output), or IP forwarding being disabled (`cat /proc/sys/net/ipv4/ip_forward` should output 1), or NAT not being applied (i.e. MASQUERADE rules in the POSTROUTING chain of the nat table).

mgorven
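The three checks the answer lists, as an added shell script that is not part of the question or the answer. It assumes eth0 is the external interface and eth1 the LAN, as in the question; the sample chain listings embedded in it are constructed in the `iptables -nvL` column format shown above, so the parsers can be exercised without root.

```shell
# Added example: test the three causes named in the answer (FORWARD chain dropping,
# ip_forward disabled, no NAT). Not from the original post; eth0/eth1 follow the
# question, the SAMPLE_* listings below are constructed.

# Cause 2: /proc/sys/net/ipv4/ip_forward must read 1. Takes a path so it can be
# pointed at a constructed file as well as the real sysctl file.
ip_forward_enabled() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# Cause 1: FORWARD must ACCEPT new traffic arriving on the LAN interface ($1) and
# ACCEPT RELATED,ESTABLISHED replies. Reads an `iptables -nvL FORWARD` listing on
# stdin; columns are: pkts bytes target prot opt in out source destination [match].
forward_allows_lan() {
    awk -v lan="$1" '
        $3 == "ACCEPT" && $4 == "all" && $6 == lan { out = 1 }
        $3 == "ACCEPT" && /RELATED,ESTABLISHED/    { back = 1 }
        END { exit (out && back) ? 0 : 1 }'
}

# Cause 3: nat/POSTROUTING must MASQUERADE (or SNAT) packets leaving via the
# external interface ($1). Reads `iptables -t nat -nvL POSTROUTING` on stdin.
nat_present() {
    awk -v ext="$1" '
        $3 ~ /^(MASQUERADE|SNAT)$/ && $7 == ext { found = 1 }
        END { exit found ? 0 : 1 }'
}

# On the clearOS box itself (as root): live_diagnose eth0 eth1
# Prints only what is wrong, with the usual fix for each finding.
live_diagnose() {
    ip_forward_enabled /proc/sys/net/ipv4/ip_forward || echo "ip_forward is 0: sysctl -w net.ipv4.ip_forward=1"
    iptables -nvL FORWARD | forward_allows_lan "$2" || echo "FORWARD lacks ACCEPT for $2 / RELATED,ESTABLISHED"
    iptables -t nat -nvL POSTROUTING | nat_present "$1" || echo "no MASQUERADE on $1: iptables -t nat -A POSTROUTING -o $1 -j MASQUERADE"
}

# Constructed sample listings for checking the parsers offline.
SAMPLE_FORWARD='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  189  9468 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0'
SAMPLE_NAT_OK='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      eth0    192.168.0.0/24       0.0.0.0/0'
SAMPLE_NAT_MISSING='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'
```

Run `printf '%s\n' "$SAMPLE_NAT_MISSING" | nat_present eth0; echo $?` to see the failing case that matches the answer's third hypothesis.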