
I have a relatively new GW box ( CentOS 6.5 ) that can ping www.apple.com. When I change computers inside my network to use this GW as the default GW, they cannot access the internet. So then I change it back to the old GW, and they can access the internet again. The internal computers are various windows machines ( Vista, Windows 7, etc ), and various linux machines ( another CentOS box, an old RedHat Linux 9 machine, etc ). So my questions are:

  1. How can the new GW ping www.apple.com, but internal computers that are setup to use that GW cannot ping www.apple.com? Put another way, why would this GW not allow internet access through it?
  2. What iptable settings can I check on the newer GW machine to see if that is blocking it? I started with the exact same iptables from the older GW machine ( which allows internet access through ), changing the IPs as needed ( from old GW IP to newer GW IP, for instance ).

Thanks. Just looking for a starting point.

EDIT:

[root@wmsgateway ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@wmsgateway ~]# iptables -L -n -v 
Chain INPUT (policy ACCEPT 7175 packets, 739K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:9091 LOG flags 0 level 4 
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:9093 LOG flags 0 level 4 

Chain FORWARD (policy ACCEPT 161 packets, 14106 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 6424 packets, 629K bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@wmsgateway ~]# 

Note that iptables does have some settings, you just cannot see them this way. Running "iptables -L -t nat -v" gets the different port mappings, for instance.

EDIT 2:

Also, here is the routing table ( with external IP obfuscated ):

+ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
68.AAA.BBB.CC2  0.0.0.0         255.255.255.248 U     0      0        0 eth2
192.168.254.0   0.0.0.0         255.255.255.0   U     1      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth2
0.0.0.0         68.AAA.BBB.CC3  0.0.0.0         UG    0      0        0 eth2

Where "AAA", "BBB", and "CC" are the same between these two external IPs.

Also, here is ifconfig ( once again with the external IP obfuscated in the exact same way as above ):

+ ifconfig
eth0      Link encap:Ethernet  HWaddr 80:3F:5D:08:8F:94  
          inet addr:192.168.254.80  Bcast:192.168.254.255  Mask:255.255.255.0
          inet6 addr: fe80::823f:5dff:fe08:8f94/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:410127 errors:0 dropped:0 overruns:0 frame:0
          TX packets:385512 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:42227089 (40.2 MiB)  TX bytes:37546249 (35.8 MiB)

eth2      Link encap:Ethernet  HWaddr 00:24:8C:90:99:FB  
          inet addr:68.AAA.BBB.CC5  Bcast:255.255.255.255  Mask:255.255.255.248
          inet6 addr: fe80::224:8cff:fe90:99fb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1308912 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1192461 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:499876320 (476.7 MiB)  TX bytes:179686421 (171.3 MiB)
          Interrupt:25 Base address:0xe000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:106248 errors:0 dropped:0 overruns:0 frame:0
          TX packets:106248 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:105325072 (100.4 MiB)  TX bytes:105325072 (100.4 MiB)

wlan0     Link encap:Ethernet  HWaddr 00:21:00:E3:7E:79  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

It is interesting, but eth2 has an external IP not listed in route -n. Could that be the problem?

Tony B
    For starters, could you **edit into your question** the outputs of `iptables -L -n -v` and `cat /proc/sys/net/ipv4/ip_forward`? – MadHatter Mar 26 '14 at 16:54
  • You appear to be missing a `nat` table. Clients with RFC1918 addresses won't be able to communicate with the internet without NAT. But the `iptables` command that you used will not show all relevant information. Better show us the output of `iptables-save`, which will show us the information we are missing. – kasperd Apr 01 '14 at 23:09

1 Answer


Ok, I found the problem. The key was to run the following commands and look at the output:

  1. Run iptables-save and look at the output. Of special importance are any lines referencing your network interfaces.
  2. Run ifconfig to get the interface setup.
  3. Run route -n to get the routing. Not absolutely essential, but it helped me see the problem.

So, in my case, I had the following scenario ( before my fix ):

iptables-save | grep eth
-A POSTROUTING -o eth1 -j SNAT --to-source 68.AAA.BBB.155

 ifconfig
eth0      Link encap:Ethernet  HWaddr 80:3F:5D:08:8F:94
          inet addr:192.168.254.80  Bcast:192.168.254.255  Mask:255.255.255.0
...

eth2      Link encap:Ethernet  HWaddr 00:24:8C:90:99:FB
          inet addr:68.AAA.BBB.155  Bcast:255.255.255.255  Mask:255.255.255.248
...

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
...

wlan0     Link encap:Ethernet  HWaddr 00:21:00:E3:7E:79
...

Obviously, I obfuscated the external IP some, and replaced some of the ifconfig output with "..." to make it easier to follow. Note that in iptables, I was referencing eth1, but there was no eth1 interface anymore. Originally, eth1 referenced the external IP, but some change in our system removed that interface and added eth2 ( this happens to be a USB to Ethernet adaptor, so I personally think changing USB ports removed eth1 and added eth2 ). Anyway, in my case, simply changing iptables to reference eth2 instead of eth1 fixed my issue. The key here was telling iptables how to route outgoing packets ( unless someone else has a better interpretation ).

So I changed iptables from

iptables-save | grep eth
-A POSTROUTING -o eth1 -j SNAT --to-source 68.AAA.BBB.155

to

iptables-save | grep eth
-A POSTROUTING -o eth2 -j SNAT --to-source 68.AAA.BBB.155

I hope this helps someone else avoid this type of mistake.

Tony B