Any ideas what is wrong with my Bubba?

br0 Link encap:Ethernet HWaddr 00:22:02:00:0f:db
inet addr:192.168.10.1 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::222:2ff:fe00:fdb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2212 errors:0 dropped:0 overruns:0 frame:0
TX packets:1114 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:236037 (230.5 KiB) TX bytes:210489 (205.5 KiB)

eth0 Link encap:Ethernet HWaddr 00:22:02:00:0f:da
inet addr:80.220.53.130 Bcast:80.220.63.255 Mask:255.255.224.0
inet6 addr: fe80::222:2ff:fe00:fda/64 Scope:Link
UP BROADCAST RUNNING MTU:1500 Metric:1
RX packets:9224 errors:0 dropped:0 overruns:0 frame:0
TX packets:7207 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11785572 (11.2 MiB) TX bytes:1179469 (1.1 MiB)
Base address:0x8000

eth1 Link encap:Ethernet HWaddr 00:22:02:00:0f:db
inet6 addr: fe80::222:2ff:fe00:fdb/64 Scope:Link
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:5040 errors:0 dropped:0 overruns:0 frame:0
TX packets:2260 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:793680 (775.0 KiB) TX bytes:852032 (832.0 KiB)
Base address:0xc000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:99 errors:0 dropped:0 overruns:0 frame:0
TX packets:99 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:8461 (8.2 KiB) TX bytes:8461 (8.2 KiB)

mon.wlan0 Link encap:UNSPEC HWaddr 00-80-48-69-9B-5C-10-03-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:24492 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:8168537 (7.7 MiB) TX bytes:0 (0.0 B)

wlan0 Link encap:Ethernet HWaddr 00:80:48:69:9b:5c
inet6 addr: fe80::280:48ff:fe69:9b5c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:687 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:143472 (140.1 KiB)
domain dhcp.inet.fi
search dhcp.inet.fi
nameserver 192.89.123.231
nameserver 193.210.19.190
No, I don't have my old firewall conf, but thanks for the tip. I'll try to create one. Thanks for the superb fast reply.

A_Swissionary wrote:
Hi,
In my case at least, the problem was that the file
/etc/network/firewall.conf
was empty.
This file contains some rules for iptables, allowing some access and blocking others.
A missing firewall.conf file obviously means that no internet traffic is routed from LAN to WAN.
When I upgraded to 2.4 RC1, I luckily saved my old firewall.conf file and could just copy it to the old place and restore the rules.
Do you have an old copy lying around? Or do you need an example to create a new one?
Best,
René
# Generated by iptables-save v1.4.8 on Thu Oct 20 17:25:51 2011
*nat
:PREROUTING ACCEPT [100:9825]
:INPUT ACCEPT [3:448]
:OUTPUT ACCEPT [5:276]
:POSTROUTING ACCEPT [24:1345]
COMMIT
# Completed on Thu Oct 20 17:25:51 2011
# Generated by iptables-save v1.4.8 on Thu Oct 20 17:25:51 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 10000:14000 -j ACCEPT
COMMIT
# Completed on Thu Oct 20 17:25:51 2011
# Generated by iptables-save v1.4.1.1 on Thu Sep 29 11:46:36 2011
*nat
:PREROUTING ACCEPT [38405:10148740]
:POSTROUTING ACCEPT [91:17867]
:OUTPUT ACCEPT [1129:72225]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Sep 29 11:46:36 2011
# Generated by iptables-save v1.4.1.1 on Thu Sep 29 11:46:36 2011
*filter
:INPUT DROP [24544:7837458]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [109250:12644388]
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
# Here comes one I think you should add:
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
COMMIT
Oh my... well, I'm not even capable of applying those rules.

A_Swissionary wrote:
Well, it indeed seems to be at the right place.
Now, I'm not the greatest expert on this file.
But if I see this correctly, some elements seem to be missing.
If I get that right, your file only opens up some ports for external access.
Here is my firewall.conf for a reference. Note: eth0 is WAN, eth1 is LAN. That's why I let it accept everything on eth1:
# Generated by iptables-save v1.4.1.1 on Thu Sep 29 11:46:36 2011
*nat
:PREROUTING ACCEPT [38405:10148740]
:POSTROUTING ACCEPT [91:17867]
:OUTPUT ACCEPT [1129:72225]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Sep 29 11:46:36 2011
# Generated by iptables-save v1.4.1.1 on Thu Sep 29 11:46:36 2011
*filter
:INPUT DROP [24544:7837458]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [109250:12644388]
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
# Here comes one I think you should add:
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
COMMIT
nolla@bubba:/etc/init.d$ sudo iptables -A FORWARD -i eth1 -j ACCEPT
nolla@bubba:/etc/init.d$ sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
nolla@bubba:/etc/init.d$ sudo iptables -A FORWARD -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
sudo /etc/init.d/bubba.firewall restart
/sbin/iptables-restore /etc/network/firewall.conf
# Generated by iptables-save v1.4.1.1 on Wed Sep 14 21:27:00 2011
*nat
:PREROUTING ACCEPT [1042:73452]
:POSTROUTING ACCEPT [138:12152]
:OUTPUT ACCEPT [156:15213]
##-A PREROUTING -d 80.220.53.130/32 -p tcp -m tcp --dport 10000 -j DNAT --to-destination 192.168.1.3:80
##-A PREROUTING -d 80.220.53.130/32 -p tcp -m tcp --dport 8881 -j DNAT --to-destination 192.168.1.3:8881
-A POSTROUTING -o eth0 -j MASQUERADE
##-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.3/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.1.100
##-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.3/32 -p tcp -m tcp --dport 8881 -j SNAT --to-source 192.168.1.100
COMMIT
# Completed on Wed Sep 14 21:27:00 2011
# Generated by iptables-save v1.4.1.1 on Wed Sep 14 21:27:00 2011
*filter
:INPUT DROP [6:280]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [8869:841319]
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8000 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 64738 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 64738 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3784 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 3784 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
##-A FORWARD -d 192.168.1.3/32 -p tcp -m tcp --dport 80 -j ACCEPT
##-A FORWARD -d 192.168.1.3/32 -p tcp -m tcp --dport 8881 -j ACCEPT
COMMIT
# Completed on Wed Sep 14 21:27:00 2011
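The configs posted in this thread differ in exactly the pieces that decide whether LAN traffic gets out: a MASQUERADE rule on the WAN interface in the nat table, and FORWARD rules behind a DROP policy that accept traffic arriving on the LAN interface plus RELATED,ESTABLISHED replies. The ifconfig output at the top also shows why the interface name matters on this box: the LAN address 192.168.10.1 sits on the bridge br0, so forwarding rules written for -i eth1 do not match traffic that arrives through the bridge. The script below is an added example, not code from the thread or from the Bubba firmware: it parses a file in iptables-save format (what /etc/network/firewall.conf holds and what /sbin/iptables-restore loads) and reports which of those pieces are missing. The function names are the example's own, the sample configs are abridged from the ones posted above, and the interface list is taken from the ifconfig output.

```python
def parse_iptables_save(text):
    """Parse iptables-save output into {table: {"policies": {chain: policy}, "rules": [tokens]}}.

    Handles what firewall.conf uses: '*table', ':CHAIN POLICY [p:b]', '-A CHAIN ...'
    and 'COMMIT'. Lines starting with '#' (the '##' disabled rules above included)
    are comments, as they are for iptables-restore.
    """
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = line[1:]
            tables[current] = {"policies": {}, "rules": []}
        elif line == "COMMIT":
            current = None
        elif current is None:
            raise ValueError(f"line outside a table block: {line!r}")
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            tables[current]["policies"][chain] = policy
        elif line.startswith("-A "):
            tables[current]["rules"].append(line.split())
    return tables


def _opt(rule, flag):
    """Value following a flag in a tokenised rule, or None if the flag is absent."""
    for i, tok in enumerate(rule[:-1]):
        if tok == flag:
            return rule[i + 1]
    return None


def audit_router_firewall(text, wan, lan, interfaces):
    """Return findings; an empty list means LAN->WAN forwarding is set up and restrictive."""
    if not text.strip():
        return ["file is empty: iptables-restore loads nothing, so no LAN-to-WAN traffic is forwarded"]
    findings = []
    tables = parse_iptables_save(text)
    nat = tables.get("nat", {"policies": {}, "rules": []})
    filt = tables.get("filter", {"policies": {}, "rules": []})

    # 1. Source NAT: private LAN addresses must be rewritten on the way out of the WAN port.
    if not any(r[1] == "POSTROUTING" and _opt(r, "-o") == wan and _opt(r, "-j") == "MASQUERADE"
               for r in nat["rules"]):
        findings.append(f"nat: no 'POSTROUTING -o {wan} -j MASQUERADE'; replies to LAN hosts cannot return")

    # 2. Forwarding: default DROP, then allow LAN-originated traffic and its replies only.
    fwd = [r for r in filt["rules"] if r[1] == "FORWARD"]
    if filt["policies"].get("FORWARD") == "DROP":
        if not any(_opt(r, "-i") == lan and _opt(r, "-j") == "ACCEPT" for r in fwd):
            findings.append(f"filter: FORWARD policy DROP but no 'FORWARD -i {lan} -j ACCEPT'; LAN cannot reach the WAN")
        if not any(_opt(r, "--state") == "RELATED,ESTABLISHED" and _opt(r, "-j") == "ACCEPT" for r in fwd):
            findings.append("filter: FORWARD policy DROP but no RELATED,ESTABLISHED accept; reply packets are dropped")
    else:
        findings.append("filter: FORWARD policy is not DROP; unsolicited WAN traffic can be forwarded to LAN hosts")

    # 3. Services on the router itself should be exposed by explicit INPUT rules only.
    if filt["policies"].get("INPUT") != "DROP":
        findings.append("filter: INPUT policy is not DROP; every listening service is reachable from the WAN")

    # 4. Interface names must exist on this box (a bridged LAN shows up as br0, not eth1).
    for table in tables.values():
        for r in table["rules"]:
            for flag in ("-i", "-o"):
                iface = _opt(r, flag)
                if iface is not None and iface not in interfaces:
                    findings.append(f"rule names unknown interface {iface}: {' '.join(r)}")
    return findings


# Interfaces taken from the ifconfig output at the top of the thread.
BUBBA_IFACES = {"br0", "eth0", "eth1", "lo", "wlan0"}

# Abridged from the first firewall.conf posted above: it only opens ports on eth0.
PORTS_ONLY_CONF = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Abridged from the br0 firewall.conf posted last above.
ROUTER_CONF = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for name, conf in [("ports-only", PORTS_ONLY_CONF), ("router", ROUTER_CONF),
                       ("router with eth1 instead of br0", ROUTER_CONF.replace("br0", "eth1"))]:
        print(f"{name}:")
        for finding in audit_router_firewall(conf, "eth0", "br0", BUBBA_IFACES) or ["ok"]:
            print("  ", finding)
```

The ports-only config gets three findings (no MASQUERADE, FORWARD not DROP, INPUT not DROP), the br0 router config none, and the same router config written for eth1 one finding, since no FORWARD rule accepts traffic from br0. To check a real file, read /etc/network/firewall.conf into a string and call audit_router_firewall with the WAN and LAN interface names from ifconfig.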
I did, and saw the IP lease on my router.

Binkem wrote:
You have to connect to the WAN port if you use the rescue stick!