is this a DHCP problem?

Post by H. S » Mon, 18 Oct 2004 05:21:01



I have a small home network. One of the internal machines (in
192.168.0.x) is a laptop running Debian Sarge freshly installed. On that
machine I have been able to access some webpage e.g.
http://security.debian.org. I am suspecting this is a DHCP problem.

Now my layout is: CompA is connected to a high speed modem and acts as a
router, firewall and recently also as a DHCP server for my internal home
network. The DHCP server seems to work properly since it gives out
valid addresses.

But since I wasn't able to access some websites from the laptop while
connected to the internal network, I looked into my firewall script. I
use one of those rc.stronge.firewall scripts. And I noticed that I had
not uncommented the lines:
#---------
# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
#
$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT

and further down the script

# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
#         - Remove BOTH #s all the #s if you need this functionality.
#
$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \
  --dport 68 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \
  --dport 68 -j ACCEPT

I have tried uncommenting both the above and it seemed not to have
worked. After editing the firewall script, I do:
$> poff
$> /etc/init.d/networking restart
$> /etc/init.d/dhcp restart
$> pon dsl-provider

After these, my internal laptop still cannot access
http://security.debian.org though my ComputerA (the router) can. My
internal laptop can ping security.debian.org, it can browse
www.yahoo.com. Am I correct in guessing that DHCP and ports 67 and 68 are the
problem, or should I look somewhere else?

My $>iptables -nvL gives (just the relevant lines):
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp spt:68 dpt:67
    3   984 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp spt:68 dpt:67
...
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      eth1    192.168.0.2          0.0.0.0/0           tcp spt:67 dpt:68
    0     0 ACCEPT     udp  --  *      eth1    192.168.0.2          0.0.0.0/0           udp spt:67 dpt:68

All help is appreciated,
thanks,
->HS
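An added example, not code from the thread, that audits an `iptables -nvL` dump for the DHCP server rules the rc.firewall snippet in this post is meant to create. DHCP runs over UDP only (client port 68 to server port 67 and back), which is why only the udp rule above shows any packet count; the function names and the constructed sample dump are chosen here, and unwrapped (wide-terminal) output is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): audit an `iptables -nvL` dump for the
# DHCP server rules the rc.firewall snippet above is meant to create.
# DHCP runs over UDP only (client port 68 -> server port 67 and back), so the
# TCP lines in the script can never match; the audit looks only at UDP rules.
# Assumes unwrapped output (wide terminal): "Chain NAME (...)" headers, one rule
# per line, columns pkts bytes target prot opt in out source destination [extra].

# Succeeds (exit 0) if the dump has an ACCEPT udp rule for the given ports.
# $1 dump  $2 chain ("" = any)  $3 column: in|out|any  $4 iface  $5 sport  $6 dport
has_dhcp_rule() {
    printf '%s\n' "$1" | awk -v chain="$2" -v col="$3" -v iface="$4" \
                             -v sp="$5" -v dp="$6" '
        # single-port form ("spt:68 dpt:67") or the port-range form seen later
        BEGIN { re = "(spt:" sp " dpt:" dp "|spts:67:68 dpts:67:68)" }
        /^Chain / { cur = $2; next }
        (chain == "" || cur == chain) && $4 == "udp" && $3 == "ACCEPT" && $0 ~ re {
            if ((col == "in"  && $6 == iface) || (col == "out" && $7 == iface) ||
                (col == "any" && ($6 == iface || $7 == iface))) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# The server on interface $2 needs requests in (68->67) and replies out (67->68).
dhcp_server_allowed() {
    has_dhcp_rule "$1" INPUT in "$2" 68 67 && has_dhcp_rule "$1" OUTPUT out "$2" 67 68
}

# Any DHCP rule bound to interface $2 in any chain: a finding when $2 is the
# external link, since the server should only ever answer the LAN side.
dhcp_on_iface() {
    has_dhcp_rule "$1" "" any "$2" 68 67 || has_dhcp_rule "$1" "" any "$2" 67 68
}

# Constructed dump modelled on the one in the post above (spacing normalised).
SAMPLE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp spt:68 dpt:67
    3   984 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp spt:68 dpt:67

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      eth1    192.168.0.2          0.0.0.0/0           udp spt:67 dpt:68'

if dhcp_server_allowed "$SAMPLE" eth1; then echo "DHCP server rules present on eth1"; fi
if dhcp_on_iface "$SAMPLE" ppp0; then echo "WARNING: DHCP rule bound to ppp0"; fi
```

On a live router, feed it the real output with `dhcp_server_allowed "$(iptables -nvL)" eth1`.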


is this a DHCP problem?

Post by Dam » Mon, 18 Oct 2004 06:15:34


First of all, if there is a DHCP problem, as you suspect, the problem should
be stronger than the one you're running.

In this case, the internal laptop won't receive an IP address and it will
never ping both internet hosts and your internal hosts, for example the
router compA.

Try to use ifconfig after booting your client and verify that you have
received from DHCP server a valid IP address (in the subnet 192.168.0.x
subnet mask 255.255.255.0). Then you should be able to ping your server,
compA, 192.168.0.1, I suppose.
If this works, DHCP is OK, and the problem should be searched elsewhere...

Your client to access the Internet will probably use a default route to your
router (which has got the internet interface).
You can see this, using route -n and searching for the line whose
destination is 0.0.0.0 which must have your router, i.e. 192.168.0.1, as
gateway.
If this is ok, the routing configuration of your client is OK.

Then you should check that you haven't a DNS problem.
For example you have a DNS problem, if after having tried
http://somehost.org/webpage.html from the server (working), and the same
address from the client (not working), and having changed somehost.org with
its IP address (try ping somehost.org from the router to guess it), the
address works from the client, as well as from the router.
In this case you should provide your clients with a valid DNS address (look
at /etc/resolv.conf) or you should try to set up your router as a DNS
server (or relay server) for your internal network.

If you haven't DNS problems, your problem may be your firewall on the
router.
Try to disable the firewall (with iptables -F for example) and then try
again.
If it works there is a rule in your firewall which blocks traffic from your
client. I cannot help you very much in this case.

Good luck
Damiano


> I have a small home network. One of the internal machines (in
> 192.168.0.x) is a laptop running Debian Sarge freshly installed. On that
> machine I have been able to access some webpage e.g.
> http://security.debian.org. I am suspecting this is a DHCP problem.

> Now my layout is: CompA is connected to a high speed modem and acts as a
> router, firewall and recently also as a DHCP server for my internal home
> network. The DHCP server seems to work properly since it gives out
> valid addresses.

> But since I wasn't able to access some websites from the laptop while
> connected to the internal network, I looked into my firewall script. I
> use one of those rc.stronge.firewall scripts. And I noticed that I had
> not uncommented the lines:
> #---------
> # DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
> #
> $IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
> $IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT

> and further down the script

> # DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
> #         - Remove BOTH #s all the #s if you need this functionality.
> #
> $IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \
>   --dport 68 -j ACCEPT
> $IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \
>   --dport 68 -j ACCEPT

> I have tried uncommenting both the above and it seemed not to have
> worked. After editing the firewall script, I do:
> $> poff
> $> /etc/init.d/networking restart
> $> /etc/init.d/dhcp restart
> $> pon dsl-provider

> After these, my internal laptop still cannot access
> http://security.debian.org though my ComputerA (the router) can. My
> internal laptop can ping security.debian.org, it can browse
> www.yahoo.com. Am I correct in guessing that DHCP and ports 67 and 68 are the
> problem, or should I look somewhere else?

> My $>iptables -nvL gives (just the relevant lines):
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp spt:68 dpt:67
>     3   984 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp spt:68 dpt:67
> ...
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     tcp  --  *      eth1    192.168.0.2          0.0.0.0/0           tcp spt:67 dpt:68
>     0     0 ACCEPT     udp  --  *      eth1    192.168.0.2          0.0.0.0/0           udp spt:67 dpt:68

> All help is appreciated,
> thanks,
> ->HS



is this a DHCP problem?

Post by H. S » Mon, 18 Oct 2004 06:24:43


Apparently, _Dam_, on 16/10/04 17:15, typed:

Quote:
> Try to use ifconfig after booting your client and verify that you have
> received from DHCP server a valid IP address (in the subnet 192.168.0.x
> subnet mask 255.255.255.0). Then you should be able to ping your server,
> compA, 192.168.0.1, I suppose.
> If this works, DHCP is OK, and the problem should be searched elsewhere...

Yes, this is okay. My router's internal NIC is 192.168.0.2, just in case.

Quote:
> Your client to access the Internet will probably use a default route to your
> router (which has got the internet interface).
> You can see this, using route -n and searching for the line whose
> destination is 0.0.0.0 which must have your router, i.e. 192.168.0.1, as
> gateway.
> If this is ok, the routing configuration of your client is OK.

That is okay too. It goes to 0.0.0.0 through gateway 192.168.0.2.

Quote:
> Then you should check that you haven't a DNS problem.
> For example you have a DNS problem, if after having tried
> http://somehost.org/webpage.html from the server (working), and the same
> address from the client (not working), and having changed somehost.org with
> its IP address (try ping somehost.org from the router to guess it), the
> address works from the client, as well as from the router.
> In this case you should provide your clients with a valid DNS address (look
> at /etc/resolv.conf) or you should try to set up your router as a DNS
> server (or relay server) for your internal network.

No, it is not a DNS problem. Many other sites work perfectly. Moreover,
I can ping to security.debian.org from the client as well as from the
router (so DNS is not an issue).

Quote:
> If you haven't DNS problems, your problem may be your firewall on the
> router.
> Try to disable the firewall (with iptables -F for example) and then trying
> again.
> If it works there is a rule in your firewall which block traffic from your
> client. I cannot help you very much in this case.

hmm .. Okay. I will try to reduce the rules to bare minimum and see how
it goes.

Thanks for your detailed response.
->HS


is this a DHCP problem?

Post by H. S » Mon, 18 Oct 2004 07:15:34


Apparently, _Dam_, on 16/10/04 17:15, typed:
> First of all, if there is a DHCP problem, as you suspect, the problem should
> be stronger than the one you're running.
>
> In this case, the internal laptop won't receive an IP address and it will
> never ping both internet hosts and your internal hosts, for example the
> router compA.
>
> Try to use ifconfig after booting your client and verify that you have
> received from DHCP server a valid IP address (in the subnet 192.168.0.x
> subnet mask 255.255.255.0). Then you should be able to ping your server,
> compA, 192.168.0.1, I suppose.
> If this works, DHCP is OK, and the problem should be searched elsewhere...
>
> Your client to access the Internet will probably use a default route to your
> router (which has got the internet interface).
> You can see this, using route -n and searching for the line whose
> destination is 0.0.0.0 which must have your router, i.e. 192.168.0.1, as
> gateway.
> If this is ok, the routing configuration of your client is OK.
>
> Then you should check that you haven't a DNS problem.
> For example you have a DNS problem, if after having tried
> http://somehost.org/webpage.html from the server (working), and the same
> address from the client (not working), and having changed somehost.org with
> its IP address (try ping somehost.org from the router to guess it), the
> address works from the client, as well as from the router.
> In this case you should provide your clients with a valid DNS address (look
> at /etc/resolv.conf) or you should try to set up your router as a DNS
> server (or relay server) for your internal network.
>
> If you haven't DNS problems, your problem may be your firewall on the
> router.
> Try to disable the firewall (with iptables -F for example) and then try
> again.
> If it works there is a rule in your firewall which blocks traffic from your
> client. I cannot help you very much in this case.
>
> Good luck
> Damiano
>

Okay, so I tried pruning my firewall rules. When I was down to this,
where virtually everything is accepted (but please verify this from the
rules below), the internal client was still not able to connect to
security.debian.org, but could ping it, and it was also reachable from
the router. What should I check next?

/etc/iptables# iptables -nvL
Chain INPUT (policy ACCEPT 71 packets, 8282 bytes)
 pkts bytes target     prot opt in     out     source               destination
 7095  863K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   *       192.168.0.0/24       0.0.0.0/0
    0     0 drop-and-log-it  all  --  ppp0   *       192.168.0.0/24       0.0.0.0/0
    0     0 LOG        all  -f  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `IPTABLES FRAGMENTS: '
    0     0 DROP       all  -f  *      *       0.0.0.0/0            0.0.0.0/0
   48 19151 ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp spts:67:68 dpts:67:68
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp spts:67:68 dpts:67:68

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       192.168.0.2          0.0.0.0/0           udp spts:67:68 dpts:67:68
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.2         udp spts:67:68 dpts:67:68
 3285 3438K ACCEPT     all  --  ppp0   eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 4626 4716K ACCEPT     all  --  eth1   ppp0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 42 packets, 6890 bytes)
 pkts bytes target     prot opt in     out     source               destination
 7095  863K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
   30  4366 ACCEPT     all  --  *      eth1    0.0.0.0/0            192.168.0.0/24
    0     0 ACCEPT     all  --  *      eth1    192.168.0.2          192.168.0.0/24
    0     0 drop-and-log-it  all  --  *      ppp0    0.0.0.0/0            192.168.0.0/24
   83  5974 ACCEPT     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      eth1    0.0.0.0/0            0.0.0.0/0           udp spts:67:68 dpts:67:68
    0     0 ACCEPT     tcp  --  *      eth1    0.0.0.0/0            0.0.0.0/0           tcp spts:67:68 dpts:67:68

Chain BadTCPLaD (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `PingOfDeath: '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain drop-and-log-it (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

->HS


is this a DHCP problem?

Post by H. S » Mon, 18 Oct 2004 08:12:03


It was the MTU!!

The laptop (DHCP client) was working on 1500. I am able to make it work
at a value of 1490. I put "mtu 1490" just below the eth0 line and all is well.

Boy, this took a while to figure out!

->HS

Apparently, _H. S._, on 16/10/04 18:15, typed:

Quote:

> Okay, so I tried pruning my firewall rules. When I was down to this,
> where virtually everything is accepted (but please verify this from the
> rules below), the internal client was still not able to connect to
> security.debian.org, but could ping it, and it was also reachable from
> the router. What should I check next?

> /etc/iptables# iptables -nvL
> Chain INPUT (policy ACCEPT 71 packets, 8282 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  7095  863K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  eth1   *       192.168.0.0/24       0.0.0.0/0
>     0     0 drop-and-log-it  all  --  ppp0   *       192.168.0.0/24       0.0.0.0/0
>     0     0 LOG        all  -f  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `IPTABLES FRAGMENTS: '
>     0     0 DROP       all  -f  *      *       0.0.0.0/0            0.0.0.0/0
>    48 19151 ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp spts:67:68 dpts:67:68
>     0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp spts:67:68 dpts:67:68

> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     udp  --  *      *       192.168.0.2          0.0.0.0/0           udp spts:67:68 dpts:67:68
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.2         udp spts:67:68 dpts:67:68
>  3285 3438K ACCEPT     all  --  ppp0   eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>  4626 4716K ACCEPT     all  --  eth1   ppp0    0.0.0.0/0            0.0.0.0/0

> Chain OUTPUT (policy ACCEPT 42 packets, 6890 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  7095  863K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
>    30  4366 ACCEPT     all  --  *      eth1    0.0.0.0/0            192.168.0.0/24
>     0     0 ACCEPT     all  --  *      eth1    192.168.0.2          192.168.0.0/24
>     0     0 drop-and-log-it  all  --  *      ppp0    0.0.0.0/0            192.168.0.0/24
>    83  5974 ACCEPT     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
>     0     0 ACCEPT     udp  --  *      eth1    0.0.0.0/0            0.0.0.0/0           udp spts:67:68 dpts:67:68
>     0     0 ACCEPT     tcp  --  *      eth1    0.0.0.0/0            0.0.0.0/0           tcp spts:67:68 dpts:67:68

> Chain BadTCPLaD (0 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `PingOfDeath: '
>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

> Chain drop-and-log-it (2 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6
>     0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

> ->HS


is this a DHCP problem?

Post by Walter Mautne » Mon, 18 Oct 2004 09:20:49


....

Quote:
> No, it is not a DNS problem. Many other sites work perfectly. Moreover,
> I can ping to security.debian.org from the client as well as from the
> router (so DNS is not an issue).

http://www.gschwarz.de/mtu-wert.htm

Since you appear to use DSL, it might be a MTU-problem instead.
--
Longhorn error#4711: TCPA / NGSCB VIOLATION: Microsoft optical mouse
detected penguin patterns on mousepad. Partition scan in progress
to remove offending incompatible products.  Reactivate your MS software.
Linux woodpecker.homnet.at 2.6.8reiser4pkt [LinuxCounter#295241]
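The MTU finding in H. S.'s last post and Walter's DSL hint, as an added example that is not code from the thread: a path MTU probe that pings with the Don't Fragment bit set and binary-searches the largest size that still gets a reply, which is how a 1490-byte value like the one above can be confirmed rather than guessed. The names `ping_df`, `find_mtu` and `payload_for_mtu` are chosen here; `ping -M do` is the Linux iputils flag, and the probe is passed in as a function so the search can be exercised without a network.

```shell
#!/bin/sh
# Added example (not from the thread): confirm a path MTU such as the 1490
# the laptop ended up with. An IPv4 ICMP echo carries 28 bytes of headers
# (20 IP + 8 ICMP), so a payload of N bytes tests an MTU of N+28. With the
# Don't Fragment bit set, an oversized probe fails instead of being fragmented,
# which is exactly the symptom of a host that can ping but not load pages.
HDR_OVERHEAD=28

# ICMP payload size that probes the given MTU.
payload_for_mtu() {
    echo $(( $1 - HDR_OVERHEAD ))
}

# Real probe: one ping with DF set (Linux iputils: -M do). $1 host, $2 payload.
# Exit 0 on a reply, non-zero when the packet was too big or no reply came.
ping_df() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# Largest MTU in [lo, hi] that passes, by binary search.
# $1 host  $2 probe function  $3 lo (assumed to pass)  $4 hi
find_mtu() {
    host=$1; probe=$2; lo=$3; hi=$4
    if "$probe" "$host" "$(payload_for_mtu "$hi")"; then
        echo "$hi"; return 0            # nothing is being dropped at hi
    fi
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$host" "$(payload_for_mtu "$mid")"; then
            lo=$mid                     # mid fits: search upwards
        else
            hi=$mid                     # mid dropped: search downwards
        fi
    done
    echo "$lo"
}

# Live use from the LAN client (needs network):
#   find_mtu security.debian.org ping_df 576 1500
```

A PPPoE DSL link adds 8 bytes per frame, so 1492 is the usual ceiling there; once the value is known it can be set on each client as the post does, or the router can clamp TCP MSS to the path MTU with the iptables TCPMSS target so every client benefits.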