[ubuntu] Workstations can ping hostname but cannot access internet.



lose_the_grimm
February 5th, 2009, 07:28 AM
I have a strange problem that two days of trolling the interwebz has not provided a solution.

I have a small home network. My internet access is through my cable company. I have an ubuntu 8.10 box acting as a router/dhcp/samba server.

Cable Modem --> Linux Box --> Switch --> Internal Network

(I've recently moved from a working Fedora 7 installation, and wanted to try ubuntu)

From the server I can browse the internet. I can ping every workstation.
From the workstations I can ping 'www.google.com'; it resolves, but when I attempt to load it in a browser, Firefox just sits and spins. (The workstations range from Windows XP and Vista to Ubuntu desktops.)
From the workstations I can also access the samba shares, and I can SSH into the server.

I have attempted accessing other websites (reddit.com, digg.com, slashdot.org, facebook.com, others) to no avail. I can ping them however. Other applications that use the internet also do not work. (pidgin, xfire, etc..) This makes no sense to me.

The firewall (well iptables anyway) is enabled manually and only turns on NAT. So that isn't an issue. (I believe)

Any help would be appreciated, this has truly boggled my mind.

Some files....

iptables configuration:

# Generated by iptables-save v1.4.0 on Thu Feb 5 00:20:10 2009
*nat
:PREROUTING ACCEPT [1333:262376]
:POSTROUTING ACCEPT [58:6859]
:OUTPUT ACCEPT [36:4852]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Feb 5 00:20:10 2009
# Generated by iptables-save v1.4.0 on Thu Feb 5 00:20:10 2009
*filter
:INPUT ACCEPT [12368:2727207]
:FORWARD ACCEPT [402:38972]
:OUTPUT ACCEPT [40835:51548114]
-A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Feb 5 00:20:10 2009

/etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
address 10.10.10.1
network 10.10.10.0
netmask 255.255.255.0
broadcast 10.10.10.255

/etc/sysctl.conf

#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 4 4 1 7

##############################################################3
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# This disables TCP Window Scaling (http://lkml.org/lkml/2008/2/5/167),
# and is not recommended.
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Ignore ICMP broadcasts
#net.ipv4.icmp_echo_ignore_broadcasts = 1
#
# Ignore bogus ICMP errors
#net.ipv4.icmp_ignore_bogus_error_responses = 1
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
# The contents of /proc/<pid>/maps and smaps files are only visible to
# readers that are allowed to ptrace() the process
# sys.kernel.maps_protect = 1

If you need more let me know. Thanks very much.

Jon@bayleys.org.uk
February 5th, 2009, 09:40 AM
I had a similar problem; it turned out that turning the modem off and back on solved it. I assume something screwed up port 80 on the modem. Another thing to check is that your netmasks are all the same. Cheers, Jon

mohitchawla
February 5th, 2009, 10:53 AM
Toggle the ipv6 flag in firefox configuration and see if that helps.

lose_the_grimm
February 5th, 2009, 09:05 PM
Jon:

I've got a linksys router floating around just in case, and if the interface connected to the cable modem changes, i.e. moving from the server to the linksys, it usually requires a power cycle of the cable modem. I've done this many times. =)


mohitchawla:

I'm actually having issues across the board (though ping and traceroute work). Like I mentioned, XFire, Pidgin (IM), Firefox, Thunderbird are all having issues. On the Windows workstations I have IP6 turned off. I will try the Firefox trick to see if that makes a difference.

I did find a forum article (not here) that describes my problem and they suggested turning off ip6 on the server. I've tried that, but apparently haven't been able to turn it off properly.

I'll fiddle with it some more after work.

Thanks!

lose_the_grimm
February 6th, 2009, 01:19 AM
An update.

I removed ipv6 from my server. But that didn't do it. I've checked again and it appears some things are working. Firefox, Safari, Chrome, Pidgin are not working but uTorrent and Xfire *are* working.

I don't get this at all. Why not web/IM traffic but let bittorrent and others through?

As above there isn't anything in iptables except NAT. Is there something else preventing this traffic? I'm at a total loss.

To clarify I can do whatever I need to on the server (web, im, etc..) but no workstation (there are 5) can get web traffic.

lose_the_grimm
February 6th, 2009, 04:44 AM
I found the solution.

My ISP (Brighthouse) was handing out an MTU of 576.

I basically used the info from here:
http://ubuntuforums.org/archive/index.php/t-996396.html
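
An added example, not part of the original thread: a check for the condition the poster found, a WAN interface with a smaller MTU than the LAN side. The router's own TCP sessions size their MSS from the WAN MTU, while forwarded LAN clients advertise an MSS sized from theirs. It assumes eth0 is the WAN and eth1 the LAN, as in the posted /etc/network/interfaces; the `ip -o link show` sample is constructed.

```shell
#!/bin/sh
# Added example: flag a NAT router whose WAN MTU is smaller than its LAN MTU.

# Constructed sample of `ip -o link show` output (not taken from the thread).
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc pfifo_fast state UP qlen 1000
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000'

# link_mtu IFACE: read `ip -o link show` text on stdin, print IFACE's MTU.
link_mtu() {
    awk -v want="$1:" '$2 == want {
        for (i = 3; i < NF; i++) if ($i == "mtu") { print $(i + 1); exit }
    }'
}

# tcp_mss MTU: largest TCP payload per packet (20-byte IPv4 + 20-byte TCP header).
tcp_mss() {
    echo $(( $1 - 40 ))
}

# check_router WAN LAN: read link text on stdin, report an MTU/MSS mismatch.
# Returns 0 if consistent, 1 on mismatch, 2 if an interface was not found.
check_router() {
    links=$(cat)
    wan_mtu=$(printf '%s\n' "$links" | link_mtu "$1")
    lan_mtu=$(printf '%s\n' "$links" | link_mtu "$2")
    if [ -z "$wan_mtu" ] || [ -z "$lan_mtu" ]; then
        echo "UNKNOWN: could not read MTU for $1 or $2"
        return 2
    fi
    if [ "$wan_mtu" -lt "$lan_mtu" ]; then
        echo "MISMATCH: $1 mtu=$wan_mtu (MSS $(tcp_mss "$wan_mtu")) < $2 mtu=$lan_mtu (clients advertise MSS $(tcp_mss "$lan_mtu"))"
        return 1
    fi
    echo "OK: $1 mtu=$wan_mtu >= $2 mtu=$lan_mtu"
}

# On a live router: ip -o link show | check_router eth0 eth1
printf '%s\n' "$SAMPLE_LINKS" | check_router eth0 eth1 || true
```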