Overclock.net › Forums › Software, Programming and Coding › Operating Systems › Linux, Unix › [SOLVED]IPTables Blocks Access To LAN

[SOLVED]IPTables Blocks Access To LAN

post #1 of 25
Thread Starter 
OK, so I've been configuring my firewall so that anything destined for the Internet is forced over my VPN. The thing is that for some reason I can't figure out, access to my local LAN is blocked. Everything else works as normal.

My iptables config looks like this:
Quote:
# Generated by iptables-save v1.4.12 on Thu Jul 25 00:47:40 2013
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# LAN
-A INPUT -s 192.168.1.0 -d 192.168.1.0 -i eth1 -j ACCEPT

# LAN
-A OUTPUT -s 192.168.1.0 -d 192.168.1.0 -o eth1 -j ACCEPT

# Accept packets to VPN endpoint.
-A OUTPUT -d 85.17.31.98 -o eth1 -j ACCEPT
# Accept packets from VPN endpoint
-A INPUT -s 85.17.31.98 -i eth1 -j ACCEPT
# Only accept external traffic if over VPN.
-A INPUT ! -s 192.168.1.0 -i tun0 -j ACCEPT
# Force packet to external network over VPN.
-A OUTPUT ! -d 192.168.1.0 -o tun0 -j ACCEPT
COMMIT
# Completed on Thu Jul 25 00:47:40 2013
# Generated by iptables-save v1.4.12 on Thu Jul 25 00:47:40 2013
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Thu Jul 25 00:47:40 2013
# Generated by iptables-save v1.4.12 on Thu Jul 25 00:47:40 2013
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Thu Jul 25 00:47:40 2013

I've bolded the part I think is relevant. Soooo...what am I missing?

Many thanks.

EDIT:

OK, so bold doesn't work with code tags...quoting instead.
Edited by parityboy - 7/25/13 at 8:14am
post #2 of 25
Thread Starter 
Anyone? When I try to ping my router on 192.168.1.1, I get:
Quote:
ping: sendmsg: Operation not permitted

Any ideas? I really don't understand why access to the 192.168.1.0 address range should be blocked.
Edited by parityboy - 7/25/13 at 5:17pm
post #3 of 25
Don't know what firewall you are running.
It might be your zones (Home, Public) or IPv6 Tables for LAN.

Here's a manual for the new FirewallD:
https://fedoraproject.org/wiki/FirewallD?rd=FirewallD/
post #4 of 25
Thread Starter 
@ar3f

I'm using Mint 14, so therefore iptables. Anyway, I solved it by adding /24 to the 192.168.1.0 declarations in the rules.
Edited by parityboy - 7/30/13 at 4:05am
post #5 of 25
Quote:
Originally Posted by parityboy View Post

@ar3f

I'm using Mint 14, so therefore iptables. Anyway, I solved it by adding /24 to the 192.168.1.0 declarations in the rules.

This is one of those occasions where the solution seems so obvious now that you've posted it, but I'd never have worked it out for myself.
post #6 of 25
Thread Starter 
@plan9

Yeah, actually it shows iptables is pretty retarded. Ever since I started in networking, addresses ending in ".0" have always meant "network" as opposed to "host", so I don't understand why I had to explicitly add /24 to the end.

Annoying.
post #7 of 25
Quote:
Originally Posted by parityboy View Post

@plan9

Yeah, actually it shows iptables is pretty retarded. Ever since I started in networking, addresses ending in ".0" have always meant "network" as opposed to "host", so I don't understand why I had to explicitly add /24 to the end.

Annoying.

I'm no networking guru, but I thought that was only the case when using the 255.255.255.0 style of subnets. I thought that with the slash method you couldn't use zero in the IP number, because you can have subnets that are only a range of the last block of IP addresses (e.g. a subnet between 192.168.0.1 and 192.168.0.126 would be 192.168.0.1/25 or 255.255.255.128).
post #8 of 25
Thread Starter 
@Plan9

Well, I used the slash method and it worked, and I still think it's superfluous. I'm gonna have to go brush up on my networking.
post #9 of 25
Quote:
Originally Posted by parityboy View Post

@Plan9

Well, I used the slash method and it worked, and I still think it's superfluous. I'm gonna have to go brush up on my networking.

It's not really superfluous, because you can have subnet ranges of less than 254 (and greater than too).

By the looks of it IPTables supports both the xxx.xxx.xxx.xxx subnet masks and the mask bits:
Code:
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT  # using standard slash notation
iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT # using a subnet mask
http://wiki.centos.org/HowTos/Network/IPTables#head-8450ee609cbecd71b6fef3bd3d1ac6228991e073
post #10 of 25
Thread Starter 
@Plan9

Subnet ranges of greater than 254? IPv4 is 32 bits, 8 bits per field. 2 ^ 8 is 256, .0 is "network", .255 is "broadcast". Are you saying I could have a host with an address of 192.168.1.280, by specifying fewer bits for the third field? If so, is .255 still reserved for broadcast?

Forgive my retardedness, I really need to brush up on my networking.
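To make the thread's point concrete, here is an added Python example (not code from the thread, from iptables or from its documentation) that models how iptables reads `-s`/`-d` with and without a mask and replays the rules from post #1 against a few constructed packets. The semantics it reproduces are the ones confirmed in posts #4 and #9: a bare address such as `192.168.1.0` is one host (a /32), and `/24` and `/255.255.255.0` mean the same thing. The addresses 192.168.1.10 (the PC), 203.0.113.5 (a remote peer) and 10.8.0.2 (a tunnel address) are constructed sample values; 192.168.1.1 is the router from post #2 and 85.17.31.98 is the VPN endpoint from the posted rules. The model also shows a caveat the thread does not raise: the `! -s 192.168.1.0/24 -i tun0` rule, with or without the mask, carries no connection-state match, so it accepts any unsolicited inbound packet arriving over the tunnel, not only replies.

```python
# Added example: a miniature model of iptables -s/-d/-i/-o matching, used to
# reproduce the LAN-blocking failure from the thread offline. Not the real
# netfilter engine, only enough of its address semantics to show the bug.
import ipaddress
from dataclasses import dataclass

# The filter rules exactly as posted in post #1 (bare 192.168.1.0, no mask).
ORIGINAL_RULES = [
    "-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT",
    "-A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT",
    "-A INPUT -s 192.168.1.0 -d 192.168.1.0 -i eth1 -j ACCEPT",
    "-A OUTPUT -s 192.168.1.0 -d 192.168.1.0 -o eth1 -j ACCEPT",
    "-A OUTPUT -d 85.17.31.98 -o eth1 -j ACCEPT",
    "-A INPUT -s 85.17.31.98 -i eth1 -j ACCEPT",
    "-A INPUT ! -s 192.168.1.0 -i tun0 -j ACCEPT",
    "-A OUTPUT ! -d 192.168.1.0 -o tun0 -j ACCEPT",
]


def with_cidr(rules, net="192.168.1.0", prefix=24):
    """The fix from post #4: give every bare LAN address an explicit /24."""
    return [r.replace(f" {net} ", f" {net}/{prefix} ") for r in rules]


FIXED_RULES = with_cidr(ORIGINAL_RULES)


def parse_addr(spec):
    """iptables semantics: no mask means a single host (/32); both the
    '/24' and the '/255.255.255.0' forms from post #9 are accepted."""
    return ipaddress.ip_network(spec, strict=False)


def parse_rule(line):
    """Parse the subset of iptables-save syntax used in the thread."""
    rule = {"chain": None, "src": None, "dst": None, "in": None, "out": None, "target": None}
    tokens = line.split()
    negate, i = False, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":                      # iptables-save writes '!' before the option
            negate, i = True, i + 1
            continue
        arg = tokens[i + 1]
        if tok == "-A":
            rule["chain"] = arg
        elif tok == "-s":
            rule["src"] = (parse_addr(arg), negate)
        elif tok == "-d":
            rule["dst"] = (parse_addr(arg), negate)
        elif tok == "-i":
            rule["in"] = (arg, negate)
        elif tok == "-o":
            rule["out"] = (arg, negate)
        elif tok == "-j":
            rule["target"] = arg
        negate, i = False, i + 2
    return rule


@dataclass
class Packet:
    src: str
    dst: str
    iface: str  # interface the packet arrives on (INPUT) or leaves by (OUTPUT)


def rule_matches(rule, pkt, chain):
    if rule["chain"] != chain:
        return False
    iface_spec = rule["in"] if chain == "INPUT" else rule["out"]
    checks = (
        (rule["src"], lambda net: ipaddress.ip_address(pkt.src) in net),
        (rule["dst"], lambda net: ipaddress.ip_address(pkt.dst) in net),
        (iface_spec, lambda name: pkt.iface == name),
    )
    for spec, test in checks:
        if spec is None:
            continue
        value, negated = spec
        if test(value) == negated:          # '!' inverts the outcome of that one test
            return False
    return True


def verdict(rules, pkt, chain, policy="DROP"):
    """First matching rule wins; otherwise the chain policy (DROP in the post)."""
    for rule in map(parse_rule, rules):
        if rule_matches(rule, pkt, chain):
            return rule["target"]
    return policy


def usable_hosts(spec):
    """Addresses minus network and broadcast: the 'less or greater than 254' point."""
    return parse_addr(spec).num_addresses - 2


# Constructed sample packets (addresses other than 192.168.1.1 and 85.17.31.98 are made up).
LAN_PING = Packet(src="192.168.1.10", dst="192.168.1.1", iface="eth1")    # the failing ping from post #2
LAN_REPLY = Packet(src="192.168.1.1", dst="192.168.1.10", iface="eth1")   # the router's echo reply
VPN_INBOUND = Packet(src="203.0.113.5", dst="10.8.0.2", iface="tun0")     # unsolicited packet over the tunnel

if __name__ == "__main__":
    print("bare 192.168.1.0 means", parse_addr("192.168.1.0"))                      # 192.168.1.0/32
    print("LAN ping, original:", verdict(ORIGINAL_RULES, LAN_PING, "OUTPUT"))      # DROP
    print("LAN ping, with /24:", verdict(FIXED_RULES, LAN_PING, "OUTPUT"))         # ACCEPT
    print("unsolicited over tun0, with /24:", verdict(FIXED_RULES, VPN_INBOUND, "INPUT"))  # ACCEPT
    print("/25 hosts:", usable_hosts("192.168.0.0/25"), "/23 hosts:", usable_hosts("192.168.0.0/23"))  # 126 510
```

With the original rules the outbound ping falls through every OUTPUT rule and hits the DROP policy, which is exactly what `ping: sendmsg: Operation not permitted` reports; with `/24` the LAN rule matches. The `usable_hosts` check answers post #10 the other way round: a /23 is not a fourth octet above 255 but two adjacent /24s (192.168.0.0 to 192.168.1.255), which is how a subnet holds more than 254 hosts. For the tun0 caveat, the usual tightening is to accept inbound tunnel traffic only with `-m conntrack --ctstate ESTABLISHED,RELATED` so that only replies to connections the host opened are let in.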