
CORRECTION 3: SOLVED! I needed to add the official DNS server of my department's VLAN as the DNS server for the clients.

I've read through a large number of posts about iptables issues when using Linux as a router, but none could help me with the following:

I am setting up a number of student workstations in our university department, where we have limited IPs in a VLAN. The workstations need to communicate with each other and go online. They explicitly should not be reachable from the internet. Instead of giving each workstation one of the rare IPs in the university VLAN, I want to use the following setup:

We have a server running Ubuntu 14.04 server with 4 Ethernet ports (I use 2 for this setup).

1st port is em1 and is plugged into an L2 switch together with all the workstations.

2nd port is em2 and is plugged into the university VLAN.

First the problem, then my setup:

  1. I can reach the server via ssh over the web; I can ping 8.8.8.8, www.example.com and other 192.168.99.x clients in the LAN from it, so for that one all works fine.
  2. The clients can ping each other, and also 8.8.8.8, but not www.example.com. That is why I am thinking I need another iptables setting for the DNS. Same in any browser: I can't resolve external websites. On the Windows clients, the Network Settings show a connection to the internet; on the Linux clients, things like wget and apt-get install work. I have tried manually setting the Google DNS servers 8.8.8.8 and 8.8.4.4 for the clients, but to no avail, even though they can ping them. (The solution was to use the official DNS from the VLAN.)

CORRECTION: The wget/apt-get stuff seems to work only sometimes.

CORRECTION 2: I had a typo in at least one of the DNS entries for one client; I will try the rest tomorrow and then mark this as closed.

Settings etc.:

I have activated forwarding in the kernel by uncommenting net.ipv4.ip_forward=1 in /etc/sysctl.conf.

My /etc/network/interfaces entries for the 2 Ethernet ports look like this:

auto em2
iface em2 inet static
    address x.x.x.x
    netmask x.x.x.x
    network x.x.x.x
    gateway x.x.x.x
    dns-nameservers x.x.x.x x.x.x.x
    dns-search x.example.com
    pre-up iptables-restore < /etc/network/iptables.up.rules
    post-down iptables-save > /etc/network/iptables.up.rules

auto em1
iface em1 inet static
    address 192.168.99.252
    netmask 255.255.255.128
    pre-up iptables-restore < /etc/network/iptables.up.rules
    post-down iptables-save > /etc/network/iptables.up.rules

(The em2 parameters are redacted for privacy reasons, but I don't think they play a role here. Please note we have two internal DNS servers; this might play a role in the problem?)

I have also set up iptables with sudo iptables -t nat -A POSTROUTING -o em2 -j MASQUERADE, so sudo iptables -t nat -L gives me:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere
MASQUERADE  all  --  anywhere             anywhere

(That second entry must have happened by accident, but shouldn't be concerning, right?)

All the clients have static IPs with the following settings:

  • IP: 192.168.99.22 or similar
  • Subnet mask: 255.255.255.128
  • Gateway: 192.168.99.252

The solution was to add the official DNS entry from my department's VLAN to the clients' DNS entries. The router was not configured to be used as a DNS server on its own and did not redirect DNS requests to the outside DNS. So for every client:

  • DNS: Official VLAN DNS of the outside network

  • Which DNS server are the workstations using? As you wrote, "The wget/apt-get stuff seems to work only sometimes", which suggests that sometimes the DNS query is resolved, maybe by one of the two internal DNS servers. Is the workstation able to resolve internal names? – Lety Aug 26 '14 at 11:30
  • I am actually curious why it worked at one point during the different settings I tried but does not anymore. The settings posted are the ones I am using right now, and the Linux clients can neither wget nor ping unresolved URLs or similar. They are still able to ping IP addresses. On all clients, no explicit DNS server is specified. However, results did not change when I added dns-nameservers x.x.x.x in the /etc/network/interfaces, independent of using 8.8.8.8 or the internal DNS from the university. How could I check if the workstation resolves the internal name? – zerweck Aug 26 '14 at 12:37
  • Sorry, I would say internal domains, domains on the university intranet. – Lety Aug 26 '14 at 12:59
  • You seem to have sent me on the right track, and of course it is a solution that rewards a slap on my head. I looked closer at the DNS entries on one of the clients and I seem to have mistyped the internal DNS IPs. Now this client can resolve www addresses. I can only try the Windows clients tomorrow when I am back at work, but that seems to have been it... together with a complete flush and redo of the iptables with the same rules. Crossing my fingers... will mark this as answered tomorrow. – zerweck Aug 26 '14 at 17:04
  • I'm sorry, but I'm curious. Have you solved your problem? If so, could you write the answer for the benefit of all? Thanks. – Lety Aug 30 '14 at 13:01
  • Oh man, I solved it and went on vacation the next day; I totally forgot about the post, sorry. Yes, the solution was that I needed to change the DNS on all clients within the intranet to the official DNS of the department. Then those packets get masqueraded by the router/server, which can officially request them as it has an official IP. The returning packets are handled perfectly by iptables, it seems. Thanks again for your help. – zerweck Sep 15 '14 at 17:04
  • Try to double-check your iptables settings with iptables --list | grep more. I bet you need to flush the iptables first to set up your needed NAT, or/and remove UFW and keep going with iptables only. Unfortunately UFW is not telling you exactly what your iptables chains are. – Jun 05 '15 at 11:16
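As an added example (not part of the original question or the comments), here is the ruleset file the interfaces stanza above would load with iptables-restore, written so that only one MASQUERADE rule exists, workstations can open connections outward, and nothing from the VLAN can open a connection into the LAN, followed by the resolver check that would have caught the mistyped DNS entry. It assumes em1 is the LAN side, em2 the VLAN side, the LAN network is 192.168.99.128/25 (the /25 containing 192.168.99.252), and 10.0.0.53/10.0.0.54 are placeholder addresses standing in for the department's real resolvers.

```shell
#!/bin/sh
# Added example, not from the original post. Emits an iptables-restore file for
# the two-NIC router in the question, to be loaded by
# "pre-up iptables-restore < /etc/network/iptables.up.rules".
# Assumptions: LAN side em1, VLAN/uplink side em2, LAN network
# 192.168.99.128/25 (what 192.168.99.252 with mask 255.255.255.128 belongs to).
gen_ruleset() {
  lan_if=$1; wan_if=$2; lan_net=$3
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Exactly one masquerade rule; restoring a file replaces the table, so the
# duplicate entry seen in the question cannot accumulate from repeated -A calls.
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections the workstations opened (DNS answers included)
-A FORWARD -i $wan_if -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Workstations may open new connections towards the VLAN and the internet
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
# Anything else (new connections from outside into the LAN) hits the DROP policy.
COMMIT
EOF
}

# The check the thread ended on: does a resolv.conf-style text name one of the
# official VLAN resolvers exactly? A mistyped address (one digit off) fails.
# Usage: check_dns_config "$(cat /etc/resolv.conf)" 10.0.0.53 10.0.0.54
check_dns_config() {
  conf=$1; shift
  for want in "$@"; do
    if printf '%s\n' "$conf" | awk -v w="$want" \
        '$1 == "nameserver" && $2 == w { found = 1 } END { exit !found }'; then
      return 0
    fi
  done
  return 1
}

# Demonstration with constructed values (10.0.0.53/10.0.0.54 are placeholders
# for the department's real resolvers, which the question redacts).
gen_ruleset em1 em2 192.168.99.128/25
check_dns_config "$(printf 'nameserver 10.0.0.5\n')" 10.0.0.53 10.0.0.54 \
  || echo "resolv.conf does not list an official resolver (check for a typo)"
```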
