Strange connection problems.

Ryan Belcher Ryanb at sealevel.com
Fri Apr 8 23:14:09 CEST 2005


Hi All,

Below I've posted my FW config.  It's handling 3 interfaces: ppp0, eth0, and ath0.
It's on Linux kernel version 2.6.10.

Pretty much everything works as I expect except for a strange issue with certain websites while trying to connect from clients within my network.  For example, penny-arcade.com, americanexpress.com SSL logins, and a few others.  If you want to poke at this configuration, penny-arcade will appear to begin connection but after the SYN, ACK, then HTTP GET sequence, the HTTP response never gets here (according to Ethereal anyways).  If I try connecting from the actual firewalling box itself, it works fine.

Does anyone have any ideas?

Thanks,

Ryan
-----------------Snip----------------
#!/bin/sh
# rc.firewall: NAT/forwarding firewall for three interfaces on Linux 2.6.10
IPTABLES=/usr/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
IFCONFIG=/sbin/ifconfig
AWK=/usr/bin/awk
GETIP=/usr/bin/gethostip
# Internal hosts that receive port-forwarded (DNAT) traffic
PENGUIN=192.168.0.4
BRENT=192.168.0.12
MERCURY=192.168.0.3
EXTIF="ppp0"    # external (PPP) interface
INTIF="eth0"    # wired LAN
WIRLS="ath0"    # wireless LAN
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"
echo "   Wireless Interface:  $WIRLS"
echo "   Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "   Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Start doing something...
echo "   Clearing any existing rules and setting default policy.."
# Default policies: drop unsolicited INPUT and FORWARD traffic, allow all OUTPUT
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -t filter -F
$IPTABLES -t mangle -F

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
# LAN and wireless may initiate anything towards the Internet and each other
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $WIRLS -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $WIRLS -j ACCEPT
$IPTABLES -A FORWARD -i $WIRLS -o $INTIF -j ACCEPT
# Replies from the Internet are only forwarded if conntrack knows the flow
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $WIRLS -m state --state ESTABLISHED,RELATED -j ACCEPT
# LOG is non-terminating: anything reaching here is logged and then continues
# down the chain to the port-forward rules below, or to the DROP policy
$IPTABLES -A FORWARD -j LOG

echo "  INPUT: Allow local connections in.  Nothing from the outside though."
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -j ACCEPT
$IPTABLES -A INPUT -i $WIRLS -j ACCEPT

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# Current address of $EXTIF, taken from the "inet addr:" line of ifconfig output.
# The DNAT rules below pass it to -d, so $EXTIF must be up when this script runs.
EXTIP="`$IFCONFIG $EXTIF | $AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"

#Enable Port forward...Webserver
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state \
 --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 80 -j DNAT --to $PENGUIN:80

#Brent
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 4747 -m state \
 --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 4747 -j DNAT --to $BRENT:4747

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 6112 -m state \
 --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 6112 -j DNAT --to $BRENT:6112

#Common Services to penguin (ports 20-25, destination port is kept)
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 20:25 -m state \
 --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 20:25 -j DNAT --to $PENGUIN

#BITORRENT (terminates on the firewall itself, hence INPUT rather than FORWARD)
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 6880:6899 -j ACCEPT

# NOTE: FWVER is never set in this script, so the version prints empty
echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
-----------------/Snip---------------
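As an added illustration (not code from Ryan's post): a small Python model of the FORWARD chain exactly as the script above appends it, using first-match semantics, a non-terminating LOG target and the DROP policy for whatever is left. Rule, matches and verdict are names chosen here; conntrack state is a constructed input, and NAT and the INPUT chain are deliberately not modelled.

```python
# Added example, not from the original post: a first-match model of the FORWARD
# chain exactly as the posted rc.firewall appends it. Conntrack state is a
# constructed input field; NAT and the INPUT chain are not modelled.
from dataclasses import dataclass
from typing import Optional, Tuple

EXTIF, INTIF, WIRLS = "ppp0", "eth0", "ath0"
EST = ("ESTABLISHED", "RELATED")
ANY = ("NEW", "ESTABLISHED", "RELATED")

@dataclass(frozen=True)
class Rule:
    in_if: Optional[str]            # -i  (None = any interface)
    out_if: Optional[str]           # -o  (None = any interface)
    target: str                     # ACCEPT, or LOG which is non-terminating
    states: Tuple[str, ...] = ()    # -m state --state ...  (() = not used)
    dport: Optional[range] = None   # -p tcp --dport a:b  (None = any)

FORWARD = [
    Rule(INTIF, EXTIF, "ACCEPT"),
    Rule(WIRLS, EXTIF, "ACCEPT"),
    Rule(INTIF, WIRLS, "ACCEPT"),
    Rule(WIRLS, INTIF, "ACCEPT"),
    Rule(EXTIF, INTIF, "ACCEPT", EST),
    Rule(EXTIF, WIRLS, "ACCEPT", EST),
    Rule(None, None, "LOG"),                               # logs, then falls through
    Rule(EXTIF, INTIF, "ACCEPT", ANY, range(80, 81)),      # web server on PENGUIN
    Rule(EXTIF, INTIF, "ACCEPT", ANY, range(4747, 4748)),  # BRENT
    Rule(EXTIF, INTIF, "ACCEPT", ANY, range(6112, 6113)),  # BRENT
    Rule(EXTIF, INTIF, "ACCEPT", ANY, range(20, 26)),      # 20:25 to PENGUIN
]
POLICY = "DROP"  # iptables -P FORWARD DROP

def matches(r: Rule, in_if: str, out_if: str, state: str, dport: Optional[int]) -> bool:
    """Every match the rule carries must hold; a rule with no matches hits everything."""
    return (r.in_if in (None, in_if) and r.out_if in (None, out_if)
            and (not r.states or state in r.states)
            and (r.dport is None or (dport is not None and dport in r.dport)))

def verdict(in_if: str, out_if: str, state: str, dport: Optional[int] = None) -> Tuple[str, bool]:
    """Walk FORWARD top to bottom; return (final verdict, whether the LOG rule fired)."""
    logged = False
    for r in FORWARD:
        if not matches(r, in_if, out_if, state, dport):
            continue
        if r.target == "LOG":
            logged = True   # non-terminating target: keep walking the chain
            continue
        return r.target, logged  # ACCEPT ends the walk
    return POLICY, logged  # nothing matched: the chain policy decides
```

Running verdict("ppp0", "eth0", "ESTABLISHED", 33000) returns ("ACCEPT", False), so a tracked HTTP reply clears this chain without touching the LOG rule, while an unsolicited packet to a port that is not forwarded, e.g. verdict("ppp0", "eth0", "NEW", 5900), is logged and then dropped by the policy.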