Strange connection problems.

Ryan Belcher Ryanb at sealevel.com
Mon Apr 11 16:38:22 CEST 2005


Hello again,

That was one of the first things I checked and it is set to 0.  (I remembered having the problem with Squid a while back).

Any other ideas?

Ryan

-----Original Message-----
From: Jörg Harmuth [mailto:harmuth at mnemon.de]
Sent: Monday, April 11, 2005 5:34 AM
To: netfilter at lists.netfilter.org
Subject: Re: Strange connection problems.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I had the same problem some time ago. In my case the remote sites were
not capable of ECN. Disabling ECN solved the problem for me:

echo 0 > /proc/sys/net/ipv4/tcp_ecn

Of course, your problem may be totally different - you will see.

Have a nice time,

Jörg


Ryan Belcher schrieb:
> Hi All,
> 
> Below I've posted my FW config.  It's handling 3 interfaces: ppp0, eth0, and ath0.
> It's on Linux kernel version 2.6.10.
> 
> Pretty much everything works as I expect except for a strange issue with certain websites while trying to connect from clients within my network.  For example, penny-arcade.com, americanexpress.com SSL logins, and a few others.  If you want to poke at this configuration, penny-arcade will appear to begin connection but after the SYN, ACK, then HTTP GET sequence, the HTTP response never gets here (according to Ethereal anyways).  If I try connecting from the actual firewalling box itself, it works fine.
> 
> Does anyone have any ideas?
> 
> Thanks,
> 
> Ryan
> -----------------Snip----------------
> IPTABLES=/usr/sbin/iptables
> DEPMOD=/sbin/depmod
> MODPROBE=/sbin/modprobe
> IFCONFIG=/sbin/ifconfig
> AWK=/usr/bin/awk
> GETIP=/usr/bin/gethostip
> PENGUIN=192.168.0.4
> BRENT=192.168.0.12
> MERCURY=192.168.0.3
> EXTIF="ppp0"
> INTIF="eth0"
> WIRLS="ath0"
> echo "   External Interface:  $EXTIF"
> echo "   Internal Interface:  $INTIF"
> echo "   Wireless Interface:  $WIRLS"
> echo "   Enabling forwarding.."
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "   Enabling DynamicAddr.."
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> 
> # Start doing something...
> echo "   Clearing any existing rules and setting default policy.."
> $IPTABLES -P INPUT DROP
> $IPTABLES -F INPUT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -F OUTPUT
> $IPTABLES -P FORWARD DROP
> $IPTABLES -F FORWARD
> $IPTABLES -t nat -F
> $IPTABLES -t filter -F
> $IPTABLES -t mangle -F
> 
> echo "   FWD: Allow all connections OUT and only existing and related ones IN"
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> $IPTABLES -A FORWARD -i $WIRLS -o $EXTIF -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $WIRLS -j ACCEPT
> $IPTABLES -A FORWARD -i $WIRLS -o $INTIF -j ACCEPT
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $EXTIF -o $WIRLS -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -j LOG
> 
> echo "  INPUT: Allow local connections in.  Nothing from the outside though."
> $IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -i $INTIF -j ACCEPT
> $IPTABLES -A INPUT -i $WIRLS -j ACCEPT
> 
> echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> 
> EXTIP="`$IFCONFIG $EXTIF | $AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
> 
> #Enable Port forward...Webserver
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state \
>  --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 80 -j DNAT --to $PENGUIN:80
> 
> #Brent
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 4747 -m state \
>  --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 4747 -j DNAT --to $BRENT:4747
> 
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 6112 -m state \
>  --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 6112 -j DNAT --to $BRENT:6112
> 
> #Common Services to penguin
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 20:25 -m state \
>  --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 20:25 -j DNAT --to $PENGUIN
> 
> #BITORRENT
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 6880:6899 -j ACCEPT
> 
> echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
> -----------------/Snip---------------
- --
- -----------------------------------------------------------------------
mnemon
Jörg Harmuth
Marie-Curie.Str. 1
53359 Rheinbach

Tel.: (+49) 22 26  87 18 12
Fax:  (+49) 22 26 87 18 19
mail: harmuth at mnemon.de
Web:  http://www.mnemon.de
PGP-Key: http://www.mnemon.de/keys/harmuth_mnemon.asc
PGP-Fingerprint: 692E 4476 0838 60F8 99E2  7F5D B7D7 E48E 267B 204F
- -----------------------------------------------------------------------
This mail was checked for viruses and other malicious software before
sending. No malicious software was detected.
- -----------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCWkRut9fkjiZ7IE8RAo+BAJwJEVwkWIzcSbOAcnbYW5ZNjs5jsgCfTc4/
kEnCandN3ZPnXh4+GhMoLb4=
=7BIz
-----END PGP SIGNATURE-----
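Two points a practitioner would want alongside the ECN fix quoted above, shown in an added shell example that is not code from the thread: the `tcp_ecn` sysctl only governs TCP connections the firewall box itself originates (the kernel does not rewrite ECN bits on packets it merely forwards, so clients behind the NAT negotiate ECN according to their own settings), and writing into `/proc` as in the thread is lost at the next reboot, while a `sysctl.conf` entry is not. The script classifies the current setting, including the value 2 that newer kernels use by default (a 2.6.10 kernel as in the thread knows only 0 and 1), and prints the persistent equivalent. The `ECN_SYSCTL` variable, the function names and the `ecn-check.sh` file name are this example's own assumptions; the functions take an optional file path so they can be exercised against constructed files instead of the live `/proc` entry.

```shell
#!/bin/sh
# Added example (not from the thread): classify the kernel's ECN setting in a
# testable way and show the persistent way to change it.
# ECN_SYSCTL is an assumed variable name; it defaults to the real /proc path.

ECN_SYSCTL=${ECN_SYSCTL:-/proc/sys/net/ipv4/tcp_ecn}

# Map the raw sysctl value to what it means for TCP connections of *this* host.
# 0 = never negotiate ECN, 1 = request ECN on outgoing connections and accept
# it on incoming ones, 2 = accept ECN only when the peer requests it (default
# on current kernels). Unreadable files and unknown values return status 2.
ecn_mode() {
    file=${1:-$ECN_SYSCTL}
    [ -r "$file" ] || { echo "unknown"; return 2; }
    read -r value < "$file"
    case "$value" in
        0) echo "disabled" ;;
        1) echo "request-and-accept" ;;
        2) echo "accept-only" ;;
        *) echo "unknown"; return 2 ;;
    esac
}

# Succeeds only when this host would itself try to negotiate ECN on outgoing
# connections (mode 1), the situation described in the thread. Forwarded
# traffic from LAN clients is not influenced by this setting at all.
ecn_host_initiates() {
    [ "$(ecn_mode "$1")" = "request-and-accept" ]
}

# The thread's "echo 0 > /proc/sys/net/ipv4/tcp_ecn" does not survive a reboot;
# this prints the /etc/sysctl.conf line that makes the same value persistent.
ecn_persistent_line() {
    printf 'net.ipv4.tcp_ecn = %s\n' "${1:-0}"
}

# Walkthrough over constructed values: emulate the /proc entry with a temp file.
demo() {
    tmp=$(mktemp)
    for v in 0 1 2; do
        echo "$v" > "$tmp"
        printf 'tcp_ecn=%s -> %s\n' "$v" "$(ecn_mode "$tmp")"
    done
    rm -f "$tmp"
    printf 'live setting: %s\n' "$(ecn_mode)"
    ecn_persistent_line 0
}

# Run the walkthrough only when executed directly under the assumed file name,
# so the functions can also be sourced from another script without side effects.
case "$0" in *ecn-check.sh) demo ;; esac
```

Run it as `sh ecn-check.sh` for the walkthrough, or source it and call `ecn_mode` with no argument to classify the live setting. To apply the value in the thread persistently, append the line printed by `ecn_persistent_line 0` to `/etc/sysctl.conf` and load it with `sysctl -p`.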