Strange connection problems.

Ryan Belcher Ryanb at sealevel.com
Mon Apr 11 16:51:47 CEST 2005


Hello Luis,

I've already got one running.  All of the sites resolve just fine, but they just won't actually load the pages.  I ran ethereal and compared the client traffic to the traffic generated by the firewall box itself, and the only (effective) differences I saw was the HTTP reply to the HTTP GET request never even reached the ppp0 interface when the clients were connecting.

Ryan



-----Original Message-----
From: Luis Nieto [mailto:luismnieto at gmail.com]
Sent: Monday, April 11, 2005 10:45 AM
To: Ryan Belcher
Subject: Re: Strange connection problems.


Install an internal DNS server, and configure the ISP's DNS servers as
forwarders in named.conf.

On Apr 11, 2005 11:38 AM, Ryan Belcher <Ryanb at sealevel.com> wrote:
> Hello again,
> 
> That was one of the first things I checked and it is set to 0.  (I remembered having the problem with Squid a while back).
> 
> Any other ideas?
> 
> Ryan
> 
> -----Original Message-----
> From: Jörg Harmuth [mailto:harmuth at mnemon.de]
> Sent: Monday, April 11, 2005 5:34 AM
> To: netfilter at lists.netfilter.org
> Subject: Re: Strange connection problems.
> 
> Hi,
> 
> I had the same problem some time ago. In my case the remote sites were
> not capable of ECN. Disabling ECN solved the problem for me:
> 
> echo 0 > /proc/sys/net/ipv4/tcp_ecn
> 
> Of course, your problem may be totally different - you will see.
> 
> Have a nice time,
> 
> Jörg
> 
> Ryan Belcher schrieb:
> > Hi All,
> >
> > Below I've posted my FW config.  It's handling 3 interfaces: ppp0, eth0, and ath0.
> > It's on Linux kernel version 2.6.10.
> >
> > Pretty much everything works as I expect except for a strange issue with certain websites while trying to connect from clients within my network.  For example, penny-arcade.com, americanexpress.com SSL logins, and a few others.  If you want to poke at this configuration, penny-arcade will appear to begin connection but after the SYN, ACK, then HTTP GET sequence, the HTTP response never gets here (according to Ethereal anyways).  If I try connecting from the actual firewalling box itself, it works fine.
> >
> > Does anyone have any ideas?
> >
> > Thanks,
> >
> > Ryan
> > -----------------Snip----------------
> > IPTABLES=/usr/sbin/iptables
> > DEPMOD=/sbin/depmod
> > MODPROBE=/sbin/modprobe
> > IFCONFIG=/sbin/ifconfig
> > AWK=/usr/bin/awk
> > GETIP=/usr/bin/gethostip
> > PENGUIN=192.168.0.4
> > BRENT=192.168.0.12
> > MERCURY=192.168.0.3
> > EXTIF="ppp0"
> > INTIF="eth0"
> > WIRLS="ath0"
> > echo "   External Interface:  $EXTIF"
> > echo "   Internal Interface:  $INTIF"
> > echo "   Wireless Interface:  $WIRLS"
> > echo "   Enabling forwarding.."
> > echo "1" > /proc/sys/net/ipv4/ip_forward
> > echo "   Enabling DynamicAddr.."
> > echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> >
> > # Start doing something...
> > echo "   Clearing any existing rules and setting default policy.."
> > $IPTABLES -P INPUT DROP
> > $IPTABLES -F INPUT
> > $IPTABLES -P OUTPUT ACCEPT
> > $IPTABLES -F OUTPUT
> > $IPTABLES -P FORWARD DROP
> > $IPTABLES -F FORWARD
> > $IPTABLES -t nat -F
> > $IPTABLES -t filter -F
> > $IPTABLES -t mangle -F
> >
> > echo "   FWD: Allow all connections OUT and only existing and related ones IN"
> > $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> > $IPTABLES -A FORWARD -i $WIRLS -o $EXTIF -j ACCEPT
> > $IPTABLES -A FORWARD -i $INTIF -o $WIRLS -j ACCEPT
> > $IPTABLES -A FORWARD -i $WIRLS -o $INTIF -j ACCEPT
> > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A FORWARD -i $EXTIF -o $WIRLS -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A FORWARD -j LOG
> >
> > echo "  INPUT: Allow local connections in.  Nothing from the outside though."
> > $IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A INPUT -i $INTIF -j ACCEPT
> > $IPTABLES -A INPUT -i $WIRLS -j ACCEPT
> >
> > echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
> > $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> >
> > EXTIP="`$IFCONFIG $EXTIF | $AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
> >
> > #Enable Port forward...Webserver
> > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state \
> >  --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 80 -j DNAT --to $PENGUIN:80
> >
> > #Brent
> > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 4747 -m state \
> >  --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 4747 -j DNAT --to $BRENT:4747
> >
> > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 6112 -m state \
> >  --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 6112 -j DNAT --to $BRENT:6112
> >
> > #Common Services to penguin
> > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 20:25 -m state \
> >  --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 20:25 -j DNAT --to $PENGUIN
> >
> > #BITORRENT
> > $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 6880:6899 -j ACCEPT
> >
> >
> >
> >
> > echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
> > -----------------/Snip---------------
> >
> >
> 
> --
> -----------------------------------------------------------------------
> mnemon
> Jörg Harmuth
> Marie-Curie.Str. 1
> 53359 Rheinbach
> 
> Tel.: (+49) 22 26  87 18 12
> Fax:  (+49) 22 26 87 18 19
> mail: harmuth at mnemon.de
> Web:  http://www.mnemon.de
> PGP-Key: http://www.mnemon.de/keys/harmuth_mnemon.asc
> PGP-Fingerprint: 692E 4476 0838 60F8 99E2  7F5D B7D7 E48E 267B 204F
> -----------------------------------------------------------------------
> This mail was checked for viruses and other malicious software before
> sending. No malicious software was detected.
> -----------------------------------------------------------------------
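Added example (not from the thread): a small checker for the ECN hypothesis Jörg raised. Given a captured IPv4/TCP segment, it reports whether the client's SYN is an "ECN-setup SYN" (SYN with ECE and CWR set, RFC 3168) and whether the reply is an ECN-setup SYN-ACK, which is what to look for in the Ethereal capture before toggling tcp_ecn. The packets are constructed here from the thread's 192.168.0.4 (PENGUIN) and an assumed documentation address 203.0.113.10; checksums are left zero because only the flags matter.

```python
import struct

# TCP flag bits in the 13th byte of the TCP header.
TCP_SYN, TCP_ACK, TCP_ECE, TCP_CWR = 0x02, 0x10, 0x40, 0x80


def build_ipv4_tcp(src, dst, sport, dport, flags, tos=0):
    """Build a bare IPv4 header + 20-byte TCP header (no options, no payload).
    Checksums are zero: this is a constructed sample, not a transmissible packet."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, tos, 40, 0x1234, 0x4000, 64, 6, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                          5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def inspect_ecn(packet):
    """Classify ECN negotiation on one IPv4/TCP segment (RFC 3168 handshake)."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if packet[9] != 6:
        raise ValueError("not a TCP segment")
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    tcp = packet[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]
    syn, ack = bool(flags & TCP_SYN), bool(flags & TCP_ACK)
    ece, cwr = bool(flags & TCP_ECE), bool(flags & TCP_CWR)
    if syn and not ack:
        kind = "ECN-setup SYN" if (ece and cwr) else "non-ECN SYN"
    elif syn and ack:
        kind = "ECN-setup SYN-ACK" if (ece and not cwr) else "non-ECN SYN-ACK"
    else:
        kind = "data/other"
    return {"src": f"{src}:{sport}", "dst": f"{dst}:{dport}", "kind": kind,
            "ecn_negotiated": kind.startswith("ECN-setup")}


if __name__ == "__main__":
    # Constructed sample: what a client SYN looks like with tcp_ecn enabled.
    syn = build_ipv4_tcp("192.168.0.4", "203.0.113.10", 40000, 80,
                         TCP_SYN | TCP_ECE | TCP_CWR)
    print(inspect_ecn(syn))
```

If the client SYNs show as "ECN-setup SYN" and no SYN-ACK ever comes back, the capture is consistent with the ECN incompatibility described above; SYNs without ECE/CWR point elsewhere.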