* Strange connection problems.
@ 2005-04-08 21:14 Ryan Belcher
  2005-04-11  9:33 ` Jörg Harmuth
  2005-04-11 22:04 ` Jason Opperisano
  0 siblings, 2 replies; 9+ messages in thread
From: Ryan Belcher @ 2005-04-08 21:14 UTC (permalink / raw)
  To: netfilter

Hi All,

Below I've posted my FW config.  It's handling 3 interfaces: ppp0, eth0, and ath0.
It's on Linux kernel version 2.6.10.

Pretty much everything works as I expect except for a strange issue with certain websites while trying to connect from clients within my network.  For example, penny-arcade.com, americanexpress.com SSL logins, and a few others.  If you want to poke at this configuration, penny-arcade will appear to begin the connection, but after the SYN, ACK, then HTTP GET sequence, the HTTP response never gets here (according to Ethereal, anyway).  If I try connecting from the actual firewalling box itself, it works fine.

Does anyone have any ideas?

Thanks,

Ryan
-----------------Snip----------------
IPTABLES=/usr/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
IFCONFIG=/sbin/ifconfig
AWK=/usr/bin/awk
GETIP=/usr/bin/gethostip
PENGUIN=192.168.0.4
BRENT=192.168.0.12
MERCURY=192.168.0.3
EXTIF="ppp0"
INTIF="eth0"
WIRLS="ath0"
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"
echo "   Wireless Interface:  $WIRLS"
echo "   Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "   Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Start doing something...
echo "   Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -t filter -F
$IPTABLES -t mangle -F

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $WIRLS -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $WIRLS -j ACCEPT
$IPTABLES -A FORWARD -i $WIRLS -o $INTIF -j ACCEPT
# RELATED also lets ICMP errors (e.g. fragmentation-needed) for tracked
# connections back in to the hosts behind the box.
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $WIRLS -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "  INPUT: Allow local connections in.  Nothing from the outside though."
# With a DROP policy the loopback interface has to be allowed explicitly, or
# local services that talk to 127.0.0.1 (resolver, squid, ...) stop working.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -j ACCEPT
$IPTABLES -A INPUT -i $WIRLS -j ACCEPT

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# The port forwards match on the incoming interface instead of on an address
# scraped from ifconfig at script run-time: ip_dynaddr is on, so a PPP re-dial
# changes the address and rules written with -d <old address> silently stop
# matching.  On a point-to-point link everything arriving on $EXTIF is for us.

#Enable Port forward...Webserver
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state \
 --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j DNAT --to $PENGUIN:80

#Brent
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 4747 -m state \
 --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 4747 -j DNAT --to $BRENT:4747

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 6112 -m state \
 --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 6112 -j DNAT --to $BRENT:6112

#Common Services to penguin
# NOTE: 20:25 covers ftp-data, ftp, ssh, telnet, port 24 and smtp.  Narrow the
# range to the services that are actually listening on $PENGUIN.
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 20:25 -m state \
 --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 20:25 -j DNAT --to $PENGUIN

#BITTORRENT (client runs on the firewall box itself, hence INPUT)
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 6880:6899 -j ACCEPT

# Log what FORWARD is about to drop.  LOG does not terminate the chain, but it
# is appended last so accepted port-forward traffic is not logged too, and it
# is rate-limited so a flood from outside cannot fill the logs.
$IPTABLES -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "

echo -e "\nrc.firewall-2.4 v$FWVER done.\n"





* Re: Strange connection problems.
  2005-04-08 21:14 Ryan Belcher
@ 2005-04-11  9:33 ` Jörg Harmuth
  2005-04-11 22:04 ` Jason Opperisano
  1 sibling, 0 replies; 9+ messages in thread
From: Jörg Harmuth @ 2005-04-11  9:33 UTC (permalink / raw)
  To: netfilter

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I had the same problem some time ago. In my case the remote sites were
not capable of ECN. Disabling ECN solved the problem for me:

echo 0 > /proc/sys/net/ipv4/tcp_ecn

Of course, your problem may be totally different - you will see.

Have a nice time,

Jörg



- --
- -----------------------------------------------------------------------
mnemon
Jörg Harmuth
Marie-Curie.Str. 1
53359 Rheinbach

Tel.: (+49) 22 26  87 18 12
Fax:  (+49) 22 26 87 18 19
mail: harmuth@mnemon.de
Web:  http://www.mnemon.de
PGP-Key: http://www.mnemon.de/keys/harmuth_mnemon.asc
PGP-Fingerprint: 692E 4476 0838 60F8 99E2  7F5D B7D7 E48E 267B 204F
- -----------------------------------------------------------------------
This mail was checked for viruses and other malicious software before
sending. No malicious software was detected.
- -----------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCWkRut9fkjiZ7IE8RAo+BAJwJEVwkWIzcSbOAcnbYW5ZNjs5jsgCfTc4/
kEnCandN3ZPnXh4+GhMoLb4=
=7BIz
-----END PGP SIGNATURE-----




* RE: Strange connection problems.
@ 2005-04-11 14:38 Ryan Belcher
  0 siblings, 0 replies; 9+ messages in thread
From: Ryan Belcher @ 2005-04-11 14:38 UTC (permalink / raw)
  To: netfilter

Hello again,

That was one of the first things I checked and it is set to 0.  (I remembered having the problem with Squid a while back).

Any other ideas?

Ryan






* RE: Strange connection problems.
@ 2005-04-11 14:51 Ryan Belcher
  0 siblings, 0 replies; 9+ messages in thread
From: Ryan Belcher @ 2005-04-11 14:51 UTC (permalink / raw)
  To: netfilter

Hello Luis,

I've already got one running.  All of the sites resolve just fine, but they just won't actually load the pages.  I ran Ethereal and compared the client traffic to the traffic generated by the firewall box itself, and the only (effective) difference I saw was that the HTTP reply to the HTTP GET request never even reached the ppp0 interface when the clients were connecting.

Ryan



-----Original Message-----
From: Luis Nieto [mailto:luismnieto@gmail.com]
Sent: Monday, April 11, 2005 10:45 AM
To: Ryan Belcher
Subject: Re: Strange connection problems.


Install an internal DNS server, and configure the ISP's DNS servers as
forwarders in named.conf.

On Apr 11, 2005 11:38 AM, Ryan Belcher <Ryanb@sealevel.com> wrote:
> Hello again,
> 
> That was one of the first things I checked and it is set to 0.  (I remembered having the problem with Squid a while back).
> 
> Any other ideas?
> 
> Ryan



* Re: Strange connection problems.
  2005-04-08 21:14 Ryan Belcher
  2005-04-11  9:33 ` Jörg Harmuth
@ 2005-04-11 22:04 ` Jason Opperisano
  1 sibling, 0 replies; 9+ messages in thread
From: Jason Opperisano @ 2005-04-11 22:04 UTC (permalink / raw)
  To: netfilter

On Fri, Apr 08, 2005 at 05:14:09PM -0400, Ryan Belcher wrote:
> Hi All,
> 
> Below I've posted my FW config.  It's handling 3 interfaces.  ppp0, eth0, an ath0.
> It's on Linux kernel version 2.6.10.
> 
> Pretty much everything works as I expect except for a strange issue with certain websites while trying to connect from clients within my network.  For example, penny-arcade.com, americanexpress.com SSL logins, and a few others.  If you want to poke at this configuration, penny-arcade will appear to begin connection but after the SYN, ACK, then HTTP GET sequence, the HTTP response never gets here (according to Ethereal anyways).  If I try connecting from the actual firewalling box itself, it works fine.
> 
> Does anyone have any ideas?

sounds like the classic description of an MTU issue.

-j

--
"Tom Tucker: This is Tom Tucker... Tucker's evil twin Todd Tucker
 out to destroy his brother's reputation. Now I'm going to go back inside
 my motel room where I'm going to have freaky sex with my prostitute
 with whom I still have another 45 minutes."
        --Family Guy



* RE: Strange connection problems.
@ 2005-04-12 23:58 Ryan Belcher
  2005-04-13 11:43 ` Mohamed Eldesoky
  0 siblings, 1 reply; 9+ messages in thread
From: Ryan Belcher @ 2005-04-12 23:58 UTC (permalink / raw)
  To: Jason Opperisano, luismnieto; +Cc: netfilter

Gentlemen,

Thank you!  That cleared things up perfectly.  ppp0 had the MTU set for 1492; however, none of the other interfaces did (including eth1 which I failed to mention was actually the path to ppp0).  You are both gentlemen and scholars.

Thanks again!

Ryan





* Re: Strange connection problems.
  2005-04-12 23:58 Ryan Belcher
@ 2005-04-13 11:43 ` Mohamed Eldesoky
  0 siblings, 0 replies; 9+ messages in thread
From: Mohamed Eldesoky @ 2005-04-13 11:43 UTC (permalink / raw)
  To: Ryan Belcher, netfilter

Are you blocking ICMP ??



-- 
Mohamed Eldesoky
www.eldesoky.net
RHCE



* RE: Strange connection problems.
@ 2005-04-13 12:26 Ryan Belcher
  2005-04-13 13:00 ` Mohamed Eldesoky
  0 siblings, 1 reply; 9+ messages in thread
From: Ryan Belcher @ 2005-04-13 12:26 UTC (permalink / raw)
  To: Mohamed Eldesoky; +Cc: netfilter

Kind of depends on how you look at it.  If an ICMP Ping (as an example) goes out of the network, the echo will make it back, but if an unrelated, or unestablished ICMP is directed to the network from the outside, it will be dropped.  I know this could be considered "bad form" in the right context, but I'm not specifically worried about it.

In any case, everything's working as I expect now.

Thanks,

Ryan




* Re: Strange connection problems.
  2005-04-13 12:26 Strange connection problems Ryan Belcher
@ 2005-04-13 13:00 ` Mohamed Eldesoky
  0 siblings, 0 replies; 9+ messages in thread
From: Mohamed Eldesoky @ 2005-04-13 13:00 UTC (permalink / raw)
  To: Ryan Belcher, netfilter

OK
But I have read in this list before that some ICMP types shouldn't be
blocked, or problems with the MTU may arise !!




-- 
Mohamed Eldesoky
www.eldesoky.net
RHCE


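Worked example, added by the editor and not part of the thread or of Ryan's script: the fix that Jason's MTU diagnosis points at, together with the ICMP caveat Mohamed raises, as one small POSIX sh script.  The failure pattern Ryan captured is the textbook Path MTU black hole.  His clients sit on 1500-byte Ethernet and advertise an MSS of 1460, so the remote web server answers the GET with full 1500-byte, DF-set segments.  Those cannot cross the 1492-byte PPPoE link; if the ICMP "fragmentation needed" that should make the server shrink them is lost anywhere on the path, the response never arrives, while the small SYN, SYN/ACK, ACK and GET go through untouched.  The firewall box itself is unaffected because its own TCP stack knows ppp0's MTU and advertises 1452.  Instead of lowering the MTU on every internal interface and host, the NAT box can rewrite the MSS of every SYN it forwards and explicitly let fragmentation-needed through (belt and braces next to the ESTABLISHED,RELATED rules, which already admit ICMP errors for tracked connections).  ppp0 and 1492 are taken from the thread; the iptables path, the environment-variable overrides and the dry-run/APPLY=1 convention are this example's own assumptions.  By default it only prints the rules.

```shell
#!/bin/sh
# Added example, not from the thread: MSS clamping plus PMTUD-related ICMP rules
# for a Linux NAT box whose uplink MTU is below 1500 (PPPoE on ppp0 = 1492 here).
# Dry run by default: the iptables commands are printed.  APPLY=1 executes them.
# EXTIF / LINK_MTU / IPTABLES are assumptions; override them in the environment.

EXTIF="${EXTIF:-ppp0}"
LINK_MTU="${LINK_MTU:-1492}"
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"

# Largest TCP payload that fits in one IP packet on a link of the given MTU:
# MTU minus a 20-byte IPv4 header and a 20-byte option-less TCP header.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# True (exit 0) when a peer honouring MSS $2 will emit segments larger than a
# link of MTU $1 can carry.  With DF set those segments are dropped, and the
# sender only learns to shrink them if ICMP "fragmentation needed" gets back.
# This is the 1500-byte LAN (MSS 1460) versus 1492-byte PPPoE case in the thread.
oversized_for_link() {
    [ $(( $2 + 40 )) -gt "$1" ]
}

# Payload size for "ping -M do -s SIZE host" that yields an IP packet of exactly
# the given MTU (20-byte IP header + 8-byte ICMP header).  If that size passes
# and SIZE+1 does not, the path MTU is the value you passed in.
ping_payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# Print the rules.  Outbound SYNs are clamped to the PMTU of the route out of
# $1, i.e. the uplink MTU.  Inbound SYNs get an explicit value: their route
# points at a 1500-byte LAN, so --clamp-mss-to-pmtu would leave them at 1460.
# The ICMP rules keep "fragmentation needed" (type 3, code 4) flowing to the
# box and to the hosts behind it, so PMTUD still works for non-clamped traffic.
build_rules() {
    ext="$1"; mss=$(mss_for_mtu "$2")
    cat <<EOF
$IPTABLES -t mangle -A FORWARD -o $ext -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
$IPTABLES -t mangle -A FORWARD -i $ext -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss
$IPTABLES -A INPUT -i $ext -p icmp --icmp-type fragmentation-needed -j ACCEPT
$IPTABLES -A FORWARD -i $ext -p icmp --icmp-type fragmentation-needed -j ACCEPT
EOF
}

main() {
    if [ "${APPLY:-0}" = "1" ]; then
        build_rules "$EXTIF" "$LINK_MTU" | sh -e
    else
        build_rules "$EXTIF" "$LINK_MTU"
        echo "# DF probe: ping -M do -s $(ping_payload_for_mtu "$LINK_MTU") <remote host>"
    fi
}

main "$@"
```

Run it once without APPLY to review the four rules it would add, then with APPLY=1 as root.  The printed probe line is the quickest confirmation from a LAN client: "ping -M do -s 1464" to a remote host should succeed and "-s 1465" should fail with a "message too long" or fragmentation-needed error once the clamp and ICMP rules are in place; if the larger probe simply times out, fragmentation-needed is still being dropped somewhere on the path.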
