From: "Gilad Benjamini" <gilad.benjamini@gmail.com>
To: 'TheOldFellow' <theoldfellow@gmail.com>, netfilter@vger.kernel.org
Subject: RE: www.adobe.com
Date: Thu, 13 Nov 2008 01:15:28 -0800 [thread overview]
Message-ID: <491bf03a.29578c0a.78e9.ffffb12c@mx.google.com> (raw)
In-Reply-To: <20081113075231.50345b2c@gmail.com>
The dropped packets are 44 bytes long, which is suspicious.
I would guess that fragmentation is involved.
> -----Original Message-----
> From: netfilter-owner@vger.kernel.org [mailto:netfilter-
> owner@vger.kernel.org] On Behalf Of TheOldFellow
> Sent: Wednesday, November 12, 2008 11:53 PM
> To: netfilter@vger.kernel.org
> Subject: www.adobe.com
>
> My firewall works well, except that I can't get any kind of access to
> www.adobe.com.
>
> This is typical:
>
> # ping www.adobe.com
> PING www.wip3.adobe.com (192.150.18.101): 56 data bytes
> 64 bytes from 192.150.18.101: icmp_seq=0 ttl=243 time=194.939 ms
> 64 bytes from 192.150.18.101: icmp_seq=1 ttl=243 time=193.576 ms
> 64 bytes from 192.150.18.101: icmp_seq=2 ttl=243 time=194.612 ms
> 64 bytes from 192.150.18.101: icmp_seq=3 ttl=243 time=194.844 ms
> --- www.wip3.adobe.com ping statistics ---
> 4 packets transmitted, 4 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 193.576/194.493/194.939/0.542 ms
>
> so far so good...
>
> # wget http://www.adobe.com/index.html
> --07:45:04-- http://www.adobe.com/index.html
> => `index.html'
> Resolving www.adobe.com... 192.150.18.101
> Connecting to www.adobe.com|192.150.18.101|:80...
>
> it just times out - browsers are the same.
>
> Looking at the log shows the following warnings:
>
> IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=9637 PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0
> IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=45688 PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0
> IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=37819 PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0
>
> and my iptables:
> # iptables -L
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:http
> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:irdmi
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:irdmi
> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:ftp
> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:ssh
> ACCEPT     all  --  172.16.1.0/24        anywhere
> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:smtp
> LOG        all  --  anywhere             anywhere             LOG level warning prefix `IPTABLES:INPUT '
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere             state NEW
> ACCEPT     all  --  172.16.1.0/24        anywhere
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>
> Chain OUTPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
>
> I'm completely stumped on this. Can anyone suggest a way forward?
>
> Thanks.
>
> R.
>
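An added example, not part of the thread and not written by either poster: a small Python parser for the IPTABLES:INPUT lines quoted above. The iptables LOG target marks fragments explicitly (bare DF/MF tokens after the IP fields and a FRAG:<offset> field, with the TCP fields omitted for non-first fragments), so a log reader can check those markers rather than guess from LEN alone. For the quoted lines it reports 24 bytes after the IPv4 header, no fragment markers and, as printed, an empty TCP flag list (LOG normally prints tokens such as ACK SYN between RES= and URGP=). The first three sample lines are the quoted ones re-joined; the fourth is constructed to show the non-first-fragment format; the field layout is the one the LOG target emits.

```python
import re
from collections import Counter

# Constructed sample input: the three IPTABLES:INPUT lines quoted in the thread,
# re-joined onto one line each (the archive wrapped them), plus one constructed
# line in the format the LOG target uses for a non-first IP fragment.
LOG_LINES = [
    "IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 "
    "SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=9637 "
    "PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0",
    "IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 "
    "SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=45688 "
    "PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0",
    "IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 "
    "SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=37819 "
    "PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0",
    # Constructed (not from the thread): a second fragment of a TCP datagram.
    # LOG prints FRAG:<offset in 8-byte units> and stops after PROTO=, because
    # the transport header only travels in the first fragment.
    "IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 "
    "SRC=192.150.18.101 DST=192.168.1.2 LEN=568 TOS=0x00 PREC=0x00 TTL=53 ID=50001 "
    "FRAG:185 PROTO=TCP",
]

IPV4_HEADER_LEN = 20      # LOG prints "OPT (...)" only with --log-ip-options; none here
TCP_BASE_HEADER_LEN = 20
IP_FLAG_TOKENS = {"DF", "MF", "CE"}
TCP_FLAG_TOKENS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
FIELD_RE = re.compile(r"(\w+)=(\S*)")
FRAG_RE = re.compile(r"\bFRAG:(\d+)")


def parse_log_line(line):
    """Split an iptables LOG line into key=value fields, the bare flag tokens
    (DF/MF/CE for IP, SYN/ACK/... for TCP) and the fragment offset."""
    prefix, _, rest = line.partition(" ")
    tokens = rest.split()
    m = FRAG_RE.search(rest)
    return {
        "prefix": prefix,
        "fields": dict(FIELD_RE.findall(rest)),
        "ip_flags": {t for t in tokens if t in IP_FLAG_TOKENS},
        "tcp_flags": [t for t in tokens if t in TCP_FLAG_TOKENS],
        "frag_offset": int(m.group(1)) if m else 0,   # in 8-byte units
    }


def classify(line):
    """Describe a logged packet using only what the LOG target actually shows."""
    rec = parse_log_line(line)
    f = rec["fields"]
    after_ip = int(f["LEN"]) - IPV4_HEADER_LEN
    is_fragment = rec["frag_offset"] > 0 or "MF" in rec["ip_flags"]
    result = {
        "src": f"{f['SRC']}:{f.get('SPT', '?')}",
        "dst": f"{f['DST']}:{f.get('DPT', '?')}",
        "ip_id": int(f["ID"]),
        "is_fragment": is_fragment,
        "bytes_after_ip_header": after_ip,
        "tcp_flags": rec["tcp_flags"],
    }
    if is_fragment:
        result["note"] = (f"IP fragment: offset {rec['frag_offset'] * 8} bytes, "
                          f"more fragments={'MF' in rec['ip_flags']}")
    elif f.get("PROTO") == "TCP" and after_ip == TCP_BASE_HEADER_LEN + 4:
        result["note"] = ("not a fragment; 24 bytes after the IP header fits a TCP "
                          "header with 4 bytes of options (e.g. MSS) and no payload, "
                          "the size of a SYN or SYN-ACK")
    else:
        result["note"] = "not a fragment"
    return result


def count_flows(lines):
    """Packets per (src, dst) pair; repeats with differing IP IDs and the same
    ports are consistent with retransmissions of one segment."""
    return Counter((c["src"], c["dst"]) for c in map(classify, lines))


if __name__ == "__main__":
    for line in LOG_LINES:
        c = classify(line)
        print(f"{c['src']} -> {c['dst']} id={c['ip_id']} flags={c['tcp_flags']}: {c['note']}")
    print(count_flows(LOG_LINES))
```

The useful check for a log reader is the fragment test: LEN says how big the packet is, but only the MF token and the FRAG: field say whether it is a piece of a larger datagram, and for non-first fragments the port fields are simply absent.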
Thread overview: 12+ messages
2008-11-13 7:52 www.adobe.com TheOldFellow
2008-11-13 8:33 ` www.adobe.com Покотиленко Костик
2008-11-13 8:42 ` www.adobe.com Wessel
2008-11-13 8:44 ` www.adobe.com Amos Jeffries
2008-11-13 8:59 ` www.adobe.com Покотиленко Костик
2008-11-13 9:15 ` Gilad Benjamini [this message]
2008-11-13 10:02 ` www.adobe.com Pascal Hambourg
2008-11-13 10:52 ` www.adobe.com TheOldFellow
2008-11-13 11:22 ` www.adobe.com Pascal Hambourg
2008-11-13 12:00 ` www.adobe.com TheOldFellow
2008-11-14 9:30 ` www.adobe.com John Haxby
2008-11-15 3:39 ` www.adobe.com Grant Taylor