* www.adobe.com
From: TheOldFellow @ 2008-11-13 7:52 UTC
To: netfilter

My firewall works well, except that I can't get any kind of access to
www.adobe.com.
This is typical:
# ping www.adobe.com
PING www.wip3.adobe.com (192.150.18.101): 56 data bytes
64 bytes from 192.150.18.101: icmp_seq=0 ttl=243 time=194.939 ms
64 bytes from 192.150.18.101: icmp_seq=1 ttl=243 time=193.576 ms
64 bytes from 192.150.18.101: icmp_seq=2 ttl=243 time=194.612 ms
64 bytes from 192.150.18.101: icmp_seq=3 ttl=243 time=194.844 ms
--- www.wip3.adobe.com ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 193.576/194.493/194.939/0.542 ms
so far so good...
# wget http://www.adobe.com/index.html
--07:45:04-- http://www.adobe.com/index.html
=> `index.html'
Resolving www.adobe.com... 192.150.18.101
Connecting to www.adobe.com|192.150.18.101|:80...
it just times out - browsers are the same.
Looking at the log shows the following warnings:
IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=9637 PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0
IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=45688 PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0
IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=37819 PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0
and my iptables:
iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:irdmi
ACCEPT udp -- anywhere anywhere udp dpt:irdmi
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT udp -- anywhere anywhere udp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT all -- 172.16.1.0/24 anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT udp -- anywhere anywhere udp dpt:smtp
LOG all -- anywhere anywhere LOG level warning prefix `IPTABLES:INPUT '
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- 172.16.1.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
I'm completely stumped on this. Can anyone suggest a way forward?
Thanks.
R.

* Re: www.adobe.com
From: Покотиленко Костик @ 2008-11-13 8:33 UTC
To: TheOldFellow; +Cc: netfilter

On Thu, 13/11/2008 at 07:52 +0000, TheOldFellow wrote:
> My firewall works well, except that I can't get any kind of access to
> www.adobe.com.
>
> This is typical:
>
> # ping www.adobe.com
> PING www.wip3.adobe.com (192.150.18.101): 56 data bytes
> 64 bytes from 192.150.18.101: icmp_seq=0 ttl=243 time=194.939 ms
> 64 bytes from 192.150.18.101: icmp_seq=1 ttl=243 time=193.576 ms
> 64 bytes from 192.150.18.101: icmp_seq=2 ttl=243 time=194.612 ms
> 64 bytes from 192.150.18.101: icmp_seq=3 ttl=243 time=194.844 ms
> --- www.wip3.adobe.com ping statistics ---
> 4 packets transmitted, 4 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 193.576/194.493/194.939/0.542 ms
>
> so far so good...
>
> # wget http://www.adobe.com/index.html
> --07:45:04-- http://www.adobe.com/index.html
> => `index.html'
> Resolving www.adobe.com... 192.150.18.101
> Connecting to www.adobe.com|192.150.18.101|:80...
>
> it just times out - browsers are the same.
>
> Looking at the log shows the following warnings:
>
> IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=9637 PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0
> IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=45688 PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0
> IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=37819 PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0

It does seem strange for www.adobe.com to have private IP 192.150.18.101
which is also, as I can see, the IP of your box. You are pinging your
local box but there is no web server on your box as I see. Either you
edited addresses wrong or your DNS server (or /etc/hosts) has a wrong
record for www.adobe.com.

Hope that helps.

--
Покотиленко Костик <casper@meteor.dp.ua>

* Re: www.adobe.com
From: Wessel @ 2008-11-13 8:42 UTC
To: netfilter

Покотиленко Костик wrote:
> On Thu, 13/11/2008 at 07:52 +0000, TheOldFellow wrote:
>
>> My firewall works well, except that I can't get any kind of access to
>> www.adobe.com.
>>
>> This is typical:
>>
>> # ping www.adobe.com
>> PING www.wip3.adobe.com (192.150.18.101): 56 data bytes
>> 64 bytes from 192.150.18.101: icmp_seq=0 ttl=243 time=194.939 ms
>> 64 bytes from 192.150.18.101: icmp_seq=1 ttl=243 time=193.576 ms
>> 64 bytes from 192.150.18.101: icmp_seq=2 ttl=243 time=194.612 ms
>> 64 bytes from 192.150.18.101: icmp_seq=3 ttl=243 time=194.844 ms
>> --- www.wip3.adobe.com ping statistics ---
>> 4 packets transmitted, 4 packets received, 0% packet loss
>> round-trip min/avg/max/stddev = 193.576/194.493/194.939/0.542 ms
>>
>> so far so good...
>>
>> # wget http://www.adobe.com/index.html
>> --07:45:04-- http://www.adobe.com/index.html
>> => `index.html'
>> Resolving www.adobe.com... 192.150.18.101
>> Connecting to www.adobe.com|192.150.18.101|:80...
>>
>> it just times out - browsers are the same.
>>
>> Looking at the log shows the following warnings:
>>
>> IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=9637 PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0
>> IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=45688 PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0
>> IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=37819 PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0
>>
>
> It does seem strange for www.adobe.com to have private IP 192.150.18.101
> which is also, as I can see, the IP of your box. You are pinging your
> local box but there is no web server on your box as I see. Either you
> edited addresses wrong or your DNS server (or /etc/hosts) has a wrong
> record for www.adobe.com.
>
> Hope that helps.
>

192.150.18.101 is not a private IP range
(http://www.whois.ws/whois-ip/192.150.18.101/) as far as I know.
But it looks like the traffic coming back from Adobe is blocked?
(Although, should the SPT and DPT not be swapped then?)

Guess you need to include your firewall rules to get more help.

Wessel

* Re: www.adobe.com
From: Amos Jeffries @ 2008-11-13 8:44 UTC
To: casper; +Cc: TheOldFellow, netfilter

Покотиленко Костик wrote:
> On Thu, 13/11/2008 at 07:52 +0000, TheOldFellow wrote:
>> My firewall works well, except that I can't get any kind of access to
>> www.adobe.com.
>>
>> This is typical:
>>
>> # ping www.adobe.com
>> PING www.wip3.adobe.com (192.150.18.101): 56 data bytes
>> 64 bytes from 192.150.18.101: icmp_seq=0 ttl=243 time=194.939 ms
>> 64 bytes from 192.150.18.101: icmp_seq=1 ttl=243 time=193.576 ms
>> 64 bytes from 192.150.18.101: icmp_seq=2 ttl=243 time=194.612 ms
>> 64 bytes from 192.150.18.101: icmp_seq=3 ttl=243 time=194.844 ms
>> --- www.wip3.adobe.com ping statistics ---
>> 4 packets transmitted, 4 packets received, 0% packet loss
>> round-trip min/avg/max/stddev = 193.576/194.493/194.939/0.542 ms
>>
>> so far so good...
>>
>> # wget http://www.adobe.com/index.html
>> --07:45:04-- http://www.adobe.com/index.html
>> => `index.html'
>> Resolving www.adobe.com... 192.150.18.101
>> Connecting to www.adobe.com|192.150.18.101|:80...
>>
>> it just times out - browsers are the same.
>>
>> Looking at the log shows the following warnings:
>>
>> IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=9637 PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0
>> IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=45688 PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0
>> IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=37819 PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0
>
> It does seem strange for www.adobe.com to have private IP 192.150.18.101
> which is also, as I can see, the IP of your box. You are pinging your
> local box but there is no web server on your box as I see. Either you
> edited addresses wrong or your DNS server (or /etc/hosts) has a wrong
> record for www.adobe.com.
>
> Hope that helps.
>

192.150.0.0/16 is global public space for www.wip3.adobe.com. I think you
are confusing it with 192.168.0.0/16, the RFC1918 private space.

AYJ

* Re: www.adobe.com
From: Покотиленко Костик @ 2008-11-13 8:59 UTC
To: TheOldFellow; +Cc: netfilter

On Thu, 13/11/2008 at 10:33 +0200, Покотиленко Костик wrote:
> On Thu, 13/11/2008 at 07:52 +0000, TheOldFellow wrote:
> > My firewall works well, except that I can't get any kind of access to
> > www.adobe.com.
> >
> > This is typical:
> >
> > # ping www.adobe.com
> > PING www.wip3.adobe.com (192.150.18.101): 56 data bytes
> > 64 bytes from 192.150.18.101: icmp_seq=0 ttl=243 time=194.939 ms
> > 64 bytes from 192.150.18.101: icmp_seq=1 ttl=243 time=193.576 ms
> > 64 bytes from 192.150.18.101: icmp_seq=2 ttl=243 time=194.612 ms
> > 64 bytes from 192.150.18.101: icmp_seq=3 ttl=243 time=194.844 ms
> > --- www.wip3.adobe.com ping statistics ---
> > 4 packets transmitted, 4 packets received, 0% packet loss
> > round-trip min/avg/max/stddev = 193.576/194.493/194.939/0.542 ms
> >
> > so far so good...
> >
> > # wget http://www.adobe.com/index.html
> > --07:45:04-- http://www.adobe.com/index.html
> > => `index.html'
> > Resolving www.adobe.com... 192.150.18.101
> > Connecting to www.adobe.com|192.150.18.101|:80...
> >
> > it just times out - browsers are the same.
> >
> > Looking at the log shows the following warnings:
> >
> > IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=9637 PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0
> > IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=45688 PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0
> > IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=37819 PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0
>
> It does seem strange for www.adobe.com to have private IP 192.150.18.101
> which is also, as I can see, the IP of your box. You are pinging your
> local box but there is no web server on your box as I see. Either you
> edited addresses wrong or your DNS server (or /etc/hosts) has a wrong
> record for www.adobe.com.

Sorry, I got it wrong, 192.150.18.101 is not private, it's really the
address of www.adobe.com.

About your logs, if you use the -j LOG, -j DROP scheme, just find the
blocking rule.

--
Покотиленко Костик <casper@meteor.dp.ua>

* RE: www.adobe.com
From: Gilad Benjamini @ 2008-11-13 9:15 UTC
To: 'TheOldFellow', netfilter

The dropped packets are 44 bytes long, which is suspicious. I would guess
that fragmentation is involved.

> -----Original Message-----
> From: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org] On Behalf Of TheOldFellow
> Sent: Wednesday, November 12, 2008 11:53 PM
> To: netfilter@vger.kernel.org
> Subject: www.adobe.com
>
> My firewall works well, except that I can't get any kind of access to
> www.adobe.com.
>
> This is typical:
>
> # ping www.adobe.com
> PING www.wip3.adobe.com (192.150.18.101): 56 data bytes
> 64 bytes from 192.150.18.101: icmp_seq=0 ttl=243 time=194.939 ms
> 64 bytes from 192.150.18.101: icmp_seq=1 ttl=243 time=193.576 ms
> 64 bytes from 192.150.18.101: icmp_seq=2 ttl=243 time=194.612 ms
> 64 bytes from 192.150.18.101: icmp_seq=3 ttl=243 time=194.844 ms
> --- www.wip3.adobe.com ping statistics ---
> 4 packets transmitted, 4 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 193.576/194.493/194.939/0.542 ms
>
> so far so good...
>
> # wget http://www.adobe.com/index.html
> --07:45:04-- http://www.adobe.com/index.html
> => `index.html'
> Resolving www.adobe.com... 192.150.18.101
> Connecting to www.adobe.com|192.150.18.101|:80...
>
> it just times out - browsers are the same.
>
> Looking at the log shows the following warnings:
>
> IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=9637 PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0
> IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=45688 PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0
> IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=37819 PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0
>
> and my iptables:
> iptables -L
> Chain INPUT (policy DROP)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT udp -- anywhere anywhere udp dpt:domain
> ACCEPT tcp -- anywhere anywhere tcp dpt:domain
> ACCEPT tcp -- anywhere anywhere tcp dpt:http
> ACCEPT udp -- anywhere anywhere udp dpt:http
> ACCEPT tcp -- anywhere anywhere tcp dpt:irdmi
> ACCEPT udp -- anywhere anywhere udp dpt:irdmi
> ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
> ACCEPT udp -- anywhere anywhere udp dpt:ftp
> ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
> ACCEPT udp -- anywhere anywhere udp dpt:ssh
> ACCEPT all -- 172.16.1.0/24 anywhere
> ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
> ACCEPT udp -- anywhere anywhere udp dpt:smtp
> LOG all -- anywhere anywhere LOG level warning prefix `IPTABLES:INPUT '
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere state NEW
> ACCEPT all -- 172.16.1.0/24 anywhere
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
>
> Chain OUTPUT (policy DROP)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
>
> I'm completely stumped on this. Can anyone suggest a way forward?
>
> Thanks.
>
> R.

* Re: www.adobe.com
From: Pascal Hambourg @ 2008-11-13 10:02 UTC
To: netfilter

Hello,

TheOldFellow wrote:
>
> # wget http://www.adobe.com/index.html
> --07:45:04-- http://www.adobe.com/index.html
> => `index.html'
> Resolving www.adobe.com... 192.150.18.101
> Connecting to www.adobe.com|192.150.18.101|:80...
>
> it just times out - browsers are the same.
>
> Looking at the log shows the following warnings:
>
> IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=9637 PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0
> IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=45688 PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0
> IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=37819 PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0

Wget hanging after printing "Connecting to..." but before printing
"connected" seems to indicate that it didn't receive a SYN/ACK packet
from the server in response to its SYN packet. However the logged and
dropped packets do not look like SYN/ACK packets, as they do not have
the SYN and ACK flags set.

Can you provide a capture of the resulting traffic from and to
192.150.18.101 on interface 'net' with tcpdump, tshark or wireshark when
running wget? E.g.

# tcpdump -nvi net host 192.150.18.101

Does the problem happen if you temporarily allow all input traffic (at
least from 192.150.18.101)? E.g.

# iptables -I INPUT -s 192.150.18.101 -j ACCEPT

* Re: www.adobe.com
From: TheOldFellow @ 2008-11-13 10:52 UTC
To: netfilter

On Thu, 13 Nov 2008 11:02:13 +0100
Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:

> Hello,
>
> TheOldFellow wrote:
> >
> > # wget http://www.adobe.com/index.html
> > --07:45:04-- http://www.adobe.com/index.html
> > => `index.html'
> > Resolving www.adobe.com... 192.150.18.101
> > Connecting to www.adobe.com|192.150.18.101|:80...
> >
> > it just times out - browsers are the same.
<snip>
>
> Wget hanging after printing "Connecting to..." but before printing
> "connected" seems to indicate that it didn't receive a SYN/ACK packet
> from the server in response to its SYN packet. However the logged and
> dropped packets do not look like SYN/ACK packets, as they do not have
> the SYN and ACK flags set.
>
> Can you provide a capture of the resulting traffic from and to
> 192.150.18.101 on interface 'net' with tcpdump, tshark or wireshark when
> running wget? E.g.
>
> # tcpdump -nvi net host 192.150.18.101
>
> Does the problem happen if you temporarily allow all input traffic (at
> least from 192.150.18.101)? E.g.
>
> # iptables -I INPUT -s 192.150.18.101 -j ACCEPT

Thanks, and to everyone else who tried to help. I didn't know about
tcpdump, so I had to build and install it first.

The output when executing the wget above is:

$ sudo /usr/sbin/tcpdump -nvi net host 192.150.18.101
tcpdump: listening on net, link-type EN10MB (Ethernet), capture size 68 bytes
10:45:28.743810 IP (tos 0x0, ttl 64, id 55527, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.2.2901 > 192.150.18.101.80: Flags [S], seq 3678776487, win 5840, options [mss 1460,sackOK,TS[|tcp]>
10:45:28.932756 IP (tos 0x0, ttl 53, id 25304, offset 0, flags [none], proto TCP (6), length 44)
    192.150.18.101.80 > 192.168.1.2.2901: tcp 24 [bad hdr length 0 - too short, < 20]
10:45:31.741831 IP (tos 0x0, ttl 64, id 55528, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.2.2901 > 192.150.18.101.80: Flags [S], seq 3678776487, win 5840, options [mss 1460,sackOK,TS[|tcp]>
10:45:31.930558 IP (tos 0x0, ttl 53, id 46986, offset 0, flags [none], proto TCP (6), length 44)
    192.150.18.101.80 > 192.168.1.2.2901: tcp 24 [bad hdr length 0 - too short, < 20]
10:45:37.741754 IP (tos 0x0, ttl 64, id 55529, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.2.2901 > 192.150.18.101.80: Flags [S], seq 3678776487, win 5840, options [mss 1460,sackOK,TS[|tcp]>
<snip>
18 packets captured
18 packets received by filter
0 packets dropped by kernel

Allowing all input doesn't change a thing.

Did I capture enough?

Regards,
R.

* Re: www.adobe.com
From: Pascal Hambourg @ 2008-11-13 11:22 UTC
To: netfilter

TheOldFellow wrote:
>
> 10:45:28.932756 IP (tos 0x0, ttl 53, id 25304, offset 0, flags [none], proto TCP (6), length 44)
>     192.150.18.101.80 > 192.168.1.2.2901: tcp 24 [bad hdr length 0 - too short, < 20]
[...]
> Allowing all input doesn't change a thing.

I thought so. The TCP header of the first reply packet from the server
seems to be malformed, so even though iptables accepted it, the TCP
stack would discard it.

The problem may lie in your router, your network interface card or its
driver. Anyway it does not seem to be related to netfilter/iptables, as
tcpdump sees the packet as malformed before it enters the netfilter
code. Can you try with another router, machine, kernel or network
interface?
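
The two observations behind the diagnosis above can be checked mechanically. The following Python is an added example, not code from the thread: it parses an iptables LOG line of the kind posted at the top of the thread to recover the TCP byte count and the flag words the LOG target prints, and it runs a minimal TCP header parser with the same data-offset check tcpdump reported against a constructed 24-byte segment (data offset 0, ports and window taken from the log; the on-wire bytes are not in the thread) and against a constructed well-formed SYN/ACK. The SYN/ACK LOG line is likewise constructed for comparison.

```python
"""Mechanical check of the two observations in the diagnosis above: the LOG
lines carry 24 TCP bytes with no SYN/ACK flag words, and a TCP header whose
data offset is below 5 words fails the same length check tcpdump reported."""
import re
import struct

IPV4_HEADER_LEN = 20  # LEN= in an ipt_LOG line includes the 20-byte IPv4 header
# Flag bits of the TCP offset/flags word, with the names ipt_LOG prints for them.
TCP_FLAG_BITS = ((0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"),
                 (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN"))

# First LOG line from the original post, and a constructed line showing how the
# same packet would have been logged had it been a well-formed SYN/ACK.
OBSERVED_LOG_LINE = (
    "IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 "
    "SRC=192.150.18.101 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=53 "
    "ID=9637 PROTO=TCP SPT=80 DPT=3723 WINDOW=20498 RES=0x00 URGP=0")
CONSTRUCTED_SYNACK_LOG_LINE = (
    "IPTABLES:INPUT IN=net OUT= MAC=00:a0:c9:43:8f:77:00:90:96:f7:74:42:08:00 "
    "SRC=192.150.18.101 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=53 "
    "ID=9637 PROTO=TCP SPT=80 DPT=3723 WINDOW=5792 RES=0x00 ACK SYN URGP=0")


def parse_iptables_log(line):
    """Split an ipt_LOG line into KEY=value fields plus the bare flag words
    (URG ACK PSH RST SYN FIN) the LOG target prints between RES= and URGP=."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    flags = set(re.findall(r"\b(URG|ACK|PSH|RST|SYN|FIN)\b", line))
    return {"src": fields["SRC"], "dst": fields["DST"],
            "sport": int(fields["SPT"]), "dport": int(fields["DPT"]),
            "tcp_bytes": int(fields["LEN"]) - IPV4_HEADER_LEN,  # 44 - 20 = 24
            "flags": flags}


def is_syn_ack(entry):
    """True only for the handshake's second segment: SYN and ACK, nothing else."""
    return entry["flags"] == {"SYN", "ACK"}


def build_tcp_segment(sport, dport, data_offset_words, flags, window, payload=b""):
    """Assemble a TCP segment with an explicit data-offset field so that a
    malformed header (offset below 5 words) can be produced for testing."""
    off_flags = (data_offset_words << 12) | flags
    header = struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, window, 0, 0)
    return header + payload


def parse_tcp_header(segment):
    """Parse a TCP header as a receiving stack must: the data offset is the
    header length in 32-bit words and is valid only if it is at least 5
    (20 bytes) and no longer than the bytes actually present."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimal 20-byte TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    hdr_len = (off_flags >> 12) * 4
    if hdr_len < 20:  # the condition behind tcpdump's "bad hdr length 0 - too short, < 20"
        raise ValueError("bad hdr length %d - too short, < 20" % hdr_len)
    if hdr_len > len(segment):
        raise ValueError("bad hdr length %d - too long, > %d" % (hdr_len, len(segment)))
    names = {name for bit, name in TCP_FLAG_BITS if off_flags & bit}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "hdr_len": hdr_len, "flags": names, "window": window}


def check_segment(segment):
    """Return (accepted, reason): what the host TCP stack does with a segment
    after netfilter has already let it through."""
    try:
        hdr = parse_tcp_header(segment)
    except ValueError as exc:
        return False, str(exc)
    return True, "flags=%s hdr_len=%d" % (",".join(sorted(hdr["flags"])), hdr["hdr_len"])


# Constructed reconstruction of the logged reply: 24 bytes from port 80 to 3723,
# window 20498, data offset 0, no flags (the thread has the logged fields only,
# not the on-wire bytes). Beside it, a constructed well-formed SYN/ACK.
MALFORMED_REPLY = build_tcp_segment(80, 3723, 0, 0x000, 20498, payload=b"\x00" * 4)
GOOD_SYN_ACK = build_tcp_segment(80, 3723, 5, 0x012, 5792)

if __name__ == "__main__":
    for line in (OBSERVED_LOG_LINE, CONSTRUCTED_SYNACK_LOG_LINE):
        entry = parse_iptables_log(line)
        print(entry["tcp_bytes"], sorted(entry["flags"]), is_syn_ack(entry))
    print(check_segment(MALFORMED_REPLY))  # (False, 'bad hdr length 0 - too short, < 20')
    print(check_segment(GOOD_SYN_ACK))     # (True, 'flags=ACK,SYN hdr_len=20')
```

The observed line yields 24 TCP bytes and an empty flag set, so it cannot be the SYN/ACK wget was waiting for; the reconstructed segment is rejected on the data-offset check alone, before any flag or port is looked at.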

* Re: www.adobe.com
From: TheOldFellow @ 2008-11-13 12:00 UTC
To: netfilter

On Thu, 13 Nov 2008 12:22:00 +0100
Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:

> TheOldFellow wrote:
> >
> > 10:45:28.932756 IP (tos 0x0, ttl 53, id 25304, offset 0, flags [none], proto TCP (6), length 44)
> >     192.150.18.101.80 > 192.168.1.2.2901: tcp 24 [bad hdr length 0 - too short, < 20]
> [...]
> > Allowing all input doesn't change a thing.
>
> I thought so. The TCP header of the first reply packet from the server
> seems to be malformed, so even though iptables accepted it, the TCP
> stack would discard it.
>
> The problem may lie in your router, your network interface card or its
> driver. Anyway it does not seem to be related to netfilter/iptables, as
> tcpdump sees the packet as malformed before it enters the netfilter
> code. Can you try with another router, machine, kernel or network
> interface?

Yes, but it will take time to arrange. It's very strange that it only
occurs on that range of IP addresses, which are also very similar to
the 192.168.0.0/16 private address range. I wonder if this would
improve if I changed the address range used on the ADSL router -
firewall to, say, 172.20.1.0. If it's software/firmware in the router
or NIC that might avoid it.

It's good to know that it isn't my netfilter, as I could not see the
logic in it! Hardware/firmware seems much more probable.

Anyway, thanks for all your help, I'll report back when I find out more.

Regards,
R.

* Re: www.adobe.com
From: John Haxby @ 2008-11-14 9:30 UTC
To: TheOldFellow; +Cc: netfilter

TheOldFellow wrote:
> On Thu, 13 Nov 2008 12:22:00 +0100
> Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:
>
>> The problem may lie in your router, your network interface card or its
>> driver. Anyway it does not seem to be related to netfilter/iptables, as
>> tcpdump sees the packet as malformed before it enters the netfilter
>> code. Can you try with another router, machine, kernel or network
>> interface?
>>
>
> Yes, but it will take time to arrange. It's very strange that it only
> occurs on that range of IP addresses, which are also very similar to
> the 192.168.0.0/16 private address range. I wonder if this would
> improve if I changed the address range used on the ADSL router -
> firewall to, say, 172.20.1.0. If it's software/firmware in the router
> or NIC that might avoid it.
>

It's perhaps not that strange. I had a similar problem a little while
ago -- the networks guy had a set of blacklisted addresses in the router
that was rather out of date. He blamed his predecessor :-)

jch

* Re: www.adobe.com
From: Grant Taylor @ 2008-11-15 3:39 UTC
To: Mail List - Netfilter

On 11/14/2008 3:30 AM, John Haxby wrote:
> It's perhaps not that strange. I had a similar problem a little while
> ago -- the networks guy had a set of blacklisted addresses in the router
> that was rather out of date. He blamed his predecessor :-)

Ah, the old two letters bit. The idea is that your predecessor leaves
you two letters with instructions to open the first one when you are in
a real bind and the second one the next time you are in a real bind. The
first letter says "Blame <what ever> on me." and the second one says
"It's time for you to write two letters."

Grant. . . .