LinuxQuestions.org
Old 12-22-2003, 04:03 PM   #1
jmcollin92
Member
 
Registered: Oct 2003
Distribution: Mandrake 9.1
Posts: 76

Cannot access yahoo search ! (firewall issue ?)


Hello there,

I actually have a very strange (for me) problem.
The Linux box (Mandrake 9.1) is a firewall and shares its Internet (ADSL) connection with the other Windows boxes on the LAN.

The IP address of my LAN is 192.168.0.0/24.
Firewalling with iptables seems to work fine (my iptables configuration file is at the end of this mail).

So, now the problem:
any user on any Windows box can access http://www.yahoo.fr and other URLs without problem. Just one URL is not working: the search button on the http://fr.yahoo.com page!
The problem is that there is no answer.

From the Linux box itself, there is no problem. From other Windows boxes not behind my Linux box, no problem. It is like the URL called by the search button is DROPPED between the Windows box and the Linux box.

Shutting off firewalling doesn't solve the problem.

FYI, the URL called is the following: http://fr.rd.yahoo.com/home/srch/*ht....com/search/fr

which for me is not a valid URL!

Any idea?
Note that the search button on the English version of Yahoo is working well!

Any help would be greatly appreciated.

My iptables configuration :
----------------------------------------------------
# Generated by iptables-save v1.2.7a on Wed Nov 26 23:20:02 2003
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Wed Nov 26 23:20:02 2003
# Generated by iptables-save v1.2.7a on Wed Nov 26 23:20:02 2003
*mangle
:PREROUTING ACCEPT [246:38812]
:INPUT ACCEPT [246:38812]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [245:38575]
:POSTROUTING ACCEPT [245:38575]
COMMIT
# Completed on Wed Nov 26 23:20:02 2003
# Generated by iptables-save v1.2.7a on Wed Nov 26 23:20:02 2003
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.0/24 -i eth0 --dport ftp -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.0/24 -i eth0 --dport ssh -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.0/24 -i eth0 --dport smtp -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.0/24 -i eth0 --dport http -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.0/24 -i eth0 --dport ssh -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.0/24 -i eth0 --dport smtp -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.0/24 -i eth0 --dport http -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.0/24 -i eth0 --dport https -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.0/24 -i eth0 --dport webmin -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.0/24 -i eth0 --dport pop3 -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.0/24 -i eth0 --dport netbios-ns -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.0/24 -i eth0 --dport netbios-dgm -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.0/24 -i eth0 --dport netbios-ssn -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.0.0/24 -i eth0 --dport netbios-ns -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.0.0/24 -i eth0 --dport netbios-dgm -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.0.0/24 -i eth0 --dport netbios-ssn -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.0/24 -i eth0 --dport swat -j ACCEPT
-A INPUT -p icmp -s 192.168.0.0/24 -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/18 -i ppp0 -j DROP
-A INPUT -p tcp -m tcp -i ppp0 --dport ftp -j ACCEPT
-A INPUT -p tcp -m tcp -i ppp0 --dport ssh -j ACCEPT
-A INPUT -p tcp -m tcp -i ppp0 --dport smtp -j ACCEPT
-A INPUT -p tcp -m tcp -i ppp0 --dport http -j ACCEPT
-A INPUT -p tcp -m tcp -i ppp0 --dport https -j ACCEPT
-A INPUT -p tcp -m tcp -i ppp0 --dport webmin -j ACCEPT
-A INPUT -p tcp -m tcp -i ppp0 --dport pop3 -j ACCEPT
-A INPUT -p tcp -m tcp --dport domain -j ACCEPT
-A INPUT -p udp -m udp --dport domain -j ACCEPT
-A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i eth0 -o ppp0 -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 192.168.0.0/24 -o ppp0 --dport ftp -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 192.168.0.0/24 -o ppp0 --dport ssh -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 192.168.0.0/24 -o ppp0 --dport smtp -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 192.168.0.0/24 -o ppp0 --dport http -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 192.168.0.0/24 -o ppp0 --dport https -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 192.168.0.0/24 -o eth0 -j ACCEPT
-A OUTPUT -p udp -m udp --dport domain -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport domain -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p tcp -m tcp -o ppp0 --dport http -j ACCEPT
-A OUTPUT -p tcp -m tcp -o ppp0 --dport smtp -j ACCEPT
-A OUTPUT -p tcp -m tcp -o ppp0 --dport pop3 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d 192.168.0.0/24 -o eth0 --dport 137:138 -j ACCEPT
-A OUTPUT -p udp -m udp -d 192.168.0.0/24 -o eth0 --dport 137:138 -j ACCEPT
COMMIT
# Completed on Wed Nov 26 23:20:02 2003

-----------------------------------------------------------------------------------
 
Old 12-22-2003, 04:35 PM   #2
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Lubuntu
Posts: 19,174
Blog Entries: 4

On my Windows box, I get: "La boîte de recherche était vide. Inscrivez-y un ou plusieurs mots-clés" which apparently means "The box of research was empty. Register one or more key words there" - is this what should be seen?

The actual url is http://fr.search.yahoo.com/search/fr - although I doubt that is the problem.

Which browser are you using? It could be that your browser (Konqueror?) isn't allowing that page for some reason.
 
Old 12-22-2003, 05:04 PM   #3
jmcollin92
Member
 
Registered: Oct 2003
Distribution: Mandrake 9.1
Posts: 76

Original Poster
Quote:
Originally posted by XavierP
On my Windows box, I get: "La boîte de recherche était vide. Inscrivez-y un ou plusieurs mots-clés" which apparently means "The box of research was empty. Register one or more key words there" - is this what should be seen?
This is what I should see. But I get no answer from Windows box.

Quote:
The actual url is http://fr.search.yahoo.com/search/fr - although I doubt that is the problem.
The complete URL is http://fr.rd.yahoo.com/home/srch/*ht....com/search/fr
I've seen this from the source of the page

Quote:
Which browser are you using? It could be that your browser (Konqueror?) isn't allowing that page for some reason.
No, from Konqueror, on the Linux box, it's OK.
It's not OK from the Windows boxes (behind the firewall) with Internet Explorer.
 
Old 12-22-2003, 05:19 PM   #4
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Lubuntu
Posts: 19,174
Blog Entries: 4

I am using Mozilla 1.5 in Windows XP Pro - and both versions of the link work for me. If it is just that page, and not any other in fr.yahoo.com, I would not think it is the firewall. Especially since other Yahoo search pages work. Does the shorter link work?

You don't have a content blocker running, do you?
 
Old 12-22-2003, 05:48 PM   #5
jmcollin92
Member
 
Registered: Oct 2003
Distribution: Mandrake 9.1
Posts: 76

Original Poster
Quote:
Originally posted by XavierP
I am using Mozilla 1.5 in Windows XP Pro - and both versions of the link work for me. If it is just that page, and not any other in fr.yahoo.com, I would not think it is the firewall.
I think so.

Quote:
Does the shorter link work?
Yes. The shorter link answers "Do you yahoo ?"

Quote:
You don't have a content blocker running, do you?
No. Only a firewall based on iptables.

Anyway, thanks for helping me...

Is there any need for TCP flag filtering with iptables, or is it not necessary?
If Yahoo makes a redirection or URL rewriting or something like that, do I need something in my config to handle that, or is it transparent?
 
Old 12-22-2003, 05:53 PM   #6
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Lubuntu
Posts: 19,174
Blog Entries: 4

Oooh, those questions are beyond me.

So I'm throwing it open to the panel - can anyone else help?
 
Old 12-30-2003, 06:24 AM   #7
jmcollin92
Member
 
Registered: Oct 2003
Distribution: Mandrake 9.1
Posts: 76

Original Poster
Help - Help - Help - Help - Help

Quote:
Originally posted by XavierP
Oooh, those questions are beyond me.

So I'm throwing it open to the panel - can anyone else help?
I've got the same kind of problem with other sites:
http://www.mappy.com and http://karatenergy.chez.tiscali.fr

It's very important for me to have a solution because this is an enterprise server and users are beginning to be angry...

Help me please.
 
Old 12-30-2003, 11:38 AM   #8
jmcollin92
Member
 
Registered: Oct 2003
Distribution: Mandrake 9.1
Posts: 76

Original Poster
I will be fired...
Please help.
 
Old 12-30-2003, 11:40 AM   #9
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Lubuntu
Posts: 19,174
Blog Entries: 4

When you try to access the pages, what does your log show?
 
Old 12-31-2003, 11:55 AM   #10
jmcollin92
Member
 
Registered: Oct 2003
Distribution: Mandrake 9.1
Posts: 76

Original Poster
Thanks for the answer,

I've got no logs in /var/log/*. No answer from the web site.
Is there any packet sniffer I can install to see what happens?

Perhaps there is one shipped with Mandrake 9.1?
 
Old 12-31-2003, 12:00 PM   #11
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Lubuntu
Posts: 19,174
Blog Entries: 4

Give Ethereal a go, I think that tends to be the standard.
 
Old 02-28-2004, 09:57 AM   #12
jmcollin92
Member
 
Registered: Oct 2003
Distribution: Mandrake 9.1
Posts: 76

Original Poster
SOLUTION

It was an MTU/MRU or Clamp MSS problem.
The solution is to type this command:
iptables -t mangle -A FORWARD -p tcp --syn -j TCPMSS --clamp-mss-to-pmtu
or this command:
iptables -t mangle -A FORWARD -p tcp --syn -j TCPMSS --set-mss 1452

More information is available at this link:
here
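
An added example, not part of the original posts: a check that an `iptables-save` dump clamps the MSS on forwarded SYN packets, which is the rule missing from the ruleset at the top of this thread. The function names and both sample dumps are constructed here, and the 1492-byte MTU is an assumption (a PPPoE ADSL link), chosen because it yields the 1452 quoted above.

```shell
#!/bin/sh
# MSS that fits a link MTU: MTU minus 20-byte IPv4 and 20-byte TCP headers.
mss_for_mtu() { echo $(( $1 - 40 )); }

# Exit 0 if the dump's mangle table has a TCPMSS rule on FORWARD that matches
# SYN packets. iptables-save writes --syn as "--tcp-flags FIN,SYN,RST,ACK SYN",
# so both spellings are accepted.
has_mss_clamp() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "mangle" && /^-A FORWARD / && /-j TCPMSS/ &&
            (/--syn/ || /--tcp-flags [A-Z,]+ SYN/) { found = 1 }
        END { exit !found }
    ' "$1"
}

# Print the rule to add when the clamp is missing, nothing otherwise.
suggest_clamp() {
    has_mss_clamp "$1" || echo "iptables -t mangle -A FORWARD -p tcp --syn -j TCPMSS --clamp-mss-to-pmtu"
}

# Constructed sample: the relevant parts of the ruleset posted in this thread.
before=$(mktemp)
cat > "$before" <<'EOF'
*nat
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 192.168.0.0/24 -i eth0 -o ppp0 -j ACCEPT
COMMIT
EOF

# Constructed sample: the mangle table after the fix, in iptables-save form.
after=$(mktemp)
cat > "$after" <<'EOF'
*mangle
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
EOF
trap 'rm -f "$before" "$after"' EXIT

suggest_clamp "$before"
echo "MSS for a 1492-byte link MTU: $(mss_for_mtu 1492)"
```

On a live gateway, point `has_mss_clamp` at a file written with `iptables-save > rules.txt`.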