cannot connect to particular website w/ firewall running
 

Hi Guys,

I have a small networking problem. I am using fw-jay to set up my iptables rules. nothing fancy, just opening some ports needed.

The problem is that i cannot connect to a particular website (blackboard) although other websites work perfectly. this happens when my firewall is running, when i turn it off, BB website works again.

I have tried to capture the packets when i ping the server, i capture all packets icmp echo request from me, and icmp echo reply from server. tcpdump says 20 packets captured, 0 dropped from kernel. However on my ping prompt, nothing is there... ?!

I also tried to telnet to port 80, and the connection times out. in tcpdump, it shows the SYN, SYN ACK from server, then my host keeps SYN'ing a fresh connection so the server sends an R for the previous connection.

Any ideas?

Thanks

If you use tcpdump on the internal interface (i.e. the one connected to your host) or on your host itself,
do the SYN ACKs fit the SYNs, that means same ip address and same ports, just reversed?
If it doesn't the SYN ACK isn't recognized as the correct answer to the SYN and the host would send another SYN.

Do you mean trying to listen to the loopback interface? e.g tcpdump -i lo ....
I have tried that but no packet are captured here.

About the SYN/ACKs matching the SYN; in my capture, the SYN/ACK from the server has the ACK field of the seq. number + 1 of SYN packet. however my host keeps SYNing ignoring the SYN/ACK.

Maybe I am missing something so here is the tcpdump:

So the host is where you're using tcpdump.
If your scrubbed ip-address is the same in the syn and the syn ack, it should work.
Maybe it's a firewall issue.
try looking up

Thanks for the reply,

It is something weird.
iptables -L -v shows a lot of rules, interesting one:
I think this allows any connections above port 1024 to come in if they were established, which is the case in the SYN/ACK packet. trying telnet again, will cause a SYN/ACK to some other random port, which is also not "seen" by my host although the tcpdump shows 0 packets dropped by kernel..
telnetting other websites works.

If that's the same machine the rule needs to be in the INPUT chain.
Maybe see if you can see any DROP which increases while you're trying to connect.
You can delete the statistic with
iptables -Z
which will make it easier to see.

Hi,
Yes it is in the input chain.
I am not sure I understand correctly but i did look at the dropped packets from /var/log/messages (this is where iptables logs them, i didn't check before since tcpdump shows 0 packets dropped by kernel ?!)


i pinged the website, this is what i found
it shows ICMP 0 (echo reply) dropped:

The IP SRC & DST match the website and my machine respectively.
When I telnet the website, however, no packets are dropped but cannot connect.

I hope you still can help.

I've got to admit that I don't have a clue what that means or how to fix it. I've never had any SPOOFED Packets.
But that's most likely the reason.

Earlier I thought maybe it's a nat or mangle thing, but I don't know if that could somehow be connected with it.

You could of course still look into
iptables -L -v -t nat
or
iptables -L -v -t mangle
but I doubt that's the reason. With mangle you can change the ip addresses, and that's what a spoofed packed is about. But probably it's not on your machine.

I suggest you open another thread, so others will have a look at it.
I'll follow your post, so I can learn something new as well.

Can you explain more about these websites? what is blackboard? Where are these sites located? Can you show us ALL the rules? From the tcpdump it looks like the SYN/ACK is being blocked by iptables, so not getting back to the client to complete the handshake.

Hi,
Well blackboard is a software used by colleges to post content etc. for students. Since I am on campus, i am accessing the private ip address of it. The external IP address is also giving the same problems. SYN/ACK and ping failures happen only for this particular website...
i am no expert in iptables, just using a script (fw-jay) to set the rules.
iptables -L -v gives:
cheers

So what is the IP you're hitting? are you hitting other internal websites by IP? There are plenty of drops there for private subnets, so it looks reasonable that it's one of them doing it.

your tcpdump and iptables outputs would be clearer with an -n added to them, to stop host name resolution and show the IP addresses involved.

This is the IP address i am hitting: 10.220.0.25
My address is one of 10.220.12.107/24 (dynamic by dhcp)
Note that if I access the public IP address of that site, the same issue happens.

Right so you can see it's being twunted by the JAY_SPOOFING table. I think it's the DROP entry in there, with 1280 hits, I think that's your man, as there doesn't seem to be any ESTABLISHED rule being encountered first. The public IP is getting dropped elsewhere.

Baaaaaasically, and please don't take this the wrong way, I would say that you've not taken the time to learn how to use this firewall script. I've no experience of it, but it looks pretty heavyweight to be dumping out all these tables. Looking at the flow, things are happening in the wrong order etc, but I expect that there's a reason for this which, given full configuration in its own gui, would make much more sense when reading the output. Either configure it properly or stop using it, and just use a normal tool. I'm sure slackware has one by default, and SuSe will have Yast. Or just edit the rules directly, it's really pretty easy one you've ditched all those confusing tables.

On a redhat server, the default list that is loaded by its iptables service just looks like this:

It's pretty simple, and you can probably see yourself what you'd need to duplicate and tweak to allow another incoming port. But as you don't even need to do that in the first place... a default firewall config like this would "just work".

Thanks for your help!

Here is what happened:
I removed the rule that would drop 10.0.0.0/8 connections, but it still didn't work. added a rule that allows incoming related,established connections above port 1024 from BB website, but still no luck
heck i even disabled the firewall, and still..
So i tested the wifi in the hallway, to see if the website is up and running. it is, and with the same internal IP that i am using.

As a final resort, i plugged my ethernet cable to a different socket and voila! It seems pretty strange, not sure what to make of it.
The traceroute:
Another thing, my orig. IP address was 10.220.12.76, in the other socket it was 10.220.12.107. I plugged back to my old socket, set the IP manually to 10.220.12.107 and it worked. then i switched back to 10.220.12.76, didn't work. switched back to 10.220.12.107 didn't work again. So it just worked for a little while on my old socket then it stopped?!
Maybe MAC address filtering, but then it worked for a while before stopping..

Now that i removed the rule that is responsible for dropping connections, attempting to connect traceroute shows more than 30 hops, although I KNOW it is one hop away..
I think i need to call Tech support :D

Cheers