cannot connect to particular website w/ firewall running
Hi Guys,
I have a small networking problem. I am using fw-jay to set up my iptables rules. Nothing fancy, just opening some ports needed. The problem is that I cannot connect to a particular website (Blackboard) although other websites work perfectly. This happens when my firewall is running; when I turn it off, the BB website works again. I have tried to capture the packets when I ping the server, and I capture all packets: ICMP echo request from me, and ICMP echo reply from the server. tcpdump says 20 packets captured, 0 dropped by kernel. However, on my ping prompt, nothing is there... ?! I also tried to telnet to port 80, and the connection times out. In tcpdump, it shows the SYN, SYN ACK from the server, then my host keeps SYN'ing a fresh connection so the server sends an R for the previous connection. Any ideas? Thanks
If you use tcpdump on the internal interface (i.e. the one connected to your host) or on your host itself,
do the SYN ACKs fit the SYNs, that means same IP address and same ports, just reversed? If they don't, the SYN ACK isn't recognized as the correct answer to the SYN and the host would send another SYN.
I have tried that but no packets are captured here. About the SYN/ACKs matching the SYN: in my capture, the SYN/ACK from the server has the ACK field set to the seq. number + 1 of the SYN packet. However my host keeps SYNing, ignoring the SYN/ACK. Maybe I am missing something, so here is the tcpdump: Code:
reading from file tcpdump.out, link-type EN10MB (Ethernet)
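The check suggested in the reply above (does each SYN/ACK answer an earlier SYN, with the 4-tuple reversed and ack = seq + 1) can be automated. This is an added example, not code from the thread or from the poster's capture; the packets below are constructed sample values with made-up hosts and ports, not the poster's scrubbed dump.

```python
"""Added example: audit a decoded capture for orphan SYN/ACKs.
Packet fields mirror what tcpdump prints; the sample data is constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # tcpdump style: "S" = SYN, "S." = SYN/ACK, "R" = RST
    seq: int
    ack: int = 0


def is_reply_to(synack: Packet, syn: Packet) -> bool:
    """A SYN/ACK answers a SYN only if the 4-tuple is exactly reversed
    and its ack number is the SYN's seq + 1 (mod 2**32, the ISN wraps)."""
    return (
        synack.flags == "S."
        and synack.src == syn.dst and synack.sport == syn.dport
        and synack.dst == syn.src and synack.dport == syn.sport
        and synack.ack == (syn.seq + 1) % 2**32
    )


def find_matching_syn(synack: Packet, earlier: List[Packet]) -> Optional[Packet]:
    """Most recent earlier SYN that this SYN/ACK is a valid answer to, if any."""
    for p in reversed(earlier):
        if p.flags == "S" and is_reply_to(synack, p):
            return p
    return None


def audit_handshakes(packets: List[Packet]) -> List[str]:
    """Walk the capture in order; report each SYN/ACK as 'ok' or 'orphan'.
    An orphan SYN/ACK is one the client's TCP stack will ignore, which is
    exactly the symptom of the client re-sending a fresh SYN."""
    report = []
    for i, p in enumerate(packets):
        if p.flags == "S.":
            report.append("ok" if find_matching_syn(p, packets[:i]) else "orphan")
    return report


# Constructed sample capture (made-up addresses): one correct handshake,
# then a SYN/ACK whose destination port does not match the SYN it should answer.
SAMPLE = [
    Packet("192.0.2.10", 40001, "192.0.2.25", 80, "S", 1000),
    Packet("192.0.2.25", 80, "192.0.2.10", 40001, "S.", 5000, 1001),
    Packet("192.0.2.10", 40002, "192.0.2.25", 80, "S", 2000),
    Packet("192.0.2.25", 80, "192.0.2.10", 40999, "S.", 6000, 2001),  # port mismatch
]

if __name__ == "__main__":
    print(audit_handshakes(SAMPLE))  # ['ok', 'orphan']
```

If every SYN/ACK in the capture comes out "ok" and the client still retransmits SYNs, the packet is reaching the wire but not the TCP stack, which points at the firewall rather than at the peer.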
So the host is where you're using tcpdump.
If your scrubbed IP address is the same in the SYN and the SYN ACK, it should work. Maybe it's a firewall issue. Try looking up Code:
iptables -L -v
Thanks for the reply,
It is something weird. iptables -L -v shows a lot of rules; the interesting one: Code:
618K 304M ACCEPT tcp -- any any anywhere anywhere tcp dpts:1024:65535 state RELATED,ESTABLISHED
Telnetting other websites works.
If that's the same machine, the rule needs to be in the INPUT chain.
Maybe see if you can see any DROP which increases while you're trying to connect. You can delete the statistics with iptables -Z, which will make it easier to see.
Hi,
Yes, it is in the INPUT chain. I am not sure I understand correctly, but I did look at the dropped packets in /var/log/messages (this is where iptables logs them; I didn't check before since tcpdump shows 0 packets dropped by kernel ?!). I pinged the website, and this is what I found; it shows ICMP 0 (echo reply) dropped: Code:
Oct 17 01:55:56 slackbox kernel: SPOOFED Packet IN=eth0 OUT= MAC=00:16:36:14:b0:e4:00:1f:0a:1f:22:19:08:00 SRC=10.220.0.25 DST=10.220.12.76 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=1334 PROTO=ICMP TYPE=0 CODE=0 ID=11111 SEQ=8
When I telnet to the website, however, no packets are dropped but I cannot connect. I hope you still can help.
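The kernel LOG line above carries everything needed to see why tcpdump and ping disagree: tcpdump taps the interface before the netfilter INPUT hook, so it shows the echo reply that the SPOOFED rule then drops before ping ever sees it. The following is an added example, not code from the thread or from fw-jay: a parser for this LOG format plus a small classifier. The ICMP line is the one from the post; the TCP line and the 10.220.12.107 interface address used in the misfire check are constructed sample values.

```python
"""Added example: parse iptables LOG lines and explain what a DROP of that
packet does to the application. Sample lines are from the post (ICMP) and
constructed (TCP)."""
import ipaddress
import re
from typing import Dict, List

_KV = re.compile(r"^([A-Z]+)=(.*)$")


def parse_iptables_log(line: str) -> Dict[str, object]:
    """Return a dict with 'prefix' (the --log-prefix text), every KEY=value
    field, and 'flags' (bare words such as DF, SYN, ACK).  Note the kernel
    prints ID= twice for ICMP (IP ID, then ICMP ID); the later one wins here."""
    head, sep, rest = line.partition(" IN=")
    if not sep:
        raise ValueError("not an iptables LOG line")
    rec: Dict[str, object] = {"prefix": head.split("kernel: ", 1)[-1].strip(),
                              "flags": []}
    for tok in ("IN=" + rest).split():
        m = _KV.match(tok)
        if m:
            rec[m.group(1)] = m.group(2)
        else:
            rec["flags"].append(tok)  # type: ignore[union-attr]
    return rec


def explain_drop(rec: Dict[str, object]) -> str:
    """What the user sees when this logged packet is dropped in INPUT."""
    proto = rec.get("PROTO")
    flags = set(rec["flags"])  # type: ignore[arg-type]
    if proto == "ICMP" and rec.get("TYPE") == "0":
        return "echo-reply dropped: ping prints nothing although tcpdump sees the reply"
    if proto == "TCP" and {"SYN", "ACK"} <= flags:
        return "SYN/ACK dropped: client retransmits SYN, server answers with RST"
    return "other"


def antispoof_misfires(rec: Dict[str, object], iface_addr: str) -> bool:
    """True when a 'drop private sources on this interface' rule is hitting a
    private source while the interface's own address is itself private: the
    rule is then blocking the LAN it is supposed to protect."""
    src = ipaddress.ip_address(str(rec["SRC"]))
    return src.is_private and ipaddress.ip_address(iface_addr).is_private


ICMP_LINE = ("Oct 17 01:55:56 slackbox kernel: SPOOFED Packet IN=eth0 OUT= "
             "MAC=00:16:36:14:b0:e4:00:1f:0a:1f:22:19:08:00 SRC=10.220.0.25 "
             "DST=10.220.12.76 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=1334 "
             "PROTO=ICMP TYPE=0 CODE=0 ID=11111 SEQ=8")
# Constructed: the same rule dropping a SYN/ACK from the web server.
TCP_LINE = ("Oct 17 02:00:01 slackbox kernel: SPOOFED Packet IN=eth0 OUT= "
            "MAC=00:16:36:14:b0:e4:00:1f:0a:1f:22:19:08:00 SRC=10.220.0.25 "
            "DST=10.220.12.107 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1335 DF "
            "PROTO=TCP SPT=80 DPT=40001 WINDOW=5840 RES=0x00 ACK SYN URGP=0")


def analyse(lines: List[str], iface_addr: str) -> List[str]:
    out = []
    for line in lines:
        rec = parse_iptables_log(line)
        note = explain_drop(rec)
        if antispoof_misfires(rec, iface_addr):
            note += " (anti-spoof rule misfires on a private LAN)"
        out.append(f"{rec['prefix']}: {rec['SRC']} -> {rec['DST']} {note}")
    return out


if __name__ == "__main__":
    for msg in analyse([ICMP_LINE, TCP_LINE], "10.220.12.107"):
        print(msg)
```

Run it against the real /var/log/messages with the interface's actual address; any line flagged as a misfire is a packet from your own campus network that the spoof rule classed as forged.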
I've got to admit that I don't have a clue what that means or how to fix it. I've never had any SPOOFED Packets.
But that's most likely the reason. Earlier I thought maybe it's a nat or mangle thing, but I don't know if that could somehow be connected with it. You could of course still look into iptables -L -v -t nat or iptables -L -v -t mangle, but I doubt that's the reason. With mangle you can change the IP addresses, and that's what a spoofed packet is about. But probably it's not on your machine. I suggest you open another thread, so others will have a look at it. I'll follow your post, so I can learn something new as well.
Can you explain more about these websites? What is Blackboard? Where are these sites located? Can you show us ALL the rules? From the tcpdump it looks like the SYN/ACK is being blocked by iptables, so it is not getting back to the client to complete the handshake.
Hi,
Well, Blackboard is software used by colleges to post content etc. for students. Since I am on campus, I am accessing its private IP address. The external IP address is also giving the same problems. SYN/ACK and ping failures happen only for this particular website... I am no expert in iptables, just using a script (fw-jay) to set the rules. iptables -L -v gives: Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
So what is the IP you're hitting? Are you hitting other internal websites by IP? There are plenty of drops there for private subnets, so it looks reasonable that it's one of them doing it.
Your tcpdump and iptables outputs would be clearer with an -n added to them, to stop host name resolution and show the IP addresses involved.
This is the IP address I am hitting: 10.220.0.25
My address is one of 10.220.12.107/24 (dynamic by DHCP). Note that if I access the public IP address of that site, the same issue happens.
Right, so you can see it's being twunted by the JAY_SPOOFING table. I think it's the DROP entry in there, with 1280 hits; I think that's your man, as there doesn't seem to be any ESTABLISHED rule being encountered first. The public IP is getting dropped elsewhere.
Baaaaaasically, and please don't take this the wrong way, I would say that you've not taken the time to learn how to use this firewall script. I've no experience of it, but it looks pretty heavyweight to be dumping out all these tables. Looking at the flow, things are happening in the wrong order etc., but I expect that there's a reason for this which, given full configuration in its own GUI, would make much more sense when reading the output. Either configure it properly or stop using it, and just use a normal tool. I'm sure Slackware has one by default, and SuSe will have Yast. Or just edit the rules directly; it's really pretty easy once you've ditched all those confusing tables. On a Red Hat server, the default list that is loaded by its iptables service just looks like this: Code:
*filter
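The point about rule order (an anti-spoof DROP for 10.0.0.0/8 on eth0 being hit before any ESTABLISHED rule) is easy to see with a first-match walk over a chain. This is an added example and not code from the thread, from fw-jay or from the Red Hat default ruleset: a small model of iptables INPUT traversal with a few matchers. The rules, the packets and their addresses are constructed to mirror the situation described above (campus server 10.220.0.25, host on a 10.220.12.0/24 DHCP lease, INPUT policy DROP).

```python
"""Added example: first-match chain traversal, showing why an anti-spoof
DROP placed before the ESTABLISHED accept kills legitimate replies on a
private LAN. Rules and packets are constructed, not the poster's."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Pkt:
    src: str
    iface: str
    state: str                 # conntrack state: NEW, ESTABLISHED, RELATED
    proto: str = "tcp"
    dport: int = 0


@dataclass
class Rule:
    target: str                            # ACCEPT or DROP (terminating)
    src: Optional[str] = None              # -s 10.0.0.0/8
    iface: Optional[str] = None            # -i eth0
    states: Optional[Set[str]] = None      # -m state --state ...
    proto: Optional[str] = None            # -p tcp
    dport: Optional[int] = None            # --dport 22

    def matches(self, p: Pkt) -> bool:
        return (
            (self.src is None
             or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src))
            and (self.iface is None or self.iface == p.iface)
            and (self.states is None or p.state in self.states)
            and (self.proto is None or self.proto == p.proto)
            and (self.dport is None or self.dport == p.dport)
        )


def traverse(chain: List[Rule], p: Pkt, policy: str = "DROP") -> str:
    """Like an iptables chain: the first matching terminating rule decides;
    if nothing matches, the chain policy applies."""
    for r in chain:
        if r.matches(p):
            return r.target
    return policy


# Constructed rules modelled on the thread.
ESTABLISHED = Rule("ACCEPT", states={"ESTABLISHED", "RELATED"})
ANTISPOOF = Rule("DROP", src="10.0.0.0/8", iface="eth0")   # the JAY_SPOOFING-style drop
SSH = Rule("ACCEPT", proto="tcp", dport=22, states={"NEW"})

# Constructed packets: a reply to our own SYN from the campus server, and an
# unsolicited connection attempt from another private address.
REPLY = Pkt(src="10.220.0.25", iface="eth0", state="ESTABLISHED", dport=40001)
PROBE = Pkt(src="10.9.9.9", iface="eth0", state="NEW", dport=40001)


def verdicts(chain: List[Rule]) -> dict:
    return {"reply": traverse(chain, REPLY), "probe": traverse(chain, PROBE)}


if __name__ == "__main__":
    print("spoof rule first:", verdicts([ANTISPOOF, ESTABLISHED, SSH]))
    print("established first:", verdicts([ESTABLISHED, ANTISPOOF, SSH]))
```

With the spoof DROP first the reply from 10.220.0.25 is dropped before conntrack ever gets a say; with the ESTABLISHED accept first the reply passes and the unsolicited probe is still dropped. On an interface whose own address is in 10/8, the anti-spoof rule for 10.0.0.0/8 is simply the wrong rule for that interface, whichever order it sits in.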
Thanks for your help!
Here is what happened: I removed the rule that would drop 10.0.0.0/8 connections, but it still didn't work. I added a rule that allows incoming RELATED,ESTABLISHED connections above port 1024 from the BB website, but still no luck. Heck, I even disabled the firewall, and still... So I tested the wifi in the hallway, to see if the website is up and running. It is, and with the same internal IP that I am using. As a final resort, I plugged my ethernet cable into a different socket and voila! It seems pretty strange, not sure what to make of it. The traceroute: Code:
traceroute 10.220.0.25
Maybe MAC address filtering, but then it worked for a while before stopping... Now that I removed the rule that is responsible for dropping connections, attempting to connect, traceroute shows more than 30 hops, although I KNOW it is one hop away... Code:
Cheers