cannot connect to particular website w/ firewall running
Hi Guys,
I have a small networking problem. I am using fw-jay to set up my iptables rules. Nothing fancy, just opening some ports I need.
The problem is that I cannot connect to a particular website (Blackboard), although other websites work perfectly. This happens when my firewall is running; when I turn it off, the BB website works again.
I have tried to capture the packets when I ping the server; I capture all the packets, the ICMP echo requests from me and the ICMP echo replies from the server. tcpdump says 20 packets captured, 0 dropped by kernel. However, on my ping prompt, nothing is there... ?!
I also tried to telnet to port 80, and the connection times out. In tcpdump, it shows the SYN, the SYN/ACK from the server, then my host keeps SYNing a fresh connection, so the server sends an R (RST) for the previous connection.
If you use tcpdump on the internal interface (i.e. the one connected to your host) or on your host itself,
do the SYN/ACKs fit the SYNs, that is, same IP addresses and same ports, just reversed?
If they don't, the SYN/ACK isn't recognized as the correct answer to the SYN and the host would send another SYN.
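The check suggested in the reply above, done mechanically, as an added example that is not part of the original thread: a small parser for tcpdump lines (assumed to be produced with `-n -S`, i.e. numeric addresses and absolute sequence numbers) that pairs each client SYN with the server's SYN/ACK by the reversed 4-tuple, verifies that the SYN/ACK acknowledges the client's ISN + 1, and then looks for the client's third-step ACK. The capture lines are constructed for the example and reproduce the symptom described in the thread: the SYN/ACKs fit, the host never ACKs them and opens fresh connections instead, while a control connection to a public address completes normally. The addresses and ports are invented.

```python
import re

# Matches "tcpdump -n -S" style lines; seq/ack are optional because a pure ACK
# carries no "seq" and a SYN carries no "ack".
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+))?(?:, ack (?P<ack>\d+))?"
)

# Constructed sample capture (not from the original post). Two attempts to
# 10.220.0.25:80 get a fitting SYN/ACK but no client ACK; the connection to
# 192.0.2.10:80 (documentation address) completes the three-way handshake.
CAPTURE = """\
12:00:01.000001 IP 10.220.12.107.45012 > 10.220.0.25.80: Flags [S], seq 1000, win 29200, length 0
12:00:01.000500 IP 10.220.0.25.80 > 10.220.12.107.45012: Flags [S.], seq 5000, ack 1001, win 14600, length 0
12:00:02.000001 IP 10.220.0.25.80 > 10.220.12.107.45012: Flags [S.], seq 5000, ack 1001, win 14600, length 0
12:00:04.000001 IP 10.220.12.107.45013 > 10.220.0.25.80: Flags [S], seq 2000, win 29200, length 0
12:00:04.000400 IP 10.220.0.25.80 > 10.220.12.107.45012: Flags [R], seq 5001, win 0, length 0
12:00:04.000500 IP 10.220.0.25.80 > 10.220.12.107.45013: Flags [S.], seq 6000, ack 2001, win 14600, length 0
12:00:05.000001 IP 10.220.12.107.45014 > 192.0.2.10.80: Flags [S], seq 3000, win 29200, length 0
12:00:05.030000 IP 192.0.2.10.80 > 10.220.12.107.45014: Flags [S.], seq 7000, ack 3001, win 14600, length 0
12:00:05.030100 IP 10.220.12.107.45014 > 192.0.2.10.80: Flags [.], ack 7001, win 229, length 0
""".splitlines()


def parse(line):
    """Return a dict with src/sport/dst/dport/flags/seq/ack, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    d["seq"] = int(d["seq"]) if d["seq"] is not None else None
    d["ack"] = int(d["ack"]) if d["ack"] is not None else None
    return d


def check_handshakes(lines):
    """Classify each client SYN by what happened to its handshake.

    Result is keyed by the client 4-tuple (src, sport, dst, dport) and holds one of:
      'no-synack'      no SYN/ACK with reversed addresses/ports was seen
      'bad-ack'        a SYN/ACK came back but its ACK number is not our ISN + 1
      'synack-ignored' the SYN/ACK fits, yet the client never sent the third ACK
      'established'    the client ACKed the server's ISN + 1 (handshake complete)
    """
    syns, synacks, result = {}, {}, {}
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if p["flags"] == "S":                      # client SYN
            syns[fwd] = p["seq"]
            result[fwd] = "no-synack"
        elif p["flags"] == "S." and rev in syns:   # server SYN/ACK, 4-tuple reversed
            if p["ack"] == syns[rev] + 1:
                synacks[rev] = p["seq"]
                result[rev] = "synack-ignored"     # until the client's ACK shows up
            else:
                result[rev] = "bad-ack"
        elif p["flags"] == "." and fwd in synacks and p["ack"] == synacks[fwd] + 1:
            result[fwd] = "established"            # third step of the handshake
    return result


def servers_with_ignored_synacks(lines):
    """(dst, dport) pairs where every attempt got a fitting SYN/ACK that the client ignored."""
    per_server = {}
    for (_, _, dst, dport), status in check_handshakes(lines).items():
        per_server.setdefault((dst, dport), set()).add(status)
    return {srv for srv, statuses in per_server.items() if statuses == {"synack-ignored"}}


if __name__ == "__main__":
    for key, status in check_handshakes(CAPTURE).items():
        print(key, status)
    print("fitting SYN/ACKs ignored by the client for:", servers_with_ignored_synacks(CAPTURE))
```

A fitting SYN/ACK in the capture that the stack never answers points at something on the host between the wire and TCP: on Linux, tcpdump taps the interface before the netfilter INPUT hook, so a packet can be captured and still be dropped by iptables, and tcpdump's "0 packets dropped by kernel" only refers to its own capture buffer, not to firewall drops.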
Do you mean trying to listen on the loopback interface, e.g. tcpdump -i lo ...?
I have tried that, but no packets are captured there.
About the SYN/ACKs matching the SYNs: in my capture, the SYN/ACK from the server has the ACK field equal to the sequence number + 1 of the SYN packet. However, my host keeps SYNing, ignoring the SYN/ACK.
Maybe I am missing something, so here is the tcpdump:
So the host is where you're using tcpdump.
If your scrubbed IP address is the same in the SYN and the SYN/ACK, it should work.
Maybe it's a firewall issue.
Try looking up
It is something weird.
iptables -L -v shows a lot of rules; the interesting one:
Code:
618K 304M ACCEPT tcp -- any any anywhere anywhere tcp dpts:1024:65535 state RELATED,ESTABLISHED
I think this allows any connection above port 1024 to come in if it was established, which is the case for the SYN/ACK packet. Trying telnet again will cause a SYN/ACK to some other random port, which is also not "seen" by my host, although tcpdump shows 0 packets dropped by kernel..
Telnetting to other websites works.
If that's the same machine, the rule needs to be in the INPUT chain.
Maybe see if you can spot any DROP counter that increases while you're trying to connect.
You can reset the statistics with
iptables -Z
which will make it easier to see.
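The counter check suggested above, as an added example that is not part of the original thread: instead of zeroing the counters with `iptables -Z`, take two `iptables -nvL` snapshots (before and during a connection attempt) and diff them, reporting only LOG/DROP/REJECT rules whose packet counter rose. The two snapshots below are constructed for the example and only contain a subset of the chains shown later in the thread; the counter values are invented. Note that without `-x` iptables abbreviates large counters (618K, 304M) and rounds them, so for exact deltas run it with `-x`.

```python
import re

_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
_COUNTER_RE = re.compile(r"^\d+[KMGT]?$")


def _num(s):
    """Parse an iptables counter; the K/M/G suffixes are powers of 1000 (approximate)."""
    if s[-1] in _SUFFIX:
        return int(s[:-1]) * _SUFFIX[s[-1]]
    return int(s)


def parse_counters(dump):
    """Map (chain, position-in-chain, normalized rule text) -> packet count
    from `iptables -nvL` output. Position is part of the key so two identical
    rules in different places stay distinct."""
    counters, chain, idx = {}, None, 0
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            chain, idx = line.split()[1], 0
            continue
        if line.startswith("pkts "):          # column header
            continue
        parts = line.split(None, 2)
        if len(parts) < 3 or not _COUNTER_RE.match(parts[0]):
            continue
        idx += 1
        rule = " ".join(parts[2].split())     # collapse the padded columns
        counters[(chain, idx, rule)] = _num(parts[0])
    return counters


def increased(before, after, targets=("DROP", "REJECT", "LOG")):
    """Rules whose packet counter rose between the snapshots, limited to the
    targets a blocked connection would leave a trace in. Each hit is
    (chain, position, target, delta, rule text)."""
    b, a = parse_counters(before), parse_counters(after)
    hits = []
    for key, pkts in a.items():
        delta = pkts - b.get(key, 0)
        target = key[2].split()[0]
        if delta > 0 and target in targets:
            hits.append((key[0], key[1], target, delta, key[2]))
    return hits


# Constructed snapshots (not from the original post).
BEFORE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   19  3975 JAY_INETIN  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain JAY_SPOOFING (2 references)
 pkts bytes target     prot opt in     out     source               destination
    6  1280 LOG        all  --  *      *       10.0.0.0/8           0.0.0.0/0            limit: avg 1/sec burst 1 LOG flags 0 level 6 prefix "SPOOFED Packet "
   11  1963 DROP       all  --  *      *       10.0.0.0/8           0.0.0.0/0
"""

AFTER = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   22  4600 JAY_INETIN  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain JAY_SPOOFING (2 references)
 pkts bytes target     prot opt in     out     source               destination
    7  1340 LOG        all  --  *      *       10.0.0.0/8           0.0.0.0/0            limit: avg 1/sec burst 1 LOG flags 0 level 6 prefix "SPOOFED Packet "
   14  2143 DROP       all  --  *      *       10.0.0.0/8           0.0.0.0/0
"""

if __name__ == "__main__":
    for chain, pos, target, delta, rule in increased(BEFORE, AFTER):
        print(f"{chain}#{pos} {target} +{delta}: {rule}")
```

Run it against real output with `iptables -nvxL > before.txt`, make the connection attempt, `iptables -nvxL > after.txt`, and feed both files in; the LOG rule's delta will lag the DROP rule's delta because of its rate limit.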
Hi,
Yes, it is in the INPUT chain.
I am not sure I understand correctly, but I did look at the dropped packets in /var/log/messages (this is where iptables logs them; I didn't check before since tcpdump shows 0 packets dropped by kernel?!)
I pinged the website; this is what I found.
It shows ICMP 0 (echo reply) dropped:
I've got to admit that I don't have a clue what that means or how to fix it. I've never had any SPOOFED packets.
But that's most likely the reason.
Earlier I thought maybe it's a nat or mangle thing, but I don't know if that could somehow be connected with it.
You could of course still look into
iptables -L -v -t nat
or
iptables -L -v -t mangle
but I doubt that's the reason. With mangle you can change the IP addresses, and that's what a spoofed packet is about. But probably it's not on your machine.
I suggest you open another thread, so others will have a look at it.
I'll follow your post, so I can learn something new as well.
Can you explain more about these websites? What is Blackboard? Where are these sites located? Can you show us ALL the rules? From the tcpdump it looks like the SYN/ACK is being blocked by iptables, so it is not getting back to the client to complete the handshake.
Hi,
Well, Blackboard is software used by colleges to post content etc. for students. Since I am on campus, I am accessing its private IP address. The external IP address is also giving the same problems. SYN/ACK and ping failures happen only for this particular website...
I am no expert in iptables, just using a script (fw-jay) to set the rules.
iptables -L -v gives:
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 JAY_LANIN all -- wlan0 any anywhere anywhere
19 3975 JAY_INETIN all -- eth0 any anywhere anywhere
5 1296 JAY_LDROP all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 JAY_FWD_INET_LAN all -- eth0 wlan0 anywhere anywhere
0 0 JAY_FWD_LAN_INET all -- wlan0 eth0 anywhere anywhere
0 0 JAY_LDROP all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 6 packets, 634 bytes)
pkts bytes target prot opt in out source destination
0 0 JAY_LANOUT all -- any wlan0 anywhere anywhere
86 10394 JAY_INETOUT all -- any eth0 anywhere anywhere
Chain JAY_CHECK_ICMP (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- any any anywhere anywhere icmp echo-request
0 0 DROP icmp -- any any anywhere anywhere icmp network-redirect
0 0 DROP icmp -- any any anywhere anywhere icmp host-redirect
0 0 DROP icmp -- any any anywhere anywhere icmp TOS-network-redirect
0 0 DROP icmp -- any any anywhere anywhere icmp TOS-host-redirect
0 0 DROP icmp -- any any anywhere anywhere icmp timestamp-request
0 0 DROP icmp -- any any anywhere anywhere icmp timestamp-reply
0 0 DROP icmp -- any any anywhere anywhere icmp address-mask-request
0 0 ACCEPT all -- any any anywhere anywhere
Chain JAY_CHECK_TCP (3 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
0 0 DROP tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN,RST
0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
0 0 DROP all -- any any anywhere anywhere state INVALID
0 0 DROP tcp -- any any anywhere anywhere tcp option=64
0 0 DROP tcp -- any any anywhere anywhere tcp option=128
Chain JAY_FWD_INET_LAN (1 references)
pkts bytes target prot opt in out source destination
0 0 JAY_CHECK_TCP tcp -- any any anywhere anywhere
0 0 JAY_CHECK_ICMP icmp -- any any anywhere anywhere
0 0 JAY_SPOOFING all -- any any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
Chain JAY_FWD_LAN_INET (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG icmp -- any any anywhere anywhere icmp echo-reply limit: avg 1/sec burst 1 LOG level info prefix `Dopped PING reply to outside'
0 0 DROP icmp -- any any anywhere anywhere icmp echo-reply
0 0 DROP icmp -- any any anywhere anywhere state INVALID
0 0 JAY_CHECK_TCP tcp -- any any anywhere anywhere
0 0 TCPMSS tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
0 0 DROP all -f any any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state NEW,RELATED,ESTABLISHED
Chain JAY_FWD_LAN_LAN (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere
Chain JAY_INETIN (1 references)
pkts bytes target prot opt in out source destination
19 3975 JAY_SPOOFING all -- any any anywhere anywhere
1 60 JAY_INETIN_TCP tcp -- any any anywhere anywhere
7 1952 JAY_INETIN_UDP udp -- any any anywhere anywhere
0 0 JAY_CHECK_ICMP icmp -- any any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state ESTABLISHED
Chain JAY_INETIN_TCP (1 references)
pkts bytes target prot opt in out source destination
0 0 JAY_SYNFLOOD tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
1 60 JAY_CHECK_TCP all -- any any anywhere anywhere
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:9050 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:5554 state NEW,ESTABLISHED
1 60 ACCEPT tcp -- any any anywhere anywhere tcp dpts:1024:65535 state RELATED,ESTABLISHED
Chain JAY_INETIN_UDP (1 references)
pkts bytes target prot opt in out source destination
2 656 ACCEPT udp -- any any 10.220.12.1 anywhere udp spt:bootps dpt:bootpc
0 0 ACCEPT udp -- any any 10.221.0.101 anywhere udp spt:domain state ESTABLISHED
0 0 ACCEPT udp -- any any 10.221.0.102 anywhere udp spt:domain state ESTABLISHED
0 0 ACCEPT udp -- any any 10.221.0.103 anywhere udp spt:domain state ESTABLISHED
0 0 ACCEPT udp -- eth0 any anywhere anywhere udp dpt:ntp state NEW,ESTABLISHED
0 0 ACCEPT udp -- eth0 any anywhere anywhere udp dpt:domain state NEW,ESTABLISHED
0 0 ACCEPT udp -- any any anywhere anywhere udp dpts:1024:65535 state RELATED,ESTABLISHED
Chain JAY_INETOUT (1 references)
pkts bytes target prot opt in out source destination
Chain JAY_LANIN (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- any any anywhere anywhere
Chain JAY_LANOUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any wlan0 anywhere 192.168.1.0/24
Chain JAY_LDROP (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- any any anywhere anywhere limit: avg 1/sec burst 5 LOG level info prefix `TCP Dropped '
5 1296 LOG udp -- any any anywhere anywhere limit: avg 1/sec burst 5 LOG level info prefix `UDP Dropped '
0 0 LOG icmp -- any any anywhere anywhere limit: avg 1/sec burst 5 LOG level info prefix `ICMP Dropped '
0 0 LOG all -f any any anywhere anywhere limit: avg 1/sec burst 5 LOG level info prefix `FRAGMENT Dropped '
5 1296 DROP all -- any any anywhere anywhere
Chain JAY_SPOOFING (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any 0.0.0.0/8 anywhere limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet '
6 1280 LOG all -- any any 10.0.0.0/8 anywhere limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet '
0 0 LOG all -- any any loopback/8 anywhere limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet '
0 0 LOG all -- any any 169.254.0.0/16 anywhere limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet '
0 0 LOG all -- any any 172.16.0.0/12 anywhere limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet '
0 0 LOG all -- any any 192.0.2.0/24 anywhere limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet '
0 0 LOG all -- any any 192.168.0.0/16 anywhere limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet '
0 0 LOG all -- any any base-address.mcast.net/4 anywhere limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet '
0 0 LOG all -- any any 240.0.0.0/5 anywhere limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet '
0 0 LOG all -- any any 248.0.0.0/5 anywhere limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet '
0 0 LOG all -- any any 255.255.255.255 anywhere limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet '
0 0 LOG all -- any any 10.220.12.107 anywhere limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet '
0 0 LOG all -- any any 192.168.1.0/24 anywhere limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet '
4 624 LOG all -- any any anywhere 255.255.255.255 limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet '
0 0 LOG all -- any any anywhere 0.0.0.0 limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet '
0 0 DROP all -- any any 0.0.0.0/8 anywhere
11 1963 DROP all -- any any 10.0.0.0/8 anywhere
0 0 DROP all -- any any loopback/8 anywhere
0 0 DROP all -- any any 169.254.0.0/16 anywhere
0 0 DROP all -- any any 172.16.0.0/12 anywhere
0 0 DROP all -- any any 192.0.2.0/24 anywhere
0 0 DROP all -- any any 192.168.0.0/16 anywhere
0 0 DROP all -- any any base-address.mcast.net/4 anywhere
0 0 DROP all -- any any 240.0.0.0/5 anywhere
0 0 DROP all -- any any 248.0.0.0/5 anywhere
0 0 DROP all -- any any 255.255.255.255 anywhere
0 0 DROP all -- any any 10.220.12.107 anywhere
0 0 DROP all -- any any 192.168.1.0/24 anywhere
0 0 DROP all -- any any anywhere 255.255.255.255
0 0 DROP all -- any any anywhere 0.0.0.0
Chain JAY_SYNFLOOD (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- any any anywhere anywhere limit: avg 12/sec burst 24
0 0 DROP all -- any any anywhere anywhere
So what is the IP you're hitting? Are you hitting other internal websites by IP? There are plenty of drops there for private subnets, so it looks reasonable that it's one of them doing it.
Your tcpdump and iptables outputs would be clearer with -n added to them, to stop host name resolution and show the IP addresses involved.
This is the IP address I am hitting: 10.220.0.25
My address is one of 10.220.12.107/24 (dynamic, by DHCP).
Note that if I access the public IP address of that site, the same issue happens.
Right, so you can see it's being twunted by the JAY_SPOOFING table. I think it's the DROP entry in there, with 1280 hits; I think that's your man, as there doesn't seem to be any ESTABLISHED rule being encountered first. The public IP is getting dropped elsewhere.
Baaaaaasically, and please don't take this the wrong way, I would say that you've not taken the time to learn how to use this firewall script. I've no experience of it, but it looks pretty heavyweight to be dumping out all these tables. Looking at the flow, things are happening in the wrong order etc., but I expect that there's a reason for this which, given the full configuration in its own GUI, would make much more sense when reading the output. Either configure it properly or stop using it, and just use a normal tool. I'm sure Slackware has one by default, and SUSE will have YaST. Or just edit the rules directly; it's really pretty easy once you've ditched all those confusing tables.
On a Red Hat server, the default rule list loaded by its iptables service just looks like this:
Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
It's pretty simple, and you can probably see for yourself what you'd need to duplicate and tweak to allow another incoming port. But as you don't even need to do that in the first place... a default firewall config like this would "just work".
Last edited by acid_kewpie; 10-18-2012 at 01:15 PM.
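The rule-ordering point made in the reply above, as an added example that is not part of the original thread: a small model of how netfilter walks a chain (first terminal match wins, LOG is non-terminal, a user-chain target is a call that returns on RETURN or at the end of the chain), loaded with the same layout as the dumped fw-jay rules: INPUT jumps to JAY_INETIN for eth0, which consults JAY_SPOOFING before its stateful ACCEPT. The spoof list here is a subset of the one in the dump, and the state of each packet is supplied by hand as conntrack would classify it (the server's SYN/ACK to an outgoing SYN is ESTABLISHED). The `build_chains(uplink_net)` variant, the interface name and the packets are assumptions for the example; they show the general rule that a source range may only be treated as spoofed on an interface whose own network does not lie inside it.

```python
import ipaddress

TERMINAL = {"ACCEPT", "DROP"}

# Bogon ranges taken from the JAY_SPOOFING dump (subset).
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
          "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16"]


class Rule:
    """One iptables rule: optional source network, input interface and conntrack
    states to match, plus a target (ACCEPT/DROP/LOG/RETURN or a user chain name)."""

    def __init__(self, target, src=None, in_if=None, state=None):
        self.target, self.in_if, self.state = target, in_if, state
        self.src = ipaddress.ip_network(src) if src else None

    def matches(self, pkt):
        return ((self.src is None or ipaddress.ip_address(pkt["src"]) in self.src)
                and (self.in_if is None or pkt["in"] == self.in_if)
                and (self.state is None or pkt["state"] in self.state))


def walk(chains, chain, pkt, trail):
    """Traverse a chain like netfilter: returns ACCEPT/DROP on a terminal match,
    None when the chain falls off the end or hits RETURN. `trail` records
    every matching rule as CHAIN[index]:TARGET."""
    for i, rule in enumerate(chains[chain]):
        if not rule.matches(pkt):
            continue
        trail.append(f"{chain}[{i}]:{rule.target}")
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        if rule.target == "LOG":
            continue                       # LOG is non-terminal
        verdict = walk(chains, rule.target, pkt, trail)   # jump to user chain
        if verdict is not None:
            return verdict
    return None


def evaluate(chains, pkt, policy="DROP"):
    """Verdict for a packet entering INPUT, plus the trail of matched rules."""
    trail = []
    verdict = walk(chains, "INPUT", pkt, trail)
    return (verdict if verdict is not None else policy), trail


def build_chains(uplink_net=None):
    """Same layout as the dumped rules. With uplink_net given (assumed fix, not
    part of fw-jay), any bogon range that contains the uplink's own network is
    left out of the anti-spoofing list, since replies from that network are
    legitimate on that interface."""
    keep = [n for n in BOGONS
            if not (uplink_net and ipaddress.ip_network(uplink_net)
                    .subnet_of(ipaddress.ip_network(n)))]
    spoof = [Rule("LOG", src=n) for n in keep] + [Rule("DROP", src=n) for n in keep]
    return {
        "INPUT": [Rule("ACCEPT", in_if="lo"),
                  Rule("JAY_INETIN", in_if="eth0"),
                  Rule("JAY_LDROP")],
        "JAY_INETIN": [Rule("JAY_SPOOFING"),                 # consulted first, as in the dump
                       Rule("ACCEPT", state={"ESTABLISHED", "RELATED"})],
        "JAY_SPOOFING": spoof,
        "JAY_LDROP": [Rule("LOG"), Rule("DROP")],
    }


# Constructed packets (not from the original post), as seen on eth0.
SYNACK_FROM_LAN = {"src": "10.220.0.25", "in": "eth0", "state": "ESTABLISHED"}
SYNACK_FROM_NET = {"src": "198.51.100.7", "in": "eth0", "state": "ESTABLISHED"}
SPOOFED_NEW = {"src": "192.168.1.5", "in": "eth0", "state": "NEW"}

if __name__ == "__main__":
    for label, chains in (("as dumped", build_chains()),
                          ("uplink in 10.220.12.0/24", build_chains("10.220.12.0/24"))):
        for pkt in (SYNACK_FROM_LAN, SYNACK_FROM_NET, SPOOFED_NEW):
            verdict, trail = evaluate(chains, pkt)
            print(f"{label}: {pkt['src']} -> {verdict} via {' > '.join(trail)}")
```

With the chains as dumped, the SYN/ACK from 10.220.0.25 is logged and dropped inside JAY_SPOOFING before JAY_INETIN ever reaches its ESTABLISHED accept, while the same packet from a public address is accepted. Scoping the bogon list to the interface keeps the anti-spoofing protection for ranges that genuinely cannot appear on the uplink and stops it from discarding every reply from the campus network.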
Here is what happened:
I removed the rule that would drop 10.0.0.0/8 connections, but it still didn't work. I added a rule that allows incoming RELATED,ESTABLISHED connections above port 1024 from the BB website, but still no luck.
Heck, I even disabled the firewall, and still..
So I tested the wifi in the hallway, to see if the website is up and running. It is, and with the same internal IP that I am using.
As a last resort, I plugged my ethernet cable into a different socket and voila! It seems pretty strange; not sure what to make of it.
The traceroute:
Code:
traceroute 10.220.0.25
traceroute to 10.220.0.25 (10.220.0.25), 30 hops max, 60 byte packets
1 10.220.12.2 (10.220.12.2) 0.743 ms 1.052 ms 1.377 ms
2 10.220.0.25 (10.220.0.25) 0.241 ms 0.256 ms 0.232 ms
Another thing: my orig. IP address was 10.220.12.76; in the other socket it was 10.220.12.107. I plugged back into my old socket, set the IP manually to 10.220.12.107, and it worked. Then I switched back to 10.220.12.76; it didn't work. Switched back to 10.220.12.107; it didn't work again. So it just worked for a little while on my old socket, then it stopped?!
Maybe MAC address filtering, but then it worked for a while before stopping..
Now that I have removed the rule that is responsible for dropping connections, attempting to connect with traceroute shows more than 30 hops, although I KNOW it is one hop away..