LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 10-13-2012, 04:32 PM   #1
DutchGeek
Member
 
Registered: Sep 2006
Distribution: SuSE, Slackware
Posts: 55

Rep: Reputation: 10
cannot connect to particular website w/ firewall running


Hi Guys,

I have a small networking problem. I am using fw-jay to set up my iptables rules; nothing fancy, just opening some ports that are needed.

The problem is that I cannot connect to a particular website (Blackboard), although other websites work perfectly. This happens when my firewall is running; when I turn it off, the BB website works again.

I have tried to capture the packets when I ping the server. I capture all packets: ICMP echo requests from me and ICMP echo replies from the server. tcpdump says 20 packets captured, 0 dropped by kernel. However, on my ping prompt, nothing is there... ?!

I also tried to telnet to port 80, and the connection times out. In tcpdump, it shows the SYN, then the SYN/ACK from the server, then my host keeps SYN'ing a fresh connection, so the server sends an R for the previous connection.

Any ideas?

Thanks
 
Old 10-15-2012, 02:05 AM   #2
KatrinAlec
Member
 
Registered: Feb 2012
Posts: 116

Rep: Reputation: 13
If you use tcpdump on the internal interface (i.e. the one connected to your host) or on your host itself,
do the SYN/ACKs fit the SYNs, i.e. same IP addresses and same ports, just reversed?
If they don't, the SYN/ACK isn't recognized as the correct answer to the SYN and the host would send another SYN.
 
Old 10-15-2012, 07:15 AM   #3
DutchGeek
Member
 
Registered: Sep 2006
Distribution: SuSE, Slackware
Posts: 55

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by KatrinAlec View Post
If you use tcpdump on the internal interface (i.e. the one connected to your host) or on your host itself,
do the SYN/ACKs fit the SYNs, i.e. same IP addresses and same ports, just reversed?
If they don't, the SYN/ACK isn't recognized as the correct answer to the SYN and the host would send another SYN.
Do you mean trying to listen on the loopback interface? e.g. tcpdump -i lo ...
I have tried that, but no packets are captured there.

About the SYN/ACKs matching the SYN: in my capture, the SYN/ACK from the server has the ACK field set to the seq. number + 1 of the SYN packet. However, my host keeps SYNing, ignoring the SYN/ACK.

Maybe I am missing something so here is the tcpdump:

Code:
reading from file tcpdump.out, link-type EN10MB (Ethernet)
16:06:51.300846 IP slackbox.home.39684 > [SCRUBBED].edu.http: Flags [S], seq 4012778385, win 5840, options [mss 1460,sackOK,TS val 147435025 ecr 0,nop,wscale 6], length 0
16:06:51.301064 IP [SCRUBBED].edu.http > slackbox.home.39684: Flags [S.], seq 324687457, ack 4012778386, win 8192, options [mss 1460,sackOK,TS val 951946563 ecr 147435025], length 0
16:06:51.302576 IP [SCRUBBED].edu.http > slackbox.home.39684: Flags [S.], seq 324687457, ack 4012778386, win 8192, options [mss 1460,sackOK,TS val 951946563 ecr 147435025], length 0
16:06:54.298088 IP [SCRUBBED].edu.http > slackbox.home.39684: Flags [S.], seq 324687457, ack 4012778386, win 8192, options [mss 1460,sackOK,TS val 951946863 ecr 147435025], length 0
16:06:54.300727 IP slackbox.home.39684 > [SCRUBBED].edu.http: Flags [S], seq 4012778385, win 5840, options [mss 1460,sackOK,TS val 147438025 ecr 0,nop,wscale 6], length 0
16:06:54.332533 IP [SCRUBBED].edu.http > slackbox.home.39684: Flags [S.], seq 324687457, ack 4012778386, win 8192, options [mss 1460,sackOK,TS val 951946863 ecr 147435025], length 0
16:07:00.298242 IP [SCRUBBED].edu.http > slackbox.home.39684: Flags [S.], seq 324687457, ack 4012778386, win 8192, options [mss 1460,sackOK,TS val 951947463 ecr 147435025], length 0
16:07:00.300727 IP slackbox.home.39684 > [SCRUBBED].edu.http: Flags [S], seq 4012778385, win 5840, options [mss 1460,sackOK,TS val 147444025 ecr 0,nop,wscale 6], length 0
16:07:00.322667 IP [SCRUBBED].edu.http > slackbox.home.39684: Flags [S.], seq 324687457, ack 4012778386, win 8192, options [mss 1460,sackOK,TS val 951947463 ecr 147435025], length 0
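
Added example (not code from the thread): a small Python checker that applies KatrinAlec's test to a capture like the one above, pairing each client SYN with the server's SYN/ACK by reversed address/port tuple and ack = seq + 1, and then saying why the handshake stalls. The sample capture is constructed after the posted one, with the scrubbed host renamed to bb.example.edu and a second, completing flow added for contrast.

```python
import re

# One tcpdump line per TCP segment, as printed by `tcpdump -r file` without -S: the SYN and
# SYN/ACK carry absolute sequence numbers, later segments relative ones (the final ACK shows "ack 1").
TCP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?"
)


def split_endpoint(endpoint):
    """'slackbox.home.39684' -> ('slackbox.home', '39684'); the last dot separates the port."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_line(line):
    m = TCP_LINE.match(line)
    if not m:
        return None
    return {"src": split_endpoint(m["src"]), "dst": split_endpoint(m["dst"]),
            "flags": m["flags"],
            "seq": int(m["seq"]) if m["seq"] else None,
            "ack": int(m["ack"]) if m["ack"] else None}


def new_report():
    return {"syns": 0, "syn_seq": None, "server_seq": None, "synacks_ok": 0,
            "synacks_bad": 0, "syn_after_synack": False, "completed": False}


def analyze_handshakes(lines):
    """Pair client SYNs with server SYN/ACKs; keyed by ((client_host, port), (server_host, port))."""
    flows = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["flags"] == "S":                       # client SYN (or a retransmit of it)
            rep = flows.setdefault((pkt["src"], pkt["dst"]), new_report())
            if rep["synacks_ok"]:
                rep["syn_after_synack"] = True        # a valid SYN/ACK was on the wire, yet SYN is resent
            rep["syns"] += 1
            rep["syn_seq"] = pkt["seq"]
        elif pkt["flags"] == "S.":                    # server SYN/ACK: must mirror the SYN's 4-tuple
            rep = flows.setdefault((pkt["dst"], pkt["src"]), new_report())
            if rep["syn_seq"] is not None and pkt["ack"] == rep["syn_seq"] + 1:
                rep["synacks_ok"] += 1
                rep["server_seq"] = pkt["seq"]
            else:
                rep["synacks_bad"] += 1               # no SYN for this tuple, or wrong ack number
        elif pkt["flags"] == ".":                     # client's final ACK (printed relative as "ack 1")
            rep = flows.get((pkt["src"], pkt["dst"]))
            if rep and rep["server_seq"] is not None and pkt["ack"] in (1, rep["server_seq"] + 1):
                rep["completed"] = True
    return flows


def diagnose(rep):
    if rep["completed"]:
        return "handshake completed"
    if not rep["synacks_ok"] and not rep["synacks_bad"]:
        return "no SYN/ACK seen: the server or the path is not answering"
    if rep["synacks_bad"] and not rep["synacks_ok"]:
        return "SYN/ACK does not mirror the SYN (address, port or ack mismatch): look for NAT or mangling"
    if rep["syn_after_synack"]:
        # A packet socket (tcpdump) sees the frame before netfilter's INPUT hook, so a matching
        # SYN/ACK in the capture that the client still ignores points at a local filter drop.
        return "valid SYN/ACK captured but client keeps retransmitting SYN: check INPUT-side drops"
    return "valid SYN/ACK seen, no final ACK yet"


# Constructed sample modelled on the thread's capture (scrubbed host renamed), plus one good flow.
SAMPLE_CAPTURE = [
    "16:06:51.300846 IP slackbox.home.39684 > bb.example.edu.http: Flags [S], seq 4012778385, win 5840, length 0",
    "16:06:51.301064 IP bb.example.edu.http > slackbox.home.39684: Flags [S.], seq 324687457, ack 4012778386, win 8192, length 0",
    "16:06:54.298088 IP bb.example.edu.http > slackbox.home.39684: Flags [S.], seq 324687457, ack 4012778386, win 8192, length 0",
    "16:06:54.300727 IP slackbox.home.39684 > bb.example.edu.http: Flags [S], seq 4012778385, win 5840, length 0",
    "16:06:54.332533 IP bb.example.edu.http > slackbox.home.39684: Flags [S.], seq 324687457, ack 4012778386, win 8192, length 0",
    "16:07:10.000000 IP slackbox.home.40001 > other.example.org.http: Flags [S], seq 100, win 5840, length 0",
    "16:07:10.000500 IP other.example.org.http > slackbox.home.40001: Flags [S.], seq 500, ack 101, win 8192, length 0",
    "16:07:10.000700 IP slackbox.home.40001 > other.example.org.http: Flags [.], ack 1, win 92, length 0",
]

if __name__ == "__main__":
    for (client, server), rep in analyze_handshakes(SAMPLE_CAPTURE).items():
        print(f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}: {diagnose(rep)}")
```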
 
Old 10-15-2012, 07:37 AM   #4
KatrinAlec
Member
 
Registered: Feb 2012
Posts: 116

Rep: Reputation: 13
So the host is where you're using tcpdump.
If your scrubbed IP address is the same in the SYN and the SYN/ACK, it should work.
Maybe it's a firewall issue.
Try looking up
Code:
iptables -L -v
 
Old 10-15-2012, 02:41 PM   #5
DutchGeek
Member
 
Registered: Sep 2006
Distribution: SuSE, Slackware
Posts: 55

Original Poster
Rep: Reputation: 10
Thanks for the reply,

It is something weird.
iptables -L -v shows a lot of rules; the interesting one is:
Code:
618K  304M ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpts:1024:65535 state RELATED,ESTABLISHED
I think this allows any connections above port 1024 to come in if they were established, which is the case for the SYN/ACK packet. Trying telnet again will cause a SYN/ACK to some other random port, which is also not "seen" by my host, although tcpdump shows 0 packets dropped by kernel..
Telnetting to other websites works.
 
Old 10-16-2012, 01:35 AM   #6
KatrinAlec
Member
 
Registered: Feb 2012
Posts: 116

Rep: Reputation: 13
If that's the same machine the rule needs to be in the INPUT chain.
Maybe see if you can see any DROP which increases while you're trying to connect.
You can delete the statistic with
iptables -Z
which will make it easier to see.
 
Old 10-16-2012, 05:27 PM   #7
DutchGeek
Member
 
Registered: Sep 2006
Distribution: SuSE, Slackware
Posts: 55

Original Poster
Rep: Reputation: 10
Hi,
Yes, it is in the INPUT chain.
I am not sure I understand correctly, but I did look at the dropped packets in /var/log/messages (this is where iptables logs them; I didn't check before since tcpdump shows 0 packets dropped by kernel ?!)

I pinged the website, and this is what I found.
It shows ICMP type 0 (echo reply) dropped:

Code:
Oct 17 01:55:56 slackbox kernel: SPOOFED Packet IN=eth0 OUT= MAC=00:16:36:14:b0:e4:00:1f:0a:1f:22:19:08:00 SRC=10.220.0.25 DST=10.220.12.76 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=1334 PROTO=ICMP TYPE=0 CODE=0 ID=11111 SEQ=8 
Oct 17 01:55:57 slackbox kernel: SPOOFED Packet IN=eth0 OUT= MAC=00:16:36:14:b0:e4:00:1f:0a:1f:22:19:08:00 SRC=10.220.0.25 DST=10.220.12.76 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=1355 PROTO=ICMP TYPE=0 CODE=0 ID=11111 SEQ=9 
Oct 17 01:55:58 slackbox kernel: SPOOFED Packet IN=eth0 OUT= MAC=00:16:36:14:b0:e4:00:1f:0a:1f:22:19:08:00 SRC=10.220.0.25 DST=10.220.12.76 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=1361 PROTO=ICMP TYPE=0 CODE=0 ID=11111 SEQ=10
The IP SRC & DST match the website and my machine respectively.
When I telnet to the website, however, no packets are dropped, but I cannot connect.

I hope you still can help.
 
Old 10-17-2012, 01:45 AM   #8
KatrinAlec
Member
 
Registered: Feb 2012
Posts: 116

Rep: Reputation: 13
I've got to admit that I don't have a clue what that means or how to fix it. I've never had any SPOOFED Packets.
But that's most likely the reason.

Earlier I thought maybe it's a nat or mangle thing, but I don't know if that could somehow be connected with it.

You could of course still look into
iptables -L -v -t nat
or
iptables -L -v -t mangle
but I doubt that's the reason. With mangle you can change the IP addresses, and that's what a spoofed packet is about. But probably it's not on your machine.

I suggest you open another thread, so others will have a look at it.
I'll follow your post, so I can learn something new as well.
 
Old 10-18-2012, 03:16 AM   #9
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Can you explain more about these websites? What is Blackboard? Where are these sites located? Can you show us ALL the rules? From the tcpdump it looks like the SYN/ACK is being blocked by iptables, so it is not getting back to the client to complete the handshake.
 
Old 10-18-2012, 04:41 AM   #10
DutchGeek
Member
 
Registered: Sep 2006
Distribution: SuSE, Slackware
Posts: 55

Original Poster
Rep: Reputation: 10
Hi,
Well, Blackboard is software used by colleges to post content etc. for students. Since I am on campus, I am accessing its private IP address. The external IP address also gives the same problems. SYN/ACK and ping failures happen only for this particular website...
I am no expert in iptables, just using a script (fw-jay) to set the rules.
iptables -L -v gives:
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
    0     0 JAY_LANIN  all  --  wlan0  any     anywhere             anywhere            
   19  3975 JAY_INETIN  all  --  eth0   any     anywhere             anywhere            
    5  1296 JAY_LDROP  all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 JAY_FWD_INET_LAN  all  --  eth0   wlan0   anywhere             anywhere            
    0     0 JAY_FWD_LAN_INET  all  --  wlan0  eth0    anywhere             anywhere            
    0     0 JAY_LDROP  all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 6 packets, 634 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 JAY_LANOUT  all  --  any    wlan0   anywhere             anywhere            
   86 10394 JAY_INETOUT  all  --  any    eth0    anywhere             anywhere            

Chain JAY_CHECK_ICMP (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       icmp --  any    any     anywhere             anywhere            icmp echo-request 
    0     0 DROP       icmp --  any    any     anywhere             anywhere            icmp network-redirect 
    0     0 DROP       icmp --  any    any     anywhere             anywhere            icmp host-redirect 
    0     0 DROP       icmp --  any    any     anywhere             anywhere            icmp TOS-network-redirect 
    0     0 DROP       icmp --  any    any     anywhere             anywhere            icmp TOS-host-redirect 
    0     0 DROP       icmp --  any    any     anywhere             anywhere            icmp timestamp-request 
    0     0 DROP       icmp --  any    any     anywhere             anywhere            icmp timestamp-reply 
    0     0 DROP       icmp --  any    any     anywhere             anywhere            icmp address-mask-request 
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain JAY_CHECK_TCP (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN,RST 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN 
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp option=64 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp option=128 

Chain JAY_FWD_INET_LAN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 JAY_CHECK_TCP  tcp  --  any    any     anywhere             anywhere            
    0     0 JAY_CHECK_ICMP  icmp --  any    any     anywhere             anywhere            
    0     0 JAY_SPOOFING  all  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 

Chain JAY_FWD_LAN_INET (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        icmp --  any    any     anywhere             anywhere            icmp echo-reply limit: avg 1/sec burst 1 LOG level info prefix `Dopped PING reply to outside' 
    0     0 DROP       icmp --  any    any     anywhere             anywhere            icmp echo-reply 
    0     0 DROP       icmp --  any    any     anywhere             anywhere            state INVALID 
    0     0 JAY_CHECK_TCP  tcp  --  any    any     anywhere             anywhere            
    0     0 TCPMSS     tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 
    0     0 DROP       all  -f  any    any     anywhere             anywhere            
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state NEW,RELATED,ESTABLISHED 

Chain JAY_FWD_LAN_LAN (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain JAY_INETIN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   19  3975 JAY_SPOOFING  all  --  any    any     anywhere             anywhere            
    1    60 JAY_INETIN_TCP  tcp  --  any    any     anywhere             anywhere            
    7  1952 JAY_INETIN_UDP  udp  --  any    any     anywhere             anywhere            
    0     0 JAY_CHECK_ICMP  icmp --  any    any     anywhere             anywhere            
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state ESTABLISHED 

Chain JAY_INETIN_TCP (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 JAY_SYNFLOOD  tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN 
    1    60 JAY_CHECK_TCP  all  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:9050 state NEW,ESTABLISHED 
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:5554 state NEW,ESTABLISHED 
    1    60 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpts:1024:65535 state RELATED,ESTABLISHED 

Chain JAY_INETIN_UDP (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   656 ACCEPT     udp  --  any    any     10.220.12.1          anywhere            udp spt:bootps dpt:bootpc 
    0     0 ACCEPT     udp  --  any    any     10.221.0.101         anywhere            udp spt:domain state ESTABLISHED 
    0     0 ACCEPT     udp  --  any    any     10.221.0.102         anywhere            udp spt:domain state ESTABLISHED 
    0     0 ACCEPT     udp  --  any    any     10.221.0.103         anywhere            udp spt:domain state ESTABLISHED 
    0     0 ACCEPT     udp  --  eth0   any     anywhere             anywhere            udp dpt:ntp state NEW,ESTABLISHED 
    0     0 ACCEPT     udp  --  eth0   any     anywhere             anywhere            udp dpt:domain state NEW,ESTABLISHED 
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpts:1024:65535 state RELATED,ESTABLISHED 

Chain JAY_INETOUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain JAY_LANIN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            

Chain JAY_LANOUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    wlan0   anywhere             192.168.1.0/24      

Chain JAY_LDROP (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            limit: avg 1/sec burst 5 LOG level info prefix `TCP Dropped ' 
    5  1296 LOG        udp  --  any    any     anywhere             anywhere            limit: avg 1/sec burst 5 LOG level info prefix `UDP Dropped ' 
    0     0 LOG        icmp --  any    any     anywhere             anywhere            limit: avg 1/sec burst 5 LOG level info prefix `ICMP Dropped ' 
    0     0 LOG        all  -f  any    any     anywhere             anywhere            limit: avg 1/sec burst 5 LOG level info prefix `FRAGMENT Dropped ' 
    5  1296 DROP       all  --  any    any     anywhere             anywhere            

Chain JAY_SPOOFING (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     0.0.0.0/8            anywhere            limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet ' 
    6  1280 LOG        all  --  any    any     10.0.0.0/8           anywhere            limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet ' 
    0     0 LOG        all  --  any    any     loopback/8           anywhere            limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet ' 
    0     0 LOG        all  --  any    any     169.254.0.0/16       anywhere            limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet ' 
    0     0 LOG        all  --  any    any     172.16.0.0/12        anywhere            limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet ' 
    0     0 LOG        all  --  any    any     192.0.2.0/24         anywhere            limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet ' 
    0     0 LOG        all  --  any    any     192.168.0.0/16       anywhere            limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet ' 
    0     0 LOG        all  --  any    any     base-address.mcast.net/4  anywhere            limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet ' 
    0     0 LOG        all  --  any    any     240.0.0.0/5          anywhere            limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet ' 
    0     0 LOG        all  --  any    any     248.0.0.0/5          anywhere            limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet ' 
    0     0 LOG        all  --  any    any     255.255.255.255      anywhere            limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet ' 
    0     0 LOG        all  --  any    any     10.220.12.107        anywhere            limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet ' 
    0     0 LOG        all  --  any    any     192.168.1.0/24       anywhere            limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet ' 
    4   624 LOG        all  --  any    any     anywhere             255.255.255.255     limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet ' 
    0     0 LOG        all  --  any    any     anywhere             0.0.0.0             limit: avg 1/sec burst 1 LOG level info prefix `SPOOFED Packet ' 
    0     0 DROP       all  --  any    any     0.0.0.0/8            anywhere            
   11  1963 DROP       all  --  any    any     10.0.0.0/8           anywhere            
    0     0 DROP       all  --  any    any     loopback/8           anywhere            
    0     0 DROP       all  --  any    any     169.254.0.0/16       anywhere            
    0     0 DROP       all  --  any    any     172.16.0.0/12        anywhere            
    0     0 DROP       all  --  any    any     192.0.2.0/24         anywhere            
    0     0 DROP       all  --  any    any     192.168.0.0/16       anywhere            
    0     0 DROP       all  --  any    any     base-address.mcast.net/4  anywhere            
    0     0 DROP       all  --  any    any     240.0.0.0/5          anywhere            
    0     0 DROP       all  --  any    any     248.0.0.0/5          anywhere            
    0     0 DROP       all  --  any    any     255.255.255.255      anywhere            
    0     0 DROP       all  --  any    any     10.220.12.107        anywhere            
    0     0 DROP       all  --  any    any     192.168.1.0/24       anywhere            
    0     0 DROP       all  --  any    any     anywhere             255.255.255.255     
    0     0 DROP       all  --  any    any     anywhere             0.0.0.0             

Chain JAY_SYNFLOOD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere            limit: avg 12/sec burst 24 
    0     0 DROP       all  --  any    any     anywhere             anywhere
Cheers
 
Old 10-18-2012, 05:44 AM   #11
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
So what is the IP you're hitting? Are you hitting other internal websites by IP? There are plenty of drops there for private subnets, so it looks reasonable that it's one of them doing it.

Your tcpdump and iptables outputs would be clearer with -n added to them, to stop host name resolution and show the IP addresses involved.
 
Old 10-18-2012, 12:19 PM   #12
DutchGeek
Member
 
Registered: Sep 2006
Distribution: SuSE, Slackware
Posts: 55

Original Poster
Rep: Reputation: 10
This is the IP address I am hitting: 10.220.0.25
My address is one of 10.220.12.107/24 (dynamic, by DHCP).
Note that if I access the public IP address of that site, the same issue happens.
 
Old 10-18-2012, 01:13 PM   #13
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Right, so you can see it's being twunted by the JAY_SPOOFING table. I think it's the DROP entry in there, with 1280 hits; I think that's your man, as there doesn't seem to be any ESTABLISHED rule being encountered first. The public IP is getting dropped elsewhere.

Baaaaaasically, and please don't take this the wrong way, I would say that you've not taken the time to learn how to use this firewall script. I've no experience of it, but it looks pretty heavyweight to be dumping out all these tables. Looking at the flow, things are happening in the wrong order etc., but I expect that there's a reason for this which, given full configuration in its own GUI, would make much more sense when reading the output. Either configure it properly or stop using it, and just use a normal tool. I'm sure Slackware has one by default, and SuSE will have YaST. Or just edit the rules directly; it's really pretty easy once you've ditched all those confusing tables.

On a Red Hat server, the default list loaded by its iptables service looks like this:

Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
It's pretty simple, and you can probably see yourself what you'd need to duplicate and tweak to allow another incoming port. But as you don't even need to do that in the first place... a default firewall config like this would "just work".

Last edited by acid_kewpie; 10-18-2012 at 01:15 PM.
 
1 members found this post helpful.
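Added example, not part of the thread: a Python audit of the problem acid_kewpie points at. It parses SPOOFED log lines in the format DutchGeek posted, lists the source prefixes the JAY_SPOOFING chain drops (taken from the iptables -L -v output above), and flags any prefix that contains the address of the interface the rule is applied on, since such a rule cannot tell spoofed traffic from the local network's own replies. The eth0 address 10.220.12.76/24 is the one from the thread; the log lines are constructed (the first is a copy of the posted one, the second is made up to show the other outcome).

```python
import ipaddress
import re

# Source prefixes the JAY_SPOOFING chain logs and drops (from the thread's `iptables -L -v`, with
# iptables' symbolic names resolved: loopback/8 = 127.0.0.0/8, base-address.mcast.net/4 = 224.0.0.0/4).
JAY_SPOOFING_SOURCES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/5", "248.0.0.0/5",
    "255.255.255.255/32", "192.168.1.0/24",
)]

ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 8: "echo-request", 11: "time-exceeded"}


def parse_log_line(line):
    """Split an iptables LOG line into (prefix, {KEY: VALUE}); returns None for other kernel messages."""
    m = re.search(r"kernel: (?P<prefix>.*?)\s*(?P<kv>IN=.*)$", line)
    if not m:
        return None
    # ICMP lines carry two ID= fields (IP id, then ICMP id); keep the first so "ID" stays the IP id.
    fields = {}
    for key, value in re.findall(r"(\w+)=(\S*)", m["kv"]):
        fields.setdefault(key, value)
    return m["prefix"].strip(), fields


def describe(fields):
    proto = fields.get("PROTO", "?")
    if proto == "ICMP":
        t = int(fields.get("TYPE", -1))
        proto += " " + ICMP_TYPES.get(t, f"type {t}")
    return f"{fields['IN']}: {fields['SRC']} -> {fields['DST']} {proto}"


def audit_spoof_rules(interface_addr, blocked_sources):
    """Return the blocked source prefixes that contain the interface's own address.

    An anti-spoof drop for prefix P only makes sense on an interface that should never legitimately
    carry sources from P; if the interface itself lives in P, the rule drops the local network too."""
    iface = ipaddress.ip_interface(interface_addr)
    return [str(p) for p in blocked_sources if iface.ip in p]


def classify_hit(fields, interface_addr, blocked_sources):
    """Decide whether a logged 'SPOOFED' hit is a real bogon or a victim of a misplaced rule."""
    src = ipaddress.ip_address(fields["SRC"])
    iface = ipaddress.ip_interface(interface_addr)
    for p in blocked_sources:
        if src in p:
            if iface.ip in p:
                return f"false positive: SRC {src} matched {p}, but {iface.ip} itself is inside {p}"
            return f"bogon: SRC {src} matched {p}, which {iface.ip} should never see on this interface"
    return "not matched by any anti-spoof prefix"


# Constructed log lines: the first copies the thread's /var/log/messages entry, the second is made up.
SAMPLE_LOG = [
    "Oct 17 01:55:56 slackbox kernel: SPOOFED Packet IN=eth0 OUT= MAC=00:16:36:14:b0:e4:00:1f:0a:1f:22:19:08:00 "
    "SRC=10.220.0.25 DST=10.220.12.76 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=1334 PROTO=ICMP TYPE=0 CODE=0 ID=11111 SEQ=8",
    "Oct 17 01:56:10 slackbox kernel: SPOOFED Packet IN=eth0 OUT= MAC=00:16:36:14:b0:e4:00:1f:0a:1f:22:19:08:00 "
    "SRC=127.0.0.1 DST=10.220.12.76 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=TCP SPT=1234 DPT=80",
    "Oct 17 01:56:11 slackbox kernel: some unrelated message",
]
ETH0_ADDR = "10.220.12.76/24"     # the thread's host address on eth0 (dynamic, by DHCP)

if __name__ == "__main__":
    print("prefixes that contain eth0's own address:", audit_spoof_rules(ETH0_ADDR, JAY_SPOOFING_SOURCES))
    for line in SAMPLE_LOG:
        parsed = parse_log_line(line)
        if parsed:
            prefix, fields = parsed
            print(prefix, "|", describe(fields), "|", classify_hit(fields, ETH0_ADDR, JAY_SPOOFING_SOURCES))
```

The audit reports 10.0.0.0/8 as the prefix that swallows eth0's own address, which is why the campus server's echo replies and SYN/ACKs are logged as SPOOFED and dropped.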
Old 10-18-2012, 04:32 PM   #14
DutchGeek
Member
 
Registered: Sep 2006
Distribution: SuSE, Slackware
Posts: 55

Original Poster
Rep: Reputation: 10
Thanks for your help!

Here is what happened:
I removed the rule that would drop 10.0.0.0/8 connections, but it still didn't work. I added a rule that allows incoming RELATED,ESTABLISHED connections above port 1024 from the BB website, but still no luck.
Heck, I even disabled the firewall, and still..
So I tested the wifi in the hallway, to see if the website is up and running. It is, and with the same internal IP that I am using.

As a final resort, I plugged my ethernet cable into a different socket and voila! It seems pretty strange; not sure what to make of it.
The traceroute:
Code:
traceroute 10.220.0.25
traceroute to 10.220.0.25 (10.220.0.25), 30 hops max, 60 byte packets
 1  10.220.12.2 (10.220.12.2)  0.743 ms  1.052 ms  1.377 ms
 2  10.220.0.25 (10.220.0.25)  0.241 ms  0.256 ms  0.232 ms
Another thing: my original IP address was 10.220.12.76; in the other socket it was 10.220.12.107. I plugged back into my old socket, set the IP manually to 10.220.12.107, and it worked. Then I switched back to 10.220.12.76; it didn't work. I switched back to 10.220.12.107 and it didn't work again. So it just worked for a little while on my old socket and then stopped?!
Maybe MAC address filtering, but then it worked for a while before stopping..

Now that I have removed the rule that is responsible for dropping connections, when attempting to connect, traceroute shows more than 30 hops, although I KNOW it is one hop away..
Code:
 
traceroute 10.220.0.25
traceroute to 10.220.0.25, 30 hops max, 60 byte packets

 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
I think I need to call tech support.

Cheers
 
  

