Old 01-05-2010, 11:35 AM   #16
GrapefruiTgirl
Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 542

Sorry to barge in here, but I notice that your --clamp-mss-to-pmtu arguments are in both the *nat and *filter tables, where IIRC they do not work correctly (perhaps don't belong there); they should be in the *mangle table.

This may have nothing at all to do with your current problem, but I wanted to point it out just in case.

Sasha
 
Old 01-05-2010, 12:28 PM   #17
NiceLittleRabbit
LQ Newbie
 
Registered: Aug 2009
Posts: 21

Original Poster
Rep: Reputation: 0
--clamp-mss-to-pmtu

Hello Sasha,

I am not sure I totally grasp your comment:

1. Are you suggesting that --clamp-mss-to-pmtu does not belong in the chains I have put it in?
2. I am not using any *mangle in my script. Should I still put this portion in the *mangle chains?

Thanks in advance
 
Old 01-05-2010, 12:37 PM   #18
GrapefruiTgirl
Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 542
Hi,

Yes, you understand me correctly, but I'm not 100% on this, and as mentioned, it may well NOT be the root of your problem anyhow -- I just mentioned it because I noticed it, and had been reading about it lately.

My firewall also puts --clamp-mss-to-pmtu in the filter chain, but during research on the net about it (I got sidetracked!) I came across several mailing list threads regarding iptables; one of them is here: https://dev.openwrt.org/ticket/5890, which claims that clamping didn't actually do what it was supposed to in that case when in the *filter chain, but when moved to the *mangle chain it performed correctly.

I am still reading, and haven't yet decided if I will adjust my own firewall in this area, because I don't use the clamping anyhow, but when someone *else* uses my firewall, I want this to be correct.

Input from more experienced users on this subject would be good too.

Sasha
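As an added example (not the script attached to this thread, nor the rules from the OpenWrt ticket): the clamp rule placed where the iptables man page puts it, in the mangle table's FORWARD chain, plus a small audit over an iptables-save dump that reports which table each clamp rule actually sits in. The variables $IPTABLES and $EXTIF are assumed script conventions, and the dump is constructed.

```sh
#!/bin/sh
# Added example, not the script attached to the thread.
# Assumptions: $IPTABLES and $EXTIF are the usual script variables;
# set IPTABLES=echo to see the commands without being root.
IPTABLES=${IPTABLES:-iptables}
EXTIF=${EXTIF:-eth0}

# MSS clamping where the iptables man page places it: mangle table,
# FORWARD chain, matching only TCP SYN packets leaving the external interface.
mss_clamp_rules() {
    "$IPTABLES" -t mangle -A FORWARD -o "$EXTIF" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
}

# Audit an iptables-save dump read on stdin: print the table each
# --clamp-mss-to-pmtu rule lives in, so a clamp in *nat or *filter stands out.
clamp_tables() {
    awk '/^\*/ { table = substr($1, 2) }
         /--clamp-mss-to-pmtu/ { print table }' | sort -u
}

# Constructed dump (not a real capture) mirroring the situation in the thread:
# the clamp is in nat and filter, nothing in mangle.
SAMPLE_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
'

# Prints "filter" and "nat" for the sample dump; "mangle" never appears.
printf '%s' "$SAMPLE_DUMP" | clamp_tables
```

On a live box, `iptables-save | clamp_tables` answers the same question for the running rule set.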
 
Old 01-05-2010, 02:32 PM   #19
NiceLittleRabbit
LQ Newbie
 
Registered: Aug 2009
Posts: 21

Original Poster
Rep: Reputation: 0
The full IPTABLES script

Hello there,

Thank you Sasha, I have read the link you posted and have therefore removed the --clamp-mss-to-pmtu from the INPUT, OUTPUT and FORWARD chains. However, it did not solve my issue.

I attach my full script in case the error is somewhere else in the script ...

The script has been largely inspired by http://www.nbs-system.com/dossiers/howto-iptables.html

Thank you in advance for any help
Attached Files
File Type: txt script_firewall.txt (15.1 KB, 6 views)
 
Old 01-05-2010, 11:38 PM   #20
jeff_k
Member
 
Registered: Jan 2008
Location: San Diego, CA USA
Distribution: Debian / Ubuntu
Posts: 51

Rep: Reputation: 17
NiceLittleRabbit, a lot of rules there... but I could not find one to ACCEPT port 80 INPUTs... is it there somewhere?
 
Old 01-06-2010, 12:01 AM   #21
NiceLittleRabbit
LQ Newbie
 
Registered: Aug 2009
Posts: 21

Original Poster
Rep: Reputation: 0
Accept INPUT http rule

Hello Jeff_K,

First of all, I envy you for living in such a marvelous city as San Diego ...

Indeed, there is one rule that accepts http from the internal network:

Quote:
$IPTABLES -A CHECK_INPUT_TRAFFIC -i $INTIF -m iprange --src-range $INTIPRANGE2 -p tcp --dport $http -j ACCEPT

However, as you point out, none accepts http from the Internet.

My reasoning has been as follows:

1. The server accepts OUTPUT http
2. The server accepts INPUT and OUTPUT ESTABLISHED and RELATED communications
3. Therefore, the server accepts http communications originating from the server

Is there an error in the reasoning?

Thanks in advance
 
Old 01-06-2010, 12:13 AM   #22
jeff_k
Member
 
Registered: Jan 2008
Location: San Diego, CA USA
Distribution: Debian / Ubuntu
Posts: 51

Rep: Reputation: 17
Sounds reasonable.
And yes, it's a good time of year to be here. I took any excuse I could today to go outside to take a walk.
Sorry to not be more help, I'll keep looking as time permits, given you're still shut down.
 
Old 01-06-2010, 12:24 AM   #23
jeff_k
Member
 
Registered: Jan 2008
Location: San Diego, CA USA
Distribution: Debian / Ubuntu
Posts: 51

Rep: Reputation: 17
NiceLittleRabbit, have you tried temporarily allowing all outbound traffic to confirm that the problem is in your iptables outbound rules?
Sometimes these problems can be more elementary than you expect... that might be an easy debugging check.
 
Old 01-06-2010, 11:29 AM   #24
javaroast
Member
 
Registered: Apr 2005
Posts: 130

Rep: Reputation: 18
I've been trying to catch up on this and I'm not quite there, but to browse the web from the server you have to accept NEW on OUTPUT for http. When you fire up your browser on the server and you go to, say, google.com, that is a NEW connection on output to port 80.

You do have some logging going on, so the obvious question is: did you check the logs for port 80 drops? You can always add logging targets to your CHECK_OUTPUT_TRAFFIC and OUTPUT chains so that the drops will be logged. With a good description in the log-prefix you should be able to narrow down which chain is dropping the traffic.
 
1 members found this post helpful.
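As an added example (not the poster's attached script), the rules javaroast describes: NEW outbound HTTP accepted, ESTABLISHED/RELATED accepted both ways, and rate-limited LOG targets with a chain-specific prefix at the end of CHECK_OUTPUT_TRAFFIC and OUTPUT, followed by a summary over kernel log lines that shows which prefix is dropping port 80. The chain names come from the thread; $IPTABLES and the use of `-m state` are assumptions, and the log lines are constructed.

```sh
#!/bin/sh
# Added example, not the script attached to the thread.
# Assumptions: chains CHECK_OUTPUT_TRAFFIC and OUTPUT exist as in the thread,
# $IPTABLES is the usual script variable; set IPTABLES=echo to dry-run.
IPTABLES=${IPTABLES:-iptables}
http=80

# Allow NEW outbound HTTP (a browser on the server opening a connection) and
# established/related traffic both ways. Anything reaching the end of a chain
# is logged (rate limited) with a prefix naming that chain, before the DROP policy.
outbound_http_rules() {
    "$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A CHECK_OUTPUT_TRAFFIC -p tcp --dport "$http" -m state --state NEW -j ACCEPT
    "$IPTABLES" -A CHECK_OUTPUT_TRAFFIC -m limit --limit 5/min -j LOG --log-prefix "CHECK_OUTPUT DROP: "
    "$IPTABLES" -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT DROP: "
}

# Summarise kernel LOG lines read on stdin: "<count> <prefix> dpt=<port>",
# most frequent first, so the chain dropping port 80 stands out.
drop_summary() {
    awk 'match($0, /kernel: [A-Z_]+ DROP: /) {
             prefix = substr($0, RSTART + 8, RLENGTH - 15)
             dpt = "-"
             for (i = 1; i <= NF; i++) if ($i ~ /^DPT=/) dpt = substr($i, 5)
             count[prefix " dpt=" dpt]++
         }
         END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# Constructed sample log lines (not real captures) in the kernel LOG format.
SAMPLE_LOG='Jan  6 11:29:01 gw kernel: CHECK_OUTPUT DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=43210 DPT=80 SYN
Jan  6 11:29:02 gw kernel: CHECK_OUTPUT DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.6 PROTO=TCP SPT=43211 DPT=80 SYN
Jan  6 11:29:05 gw kernel: OUTPUT DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=UDP SPT=5353 DPT=5353
'

# First line for the sample: "2 CHECK_OUTPUT dpt=80"
printf '%s' "$SAMPLE_LOG" | drop_summary
```

On a real system, `grep 'DROP: ' /var/log/kern.log | drop_summary` gives the same breakdown for the live rules.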