LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Old 08-24-2009, 10:09 AM   #1
bernbe01
LQ Newbie
 
Registered: May 2006
Location: brunswick, maine
Distribution: slackware
Posts: 14

Rep: Reputation: 0
mystery routing issue feels like firewall problem


I have a server with two NICs:

eth1=public
eth0=private

dnsmasq is serving DHCP leases on eth0; clients correctly receive their address and can do nslookups

samba is running on eth0 only; clients can access public and private shares OK

all local traffic I have tested succeeds (http, ping, smb, etc.)

all ICMP, ARP and DNS lookups to public machines outside of the network succeed

LAN-client machines can load their company homepage (I didn't make any explicit rules for this) from the public web

LAN-client HTTP and HTTPS to all other websites just hangs (no timeout, no error)

when on the router I can load web pages through links/lynx

when not at this physical location, and behind another firewall/router, this server routes http perfectly --> but each time we bring it to the client's property for testing it fails.

the firewall I am using is in use in many places for us (runs our network too) and is as below:


# Start from a clean slate: flush every rule in the filter and nat tables
# and delete user-defined chains (built-in chain policies are left as they are)
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

# Set up IP FORWARDing and Masquerading
# rewrite the source of packets leaving via the public NIC to its address,
# and let anything arriving on the private NIC be forwarded
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT

# enable routing between the interfaces in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

a Linksys router works fine with the other hardware in place, a Cisco router also works fine, the modem (I don't know the model) has four WAN ports on it and the fire-system is also plugged into it

EDIT: I would appreciate any advice on where I may have a misconfiguration, or places I should check for problems

I also should mention that this box has webmin on it for the client's samba management and that the ISP at their property is Time Warner (our testing location is Comcast)

Last edited by bernbe01; 08-24-2009 at 10:22 AM. Reason: forgot to ask for help
 
Old 08-24-2009, 11:10 AM   #2
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092
Blog Entries: 1

Rep: Reputation: 90
What is the output of

iptables -L -nv
iptables -t nat -L -nv

?
 
Old 08-24-2009, 11:54 AM   #3
bernbe01
LQ Newbie
 
Registered: May 2006
Location: brunswick, maine
Distribution: slackware
Posts: 14

Original Poster
Rep: Reputation: 0
Thanks for even attempting to help. Here's the output:

EDIT: I lost access to the machine before I could run these commands. I think the client moved it behind their backup firewall until I get onsite to fix this.... I could run them on a similar box if that would help, but prob it won't

Last edited by bernbe01; 08-24-2009 at 11:58 AM. Reason: deleted reply because i lost access to machine before finished post
 
Old 08-24-2009, 12:13 PM   #4
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092
Blog Entries: 1

Rep: Reputation: 90
Well, here's my guess. You have (probably) a policy of DROP on FORWARD. You set a rule on iptables to let the packets going from your LAN to WAN to pass through but then there's no rule to allow the packets that come back to go through the FW.

If the policy _is_ set to DROP, add something like:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

That should do.
 
Old 08-24-2009, 12:19 PM   #5
bernbe01
LQ Newbie
 
Registered: May 2006
Location: brunswick, maine
Distribution: slackware
Posts: 14

Original Poster
Rep: Reputation: 0
That would make sense. I'll check that ASAP and let you know. Thanks for the input.

Is it just dumb luck that my firewall works on some ISPs and not on others, or is that even possible?
 
Old 08-24-2009, 02:17 PM   #6
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092
Blog Entries: 1

Rep: Reputation: 90
Luck? I don't think so.... I mean, words like that fit in a Windows-based environment (I have a saying that goes: Windows = Esoterism, GNU/Linux = determinism). There has to be a reason why it doesn't work.
 
Old 08-28-2009, 08:35 AM   #7
bernbe01
LQ Newbie
 
Registered: May 2006
Location: brunswick, maine
Distribution: slackware
Posts: 14

Original Poster
Rep: Reputation: 0
# iptables -L -nv
Chain INPUT (policy ACCEPT 17301 packets, 2180K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 36 packets, 3495 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 7441 packets, 834K bytes)
pkts bytes target prot opt in out source destination



# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 2869 packets, 439K bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 1059 packets, 116K bytes)
pkts bytes target prot opt in out source destination
2 180 MASQUERADE all -- * eth1 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1107 packets, 120K bytes)
pkts bytes target prot opt in out source destination



is this as expected?
 
Old 08-28-2009, 08:54 AM   #8
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092
Blog Entries: 1

Rep: Reputation: 90
Well, well.... it doesn't look like a firewall problem. Everything is set to "ACCEPT", so netfilter is not filtering anything right now. I think a sniffer run (tshark, wireshark, even tcpdump) is highly desirable. Have fun!
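Added example, not from the thread or from either poster: a small audit script that parses `iptables -L -nv` output and applies the reasoning of replies #4 and #8 to the FORWARD chain. It is fed the listing from reply #7 plus two constructed variants (a DROP policy, and the DROP policy with the rule reply #4 suggests); the LAN interface name `eth0` is an assumption taken from the first post.

```python
"""Audit the FORWARD chain of an `iptables -L -nv` listing (replies #4 and #8).

DROP policy + only a LAN->WAN ACCEPT: replies never get back without an
ESTABLISHED,RELATED rule. ACCEPT policy + no DROP/REJECT: not filtering at all.
"""
import re

# Constructed from the `iptables -L -nv` output posted in reply #7.
SAMPLE = """\
Chain INPUT (policy ACCEPT 17301 packets, 2180K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 36 packets, 3495 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 7441 packets, 834K bytes)
pkts bytes target prot opt in out source destination
"""
# Constructed variants: same chain with a DROP policy, then with the fix from reply #4.
DROP_SAMPLE = SAMPLE.replace("FORWARD (policy ACCEPT", "FORWARD (policy DROP")
FIXED_SAMPLE = DROP_SAMPLE.replace(
    "0.0.0.0/0 0.0.0.0/0\n",
    "0.0.0.0/0 0.0.0.0/0\n0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED\n", 1)

# Built-in chains print "(policy X ...)", user-defined chains "(N references)".
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")

def parse_chains(text):
    """Return {chain: {"policy": str|None, "rules": [dict]}} for one table listing."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or not line.strip() or line.startswith("pkts"):
            continue
        f = line.split()
        # -L -nv columns: pkts bytes target prot opt in out source destination [match text]
        chains[current]["rules"].append({
            "target": f[2], "prot": f[3], "in": f[5], "out": f[6],
            "src": f[7], "dst": f[8], "extra": " ".join(f[9:])})
    return chains

def audit_forward(chains, lan="eth0"):
    """Classify the FORWARD chain the way replies #4 and #8 reason about it."""
    fwd = chains["FORWARD"]
    accepts = [r for r in fwd["rules"] if r["target"] == "ACCEPT"]
    lan_to_wan = any(r["in"] == lan for r in accepts)
    stateful = any("ESTABLISHED" in r["extra"] for r in accepts)
    blocking = any(r["target"] in ("DROP", "REJECT") for r in fwd["rules"])
    if fwd["policy"] == "ACCEPT" and not blocking:
        return "not-filtering"          # reply #8: look beyond netfilter
    if fwd["policy"] == "DROP" and lan_to_wan and not stateful:
        return "drops-return-traffic"   # reply #4: add the ESTABLISHED,RELATED rule
    if fwd["policy"] == "DROP" and lan_to_wan and stateful:
        return "stateful-ok"
    return "review-manually"
```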
 
Old 08-28-2009, 09:48 AM   #9
bernbe01
LQ Newbie
 
Registered: May 2006
Location: brunswick, maine
Distribution: slackware
Posts: 14

Original Poster
Rep: Reputation: 0
from client interface:
# tcpdump -i eth0 'port 80'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:47:17.562902 IP 192.168.1.5.33392 > gw-in-f100.google.com.http: Flags [S], seq 1938104511, win 5840, options [mss 1460,sackOK,TS val 4952229 ecr 0,nop,wscale 6], length 0
10:47:17.623667 IP gw-in-f100.google.com.http > 192.168.1.5.33392: Flags [S.], seq 1415809077, ack 1938104512, win 5672, options [mss 1430,sackOK,TS val 4042873563 ecr 4952229,nop,wscale 6], length 0
10:47:17.623731 IP 192.168.1.5.33392 > gw-in-f100.google.com.http: Flags [.], ack 1, win 92, options [nop,nop,TS val 4952290 ecr 4042873563], length 0
10:47:17.626311 IP 192.168.1.5.33392 > gw-in-f100.google.com.http: Flags [.], ack 1, win 92, options [nop,nop,TS val 4952293 ecr 4042873563], length 524
10:47:17.626334 IP 192.168.1.5.33392 > gw-in-f100.google.com.http: Flags [P.], ack 1, win 92, options [nop,nop,TS val 4952293 ecr 4042873563], length 68
10:47:17.690812 IP gw-in-f100.google.com.http > 192.168.1.5.33392: Flags [.], ack 525, win 106, options [nop,nop,TS val 4042873630 ecr 4952293], length 0
10:47:17.690942 IP gw-in-f100.google.com.http > 192.168.1.5.33392: Flags [.], ack 593, win 106, options [nop,nop,TS val 4042873630 ecr 4952293], length 0
10:47:17.694781 IP gw-in-f100.google.com.http > 192.168.1.5.33392: Flags [P.], ack 593, win 106, options [nop,nop,TS val 4042873634 ecr 4952293], length 478
10:47:17.694825 IP 192.168.1.5.33392 > gw-in-f100.google.com.http: Flags [.], ack 479, win 108, options [nop,nop,TS val 4952361 ecr 4042873634], length 0
10:47:17.728750 IP 192.168.1.5.59493 > yo-in-f104.google.com.http: Flags [S], seq 1954726409, win 5840, options [mss 1460,sackOK,TS val 4952395 ecr 0,nop,wscale 6], length 0
10:47:17.782851 IP yo-in-f104.google.com.http > 192.168.1.5.59493: Flags [S.], seq 428526385, ack 1954726410, win 5672, options [mss 1430,sackOK,TS val 1178097641 ecr 4952395,nop,wscale 6], length 0
10:47:17.782931 IP 192.168.1.5.59493 > yo-in-f104.google.com.http: Flags [.], ack 1, win 92, options [nop,nop,TS val 4952449 ecr 1178097641], length 0
10:47:17.784289 IP 192.168.1.5.59493 > yo-in-f104.google.com.http: Flags [P.], ack 1, win 92, options [nop,nop,TS val 4952451 ecr 1178097641], length 596
10:47:17.784564 IP 192.168.1.5.59493 > yo-in-f104.google.com.http: Flags [.], ack 1, win 92, options [nop,nop,TS val 4952451 ecr 1178097641], length 524
10:47:17.784589 IP 192.168.1.5.59493 > yo-in-f104.google.com.http: Flags [P.], ack 1, win 92, options [nop,nop,TS val 4952451 ecr 1178097641], length 72
10:47:17.839500 IP yo-in-f104.google.com.http > 192.168.1.5.59493: Flags [.], ack 525, win 106, options [nop,nop,TS val 1178097698 ecr 4952451], length 0
10:47:17.839928 IP yo-in-f104.google.com.http > 192.168.1.5.59493: Flags [.], ack 597, win 106, options [nop,nop,TS val 1178097698 ecr 4952451], length 0
10:47:17.849555 IP yo-in-f104.google.com.http > 192.168.1.5.59493: Flags [P.], ack 597, win 106, options [nop,nop,TS val 1178097705 ecr 4952451], length 174
10:47:17.849607 IP 192.168.1.5.59493 > yo-in-f104.google.com.http: Flags [.], ack 1, win 92, options [nop,nop,TS val 4952516 ecr 1178097698,nop,nop,sack 1 {4255:4429}], length 0

from router internal interface:
# tcpdump -i eth0 'port 80'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:47:37.622051 IP 192.168.1.5.33392 > gw-in-f100.google.com.http: Flags [S], seq 1938104511, win 5840, options [mss 1460,sackOK,TS val 4952229 ecr 0,nop,wscale 6], length 0
10:47:37.682711 IP gw-in-f100.google.com.http > 192.168.1.5.33392: Flags [S.], seq 1415809077, ack 1938104512, win 5672, options [mss 1430,sackOK,TS val 4042873563 ecr 4952229,nop,wscale 6], length 0
10:47:37.682875 IP 192.168.1.5.33392 > gw-in-f100.google.com.http: Flags [.], ack 1, win 92, options [nop,nop,TS val 4952290 ecr 4042873563], length 0
10:47:37.685518 IP 192.168.1.5.33392 > gw-in-f100.google.com.http: Flags [.], ack 1, win 92, options [nop,nop,TS val 4952293 ecr 4042873563], length 524
10:47:37.685527 IP 192.168.1.5.33392 > gw-in-f100.google.com.http: Flags [P.], ack 1, win 92, options [nop,nop,TS val 4952293 ecr 4042873563], length 68
10:47:37.749854 IP gw-in-f100.google.com.http > 192.168.1.5.33392: Flags [.], ack 525, win 106, options [nop,nop,TS val 4042873630 ecr 4952293], length 0
10:47:37.749961 IP gw-in-f100.google.com.http > 192.168.1.5.33392: Flags [.], ack 593, win 106, options [nop,nop,TS val 4042873630 ecr 4952293], length 0
10:47:37.753784 IP gw-in-f100.google.com.http > 192.168.1.5.33392: Flags [P.], ack 593, win 106, options [nop,nop,TS val 4042873634 ecr 4952293], length 478
10:47:37.753972 IP 192.168.1.5.33392 > gw-in-f100.google.com.http: Flags [.], ack 479, win 108, options [nop,nop,TS val 4952361 ecr 4042873634], length 0
10:47:37.787908 IP 192.168.1.5.59493 > yo-in-f104.google.com.http: Flags [S], seq 1954726409, win 5840, options [mss 1460,sackOK,TS val 4952395 ecr 0,nop,wscale 6], length 0
10:47:37.841910 IP yo-in-f104.google.com.http > 192.168.1.5.59493: Flags [S.], seq 428526385, ack 1954726410, win 5672, options [mss 1430,sackOK,TS val 1178097641 ecr 4952395,nop,wscale 6], length 0
10:47:37.842091 IP 192.168.1.5.59493 > yo-in-f104.google.com.http: Flags [.], ack 1, win 92, options [nop,nop,TS val 4952449 ecr 1178097641], length 0
10:47:37.843515 IP 192.168.1.5.59493 > yo-in-f104.google.com.http: Flags [P.], ack 1, win 92, options [nop,nop,TS val 4952451 ecr 1178097641], length 596
10:47:37.843794 IP 192.168.1.5.59493 > yo-in-f104.google.com.http: Flags [.], ack 1, win 92, options [nop,nop,TS val 4952451 ecr 1178097641], length 524
10:47:37.843802 IP 192.168.1.5.59493 > yo-in-f104.google.com.http: Flags [P.], ack 1, win 92, options [nop,nop,TS val 4952451 ecr 1178097641], length 72
10:47:37.898565 IP yo-in-f104.google.com.http > 192.168.1.5.59493: Flags [.], ack 525, win 106, options [nop,nop,TS val 1178097698 ecr 4952451], length 0
10:47:37.898672 IP yo-in-f104.google.com.http > 192.168.1.5.59493: Flags [.], ack 597, win 106, options [nop,nop,TS val 1178097698 ecr 4952451], length 0
10:47:37.908604 IP yo-in-f104.google.com.http > 192.168.1.5.59493: Flags [P.], ack 597, win 106, options [nop,nop,TS val 1178097705 ecr 4952451], length 174
10:47:37.908775 IP 192.168.1.5.59493 > yo-in-f104.google.com.http: Flags [.], ack 1, win 92, options [nop,nop,TS val 4952516 ecr 1178097698,nop,nop,sack 1 {4255:4429}], length 0

from router public interface:
# tcpdump -i eth1 'port 80'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
10:47:37.622062 IP rrcs-208-105-173-89.nys.biz.rr.com.33392 > gw-in-f100.google.com.http: Flags [S], seq 1938104511, win 5840, options [mss 1460,sackOK,TS val 4952229 ecr 0,nop,wscale 6], length 0
10:47:37.682705 IP gw-in-f100.google.com.http > rrcs-208-105-173-89.nys.biz.rr.com.33392: Flags [S.], seq 1415809077, ack 1938104512, win 5672, options [mss 1430,sackOK,TS val 4042873563 ecr 4952229,nop,wscale 6], length 0
10:47:37.682881 IP rrcs-208-105-173-89.nys.biz.rr.com.33392 > gw-in-f100.google.com.http: Flags [.], ack 1, win 92, options [nop,nop,TS val 4952290 ecr 4042873563], length 0
10:47:37.685524 IP rrcs-208-105-173-89.nys.biz.rr.com.33392 > gw-in-f100.google.com.http: Flags [.], ack 1, win 92, options [nop,nop,TS val 4952293 ecr 4042873563], length 524
10:47:37.685530 IP rrcs-208-105-173-89.nys.biz.rr.com.33392 > gw-in-f100.google.com.http: Flags [P.], ack 1, win 92, options [nop,nop,TS val 4952293 ecr 4042873563], length 68
10:47:37.749849 IP gw-in-f100.google.com.http > rrcs-208-105-173-89.nys.biz.rr.com.33392: Flags [.], ack 525, win 106, options [nop,nop,TS val 4042873630 ecr 4952293], length 0
10:47:37.749957 IP gw-in-f100.google.com.http > rrcs-208-105-173-89.nys.biz.rr.com.33392: Flags [.], ack 593, win 106, options [nop,nop,TS val 4042873630 ecr 4952293], length 0
10:47:37.753779 IP gw-in-f100.google.com.http > rrcs-208-105-173-89.nys.biz.rr.com.33392: Flags [P.], ack 593, win 106, options [nop,nop,TS val 4042873634 ecr 4952293], length 478
10:47:37.753978 IP rrcs-208-105-173-89.nys.biz.rr.com.33392 > gw-in-f100.google.com.http: Flags [.], ack 479, win 108, options [nop,nop,TS val 4952361 ecr 4042873634], length 0
10:47:37.787921 IP rrcs-208-105-173-89.nys.biz.rr.com.59493 > yo-in-f104.google.com.http: Flags [S], seq 1954726409, win 5840, options [mss 1460,sackOK,TS val 4952395 ecr 0,nop,wscale 6], length 0
10:47:37.841901 IP yo-in-f104.google.com.http > rrcs-208-105-173-89.nys.biz.rr.com.59493: Flags [S.], seq 428526385, ack 1954726410, win 5672, options [mss 1430,sackOK,TS val 1178097641 ecr 4952395,nop,wscale 6], length 0
10:47:37.842097 IP rrcs-208-105-173-89.nys.biz.rr.com.59493 > yo-in-f104.google.com.http: Flags [.], ack 1, win 92, options [nop,nop,TS val 4952449 ecr 1178097641], length 0
10:47:37.843799 IP rrcs-208-105-173-89.nys.biz.rr.com.59493 > yo-in-f104.google.com.http: Flags [.], ack 1, win 92, options [nop,nop,TS val 4952451 ecr 1178097641], length 524
10:47:37.843806 IP rrcs-208-105-173-89.nys.biz.rr.com.59493 > yo-in-f104.google.com.http: Flags [P.], ack 1, win 92, options [nop,nop,TS val 4952451 ecr 1178097641], length 72
10:47:37.898560 IP yo-in-f104.google.com.http > rrcs-208-105-173-89.nys.biz.rr.com.59493: Flags [.], ack 525, win 106, options [nop,nop,TS val 1178097698 ecr 4952451], length 0
10:47:37.898668 IP yo-in-f104.google.com.http > rrcs-208-105-173-89.nys.biz.rr.com.59493: Flags [.], ack 597, win 106, options [nop,nop,TS val 1178097698 ecr 4952451], length 0
10:47:37.908598 IP yo-in-f104.google.com.http > rrcs-208-105-173-89.nys.biz.rr.com.59493: Flags [P.], ack 597, win 106, options [nop,nop,TS val 1178097705 ecr 4952451], length 174
10:47:37.908781 IP rrcs-208-105-173-89.nys.biz.rr.com.59493 > yo-in-f104.google.com.http: Flags [.], ack 1, win 92, options [nop,nop,TS val 4952516 ecr 1178097698,nop,nop,sack 1 {4255:4429}], length 0
10:48:37.767060 IP rrcs-208-105-173-89.nys.biz.rr.com.33392 > gw-in-f100.google.com.http: Flags [F.], seq 593, ack 479, win 108, options [nop,nop,TS val 5012369 ecr 4042873634], length 0
10:48:37.828403 IP gw-in-f100.google.com.http > rrcs-208-105-173-89.nys.biz.rr.com.33392: Flags [F.], seq 479, ack 594, win 106, options [nop,nop,TS val 4042933698 ecr 5012369], length 0
10:48:37.828580 IP rrcs-208-105-173-89.nys.biz.rr.com.33392 > gw-in-f100.google.com.http: Flags [.], ack 480, win 108, options [nop,nop,TS val 5012430 ecr 4042933698], length 0
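Added example, not from the thread: a correlator for the captures in reply #9. MASQUERADE changes the source address seen on eth1 but leaves TCP sequence numbers alone, so the client's SYN sequence number pairs the same flow on both sides of the router and lets you check that the handshake and the server's reply bytes actually crossed back to the LAN. The sample lines are trimmed from the first flow in reply #9, and the regular expression assumes the tcpdump line format shown there.

```python
"""Pair a TCP flow across the eth0 and eth1 captures in reply #9: MASQUERADE rewrites
the source address but not TCP sequence numbers, so the client's SYN seq identifies
the same flow on both sides of the router."""
import re
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>[^.\s]+) > (?P<dst>\S+)\.(?P<dport>[^.\s:]+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+))?.*length (?P<len>\d+)$")
# Constructed by trimming the first flow of reply #9 (eth0 capture, then eth1 capture).
INSIDE = """\
10:47:37.622051 IP 192.168.1.5.33392 > gw-in-f100.google.com.http: Flags [S], seq 1938104511, win 5840, length 0
10:47:37.682711 IP gw-in-f100.google.com.http > 192.168.1.5.33392: Flags [S.], seq 1415809077, ack 1938104512, win 5672, length 0
10:47:37.685518 IP 192.168.1.5.33392 > gw-in-f100.google.com.http: Flags [.], ack 1, win 92, length 524
10:47:37.753784 IP gw-in-f100.google.com.http > 192.168.1.5.33392: Flags [P.], ack 593, win 106, length 478
"""
OUTSIDE = """\
10:47:37.622062 IP rrcs-208-105-173-89.nys.biz.rr.com.33392 > gw-in-f100.google.com.http: Flags [S], seq 1938104511, win 5840, length 0
10:47:37.682705 IP gw-in-f100.google.com.http > rrcs-208-105-173-89.nys.biz.rr.com.33392: Flags [S.], seq 1415809077, ack 1938104512, win 5672, length 0
10:47:37.685524 IP rrcs-208-105-173-89.nys.biz.rr.com.33392 > gw-in-f100.google.com.http: Flags [.], ack 1, win 92, length 524
10:47:37.753779 IP gw-in-f100.google.com.http > rrcs-208-105-173-89.nys.biz.rr.com.33392: Flags [P.], ack 593, win 106, length 478
"""

def flows(capture):
    """Group packets by the client SYN's seq; count payload bytes in each direction."""
    by_syn, client_side = {}, {}      # client_side: (client port, server host) -> SYN seq
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m: continue            # skip tcpdump banner lines
        p = m.groupdict()
        if p["flags"] == "S":         # a bare SYN opens a new flow
            key = int(p["seq"])
            client_side[(p["sport"], p["dst"])] = key
            by_syn[key] = {"src": p["src"], "sport": p["sport"], "dst": p["dst"],
                           "syn_ack": False, "bytes_out": 0, "bytes_in": 0}
            continue
        if (p["sport"], p["dst"]) in client_side:        # client -> server
            key, outbound = client_side[(p["sport"], p["dst"])], True
        elif (p["dport"], p["src"]) in client_side:      # server -> client
            key, outbound = client_side[(p["dport"], p["src"])], False
        else:
            continue
        f = by_syn[key]
        f["syn_ack"] = f["syn_ack"] or (p["flags"] == "S." and not outbound)
        f["bytes_out" if outbound else "bytes_in"] += int(p["len"])
    return by_syn

def correlate(inside, outside):
    """For each flow seen on both interfaces, report what the router did with it."""
    a, b = flows(inside), flows(outside)
    report = {}
    for key in a.keys() & b.keys():
        fi, fo = a[key], b[key]
        report[key] = {
            "lan_src": fi["src"], "wan_src": fo["src"],
            "translated": fi["src"] != fo["src"] and fi["sport"] == fo["sport"],
            "handshake_both_sides": fi["syn_ack"] and fo["syn_ack"],
            "reply_bytes_reached_lan": fo["bytes_in"] > 0 and fi["bytes_in"] == fo["bytes_in"],
        }
    return report
```

A flow that appears in the eth1 report with reply bytes but never reaches the same byte count on eth0 would point at the router itself; here, as in the captures above, both sides agree.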
 
Old 08-28-2009, 10:03 AM   #10
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092
Blog Entries: 1

Rep: Reputation: 90
But you have traffic going forth and back. Do you have problems there?
 
Old 08-28-2009, 10:04 AM   #11
bernbe01
LQ Newbie
 
Registered: May 2006
Location: brunswick, maine
Distribution: slackware
Posts: 14

Original Poster
Rep: Reputation: 0
Just for the sake of checking things I called the ISP and they said that traffic off the box looks OK and that they are not blocking anything.


another possibly helpful command:

# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
208.105.172.0 0.0.0.0 255.255.254.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 208.105.172.1 0.0.0.0 UG 0 0 0 eth1



any thoughts?
 
Old 08-28-2009, 10:05 AM   #12
bernbe01
LQ Newbie
 
Registered: May 2006
Location: brunswick, maine
Distribution: slackware
Posts: 14

Original Poster
Rep: Reputation: 0
Yes, I do have issues: all webpages time out without loading for all clients (Windows 98, XP, Linux) but from the router they load fine.
 
Old 08-28-2009, 10:09 AM   #13
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092
Blog Entries: 1

Rep: Reputation: 90
From a linux client try this on the terminal:

(echo "GET http://www.yahoo.com HTTP/1.0"; echo; ) | netcat www.yahoo.com 80

What is the output?
 
Old 08-28-2009, 10:19 AM   #14
bernbe01
LQ Newbie
 
Registered: May 2006
Location: brunswick, maine
Distribution: slackware
Posts: 14

Original Poster
Rep: Reputation: 0
I don't have netcat on this machine currently. Is there anything else I can do? I'll get it installed soon. Thanks for the lead.
 
Old 08-28-2009, 10:31 AM   #15
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092
Blog Entries: 1

Rep: Reputation: 90
Though with netcat it's just a copy/paste, you can do it with telnet

telnet www.yahoo.com 80

Once inside, write a line that says
GET http://www.yahoo.com HTTP/1.0

Then an empty line.... and there should be a lot of output from the web server. IF there is output coming from the web server, you can forget about a problem with networking (if you ask me).

Last edited by eantoranz; 08-28-2009 at 10:32 AM. Reason: small correction
 