LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 05-05-2005, 09:08 AM   #1
the_cranky_don
LQ Newbie
 
Registered: Sep 2004
Location: Australia
Posts: 22

Rep: Reputation: 15
no http - can't surf


I have set up a Slackware 9.0 box as a router/firewall.
eth0 (10.0.0.1 static) is connected to an ADSL router (10.0.0.138)
eth1 (192.168.1.1 static) is connected to a switch to provide the rest of the LAN (WinXP machines) with 'net access.
I have a dhcp server running on eth1 giving 192.168.1.x addresses to the LAN
I have setup shorewall as the firewall
I can access the linux box webmin on 192.168.1.1 (or 10.0.0.1) from the LAN
I can ping all addresses on the network from the LAN (192.168.1.1 10.0.0.1 10.0.0.138)

I can ping 'net hosts (www.google.com etc)
I can telnet ok (telnet'ed to the router)
I can ftp net hosts (ftp.cdrom.com ftp.mcom.com)
I cannot access any web pages. When requesting a page from WinXP machines on the LAN, the host is resolved then the browser stays on 'connecting to www.google.com...' then times out.

I have used a packet sniffer on the XP machine and can see packets going in and out when using ftp. When trying a webpage I only see packets going out, none coming in.
I tried lynx from the linux box but it sits there with no progress as well. I have no gui on the linux box so I cannot use a graphical browser.

It does this if the firewall is running or not.

From the above I have concluded that:
a) the box is routing OK.

b) the box is resolving or forwarding resolving requests OK
c) the box is forwarding most packets OK
d) the box is not forwarding or is blocking http packets
e) I am at a loss

Any suggestions?
Need any clarification or results of diagnostic commands?

Thanks,
Don =)

 
Old 05-05-2005, 09:32 AM   #2
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
To eliminate the firewall:
Code:
# Shorewall leaves the built-in chains with policy DROP, so flushing alone would drop everything
iptables -P INPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -P OUTPUT ACCEPT
iptables -F; iptables -t nat -F
# -o takes an interface name (eth0 carries 10.0.0.1), not an IP address
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Then see if you can get http working. If so, look at shorewall and adjust the firewall rules.

If not then post the results of running iptables -L *before* you run the commands above, such as right after a reboot or after re-running the firewall script.

In lynx, are you sure it has no progress, or is it waiting for confirmation on something like cookies? You can also use telnet to get to a web server, just telnet to port 80 with:
Code:
telnet www.somesite.com 80
and if it connects you can blindly hold shift, or caps lock, and type GET and press return which will dump some HTML code onto your screen and exit to the shell prompt.
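The port-80 check Darin describes (telnet to the server, then a bare GET), as an added example that is not part of the thread: a Python probe that opens the TCP connection, sends a one-line HTTP/1.0 request and classifies the outcome the way the original poster's sniffer traces suggested. A refused connection means the host answered with a reset (nothing listening, or a firewall REJECT); a connect that times out with no reply at all is the DROP-or-routing case the original poster saw. The local web server and the closed port used at the bottom are constructed so the script runs offline.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_http(host, port=80, timeout=5.0):
    """Connect to host:port and send a minimal HTTP/1.0 request, which is
    what 'telnet host 80' followed by GET does by hand.

    Returns (status, detail) where status is one of:
      'open'     - connection accepted and a reply came back
      'silent'   - connection accepted but the server sent nothing
      'refused'  - TCP RST: the host answered, but nothing listens there
                   (or a firewall REJECTs the port)
      'filtered' - no SYN/ACK before the timeout: the SYN or its answer is
                   being dropped (firewall DROP, or a routing problem)
      'error'    - any other socket failure, e.g. name resolution
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", "TCP RST received: host reachable, port closed or REJECTed"
    except socket.timeout:
        return "filtered", "no reply before timeout: packets dropped in transit"
    except OSError as exc:
        return "error", str(exc)

    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    chunks = []
    with sock:
        sock.sendall(request)
        try:
            while True:
                data = sock.recv(4096)
                if not data:          # HTTP/1.0 server closes after its reply
                    break
                chunks.append(data)
        except socket.timeout:
            pass                      # connection is up; keep what arrived
    if not chunks:
        return "silent", "TCP connected but the server sent nothing"
    status_line = b"".join(chunks).split(b"\r\n", 1)[0].decode(errors="replace")
    return "open", status_line


class _Handler(BaseHTTPRequestHandler):
    """Constructed stand-in for a real web server: answers every GET with 200."""

    def do_GET(self):
        body = b"<html><body>ok</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_local_server():
    """Start the constructed server on 127.0.0.1 and an ephemeral port."""
    srv = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def free_port():
    """Bind an ephemeral port, release it, and return its number: nothing listens there."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv = start_local_server()
    print(probe_http("127.0.0.1", srv.server_address[1]))   # open, 'HTTP/1.0 200 OK'
    print(probe_http("127.0.0.1", free_port()))             # refused
    srv.shutdown()
```

Against a real site, run it from the firewall box itself and from a LAN client: if the client gets 'filtered' while the firewall gets 'open', the FORWARD path is where the rule is.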
 
Old 05-05-2005, 06:57 PM   #3
the_cranky_don
LQ Newbie
 
Registered: Sep 2004
Location: Australia
Posts: 22

Original Poster
Rep: Reputation: 15


I tried your suggestion of telnet'ing to port 80 of a website.
I could reach it OK with the firewall off but when I started the firewall - no go.

I looked at my firewall rules and policies and removed a rule stopping port 80

I can surf OK now, I just need to check that my firewall is still secure.
Can you please review my firewall files.

Here is my Shorewall Policy file...

#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
loc all ACCEPT -
$FW all ACCEPT -
#
# THE FOLLOWING POLICY MUST BE LAST
#
net all DROP info
wls net ACCEPT -
wls loc DROP -
all all REJECT info

and here is my Shorewall Rules file...

#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
loc all ACCEPT -
$FW all ACCEPT -
#
# THE FOLLOWING POLICY MUST BE LAST
#
net all DROP info
wls net ACCEPT -
wls loc DROP -
all all REJECT info

If you would prefer it in iptables, here is the result of iptables -L...

> iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP !icmp -- anywhere anywhere state INVALID
eth0_in all -- anywhere anywhere
eth1_in all -- anywhere anywhere
wlan0_in all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:INPUT:REJECT:'
reject all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
DROP !icmp -- anywhere anywhere state INVALID
eth0_fwd all -- anywhere anywhere
eth1_fwd all -- anywhere anywhere
wlan0_fwd all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP !icmp -- anywhere anywhere state INVALID
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
fw2net all -- anywhere anywhere
fw2loc all -- anywhere anywhere
fw2wls all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain Drop (2 references)
target prot opt source destination
RejectAuth all -- anywhere anywhere
dropBcast all -- anywhere anywhere
dropInvalid all -- anywhere anywhere
DropSMB all -- anywhere anywhere
DropUPnP all -- anywhere anywhere
dropNotSyn all -- anywhere anywhere
DropDNSrep all -- anywhere anywhere

Chain DropDNSrep (2 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp spt:domain

Chain DropSMB (1 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:loc-srv
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp dpt:microsoft-ds
DROP tcp -- anywhere anywhere tcp dpt:loc-srv
DROP tcp -- anywhere anywhere tcp dpt:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds

Chain DropUPnP (2 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:1900

Chain Reject (3 references)
target prot opt source destination
RejectAuth all -- anywhere anywhere
dropBcast all -- anywhere anywhere
dropInvalid all -- anywhere anywhere
RejectSMB all -- anywhere anywhere
DropUPnP all -- anywhere anywhere
dropNotSyn all -- anywhere anywhere
DropDNSrep all -- anywhere anywhere

Chain RejectAuth (2 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth

Chain RejectSMB (1 references)
target prot opt source destination
reject udp -- anywhere anywhere udp dpt:loc-srv
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
reject udp -- anywhere anywhere udp dpt:microsoft-ds
reject tcp -- anywhere anywhere tcp dpt:loc-srv
reject tcp -- anywhere anywhere tcp dpt:netbios-ssn
reject tcp -- anywhere anywhere tcp dpt:microsoft-ds

Chain all2all (6 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:all2all:REJECT:'
reject all -- anywhere anywhere

Chain dmz2fw (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
all2all all -- anywhere anywhere

Chain dmz2loc (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
all2all all -- anywhere anywhere

Chain dmz2net (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
all2all all -- anywhere anywhere

Chain dmz2wls (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
all2all all -- anywhere anywhere

Chain dropBcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
DROP all -- anywhere anywhere PKTTYPE = multicast

Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID

Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN

Chain dynamic (6 references)
target prot opt source destination

Chain eth0_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
norfc1918 all -- anywhere anywhere state NEW
tcpflags tcp -- anywhere anywhere
net2loc all -- anywhere anywhere
net2wls all -- anywhere anywhere

Chain eth0_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
norfc1918 all -- anywhere anywhere state NEW
tcpflags tcp -- anywhere anywhere
net2fw all -- anywhere anywhere

Chain eth1_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
tcpflags tcp -- anywhere anywhere
loc2net all -- anywhere anywhere
loc2wls all -- anywhere anywhere

Chain eth1_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
tcpflags tcp -- anywhere anywhere
loc2fw all -- anywhere anywhere

Chain fw2all (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain fw2dmz (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
fw2all all -- anywhere anywhere

Chain fw2loc (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
fw2all all -- anywhere anywhere

Chain fw2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
fw2all all -- anywhere anywhere

Chain fw2wls (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
fw2all all -- anywhere anywhere

Chain icmpdef (0 references)
target prot opt source destination

Chain loc2all (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain loc2dmz (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
loc2all all -- anywhere anywhere

Chain loc2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
loc2all all -- anywhere anywhere

Chain loc2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
loc2all all -- anywhere anywhere

Chain loc2wls (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
loc2all all -- anywhere anywhere

Chain logflags (5 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info ip-options prefix `Shorewall:logflags:DROP:'
DROP all -- anywhere anywhere

Chain net2all (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2all:DROP:'
DROP all -- anywhere anywhere

Chain net2dmz (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
net2all all -- anywhere anywhere

Chain net2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
net2all all -- anywhere anywhere

Chain net2loc (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
net2all all -- anywhere anywhere

Chain net2wls (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
net2all all -- anywhere anywhere

Chain norfc1918 (2 references)
target prot opt source destination
rfc1918 all -- 172.16.0.0/12 anywhere
rfc1918 all -- anywhere anywhere ctorigdst 172.16.0.0/12
rfc1918 all -- 192.168.0.0/16 anywhere
rfc1918 all -- anywhere anywhere ctorigdst 192.168.0.0/16
rfc1918 all -- external/8 anywhere
rfc1918 all -- anywhere anywhere ctorigdst external/8

Chain reject (10 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
DROP all -- anywhere anywhere PKTTYPE = multicast
DROP all -- 10.255.255.255 anywhere
DROP all -- 192.168.1.255 anywhere
DROP all -- 255.255.255.255 anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain rfc1918 (6 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:rfc1918:DROP:'
DROP all -- anywhere anywhere

Chain shorewall (0 references)
target prot opt source destination

Chain smurfs (0 references)
target prot opt source destination
LOG all -- 10.255.255.255 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- 10.255.255.255 anywhere
LOG all -- 192.168.1.255 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- 192.168.1.255 anywhere
LOG all -- 255.255.255.255 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- 255.255.255.255 anywhere
LOG all -- BASE-ADDRESS.MCAST.NET/4 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere

Chain tcpflags (4 references)
target prot opt source destination
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
logflags tcp -- anywhere anywhere tcp spt:0 flags:SYN,RST,ACK/SYN

Chain wlan0_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
wls2net all -- anywhere anywhere
wls2loc all -- anywhere anywhere

Chain wlan0_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
wls2fw all -- anywhere anywhere

Chain wls2dmz (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
all2all all -- anywhere anywhere

Chain wls2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
all2all all -- anywhere anywhere

Chain wls2loc (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
Drop all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain wls2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
ACCEPT all -- anywhere anywhere


Thanks,
Don =)
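As an added example (not the poster's or Shorewall's own code), a small Python audit of a Shorewall policy file like the one posted above. It parses the SOURCE, DEST, POLICY and LOG LEVEL columns and reports three things a reviewer looks for first: entries that an earlier entry already decides (Shorewall applies the first matching policy, so such entries never fire), DROP or REJECT policies with no log level (blocked traffic then leaves no trace, which is exactly what made the port-80 problem hard to spot), and a missing `all all` catch-all. The policy text embedded in the block is the one posted above; the zone matching is simplified to exact zone names plus `all` and does not model nested Shorewall zones, so treat it as a review aid, not a replacement for `shorewall check`.

```python
# Policy file as posted in the thread (SOURCE DEST POLICY LOG-LEVEL [LIMIT:BURST]).
SAMPLE_POLICY = """\
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
loc all ACCEPT -
$FW all ACCEPT -
#
# THE FOLLOWING POLICY MUST BE LAST
#
net all DROP info
wls net ACCEPT -
wls loc DROP -
all all REJECT info
"""


def parse_policy(text):
    """Return one dict per policy entry, with the 1-based line it came from."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: need SOURCE DEST POLICY, got {line!r}")
        log = fields[3] if len(fields) > 3 and fields[3] != "-" else None
        entries.append({"line": lineno, "src": fields[0], "dst": fields[1],
                        "policy": fields[2].upper(), "log": log})
    return entries


def covers(earlier, later):
    """True when every (source, dest) pair `later` would match is already
    matched by `earlier`. Simplified: a zone matches itself, 'all' matches any."""
    def zone_covers(a, b):
        return a == "all" or a == b
    return zone_covers(earlier["src"], later["src"]) and zone_covers(earlier["dst"], later["dst"])


def audit_policy(entries):
    """Return (line, message) findings; line is None for file-level findings."""
    findings = []
    for i, entry in enumerate(entries):
        for prior in entries[:i]:
            if covers(prior, entry):
                findings.append((entry["line"],
                                 f"unreachable: line {prior['line']} "
                                 f"({prior['src']} {prior['dst']} {prior['policy']}) matches first"))
                break
        if entry["src"] == "net" and entry["policy"] == "ACCEPT":
            findings.append((entry["line"], "permissive: ACCEPT policy from the net zone"))
        if entry["policy"] in ("DROP", "REJECT") and not entry["log"]:
            findings.append((entry["line"],
                             "unlogged deny: no LOG LEVEL, so blocked traffic leaves no trace"))
    if not entries or not (entries[-1]["src"] == "all" and entries[-1]["dst"] == "all"):
        findings.append((None, "no 'all all' catch-all policy at the end of the file"))
    return findings


if __name__ == "__main__":
    for line, message in audit_policy(parse_policy(SAMPLE_POLICY)):
        print(f"line {line}: {message}" if line else message)
```

On the posted file the only finding is `wls loc DROP -` on line 10: it silently drops wireless-to-LAN traffic, so the same kind of outage between those two zones would show up as a plain timeout with nothing in the log.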
 