mikey79
08-20-2005 04:26 PM
pls help: debian router => some websites won't load (though pinging works)
hey folks, I really hope you can help me out with my problem here.
I used to have a D-Link hardware router and now switched to a Debian software router. I use one desktop PC behind the router to connect to the internet.
I set everything up (dhcp, networking, iptables) and everything seems to be working so far; however, on some websites loading takes an infinite amount of time. However, if I plug in my D-Link router again, the websites load pretty fast, and if I reconnect my desktop to the Debian machine again, the websites still work (even if I surf on those websites). However: if I reboot my machines and try this thingie again: no websites any more. Only if I re-plug my desktop to the D-Link router and start over again. I think this has to be some caching issue... I don't know. I am not really into networking :-(
so here's the deal....
the website i am talking about is www_quoka_de
I can ping it (even when I cannot load the website):
Code:
Pinging www_quoka_de [217.237.190.136] with 32 bytes of data:
Reply from 217.237.190.136: bytes=32 time=11ms TTL=119
Reply from 217.237.190.136: bytes=32 time=10ms TTL=119
Reply from 217.237.190.136: bytes=32 time=11ms TTL=119
Reply from 217.237.190.136: bytes=32 time=13ms TTL=119
Ping statistics for 217.237.190.136:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 10ms, Maximum = 13ms, Average = 11ms
If I do a tracert I get this (and I get exactly the same with my D-Link router!):
Code:
Tracing route to www_quoka_de [217.237.190.136]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.0.1
2 5 ms 5 ms 5 ms bsn2.fra.qsc.de [213.148.128.56]
3 6 ms 6 ms 6 ms core2.fra.qsc.de [213.148.139.177]
4 6 ms 6 ms 6 ms 62.156.139.121
5 9 ms 8 ms 9 ms ma-ag4.MA.DE.net.DTAG.DE [62.154.37.178]
6 9 ms 9 ms 9 ms 052058-1-1-gw.MA.DE.net.DTAG.DE [62.154.39.77]
7 20 ms * 10 ms 217.237.191.36
8 * * * Request timed out.
9 11 ms 16 ms 11 ms 217.237.190.136
It seems the connection is broken somehow outside... but I get the very same with my D-Link router and the website is loading there! And I can ping it anyway... :-(
My setup is as follows:
desktop -> router (eth0) ....... router (eth1) -> dsl-modem -> internet
If you need my iptables script, here it is:
Code:
#!/bin/sh
IPTABLES=`which iptables` # path to iptables
DEV_EXT=ppp0 # external interface
DEV_INT=eth0 # internal interface
p_high=1024:65535
echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/accept_redirects
# echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# echo "0" > /proc/sys/net/ipv4/conf/all/bootp_relay
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
# flush any old rules that may still be present
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
# set default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
# load the modules for iptables connection tracking
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_conntrack_irc
modprobe ip_nat_irc
# logging
$IPTABLES -A FORWARD -j LOG --log-prefix "BEFORE: "
#$IPTABLES -A OUTPUT -j LOG
#$IPTABLES -A INPUT -j LOG
# open loopback
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
# enable masquerading
$IPTABLES -t nat -A POSTROUTING -o $DEV_EXT -j MASQUERADE
# set ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
#-----------------------------------------------------------------------------
######################################################
# ssh
######################################################
$IPTABLES -A INPUT -i $DEV_INT -p TCP --dport ssh -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $DEV_INT -p TCP --sport ssh -m state --state ESTABLISHED,RELATED -j ACCEPT
#####################################################
# dns
#####################################################
$IPTABLES -A FORWARD -o $DEV_EXT -m state --state NEW,ESTABLISHED,RELATED -p UDP --dport domain -j ACCEPT
$IPTABLES -A FORWARD -o $DEV_EXT -m state --state NEW,ESTABLISHED,RELATED -p TCP --dport domain -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_EXT -m state --state ESTABLISHED,RELATED -p UDP --sport domain -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_EXT -m state --state ESTABLISHED,RELATED -p TCP --sport domain -j ACCEPT
$IPTABLES -A OUTPUT -o $DEV_EXT -m state --state NEW,ESTABLISHED,RELATED -p UDP --dport domain -j ACCEPT
$IPTABLES -A OUTPUT -o $DEV_EXT -m state --state NEW,ESTABLISHED,RELATED -p TCP --dport domain -j ACCEPT
$IPTABLES -A INPUT -i $DEV_EXT -m state --state ESTABLISHED,RELATED -p UDP --sport domain -j ACCEPT
$IPTABLES -A INPUT -i $DEV_EXT -m state --state ESTABLISHED,RELATED -p TCP --sport domain -j ACCEPT
#####################################################
# http
#####################################################
$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_EXT -m state --state NEW,ESTABLISHED,RELATED -p TCP --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_EXT -m state --state NEW,ESTABLISHED,RELATED -p UDP --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT -m state --state ESTABLISHED,RELATED -p TCP --sport 80 -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT -m state --state ESTABLISHED,RELATED -p UDP --sport 80 -j ACCEPT
$IPTABLES -A OUTPUT -o $DEV_EXT -m state --state NEW,ESTABLISHED,RELATED -p UDP --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -o $DEV_EXT -m state --state NEW,ESTABLISHED,RELATED -p TCP --dport 80 -j ACCEPT
$IPTABLES -A INPUT -i $DEV_EXT -m state --state ESTABLISHED,RELATED -p UDP --sport 80 -j ACCEPT
$IPTABLES -A INPUT -i $DEV_EXT -m state --state ESTABLISHED,RELATED -p TCP --sport 80 -j ACCEPT
#####################################################
# http ssl
#####################################################
$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_EXT -m state --state NEW,ESTABLISHED,RELATED -p TCP --dport 443 -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_EXT -m state --state NEW,ESTABLISHED,RELATED -p UDP --dport 443 -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT -m state --state ESTABLISHED,RELATED -p TCP --sport 443 -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT -m state --state ESTABLISHED,RELATED -p UDP --sport 443 -j ACCEPT
$IPTABLES -A OUTPUT -o $DEV_EXT -m state --state NEW,ESTABLISHED,RELATED -p UDP --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -o $DEV_EXT -m state --state NEW,ESTABLISHED,RELATED -p TCP --dport 443 -j ACCEPT
$IPTABLES -A INPUT -i $DEV_EXT -m state --state ESTABLISHED,RELATED -p UDP --sport 443 -j ACCEPT
$IPTABLES -A INPUT -i $DEV_EXT -m state --state ESTABLISHED,RELATED -p TCP --sport 443 -j ACCEPT
#####################################################
# samba
#####################################################
$IPTABLES -A INPUT -i $DEV_INT -s 192.168.0.0/24 -p TCP --dport 137 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $DEV_INT -s 192.168.0.0/24 -p TCP --dport 138 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $DEV_INT -s 192.168.0.0/24 -p TCP --dport 139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $DEV_INT -d 192.168.0.0/24 -p TCP --sport 137 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $DEV_INT -d 192.168.0.0/24 -p TCP --sport 138 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $DEV_INT -d 192.168.0.0/24 -p TCP --sport 139 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $DEV_INT -s 192.168.0.0/24 -p UDP --dport 137 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $DEV_INT -s 192.168.0.0/24 -p UDP --dport 138 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $DEV_INT -s 192.168.0.0/24 -p UDP --dport 139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $DEV_INT -d 192.168.0.0/24 -p UDP --sport 137 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $DEV_INT -d 192.168.0.0/24 -p UDP --sport 138 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $DEV_INT -d 192.168.0.0/24 -p UDP --sport 139 -m state --state ESTABLISHED,RELATED -j ACCEPT
#####################################################
# icmp
#####################################################
# type 0 echo-reply (ping)
$IPTABLES -A INPUT -p icmp --icmp-type 0 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 0 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 0 -s 0/0 -d 0/0 -j ACCEPT
# type 3 destination-unreachable (port-unreachable, fragmentation-needed)
$IPTABLES -A INPUT -p icmp --icmp-type 3 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 3 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 3 -s 0/0 -d 0/0 -j ACCEPT
# type 8 echo request
$IPTABLES -A INPUT -p icmp --icmp-type 8 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 8 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 8 -s 0/0 -d 0/0 -j ACCEPT
# type 11 time exceeded
$IPTABLES -A INPUT -p icmp --icmp-type 11 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 11 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 11 -s 0/0 -d 0/0 -j ACCEPT
# type 13 timestamp request
$IPTABLES -A INPUT -p icmp --icmp-type 13 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 13 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 13 -s 0/0 -d 0/0 -j ACCEPT
# type 14 timestamp reply
$IPTABLES -A INPUT -p icmp --icmp-type 14 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 14 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 14 -s 0/0 -d 0/0 -j ACCEPT
#####################################################
# imap
#####################################################
$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_EXT -p TCP --dport 143 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT -p TCP --sport 143 -m state --state ESTABLISHED,RELATED -j ACCEPT
#####################################################
# imap ssl
#####################################################
$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_EXT -p TCP --dport 993 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT -p TCP --sport 993 -m state --state ESTABLISHED,RELATED -j ACCEPT
#####################################################
# smtp
#####################################################
$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_EXT -p TCP --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT -p TCP --sport 25 -m state --state ESTABLISHED,RELATED -j ACCEPT
#####################################################
# smtp ssl
#####################################################
$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_EXT -p TCP --dport 465 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT -p TCP --sport 465 -m state --state ESTABLISHED,RELATED -j ACCEPT
#####################################################
# pop3
#####################################################
$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_EXT -p TCP --dport 110 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT -p TCP --sport 110 -m state --state ESTABLISHED,RELATED -j ACCEPT
#####################################################
# pop3 ssl
#####################################################
$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_EXT -p TCP --dport 995 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT -p TCP --sport 995 -m state --state ESTABLISHED,RELATED -j ACCEPT
#####################################################
# usenet
#####################################################
$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_EXT -p TCP --dport 119 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT -p TCP --sport 119 -m state --state ESTABLISHED,RELATED -j ACCEPT
#-----------------------------------------------------------------------------
# logging
#$IPTABLES -A OUTPUT -j LOG
#$IPTABLES -A INPUT -j LOG
$IPTABLES -A FORWARD -j LOG --log-prefix "AFTER: "
My kernel version (according to cat /proc/version) is:
Code:
Linux version 2.4.27-2-386
So, does anybody have any ideas, please? I don't know what to do, to be honest...
Any help is much appreciated!
thx
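As an added example (not part of the original post, and not code from Debian or netfilter), here is a small audit script that reads a firewall script of the shape posted above and reports the settings a router administrator would look at first: accept_redirects switched on, rp_filter switched off, an ICMP timestamp-request rule open on every interface, and a ppp uplink with no TCP MSS clamp rule. The two script excerpts embedded in it are constructed in the style of the post (the second one corrected); the function names parse_script, opt and audit and the finding codes are this example's own assumptions.

```python
"""Audit a simple iptables shell script for weak router settings (added example)."""
import re
import shlex

# Constructed excerpt in the style of the posted script (not a copy of it);
# the weak settings are deliberate so the audit has something to report.
WEAK_SCRIPT = r'''
IPTABLES=`which iptables`   # path to iptables
DEV_EXT=ppp0                # external (PPPoE) interface
DEV_INT=eth0                # internal interface
echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/accept_redirects
$IPTABLES -P INPUT DROP
$IPTABLES -A INPUT -i $DEV_INT -p TCP --dport ssh -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 3 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 13 -s 0/0 -d 0/0 -j ACCEPT
'''

# The same constructed excerpt with the settings corrected; audit() reports nothing.
HARDENED_SCRIPT = r'''
IPTABLES=`which iptables`
DEV_EXT=ppp0
DEV_INT=eth0
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
$IPTABLES -P INPUT DROP
# clamp TCP MSS on the PPPoE uplink so LAN hosts do not depend on PMTUD alone
$IPTABLES -t mangle -A FORWARD -o $DEV_EXT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
$IPTABLES -A INPUT -i $DEV_INT -p TCP --dport ssh -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 3 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A INPUT -i $DEV_INT -p icmp --icmp-type 13 -j ACCEPT
'''

SYSCTL_RE = re.compile(r'^echo\s+"?(\d+)"?\s*>\s*(/proc/sys/\S+)$')
ASSIGN_RE = re.compile(r'^([A-Za-z_]\w*)=(.*)$')
RULE_PREFIX = '$IPTABLES '


def parse_script(text):
    """Split a firewall script into variables, sysctl writes and iptables rules.

    variables: NAME -> value for plain NAME=value lines
    sysctls:   /proc/sys path -> value written with `echo N > path`
    rules:     argument lists of `$IPTABLES ...` lines with $VAR references expanded
    """
    variables, sysctls, rules = {}, {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = SYSCTL_RE.match(line)
        if m:
            sysctls[m.group(2)] = m.group(1)
            continue
        m = ASSIGN_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2).strip()
            continue
        if line.startswith(RULE_PREFIX):
            body = line[len(RULE_PREFIX):]
            body = re.sub(r'\$(\w+)', lambda v: variables.get(v.group(1), v.group(0)), body)
            rules.append(shlex.split(body))
    return variables, sysctls, rules


def opt(tokens, name):
    """Value that follows option `name` in an iptables argument list, or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == name:
            return tokens[i + 1]
    return None


def audit(text):
    """Return a list of (code, message) findings for a firewall script."""
    variables, sysctls, rules = parse_script(text)
    findings = []
    if sysctls.get('/proc/sys/net/ipv4/conf/all/accept_redirects') == '1':
        findings.append(('accept_redirects',
                         'router honours ICMP redirects; set conf/all/accept_redirects to 0 on a gateway'))
    if sysctls.get('/proc/sys/net/ipv4/conf/all/rp_filter') == '0':
        findings.append(('rp_filter',
                         'reverse-path filtering is off; set conf/all/rp_filter to 1 unless routing is asymmetric'))
    ext = variables.get('DEV_EXT', '')
    if ext.startswith('ppp') and not any('TCPMSS' in r for r in rules):
        findings.append(('no_mss_clamp',
                         f'{ext} is a PPP uplink with a reduced MTU but there is no TCPMSS clamp rule; '
                         'LAN hosts then depend on ICMP fragmentation-needed messages reaching them'))
    for r in rules:
        if (opt(r, '-A') == 'INPUT' and (opt(r, '-p') or '').lower() == 'icmp'
                and opt(r, '--icmp-type') == '13' and opt(r, '-i') is None):
            findings.append(('icmp_timestamp_open',
                             'INPUT accepts ICMP timestamp requests on every interface; '
                             'restrict the rule with -i on the internal interface or drop it'))
    return findings


if __name__ == '__main__':
    for name, script in (('weak', WEAK_SCRIPT), ('hardened', HARDENED_SCRIPT)):
        result = audit(script)
        print(f'{name}: {len(result)} finding(s)')
        for code, msg in result:
            print(f'  [{code}] {msg}')
```

Run it with python3 to print the findings for both excerpts, or point audit() at the contents of your own script file. The parser is deliberately narrow (it understands only `NAME=value` lines, `echo N > /proc/sys/...` writes and `$IPTABLES ...` rules), which is enough for the shape of script in the post; the MSS check only fires when DEV_EXT is a ppp interface, because that is where the reduced MTU applies.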