LinuxQuestions.org
Old 02-16-2006, 06:29 PM   #1
WindowBreaker
Member
 
Registered: Oct 2005
Distribution: Slackware
Posts: 228

Rep: Reputation: 40
Can't access a particular website thru a linux router


I have a LAN that accesses the Internet thru a linux router, which uses iptables for firewall/NAT, etc.

The router is setup to allow all outgoing connections, and all incoming connections which are responses. The relevant iptables commands are as follows:
Code:
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j SNAT --to $WAN_IP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i $WAN -j ACCEPT
Very simple router, not the most secure I know.

Nobody on the LAN can access the www.wsba.org website. Nobody can ping it, but that's because their site won't respond to pings.

I have tried it on various computers, using both Internet Explorer and Firefox web browsers.

The ip address for www.wsba.org resolves to: 216.211.129.9

What I did was run tcpdump to sniff packets on the linux router, while a user tried to access the site simultaneously.

What I noticed is that when a user types in http://www.wsba.org in the browser, the responses coming back are from fptest.adhost.com.

fptest.adhost.com resolves to the same IP as the site mentioned above, which is 216.211.129.9.

I think the problem is that the linux server sees the responses as if they are NEW packets, and not responses to outgoing packets. For this reason it doesn't properly translate the packets and return them to the internal user's machine.

Any ideas on how to fix or further troubleshoot this problem?

Last edited by WindowBreaker; 02-16-2006 at 06:33 PM.
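
One way to check the hypothesis in post #1 against a capture, as an added example that is not part of the original thread: connection tracking matches a reply by its reversed address/port tuple, not by the hostname tcpdump prints (that name comes from a reverse DNS lookup unless `-n` is used). The capture lines and the WAN address 203.0.113.5 are constructed, and `classify` and `stalled` are hypothetical helper names.

```python
import re

# Constructed sample of `tcpdump -n` output on the WAN interface (after SNAT).
# 203.0.113.5 stands in for $WAN_IP (assumption); 216.211.129.9 is from the thread.
SAMPLE = """\
18:30:01.000001 IP 203.0.113.5.40001 > 216.211.129.9.80: Flags [S], seq 100, win 5840, length 0
18:30:01.050000 IP 216.211.129.9.80 > 203.0.113.5.40001: Flags [S.], seq 900, ack 101, win 5792, length 0
18:30:01.050500 IP 203.0.113.5.40001 > 216.211.129.9.80: Flags [.], ack 901, win 5840, length 0
18:30:01.051000 IP 203.0.113.5.40001 > 216.211.129.9.80: Flags [P.], seq 101:501, ack 901, win 5840, length 400
18:30:02.000000 IP 216.211.129.9.80 > 203.0.113.5.40002: Flags [S.], seq 7, ack 8, win 5792, length 0
"""

LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\].* length (\d+)")

def classify(capture, wan_ip):
    """Return (flows, unsolicited), matching replies by reversed tuple.
    Simplified model of connection tracking: TCP only, no timeouts, no RELATED."""
    flows = {}         # (wan_ip, sport, dst, dport) -> per-flow counters
    unsolicited = []   # inbound packets with no matching outbound flow
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags, length = m.groups()
        sport, dport, length = int(sport), int(dport), int(length)
        if src == wan_ip:                                  # original direction
            flow = flows.setdefault((src, sport, dst, dport),
                                    {"syn": 0, "synack": 0, "reply_bytes": 0})
            if flags == "S":
                flow["syn"] += 1
        elif dst == wan_ip:                                # candidate reply
            flow = flows.get((dst, dport, src, sport))     # reversed tuple
            if flow is None:
                unsolicited.append((src, sport, dst, dport))
                continue
            if flags == "S.":
                flow["synack"] += 1
            flow["reply_bytes"] += length
    return flows, unsolicited

def stalled(flows):
    """Flows that received a SYN-ACK but no payload bytes in the reply direction."""
    return [key for key, f in flows.items() if f["synack"] and f["reply_bytes"] == 0]
```

An empty `unsolicited` list means every inbound packet in the capture belongs to a flow the router opened, so the state match is not what drops it; entries in `stalled` point at the data phase rather than the handshake.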
 
Old 02-17-2006, 12:26 AM   #2
philix
Member
 
Registered: Sep 2005
Location: India
Distribution: Redhat Debian
Posts: 36

Rep: Reputation: 15
Hi WindowBreaker,

Your finding is true. The virtual host configuration in that web server has the capability of hosting different websites under the banner of the same IP address.
Could you please tell us whether the wsba site is the only site that your LAN can't access, or is there any other site?

Thanks
Philix
 
Old 02-17-2006, 12:38 AM   #3
WindowBreaker
Member
 
Registered: Oct 2005
Distribution: Slackware
Posts: 228

Original Poster
Rep: Reputation: 40
I believe there may be another site but not sure right now. However, many (if not most) hosting companies share an ip and use name-based virtual hosting, right? What is the problem with this site? What else could possibly be blocking this site?

I have one new finding:
I work on another LAN with a virtually identical firewall/NAT setup, and their LAN can access the site (and all other sites I know of) without a problem.

Does anybody know of a kernel parameter somewhere under /proc/sys/net/ipv4 that could be set incorrectly and causing this problem?

Thanks
 
Old 03-25-2006, 03:06 PM   #4
mikehaun
LQ Newbie
 
Registered: Mar 2006
Posts: 4

Rep: Reputation: 0
Window Breaker;
Did you ever get this figured out? I have a very similar problem.
 
Old 03-29-2006, 07:06 PM   #5
philix
Member
 
Registered: Sep 2005
Location: India
Distribution: Redhat Debian
Posts: 36

Rep: Reputation: 15
Hi Window Breaker,

Why can't you flush out the iptables rules and then try to browse the website?
Especially the "iptables -A INPUT -m state --state NEW ! -i $WAN -j ACCEPT" rule?
Is forwarding enabled?

Philix
 
Old 03-29-2006, 08:44 PM   #6
WRSpithead
Member
 
Registered: Mar 2005
Posts: 60

Rep: Reputation: 15
This is a pretty n00bish workaround, but you could write an ettercap filter that changes the hostname back to www.wsba.org when it gets a packet from that IP address.
 
Old 03-30-2006, 05:46 AM   #7
mikehaun
LQ Newbie
 
Registered: Mar 2006
Posts: 4

Rep: Reputation: 0
I fixed my problem by upgrading the firmware on my Linux router. All is fine now.
 