I have a LAN that accesses the Internet through a Linux router, which uses iptables for firewall/NAT, etc.
The router is set up to allow all outgoing connections, and all incoming connections which are responses. The relevant iptables commands are as follows:
Code:
# Default policies: drop traffic to the router itself, allow traffic from it and through it
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Masquerade LAN traffic leaving on the WAN interface as the router's public address
iptables -t nat -A POSTROUTING -o $WAN -j SNAT --to $WAN_IP
# Accept replies to connections the router already knows about
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept new connections to the router only from non-WAN interfaces (i.e. the LAN)
iptables -A INPUT -m state --state NEW ! -i $WAN -j ACCEPT
Very simple router, not the most secure, I know.
Nobody on the LAN can access the www.wsba.org website. Nobody can ping it, but that's because their site won't respond to pings.
I have tried it on various computers, using both Internet Explorer and Firefox web browsers.
The IP address for www.wsba.org resolves to: 216.211.129.9
What I did was run tcpdump to sniff packets on the linux router, while a user tried to access the site simultaneously.
What I noticed is that when a user types in http://www.wsba.org in the browser, the responses coming back are from fptest.adhost.com. fptest.adhost.com resolves to the same IP as the site mentioned above, which is 216.211.129.9.
I think the problem is that the linux server sees the responses as if they are NEW packets, and not responses to outgoing packets. For this reason it doesn't properly translate the packets and return them to the internal user's machine.
Any ideas on how to fix or further troubleshoot this problem?
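Added illustration, not part of the original post: a simplified model of how the router's conntrack and SNAT rules above treat a return packet, so the suspicion that replies are being seen as NEW can be checked against a concrete trace. The LAN host, the WAN_IP value and the packet trace are constructed (the trace uses bare IPs, as tcpdump prints them when run with -n instead of resolving the address to a PTR name such as fptest.adhost.com); real conntrack also inspects TCP flags, which this model omits.

```python
from typing import Dict, List, Tuple

WAN_IP = "203.0.113.2"              # assumed value of $WAN_IP (documentation range)
Flow = Tuple[str, int, str, int]    # (src, sport, dst, dport)


class Router:
    """Tracks outbound flows and rewrites replies the way SNAT + conntrack do."""

    def __init__(self) -> None:
        # expected reply tuple (as it arrives on $WAN) -> original LAN tuple
        self.table: Dict[Flow, Flow] = {}

    def handle(self, pkt: Flow, iface: str) -> str:
        src, sport, dst, dport = pkt
        if iface != "wan":
            # Outbound from the LAN: FORWARD ACCEPT, then SNAT in POSTROUTING.
            # conntrack records the reply it expects: server -> WAN_IP:sport.
            self.table[(dst, dport, WAN_IP, sport)] = pkt
            return f"FORWARD NEW {src}:{sport} -> {dst}:{dport} (SNAT as {WAN_IP})"
        orig = self.table.get(pkt)
        if orig is not None:
            # ESTABLISHED reply: SNAT is reversed and the packet is forwarded.
            lan_ip, lan_port = orig[0], orig[1]
            return f"FORWARD ESTABLISHED {src}:{sport} -> {lan_ip}:{lan_port}"
        # No conntrack entry: the packet counts as NEW and, being addressed to
        # WAN_IP, goes to the router's own INPUT chain, whose policy is DROP.
        return f"INPUT DROP NEW {src}:{sport} -> {dst}:{dport}"


def run(packets: List[Tuple[Flow, str]]) -> List[str]:
    router = Router()
    return [router.handle(pkt, iface) for pkt, iface in packets]


# Constructed trace: a SYN from a LAN host to 216.211.129.9:80, then two replies.
SAMPLE: List[Tuple[Flow, str]] = [
    (("192.168.1.10", 40000, "216.211.129.9", 80), "lan"),
    (("216.211.129.9", 80, WAN_IP, 40000), "wan"),   # matches the entry -> forwarded
    (("216.211.129.9", 80, WAN_IP, 40001), "wan"),   # no entry -> NEW, dropped
]

if __name__ == "__main__":
    for line in run(SAMPLE):
        print(line)
```

On the real router, `conntrack -L -d 216.211.129.9` (from the conntrack-tools package) shows whether the entry the model builds in `table` actually exists while a user loads the page.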