LinuxQuestions.org
Latest LQ Deal: Linux Power User Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 11-26-2007, 03:31 AM   #1
Robert S
Member
 
Registered: Oct 2006
Location: Canberra
Distribution: gentoo, debian
Posts: 40

Rep: Reputation: 15
iptables router: can't browse certain sites


I have set up a router as per the instructions at http://www.gentoo.org/doc/en/home-router-howto.xml. I've listed it at the bottom of this message. I use pppoe to connect to the internet on eth1.

When I try to use certain websites on other PCs on my LAN, they won't load and timeout - particularly www.bebo.com. This won't load on Win or Lin machines - even when the firewall is switched off on the client machine. I can get this site to load on the machine that has the router installed. Windows Messenger doesn't work on some PCs either.

Can anybody help?

#!/bin/bash
opts="status info"
PATH=/sbin:$PATH
export NETWORK=192.168.2.0/255.255.255.0

#First we flush our current rules
iptables -F
iptables -t nat -F

#Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

#Copy and paste these examples ...
export LAN=eth0
export WAN=ppp0

#Then we lock our services so they only work from the LAN
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT

#(Optional) Allow access to our ssh server from the WAN
iptables -A INPUT -p TCP --dport ssh -j ACCEPT

#Drop TCP / UDP packets to privileged ports
iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP

#Finally we add the rules for NAT
iptables -I FORWARD -i ${LAN} -d 192.168.2.0/255.255.255.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.2.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.2.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
 
Old 11-26-2007, 12:55 PM   #2
framp
Member
 
Registered: Apr 2003
Location: Stuttgart, BW Germany
Distribution: SuSE 10.3-11.0, Knoppix, Ubuntu 8.10, Fedora 10
Posts: 119
Blog Entries: 5

Rep: Reputation: 15
That's most probably an MTU issue.

Add
Code:
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
on your router to have your clients to use the correct MTU.

Last edited by framp; 11-26-2007 at 12:57 PM.
 
Old 11-27-2007, 02:44 AM   #3
Robert S
Member
 
Registered: Oct 2006
Location: Canberra
Distribution: gentoo, debian
Posts: 40

Original Poster
Rep: Reputation: 15
Many thanks LinuxQuestions.org comes up trumps again. I had to compile the following modules to get this to work:
Quote:
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
Are there any other glaring problems with my firewall script? - I've just posted the bare bones of it for simplicity. Should I set the policy to DROP? This is quite a difficult topic for n00bs.
 
Old 11-27-2007, 05:30 AM   #4
framp
Member
 
Registered: Apr 2003
Location: Stuttgart, BW Germany
Distribution: SuSE 10.3-11.0, Knoppix, Ubuntu 8.10, Fedora 10
Posts: 119
Blog Entries: 5

Rep: Reputation: 15
I'd use a firewall rule generator, e.g. shorewall. Or have theses generators generate rules and use them as samples if you want to write your own rules for some reasons.

At least I'd drop all packets for all interfaces per default and open only connections/ports which are required. In addition I'd use stateful packet inspection with iptables
Code:
-m state --state ESTABLISHED,RELATED
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
I Can't use Linux Firefox or Opera to browse the web-sites I need to, under SUSE 10.0 DeekBeek Linux - Software 9 06-20-2006 04:12 PM
help cannot ping to sites but can browse :( madagascar2k Linux - Newbie 3 03-24-2006 01:37 AM
Can't get to all sites using nat router? Moloko Linux - Networking 12 01-28-2005 07:30 PM
cannot browse the inernet sites in fc2 shams Linux - Networking 1 10-18-2004 04:09 AM
Unable to Browse Sites tanmay_79 Linux - Networking 1 09-05-2002 02:08 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 04:30 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration