some websites invisible after rerun iptables

298 · 05-19-2007, 01:16 PM

I have a Debian Etch running as a firewall and router with a DSL modem in front of it and a few Ubuntus behind it. After rerunning the iptables script, the Ubuntus cannot connect to certain websites, but the Debian still can. Things get back to normal after restarting the PPP interface on the gateway.

Could this have anything to do with the connection tracking done by iptables? I tried clr_conns
on the Debian, but it didn't help. Is there any way to flush everything the firewall knows? Restarting the PPP connection isn't that good a solution because it will result in a new IP address which needs to be sent to DynDNS again, etc. Would be nice to have something simple that I could add to the iptables script.

Mara · 05-19-2007, 04:56 PM

Make sure the connections you have are closed after you restart iptables. Closing and opening a web browser should work, for instance, because iptables will get the whole new connection, so it should trace it correctly. After restarting iptables packets from existing connections may be dropped, because they will not be found in the connection cache.

298 · 05-19-2007, 10:57 PM

Restarting Firefox didn't help. The situation is the same. As I said, there are only some websites that are not reachable. My company's webmail (MS Exchange) and lists.digium.com are among them, this one here is not.

Other applications affected are the Weather Forecast Applet on my Gnome desktop and getmail running on my laptop. The latter is started by a cron job, so there shouldn't be any open connections. (It uses POP3 to connect to the same server that runs my company's webmail.) I just tried it again, it's repeatable. Running the iptables script breaks these things, poff/pon fixes them again.

Mara · 05-20-2007, 02:31 PM

As an experiment, restart the firewall and reset one of the clients. I guess it will then connect just fine. I'd also look in netstat result to see how many connections (and where) you have.

If it all doesn't help, it may be worth looking into the Debian firewall script. Do you have an option to log all dropped packets (just for debug purposes)? Looking into that log will show which rule drops your connections (if it's iptables fault at all). You may have enough debug at this time, so first look into the iptables log to see if it shows something interesting.