Old 01-14-2019, 12:54 PM   #1
fbsoft
LQ Newbie
 
Registered: Jan 2019
Posts: 3

Rep: Reputation: Disabled
Weird Iptables + pppoe + access https websites sites


Hey,
I'm new to this forum, and I hope I can make myself understood in describing the problem I am having.

The same settings and iptables (almost everything) were reinstalled from an Ubuntu that crashed onto a new machine.

The issue is with accessing https sites like wetransfer.com or mail.yahoo.com, but surprisingly gmail works... The internet is forwarded from my ISP to the LAN, and the connection is PPPoE. The same firewall was set up, with a small renaming of the interfaces, which are now enp4s0 and enp5s1 instead of eth0 and eth1, and are used to access the internet.

When I try to access wetransfer from a local machine I get "Establishing secure connection" in Chrome, and after that the site took too long to respond and it gives an error. On the machine itself all works well; all sites can be accessed.

My iptables -t nat is

Code:
 iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 83 packets, 6615 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1977 to:192.168.0.2:5000
    0     0 DNAT       udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:1977 to:192.168.0.2:5000

Chain INPUT (policy ACCEPT 24 packets, 1455 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 68 packets, 4546 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 8 packets, 480 bytes)
 pkts bytes target     prot opt in     out     source               destination
  112  8442 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
while the rules, which were made as simple as possible following several tutorials and searching for ideas, left me with the following

Code:
iptables -nvL
Chain INPUT (policy ACCEPT 417 packets, 46085 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.2          tcp dpt:1977 state NEW,RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
23694 2708K ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0
41352   42M ACCEPT     all  --  *      *       0.0.0.0/0            192.168.0.0/24

Chain OUTPUT (policy ACCEPT 353 packets, 53476 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       192.168.0.2          0.0.0.0/0            udp spt:1977 state NEW,RELATED,ESTABLISHED

Chain Badflags (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5 LOG flags 0 level 4 prefix "Badflags: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain f2b-dos (0 references)
 pkts bytes target     prot opt in     out     source               destination
18906 3783K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain f2b-pureftpd (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       175.11.211.170       0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
I also have apache2 running. I thought of changing port 443 in apache2 to make it run on 444, just to be sure that apache2 is not interfering... and still nothing.

Why aren't the web sites on https working? On my server I can run them and load them.

I had installed lynx to see if something is loaded, and information from them is loaded.
What am I missing?
Thanks

Last edited by fbsoft; 01-15-2019 at 12:47 AM. Reason: Cleared it up a little bit
 
Old 01-14-2019, 01:01 PM   #2
fbsoft
LQ Newbie
 
Registered: Jan 2019
Posts: 3

Original Poster
Rep: Reputation: Disabled
and I even tried to fiddle with the MTU, but I cannot say whether I did a good job or not.
The MTU was 1500 for the internal NICs and for pppoe it was set to 1492...

now it looks like this

Code:
ifconfig
enp4s0 Link encap:Ethernet HWaddr 00:1a:4d:54:f0:5d
inet addr:192.168.0.1 Bcast:192.168.3.255 Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1492 Metric:1
RX packets:169271 errors:0 dropped:0 overruns:0 frame:0
TX packets:504881 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:21019102 (21.0 MB) TX bytes:589996772 (589.9 MB)

enp5s1 Link encap:Ethernet HWaddr 00:1b:21:02:c5:25
UP BROADCAST RUNNING MULTICAST MTU:1492 Metric:1
RX packets:524678 errors:0 dropped:0 overruns:0 frame:0
TX packets:179358 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:595273506 (595.2 MB) TX bytes:26988370 (26.9 MB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:9727 errors:0 dropped:0 overruns:0 frame:0
TX packets:9727 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:2904285 (2.9 MB) TX bytes:2904285 (2.9 MB)

ppp0 Link encap:Point-to-Point Protocol
inet addr:82.xxx.xxx.xxx P-t-P:10.0.0.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1484 Metric:1
RX packets:492982 errors:0 dropped:0 overruns:0 frame:0
TX packets:167698 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:555126729 (555.1 MB) TX bytes:21654166 (21.6 MB)
 
Old 01-15-2019, 02:04 AM   #3
fbsoft
LQ Newbie
 
Registered: Jan 2019
Posts: 3

Original Poster
Rep: Reputation: Disabled
Thanks to some research and a friend that guided me to the right place... I've found that it was MTU related.

The 2 missing iptables rules were

Code:
# TCPMSS is only valid in the mangle table
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1452

Thanks Alex.V for the good advice !
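As an added illustration of what the TCPMSS fix above does (this is example code, not from the thread or from netfilter), the following walks the TCP options of a SYN and lowers the MSS so that a full segment fits the PPPoE link MTU, exactly as `--clamp-mss-to-pmtu` derives it (MTU minus 20-byte IPv4 and 20-byte TCP headers). The SYN segment is constructed inline; the TCP checksum is left at zero, since recomputing it needs the IP pseudo-header the example does not carry.

```python
import struct

IP_HDR_LEN = 20    # IPv4 header without options
TCP_HDR_LEN = 20   # TCP header without options
MSS_KIND = 2       # TCP option kind for Maximum Segment Size
SYN, RST = 0x02, 0x04

def mss_for_mtu(mtu):
    """Largest MSS whose segment still fits one packet of this MTU (1492 -> 1452)."""
    return mtu - IP_HDR_LEN - TCP_HDR_LEN

def build_syn(mss, sport=40000, dport=443):
    """Constructed minimal TCP SYN (no payload) advertising the given MSS option."""
    opts = struct.pack("!BBH", MSS_KIND, 4, mss)            # kind, length, value
    data_off_words = (TCP_HDR_LEN + len(opts)) // 4           # 24 bytes -> 6 words
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                      data_off_words << 4, SYN, 65535, 0, 0)  # checksum left 0
    return hdr + opts

def parse_mss(seg):
    """Walk TCP options; return (offset of MSS value, MSS) or None if absent."""
    data_off = (seg[12] >> 4) * 4
    i = TCP_HDR_LEN
    while i < data_off:
        kind = seg[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP padding, one byte
            i += 1
            continue
        length = seg[i + 1]
        if length < 2:           # malformed option, stop walking
            break
        if kind == MSS_KIND and length == 4:
            return i + 2, struct.unpack("!H", seg[i + 2:i + 4])[0]
        i += length
    return None

def clamp_mss(seg, mtu):
    """Mimic 'TCPMSS --clamp-mss-to-pmtu' on segments matching --tcp-flags SYN,RST SYN.

    Returns (segment, clamped). Non-SYN or RST segments pass through untouched,
    as does a SYN whose MSS already fits the MTU."""
    flags = seg[13]
    if not (flags & SYN) or (flags & RST):
        return seg, False
    limit = mss_for_mtu(mtu)
    found = parse_mss(seg)
    if found is None or found[1] <= limit:
        return seg, False
    pos, _ = found
    return seg[:pos] + struct.pack("!H", limit) + seg[pos + 2:], True
```

Running `clamp_mss(build_syn(1460), 1492)` rewrites the advertised MSS from 1460 (the Ethernet default the LAN hosts use) down to 1452, which is what keeps the TLS handshake's large certificate segments from exceeding the PPPoE path MTU.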