Hi
I made a complex firewall script that had very strange problems. It
took me plenty of time trying to find out what was wrong until I found
that even this simple script (that is said to be working in the NAT-HOWTO on
the netfilter website) had the same problems:
# Begin script
# Masquerade (source NAT) everything leaving through the ADSL link on ppp0
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Turn on IP forwarding so the kernel routes LAN packets to ppp0
echo 1 > /proc/sys/net/ipv4/ip_forward
# End script
These are the strange behaviors, which occur from a computer in the
LAN (and not from the firewall):
- Can access some http websites (www.lemonde.fr www.google.com ...)
- Can't access some http websites (www.yahoo.fr www.meteo-france.fr
www.kernel.org ...)
- Some apps that were working under an ipchains firewall (the
Roaring Penguin ADSL firewall script) do not work anymore.
Accessing a website was tested with Mozilla, MSIE, and finally I
tried a simple "telnet www.yahoo.fr 80" to see what was wrong. The
connection was accepted only the second time (it seems to always be like
this; I've had "no date" warning boxes popping up the first time with
Mozilla). Then I could type "GET", which produced no output (for the
servers concerned: www.kernel.org www.yahoo.fr ...). (Although we can
note that typing 'GET robots.txt' on these servers works fine.)
I can ping all these servers.
A friend told me that it could be websites with cookies that are
involved in the problem.
My config:
Firewall:
Processor: 486 DX 33 (is it enough?)
Connection type: ADSL (France Telecom, ECI modem) on ppp0
Kernel: Linux 2.4.18 + patch-o-matic 1.2.6a
(changing back to a fresh Linux 2.4.18 didn't change my problems)
iptables version: 1.2.6a
LAN device: NE2000 (10BASE-T) compatible device on eth0
ECN support doesn't change anything (it's currently off)
Syncookies are off too (and didn't change anything either)
LAN computer:
Linux or Win2000, with a bigger configuration than the firewall, connected on a
100 Mbit network device.
DNS servers are those of the provider or an internal DNS (that doesn't
change anything about my problems).
I'm quite surprised by this behavior, because my last firewall was
under ipchains and worked fine. (I'm currently switching back and forth
between the two firewalls to test the configurations.) The ipchains script
used on my previous working firewall was the one Roaring Penguin
provides in its PPPoE scripts for ADSL dynamic IP connections.
I would appreciate quick help. I'm quite new to firewalls and
iptables, so even if you don't have the solution, I'll be glad to learn
more. Do not hesitate to answer if you have something in mind.
Valentin LAB
mail: vaab at wanadoo.fr
Note 1: changing MASQUERADE to SNAT was tested and worked like MASQUERADE,
with the same behavior.
Note 2: of course, my policies are set to ACCEPT all packets.
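As an added example (not part of the original mail and not a diagnosis of the problem it describes), here is the two-line NAT script from the top of the message rewritten so that it can be re-run safely and so that it verifies what it changed: the MASQUERADE rule is added only if an identical one is not already present, and the ip_forward write is read back rather than trusted. WAN_IF, IP_FORWARD_FILE and DRY_RUN are names introduced here; the `iptables -C` check assumes a newer iptables than the 1.2.6a in the mail (the flag did not exist then), and DRY_RUN=1 (the default) only prints the commands so the script can be inspected without root.

```shell
# Added example, not the original poster's script. Assumptions: WAN_IF is the
# PPP interface, IP_FORWARD_FILE the forwarding sysctl file, and DRY_RUN=1
# prints the iptables command instead of executing it.
WAN_IF="${WAN_IF:-ppp0}"
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"
DRY_RUN="${DRY_RUN:-1}"

# Return 0 when the kernel is forwarding, 1 otherwise. Reads the same file the
# original script writes to, so the write can be verified afterwards.
forwarding_enabled() {
    [ -r "$IP_FORWARD_FILE" ] || return 1
    [ "$(cat "$IP_FORWARD_FILE")" = "1" ]
}

# Enable forwarding and read it back; a silently failed write would leave
# NAT configured but no packets routed, which looks like "the rule does nothing".
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "would write 1 to $IP_FORWARD_FILE"
        return 0
    fi
    echo 1 > "$IP_FORWARD_FILE" && forwarding_enabled
}

# The MASQUERADE rule from the mail, parameterised on the outgoing interface.
# Matching on -o keeps LAN-to-LAN traffic out of NAT.
masquerade_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE' "$1"
}

# Add the rule only once: 'iptables -C' (newer iptables) exits 0 when an
# identical rule already exists, so repeated runs do not stack duplicates.
ensure_masquerade() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: $(masquerade_rule "$WAN_IF")"
        return 0
    fi
    iptables -t nat -C POSTROUTING -o "$WAN_IF" -j MASQUERADE 2>/dev/null \
        || iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

ensure_masquerade
enable_forwarding
```

Run it as-is to see the commands it would issue; run with DRY_RUN=0 as root to apply them. Because the rule is checked before it is appended, the script can sit in an interface-up hook (for example a ppp ip-up script) without accumulating one MASQUERADE rule per reconnect.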