The UNIX and Linux Forums  

#1, 12-20-2007
Registered User (Join Date: Aug 2007, Posts: 9)
Can't access certain pages through iptables fw/router

Hey,
I have a problem with my routing setup I can't figure out. There is a unix router using iptables, and behind that a small LAN. Everything works when requesting directly from the router, but the machines behind that router can't access certain webpages, i.e. drupal.org (waits forever to establish connection), but everything else works fine here too. Read lots of logs and tried lots of things, can't fix it.
Please help me out.

Some info from the router:
Code:
Chain FW_INTERFACES (1 references)
 pkts bytes target     prot opt in     out     source               destination 
 970K  897M OK         all  --  eth1   *       0.0.0.0/0            0.0.0.0/0   
 727K  314M OK         all  --  *      eth1    0.0.0.0/0            0.0.0.0/0   
    0     0 OK         all  --  lo     *       0.0.0.0/0            0.0.0.0/0   

Chain FW_OPEN (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.2         tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.2         tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.2         tcp dpt:20
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.100       tcp dpt:6969
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.100       tcp dpt:6999
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.100       tcp dpt:9696
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.100       udp dpt:6969
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.100       udp dpt:6999
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.100       udp dpt:9696
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.100       udp dpt:9697

Chain FW_POST (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `REJECT: '
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-unreachable

Chain FW_PRE (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 OK         all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 TCPMSS     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 tcpmss match 1400:1536 TCPMSS clamp to PMTU

Chain FW_STANDARD (0 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain INPUT (policy DROP 1 packets, 228 bytes)
 pkts bytes target     prot opt in     out     source               destination 
2608K  482M INTERFACES  all  --  *      *       0.0.0.0/0            0.0.0.0/0  
 4038  343K PRE        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
 3424  289K OPEN       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
 3293  278K POST       all  --  *      *       0.0.0.0/0            0.0.0.0/0   

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
1698K 1210M FW_INTERFACES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FW_PRE     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
    0     0 FW_OPEN    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
    0     0 FW_POST    all  --  *      *       0.0.0.0/0            0.0.0.0/0   

Chain INTERFACES (1 references)
 pkts bytes target     prot opt in     out     source               destination 
2604K  482M OK         all  --  eth1   *       0.0.0.0/0            0.0.0.0/0   
    0     0 OK         all  --  lo     *       0.0.0.0/0            0.0.0.0/0   

Chain LOGDROP (1 references)
 pkts bytes target     prot opt in     out     source               destination 
 3293  278K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `DROP: '
 3293  278K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   

Chain OK (17 references)
 pkts bytes target     prot opt in     out     source               destination 
4302K 1692M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   

Chain OPEN (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 OK         tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 OK         tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21
    0     0 OK         tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20
  131 10251 OK         tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6969
    0     0 OK         tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6999
    0     0 OK         tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:9696
    0     0 OK         udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:6969
    0     0 OK         udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:6999
    0     0 OK         udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:9696
    0     0 OK         udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:9697

Chain OUTPUT (policy ACCEPT 4143K packets, 5712M bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain POST (1 references)
 pkts bytes target     prot opt in     out     source               destination 
 3293  278K LOGDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0   

Chain PRE (1 references)
 pkts bytes target     prot opt in     out     source               destination 
  250 23762 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  !ppp0  *       0.0.0.0/0            0.0.0.0/0           state NEW
  364 30979 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 16/sec burst 5
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/hour burst 5 LOG flags 0 level 4 prefix `ICMP Flood: '
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0   

Chain PREROUTING (policy ACCEPT 18728 packets, 1305K bytes)
 pkts bytes target     prot opt in     out     source               destination 
    2    96 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.0.2:80
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 to:192.168.0.2:21
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20 to:192.168.0.2:20
    3478  205K DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6969 to:192.168.0.100
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6999 to:192.168.0.100
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:9696 to:192.168.0.100
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:9697 to:192.168.0.100
  565 50450 DNAT       udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:6969 to:192.168.0.100
    0     0 DNAT       udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:9696 to:192.168.0.100
  951 90273 DNAT       udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:6999 to:192.168.0.100

Chain POSTROUTING (policy ACCEPT 5189 packets, 361K bytes)
 pkts bytes target     prot opt in     out     source               destination 
16441 1163K MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0  

Chain OUTPUT (policy ACCEPT 289 packets, 20792 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
lo1.br01.wup.de *               255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
default         *               0.0.0.0         U     0      0        0 ppp0


eth0      Link encap:Ethernet  HWaddr 00:18:4D:6F:03:EA
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:133859952 errors:0 dropped:0 overruns:0 frame:0
          TX packets:135042664 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1071938187 (1022.2 MiB)  TX bytes:3382055794 (3.1 GiB)
          Interrupt:12 Base address:0x6000

eth1      Link encap:Ethernet  HWaddr 00:0A:5E:5C:A2:C8
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:738524734 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1069843970 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1548990245 (1.4 GiB)  TX bytes:4268974017 (3.9 GiB)
          Interrupt:5

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:10513 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10513 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:508468 (496.5 KiB)  TX bytes:508468 (496.5 KiB)

ppp0      Link encap:Point-to-Point Protocol
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:731961 errors:0 dropped:0 overruns:0 frame:0
          TX packets:969751 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:313855937 (299.3 MiB)  TX bytes:895551024 (854.0 MiB)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
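A check a reader could run over a listing like the one posted above, added here as an example and not part of the original thread: it walks the chains reachable from FORWARD in `iptables -L -v -n` output and prints every rule whose packet counter is still 0. The embedded listing is an excerpt of the post's own output; the function names `sample_listing` and `unhit_rules` are made up for this example.

```sh
# Added example: list rules that never matched a packet in `iptables -L -v -n` output.
# Excerpt of the listing posted above (filter table, FORWARD path only).
sample_listing() {
cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1698K 1210M FW_INTERFACES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FW_PRE     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FW_OPEN    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FW_POST    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_INTERFACES (1 references)
 pkts bytes target     prot opt in     out     source               destination
 970K  897M OK         all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
 727K  314M OK         all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 OK         all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FW_PRE (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 OK         all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 TCPMSS     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 tcpmss match 1400:1536 TCPMSS clamp to PMTU

Chain OK (17 references)
 pkts bytes target     prot opt in     out     source               destination
4302K 1692M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# unhit_rules CHAIN: read a listing on stdin, walk CHAIN and every user chain it
# jumps to, and print "chain target in out" for each rule whose pkts counter is 0.
unhit_rules() {
    awk -v start="$1" '
    function walk(c,    i) {
        if (seen[c]++) return                    # visit each chain once
        for (i = 1; i <= count[c]; i++) {
            if (pkts[c, i] == "0")
                print c, tgt[c, i], inif[c, i], outif[c, i]
            if (tgt[c, i] in count)              # target is a listed user chain
                walk(tgt[c, i])
        }
    }
    /^Chain / { chain = $2; next }
    $1 == "pkts" || NF < 9 { next }              # column header or blank line
    { n = ++count[chain]; pkts[chain, n] = $1; tgt[chain, n] = $3
      inif[chain, n] = $6; outif[chain, n] = $7 }
    END { walk(start) }'
}

sample_listing | unhit_rules FORWARD
```

On a live router the function can read `iptables -L -v -n` directly instead of the embedded excerpt.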
#2, 12-21-2007
sysgate, Unix based (Join Date: Nov 2006, Location: /root, Posts: 1,070)
I don't see anything wrong in the config, I hope I didn't miss something. Is it possible that the user of the machine behind the router did something, on his side, to prevent access to certain sites? What do ping and traceroute say about the sites in question? Is this the only machine behind the router having issues with access?