can't access certain pages through iptables fw/router


 
# 1  
Old 12-20-2007

hey,
i have a problem with my routing setup i can't figure out. there is a unix router using iptables, and behind that a small lan. everything works when requesting directly from the router, but the machines behind that router can't access certain webpages, i.e. drupal.org (waits forever to establish connection), but everything else works fine here too. read lots of logs and tried lots of things, can't fix it.
please help me out.

some info from the router:
Code:
Chain FW_INTERFACES (1 references)
 pkts bytes target     prot opt in     out     source               destination 
 970K  897M OK         all  --  eth1   *       0.0.0.0/0            0.0.0.0/0   
 727K  314M OK         all  --  *      eth1    0.0.0.0/0            0.0.0.0/0   
    0     0 OK         all  --  lo     *       0.0.0.0/0            0.0.0.0/0   

Chain FW_OPEN (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.2         tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.2         tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.2         tcp dpt:20
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.100       tcp dpt:6969
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.100       tcp dpt:6999
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.100       tcp dpt:9696
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.100       udp dpt:6969
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.100       udp dpt:6999
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.100       udp dpt:9696
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.100       udp dpt:9697

Chain FW_POST (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `REJECT: '
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-unreachable

Chain FW_PRE (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 OK         all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 TCPMSS     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 tcpmss match 1400:1536 TCPMSS clamp to PMTU

Chain FW_STANDARD (0 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain INPUT (policy DROP 1 packets, 228 bytes)
 pkts bytes target     prot opt in     out     source               destination 
2608K  482M INTERFACES  all  --  *      *       0.0.0.0/0            0.0.0.0/0  
 4038  343K PRE        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
 3424  289K OPEN       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
 3293  278K POST       all  --  *      *       0.0.0.0/0            0.0.0.0/0   

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
1698K 1210M FW_INTERFACES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FW_PRE     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
    0     0 FW_OPEN    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
    0     0 FW_POST    all  --  *      *       0.0.0.0/0            0.0.0.0/0   

Chain INTERFACES (1 references)
 pkts bytes target     prot opt in     out     source               destination 
2604K  482M OK         all  --  eth1   *       0.0.0.0/0            0.0.0.0/0   
    0     0 OK         all  --  lo     *       0.0.0.0/0            0.0.0.0/0   

Chain LOGDROP (1 references)
 pkts bytes target     prot opt in     out     source               destination 
 3293  278K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `DROP: '
 3293  278K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   

Chain OK (17 references)
 pkts bytes target     prot opt in     out     source               destination 
4302K 1692M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   

Chain OPEN (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 OK         tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 OK         tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21
    0     0 OK         tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20
  131 10251 OK         tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6969
    0     0 OK         tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6999
    0     0 OK         tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:9696
    0     0 OK         udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:6969
    0     0 OK         udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:6999
    0     0 OK         udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:9696
    0     0 OK         udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:9697

Chain OUTPUT (policy ACCEPT 4143K packets, 5712M bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain POST (1 references)
 pkts bytes target     prot opt in     out     source               destination 
 3293  278K LOGDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0   

Chain PRE (1 references)
 pkts bytes target     prot opt in     out     source               destination 
  250 23762 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  !ppp0  *       0.0.0.0/0            0.0.0.0/0           state NEW
  364 30979 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 16/sec burst 5
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/hour burst 5 LOG flags 0 level 4 prefix `ICMP Flood: '
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
Chain PREROUTING (policy ACCEPT 18728 packets, 1305K bytes)
 pkts bytes target     prot opt in     out     source               destination 
    2    96 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.0.2:80
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 to:192.168.0.2:21
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20 to:192.168.0.2:20
    3478  205K DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6969 to:192.168.0.100
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6999 to:192.168.0.100
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:9696 to:192.168.0.100
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:9697 to:192.168.0.100
  565 50450 DNAT       udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:6969 to:192.168.0.100
    0     0 DNAT       udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:9696 to:192.168.0.100
  951 90273 DNAT       udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:6999 to:192.168.0.100

Chain POSTROUTING (policy ACCEPT 5189 packets, 361K bytes)
 pkts bytes target     prot opt in     out     source               destination 
16441 1163K MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0  

Chain OUTPUT (policy ACCEPT 289 packets, 20792 bytes)
 pkts bytes target     prot opt in     out     source               destination 
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
lo1.br01.wup.de *               255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
default         *               0.0.0.0         U     0      0        0 ppp0


eth0      Link encap:Ethernet  HWaddr 00:18:4D:6F:03:EA
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:133859952 errors:0 dropped:0 overruns:0 frame:0
          TX packets:135042664 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1071938187 (1022.2 MiB)  TX bytes:3382055794 (3.1 GiB)
          Interrupt:12 Base address:0x6000

eth1      Link encap:Ethernet  HWaddr 00:0A:5E:5C:A2:C8
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:738524734 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1069843970 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1548990245 (1.4 GiB)  TX bytes:4268974017 (3.9 GiB)
          Interrupt:5

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:10513 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10513 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:508468 (496.5 KiB)  TX bytes:508468 (496.5 KiB)

ppp0      Link encap:Point-to-Point Protocol
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:731961 errors:0 dropped:0 overruns:0 frame:0
          TX packets:969751 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:313855937 (299.3 MiB)  TX bytes:895551024 (854.0 MiB)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
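
A counter audit of the FORWARD path in the listing above, as an added example that is not part of the original post: it parses `iptables -L -v -n` output and lists every rule whose packet counter is still zero, which here includes the TCPMSS clamp in FW_PRE. `parse_listing` and `never_matched` are names made up for this example, and the embedded listing is a trimmed excerpt of the poster's output.

```python
# Excerpt of the `iptables -L -v -n` listing posted above (FORWARD path only).
LISTING = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1698K 1210M FW_INTERFACES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FW_PRE     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FW_OPEN    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FW_POST    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_INTERFACES (1 references)
 pkts bytes target     prot opt in     out     source               destination
 970K  897M OK         all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
 727K  314M OK         all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain FW_PRE (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 OK         all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 TCPMSS     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 tcpmss match 1400:1536 TCPMSS clamp to PMTU
"""


def parse_listing(text):
    """Return {chain: [(pkts, target, in_if, out_if, match), ...]}."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = chains.setdefault(line.split()[1], [])
            continue
        f = line.split(None, 9)  # nine fixed columns, then the match text
        if current is None or len(f) < 9 or f[0] == "pkts":
            continue  # blank line or column header
        current.append((f[0], f[2], f[5], f[6], f[9].strip() if len(f) > 9 else ""))
    return chains


def never_matched(chains, start):
    """List zero-counter rules in `start` and in every user chain it jumps to."""
    found, todo = [], [start]
    for chain in todo:  # todo grows as jumps to user chains are discovered
        for pkts, target, in_if, out_if, match in chains.get(chain, []):
            if target in chains and target not in todo:
                todo.append(target)
            if pkts == "0":
                found.append((chain, target, in_if, out_if, match))
    return found


for hit in never_matched(parse_listing(LISTING), "FORWARD"):
    print(*hit)
```

A zero counter means no packet has reached and matched that rule since the counters were last reset; it does not by itself say why.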

# 2  
Old 12-21-2007
I don't see anything wrong in the config, I hope I didn't miss something. Is it possible that the user of the machine behind the router did something, on his side, to prevent access to certain sites? What do ping and traceroute say about the sites in question? Is this the only machine behind the router having issues with access?