Hello again,

That was one of the first things I checked and it is set to 0. (I remembered having the problem with Squid a while back.)

Any other ideas?

Ryan

-----Original Message-----
From: Jörg Harmuth [mailto:harmuth@xxxxxxxxx]
Sent: Monday, April 11, 2005 5:34 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Strange connection problems.

Hi,

I had the same problem some time ago. In my case the remote sites were not capable of ECN. Disabling ECN solved the problem for me:

echo 0 > /proc/sys/net/ipv4/tcp_ecn

Of course, your problem may be totally different - you will see.

Have a nice time,
Jörg

Ryan Belcher wrote:
> Hi All,
>
> Below I've posted my FW config. It's handling 3 interfaces: ppp0, eth0, and ath0.
> It's on Linux kernel version 2.6.10.
>
> Pretty much everything works as I expect except for a strange issue with certain websites while trying to connect from clients within my network. For example, penny-arcade.com, americanexpress.com SSL logins, and a few others. If you want to poke at this configuration, penny-arcade will appear to begin connection but after the SYN, ACK, then HTTP GET sequence, the HTTP response never gets here (according to Ethereal anyways). If I try connecting from the actual firewalling box itself, it works fine.
>
> Does anyone have any ideas?
>
> Thanks,
>
> Ryan
> -----------------Snip----------------
> IPTABLES=/usr/sbin/iptables
> DEPMOD=/sbin/depmod
> MODPROBE=/sbin/modprobe
> IFCONFIG=/sbin/ifconfig
> AWK=/usr/bin/awk
> GETIP=/usr/bin/gethostip
> PENGUIN=192.168.0.4
> BRENT=192.168.0.12
> MERCURY=192.168.0.3
> EXTIF="ppp0"
> INTIF="eth0"
> WIRLS="ath0"
> echo " External Interface: $EXTIF"
> echo " Internal Interface: $INTIF"
> echo " Wireless Interface: $WIRLS"
> echo " Enabling forwarding.."
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo " Enabling DynamicAddr.."
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>
> # Start doing something...
> echo " Clearing any existing rules and setting default policy.."
> $IPTABLES -P INPUT DROP
> $IPTABLES -F INPUT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -F OUTPUT
> $IPTABLES -P FORWARD DROP
> $IPTABLES -F FORWARD
> $IPTABLES -t nat -F
> $IPTABLES -t filter -F
> $IPTABLES -t mangle -F
>
> echo " FWD: Allow all connections OUT and only existing and related ones IN"
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> $IPTABLES -A FORWARD -i $WIRLS -o $EXTIF -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $WIRLS -j ACCEPT
> $IPTABLES -A FORWARD -i $WIRLS -o $INTIF -j ACCEPT
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $EXTIF -o $WIRLS -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -j LOG
>
> echo " INPUT: Allow local connections in. Nothing from the outside though."
> $IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -i $INTIF -j ACCEPT
> $IPTABLES -A INPUT -i $WIRLS -j ACCEPT
>
> echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>
> EXTIP="`$IFCONFIG $EXTIF | $AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
>
> #Enable Port forward...Webserver
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state \
>   --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 80 -j DNAT --to $PENGUIN:80
>
> #Brent
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 4747 -m state \
>   --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 4747 -j DNAT --to $BRENT:4747
>
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 6112 -m state \
>   --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 6112 -j DNAT --to $BRENT:6112
>
> #Common Services to penguin
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 20:25 -m state \
>   --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 20:25 -j DNAT --to $PENGUIN
>
> #BITTORRENT
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 6880:6899 -j ACCEPT
>
>
> echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
> -----------------/Snip---------------
>
>

--
-----------------------------------------------------------------------
mnemon
Jörg Harmuth
Marie-Curie.Str. 1
53359 Rheinbach
Tel.: (+49) 22 26 87 18 12
Fax: (+49) 22 26 87 18 19
mail: harmuth@xxxxxxxxx
Web: http://www.mnemon.de
PGP-Key: http://www.mnemon.de/keys/harmuth_mnemon.asc
PGP-Fingerprint: 692E 4476 0838 60F8 99E2 7F5D B7D7 E48E 267B 204F
-----------------------------------------------------------------------
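Jörg's hypothesis is that some remote sites cannot handle ECN, which is negotiated in the TCP handshake (ECE+CWR on the SYN, ECE on the SYN/ACK). The following is an added example, not code from the thread: it classifies the ECN outcome of a handshake from raw TCP headers, so a capture like Ryan's Ethereal trace can be checked site by site instead of toggling tcp_ecn blindly. The traces and port numbers are constructed for illustration.

```python
import struct

# TCP flag bits, low byte of the header flags field (RFC 793; ECE/CWR from RFC 3168)
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))


def build_tcp(sport, dport, flags, seq=0, ack=0):
    """Constructed minimal 20-byte TCP header: no options, checksum left zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def tcp_flags(segment):
    """Low 8 flag bits live in byte 13 of the TCP header (byte 12 holds data offset + NS)."""
    return segment[13]


def ecn_negotiation(segments):
    """Classify the ECN part of a handshake from its raw TCP headers.

    A client with tcp_ecn enabled sets ECE+CWR on its SYN; an ECN-capable
    server answers with ECE on the SYN/ACK. Returns one of:
    'not-requested', 'negotiated', 'refused', 'no-response'.
    """
    syn = next((s for s in segments if tcp_flags(s) & SYN and not tcp_flags(s) & ACK), None)
    synack = next((s for s in segments if (tcp_flags(s) & (SYN | ACK)) == (SYN | ACK)), None)
    if syn is None:
        raise ValueError("trace contains no SYN")
    if (tcp_flags(syn) & (ECE | CWR)) != (ECE | CWR):
        return "not-requested"  # ECN was never asked for, so ECN cannot be the culprit
    if synack is None:
        return "no-response"  # ECN SYN went unanswered: the ECN-intolerant peer/middlebox case
    return "negotiated" if tcp_flags(synack) & ECE else "refused"


# Constructed traces standing in for what a sniffer would show for three remote sites
TRACES = {
    "ecn-capable-site": [build_tcp(40000, 80, SYN | ECE | CWR), build_tcp(80, 40000, SYN | ACK | ECE, ack=1)],
    "ecn-refusing-site": [build_tcp(40001, 443, SYN | ECE | CWR), build_tcp(443, 40001, SYN | ACK, ack=1)],
    "ecn-blackhole-site": [build_tcp(40002, 80, SYN | ECE | CWR)],
}


def classify_traces(traces=TRACES):
    """Map each site name to its ECN handshake outcome."""
    return {name: ecn_negotiation(segs) for name, segs in traces.items()}


if __name__ == "__main__":
    for site, outcome in classify_traces().items():
        print(f"{site}: {outcome}")
```

A "refused" result is harmless (the connection simply runs without ECN); only "no-response" points at an ECN-intolerant path, which is the case the tcp_ecn sysctl works around.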