Hello Luis,

I've already got one running. All of the sites resolve just fine, but they
just won't actually load the pages. I ran Ethereal and compared the client
traffic to the traffic generated by the firewall box itself, and the only
(effective) difference I saw was that the HTTP reply to the HTTP GET request
never even reached the ppp0 interface when the clients were connecting.

Ryan

-----Original Message-----
From: Luis Nieto [mailto:luismnieto@xxxxxxxxx]
Sent: Monday, April 11, 2005 10:45 AM
To: Ryan Belcher
Subject: Re: Strange connection problems.

Install an internal DNS server, and configure the ISP's DNS servers as
forwarders in named.conf.

On Apr 11, 2005 11:38 AM, Ryan Belcher <Ryanb@xxxxxxxxxxxx> wrote:
> Hello again,
>
> That was one of the first things I checked and it is set to 0. (I
> remembered having the problem with Squid a while back).
>
> Any other ideas?
>
> Ryan
>
> -----Original Message-----
> From: Jörg Harmuth [mailto:harmuth@xxxxxxxxx]
> Sent: Monday, April 11, 2005 5:34 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: Strange connection problems.
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I had the same problem some time ago. In my case the remote sites were
> not capable of ECN. Disabling ECN solved the problem for me:
>
> echo 0 > /proc/sys/net/ipv4/tcp_ecn
>
> Of course, your problem may be totally different - you will see.
>
> Have a nice time,
>
> Jörg
>
> Ryan Belcher wrote:
> > Hi All,
> >
> > Below I've posted my FW config. It's handling 3 interfaces: ppp0, eth0
> > and ath0. It's on Linux kernel version 2.6.10.
> >
> > Pretty much everything works as I expect except for a strange issue
> > with certain websites while trying to connect from clients within my
> > network. For example, penny-arcade.com, americanexpress.com SSL logins,
> > and a few others. If you want to poke at this configuration,
> > penny-arcade will appear to begin connection but after the SYN, ACK,
> > then HTTP GET sequence, the HTTP response never gets here (according to
> > Ethereal anyways). If I try connecting from the actual firewalling box
> > itself, it works fine.
> >
> > Does anyone have any ideas?
> >
> > Thanks,
> >
> > Ryan
> > -----------------Snip----------------
> > IPTABLES=/usr/sbin/iptables
> > DEPMOD=/sbin/depmod
> > MODPROBE=/sbin/modprobe
> > IFCONFIG=/sbin/ifconfig
> > AWK=/usr/bin/awk
> > GETIP=/usr/bin/gethostip
> > PENGUIN=192.168.0.4
> > BRENT=192.168.0.12
> > MERCURY=192.168.0.3
> > EXTIF="ppp0"
> > INTIF="eth0"
> > WIRLS="ath0"
> > echo " External Interface: $EXTIF"
> > echo " Internal Interface: $INTIF"
> > echo " Wireless Interface: $WIRLS"
> > echo " Enabling forwarding.."
> > echo "1" > /proc/sys/net/ipv4/ip_forward
> > echo " Enabling DynamicAddr.."
> > echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> >
> > # Start doing something...
> > echo " Clearing any existing rules and setting default policy.."
> > $IPTABLES -P INPUT DROP
> > $IPTABLES -F INPUT
> > $IPTABLES -P OUTPUT ACCEPT
> > $IPTABLES -F OUTPUT
> > $IPTABLES -P FORWARD DROP
> > $IPTABLES -F FORWARD
> > $IPTABLES -t nat -F
> > $IPTABLES -t filter -F
> > $IPTABLES -t mangle -F
> >
> > echo " FWD: Allow all connections OUT and only existing and related ones IN"
> > $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> > $IPTABLES -A FORWARD -i $WIRLS -o $EXTIF -j ACCEPT
> > $IPTABLES -A FORWARD -i $INTIF -o $WIRLS -j ACCEPT
> > $IPTABLES -A FORWARD -i $WIRLS -o $INTIF -j ACCEPT
> > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A FORWARD -i $EXTIF -o $WIRLS -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A FORWARD -j LOG
> >
> > echo " INPUT: Allow local connections in. Nothing from the outside though."
> > $IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A INPUT -i $INTIF -j ACCEPT
> > $IPTABLES -A INPUT -i $WIRLS -j ACCEPT
> >
> > echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
> > $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> >
> > EXTIP="`$IFCONFIG $EXTIF | $AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
> >
> > #Enable Port forward...Webserver
> > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state \
> > --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 80 -j DNAT --to $PENGUIN:80
> >
> > #Brent
> > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 4747 -m state \
> > --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 4747 -j DNAT --to $BRENT:4747
> >
> > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 6112 -m state \
> > --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 6112 -j DNAT --to $BRENT:6112
> >
> > #Common Services to penguin
> > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 20:25 -m state \
> > --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 20:25 -j DNAT --to $PENGUIN
> >
> > #BITTORRENT
> > $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 6880:6899 -j ACCEPT
> >
> > echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
> > -----------------/Snip---------------
> >
> >
> - --
> - -----------------------------------------------------------------------
> mnemon
> Jörg Harmuth
> Marie-Curie.Str. 1
> 53359 Rheinbach
>
> Tel.: (+49) 22 26 87 18 12
> Fax: (+49) 22 26 87 18 19
> mail: harmuth@xxxxxxxxx
> Web: http://www.mnemon.de
> PGP-Key: http://www.mnemon.de/keys/harmuth_mnemon.asc
> PGP-Fingerprint: 692E 4476 0838 60F8 99E2 7F5D B7D7 E48E 267B 204F
> - -----------------------------------------------------------------------
> This mail was checked for viruses and other malicious software before
> sending. No malicious software was detected.
> - -----------------------------------------------------------------------
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFCWkRut9fkjiZ7IE8RAo+BAJwJEVwkWIzcSbOAcnbYW5ZNjs5jsgCfTc4/
> kEnCandN3ZPnXh4+GhMoLb4=
> =7BIz
> -----END PGP SIGNATURE-----
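As an added example, not part of the thread and not Ryan's script: a small Python auditor that reads an rc.firewall-style script of the kind posted above and answers the review questions one would ask of it before chasing the ECN or DNS theories: what the chain policies are, which ACCEPT rules admit packets arriving on the external interface with no conntrack state match (the only way a brand-new inbound connection gets in), which ports the DNAT rules expose to inside hosts, and which shell variables the rules reference but the script never assigns. It assumes the script drives iptables through an `$IPTABLES` variable, as the posted one does. `SAMPLE` is a trimmed copy of that script; `$EXTIP` is left unassigned on purpose, because the original fills it from `ifconfig` at run time.

```python
import re
import shlex
from types import SimpleNamespace

# Trimmed copy of the rc.firewall script from the thread. EXTIP, which the
# original reads from ifconfig at run time, is left unassigned so the audit reports it.
SAMPLE = r'''
IPTABLES=/usr/sbin/iptables
PENGUIN=192.168.0.4
BRENT=192.168.0.12
EXTIF="ppp0"
INTIF="eth0"
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 80 -j DNAT --to $PENGUIN:80
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 4747 -j DNAT --to $BRENT:4747
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 20:25 -j DNAT --to $PENGUIN
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 6880:6899 -j ACCEPT
'''

ASSIGN = re.compile(r'^([A-Za-z_]\w*)=("?)([^"\s]*)\2$')   # NAME=value or NAME="value"


def expand(token, env):
    """Substitute $NAME from env; names the script never assigns stay literal."""
    return re.sub(r'\$(\w+)', lambda m: env.get(m.group(1), m.group(0)), token)


def parse_rule(words):
    """Turn one iptables argv into a rule record; flush/zero commands yield None."""
    rule, i = SimpleNamespace(table='filter', chain='', kind='', opts={}), 1
    while i < len(words):
        w, nxt = words[i], words[i + 1] if i + 1 < len(words) else ''
        if w == '-t':
            rule.table, i = nxt, i + 2
        elif w in ('-A', '-I'):
            rule.kind, rule.chain, i = 'append', nxt, i + 2
        elif w == '-P':
            rule.kind, rule.chain, rule.opts['policy'], i = 'policy', nxt, words[i + 2], i + 3
        elif w in ('-F', '-X', '-Z'):
            return None
        elif w.startswith('-') and nxt and not nxt.startswith('-'):
            rule.opts[w], i = nxt, i + 2          # option with one value, e.g. --dport 80
        else:
            i += 1                                # bare flag such as -f: skip it
    return rule if rule.chain else None


def parse_script(text):
    """Return (env, rules) for a script that drives iptables through $IPTABLES."""
    env, rules = {}, []
    for line in text.replace('\\\n', ' ').splitlines():   # join backslash continuations
        m = ASSIGN.match(line.strip())
        if m:
            env[m.group(1)] = m.group(3)
            continue
        words = [expand(w, env) for w in shlex.split(line, comments=True)]
        if words and words[0] == env.get('IPTABLES', 'iptables'):
            rule = parse_rule(words)
            if rule is not None:
                rules.append(rule)
    return env, rules


def policies(rules):
    return {r.chain: r.opts['policy'] for r in rules if r.kind == 'policy'}


def stateless_external_accepts(rules, extif):
    """ACCEPTs on extif with no conntrack state match: each admits new inbound connections."""
    return [(r.chain, r.opts.get('-p', 'all'), r.opts.get('--dport', 'any'))
            for r in rules if r.kind == 'append' and r.table == 'filter'
            and r.opts.get('-i') == extif and r.opts.get('-j') == 'ACCEPT'
            and not any(k in r.opts for k in ('--state', '--ctstate'))]


def exposed_dnat(rules):
    """(proto, dport, target) per DNAT rule: what the box forwards to inside hosts."""
    return sorted((r.opts.get('-p', 'all'), r.opts.get('--dport', 'any'), r.opts['--to'])
                  for r in rules if r.table == 'nat' and r.opts.get('-j') == 'DNAT')


def unresolved_references(rules):
    """Values still holding a $NAME the script never assigns. In the thread's script
    $EXTIP is read from ifconfig once, pinning the DNAT rules to that address."""
    return sorted({v for r in rules for v in r.opts.values() if v.startswith('$')})


if __name__ == '__main__':
    env, rules = parse_script(SAMPLE)
    print(policies(rules), stateless_external_accepts(rules, env['EXTIF']),
          exposed_dnat(rules), unresolved_references(rules), sep='\n')
```

Run against the sample, the only stateless inbound accept is the BitTorrent rule on INPUT (tcp 6880:6899), the DNAT exposures are tcp 80, 4747 and 20:25, and `$EXTIP` comes back unresolved. That last finding is worth a second look on a ppp0 link with ip_dynaddr enabled: the DNAT rules match the address captured when the script last ran, so they stop matching after the PPP address changes until the script is re-run. The parser only understands the option shapes used in the posted script (one value per option, `-m state --state ...`); it does not model rule order or the `!` negation.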