[clug] iptables won't let www/http traffic through

Rousak, Boris Boris.Rousak at actewagl.com.au
Fri Jun 25 02:00:36 GMT 2004


Greetings all,

OK, I am trying to configure an iptables firewall to act as a
firewall/router to my home network. Please assume not much previous
experience configuring iptables or ipchains :)

I have set it up so that there are 2 network interfaces, eth0 pointing at my
home network and eth1 pointing at my ADSL modem. 

I am using the nat masquerade thing to do forwarding and that works fine.

The filtering side is configured so that it starts out by blocking
absolutely everything - and by blocking I mean dropping (no replies) on both
ends. Subsequently I start opening ports to allow traffic through.

I am able to open port 53 for DNS requests, port 21 for FTP or port 6667 for
IRC etc. on the internal network side and it all works fine, i.e. an internal
machine can connect to an external IRC/FTP server.
However, every time I try to open port 80 (both TCP and UDP) for the WWW I
can't get my browser to see anything.

A quick snoop of the traffic reveals that, when there is no firewall, the
browser is able to complete the 3-way handshake thingy with the website, i.e.
SYN, SYN ACK, ACK. When the firewall is on though, the browser sends out a SYN
and gets back a RST, ACK instead of a SYN ACK, so then it sends another SYN
again and gets the same reply. This goes on until the browser times out. As
you can see, the weird thing is that the packets get back from the internet
to my machine behind the firewall.

Can anyone explain to me what's going on here, or point me in the direction
of where I should be looking.

Cheers,
Boris
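As an added example (not part of Boris's post or anything from the list), here is a small Python script that classifies TCP handshake outcomes from tcpdump-style lines, so the "SYN answered by RST/ACK, then SYN again" pattern described above can be picked out per destination instead of by eye. The capture lines, addresses and ports are constructed for the demo.

```python
import re

# Constructed tcpdump-style lines (not a real capture). Flow 40001 completes
# a normal handshake; flow 40002 to port 80 gets RST/ACK and retries its SYN;
# flow 40003 to port 53 never gets any reply.
SAMPLE = """\
12:00:01.000 IP 192.168.1.10.40001 > 203.0.113.5.80: Flags [S], seq 1
12:00:01.050 IP 203.0.113.5.80 > 192.168.1.10.40001: Flags [S.], seq 2, ack 2
12:00:01.051 IP 192.168.1.10.40001 > 203.0.113.5.80: Flags [.], ack 3
12:00:05.000 IP 192.168.1.10.40002 > 198.51.100.7.80: Flags [S], seq 1
12:00:05.040 IP 198.51.100.7.80 > 192.168.1.10.40002: Flags [R.], seq 0, ack 2
12:00:08.000 IP 192.168.1.10.40002 > 198.51.100.7.80: Flags [S], seq 1
12:00:08.040 IP 198.51.100.7.80 > 192.168.1.10.40002: Flags [R.], seq 0, ack 2
12:00:10.000 IP 192.168.1.10.40003 > 203.0.113.5.53: Flags [S], seq 1
"""

LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def classify_handshakes(text):
    """Map each client->server 4-tuple to {'outcome', 'syns'}.
    outcome is 'completed', 'syn_ack' (no final ACK seen), 'reset' or 'unanswered'."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        fwd = (src, int(sport), dst, int(dport))   # client -> server
        rev = (dst, int(dport), src, int(sport))   # the flow this packet replies to
        if flags == "S":                            # client SYN (first or retried)
            f = flows.setdefault(fwd, {"outcome": "unanswered", "syns": 0})
            f["syns"] += 1
        elif rev in flows:                          # packet from the server side
            if "R" in flags:
                flows[rev]["outcome"] = "reset"
            elif flags == "S.":
                flows[rev]["outcome"] = "syn_ack"
        elif fwd in flows and flags == "." and flows[fwd]["outcome"] == "syn_ack":
            flows[fwd]["outcome"] = "completed"     # client's third handshake packet
    return flows

def reset_destinations(flows, port=80):
    """Servers on `port` whose response to our SYNs was a reset."""
    return sorted({k[2] for k, v in flows.items()
                   if k[3] == port and v["outcome"] == "reset"})

if __name__ == "__main__":
    for flow, info in classify_handshakes(SAMPLE).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  "
              f"{info['outcome']} after {info['syns']} SYN(s)")
```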
