NAT help?

Murray, WJ (Bill) W.J.Murray at rl.ac.uk
Sun Sep 18 21:32:15 UTC 2005


Hello list,
I have a small problem with my home network - maybe someone could help?
I have a firewall/router doing NAT, which works for machines behind it 99%
of the time, but some websites are inaccessible.

  e.g. Linuxtoday.com

If I look at the ethereal logs for all interfaces on the router box, and
run firefox on the firewall machine itself, I see an [ACK] packet from
port 33439 followed by a [SYN] from 33440. And then the rest happens.
Doing the same thing on a machine inside, I see the TCP packet [ACK]
first going in, as from [my-local-address] to [linuxtoday.com], and then
out as [my-global-address] to [linuxtoday.com], both from port 35598, but
no [SYN] packet is sent. It just hangs at that point.

It wouldn't be too bad, but many financial WWW sites hang here.
Konqueror hangs too, so it seems to be NAT related. My rules are simple:

iptables -F; iptables -t nat -F; iptables -t mangle -F
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i ppp0 -j ACCEPT   # "! -i" is the current syntax for the older "-i !"
iptables -P INPUT DROP   # only if the first two are successful
iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT

Plus one or two specific ports accepted.

  Can anyone see an obvious problem?
      Thank you,
              Bill
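The symptom above is a flow whose first packet on the wire is an [ACK] with no [SYN] before it. The script below is an added example, not code from the post: it walks a small constructed capture in a tcpdump-like text form (interface, endpoints, tcpdump flag letters; the addresses and the `parse_capture`/`flows_without_syn` names are assumptions) and reports every flow that starts without a SYN, which is what the poster saw on both the inside (eth0, assumed name) and the ppp0 side.

```python
import re

# Constructed sample capture (not from the original post), one packet per line:
#   <iface> <src>:<port> > <dst>:<port> [<tcpdump flag letters>]
# 'S' = SYN, '.' = ACK, 'S.' = SYN+ACK. Addresses are documentation ranges.
SAMPLE_CAPTURE = """\
ppp0 203.0.113.5:33439 > 198.51.100.10:80 [.]
ppp0 203.0.113.5:33440 > 198.51.100.10:80 [S]
ppp0 198.51.100.10:80 > 203.0.113.5:33440 [S.]
ppp0 203.0.113.5:33440 > 198.51.100.10:80 [.]
eth0 192.168.1.20:35598 > 198.51.100.10:80 [.]
ppp0 203.0.113.5:35598 > 198.51.100.10:80 [.]
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+\[(?P<flags>[^\]]*)\]$")

def parse_capture(text):
    """Yield one dict per packet line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
            yield pkt

def flow_key(pkt):
    """Direction-independent key so a SYN and its SYN/ACK land in one flow."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (a, b) if a <= b else (b, a)

def flows_without_syn(text):
    """Return [(iface, src, sport, dst, dport), ...] for each packet that is
    the first one seen on its flow but carries no SYN: an ACK with no
    handshake before it, as in the post."""
    seen = set()
    suspicious = []
    for pkt in parse_capture(text):
        key = flow_key(pkt)
        if key in seen:
            continue
        seen.add(key)
        if "S" not in pkt["flags"]:
            suspicious.append((pkt["iface"], pkt["src"], pkt["sport"],
                               pkt["dst"], pkt["dport"]))
    return suspicious

if __name__ == "__main__":
    for entry in flows_without_syn(SAMPLE_CAPTURE):
        print("flow started without SYN:", entry)
```

On the sample, port 33439 and both copies of port 35598 (pre- and post-NAT) are reported, while the 33440 flow, which begins with a proper SYN, is not.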

