
Re: iptables firewall and web sites not loading



On 12/10/2019 12:01 AM, Nektarios Katakis wrote:
> Hello,
>
> I am running an iptables firewall on an openwrt router I've got. Which
> acts as Firewall/gateway and performs NATing for my internal network -
> debian PCs and android phones.
>
> All good but specific web sites are not loading for the machines that
> are sitting behind the home router.
>
> When attempting on the browser (firefox but tried different ones) the
> browser stays at `Performing a TLS handshake to bitbucket.org`. wget has
> similar results:
> ```
> wget  https://bitbucket.org
> --2019-12-09 22:07:32--  https://bitbucket.org/
> Resolving bitbucket.org (bitbucket.org)... 18.205.93.0, 18.205.93.1, 18.205.93.2, ...
> Connecting to bitbucket.org (bitbucket.org)|18.205.93.0|:443... connected.
> ```
> When doing a tcpdump on the router side I can see some initial TCP
> session establishment and then nothing:
> ```
> tcpdump -vvvi br-lan port 443 | grep bitbucket.org
> tcpdump: listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
>     192.168.2.168.54440 > bitbucket.org.443: Flags [S], cksum 0xb3a3 (correct), seq 2816225641, win 29200, options [mss 1460,sackOK,TS val 15744661 ecr 0,nop,wscale 7], length 0
> bitbucket.org.443 > 192.168.2.168.54440: Flags [S.], cksum 0x5c8d (correct), seq 1149625734, ack 2816225642, win 26847, options [mss 1460,sackOK,TS val 4256708721 ecr 15744661,nop,wscale 7], length 0
> 192.168.2.168.54440 > bitbucket.org.443: Flags [.], cksum 0xf33d (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 15744683 ecr 4256708721], length 0
> 192.168.2.168.54440 > bitbucket.org.443: Flags [P.], cksum 0x58a5 (correct), seq 1:221, ack 1, win 229, options [nop,nop,TS val 15744684 ecr 4256708721], length 220
> bitbucket.org.443 > 192.168.2.168.54440: Flags [.], cksum 0xf211 (correct), seq 1, ack 221, win 219, options [nop,nop,TS val 4256708810 ecr 15744684], length 0
> bitbucket.org.443 > 192.168.2.168.54440: Flags [P.], cksum 0x9998 (correct), seq 2897:3668, ack 221, win 219, options [nop,nop,TS val 4256708810 ecr 15744684], length 771
> 192.168.2.168.54440 > bitbucket.org.443: Flags [.], cksum 0x4e08 (correct), seq 221, ack 1, win 251, options [nop,nop,TS val 15744705 ecr 4256708810,nop,nop,sack 1 {2897:3668}], length 0
> ```
>
> Of course doing a wget from the router itself works fine as it also
> works fine on my desktop if I do dynamic port-forwarding with eg. `ssh
> -D 1050 router` (and configure of course firefox to use it).
>
> I'm not sure what might be wrong here tbh. Of course other (most) sites
> work fine without dynamic forwarding or anything.
>
> I am attaching the output of `iptables --list-rules` for whoever is
> patient enough to read.
>
> Any help would be appreciated.
>

Are you still seeing the error if you do:

$ /etc/init.d/firewall stop


WARNING: You will not have any firewall protection if you do that

Is the issue still manifesting itself if the configuration is reset to
factory default?


This is a Debian mailing list, you might be better off on the OpenWrt forum.

--
John Doe

