masquerading problem with some websites
Hi,
I have a woody DSL gateway setup running kernel 2.4.17 and a self-made
iptables firewall/masquerading script.
Everything works fine, except for some websites. Two examples are
www.ubl.com and www.spiegel.de. I can reach both without any problem
from the gateway but not from the masqueraded machines. I tested with
wget -d <url>
ubl.com gives me an HTTP 302 and the new location ubl.artistdirect.com. I
even get an HTTP 200 from there, but then wget is stuck trying to load.
For spiegel.de I don't even get a response to the first request. On the
gateway, wget gets an HTTP 200 and mentions a cache hit.
Below I listed the outputs of the wget calls on both machines to both
targets. First I thought my firewall rules were responsible, but it
doesn't even work with the minimum firewall script listed at the bottom.
What's wrong here? Please help me.
Bye,
Fabian
----------------------------------------------------------------------
request to ubl from gateway
----------------------------------------------------------------------
wget -d www.ubl.com
DEBUG output created by Wget 1.7 on linux-gnu.
parseurl ("www.ubl.com") -> host www.ubl.com -> opath -> dir -> file -> ndir
newpath: /
--16:33:38-- http://www.ubl.com/
=> `index.html.3'
Connecting to www.ubl.com:80... Caching www.ubl.com <-> 216.52.241.170
Created fd 3.
connected!
---request begin---
GET / HTTP/1.0
User-Agent: Wget/1.7
Host: www.ubl.com
Accept: */*
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response... HTTP/1.1 302 Found
Date: Tue, 01 Jan 2002 22:33:12 GMT
Server: Apache/1.3.17 (Unix) PHP/4.0.4pl1
Location: http://ubl.artistdirect.com/
Connection: close
Content-Type: text/html; charset=iso-8859-1
Location: http://ubl.artistdirect.com/ [following]
Closing fd 3
parseurl ("http://ubl.artistdirect.com/") -> host ubl.artistdirect.com -> opath -> dir -> file -> ndir
newpath: /
--16:33:43-- http://ubl.artistdirect.com/
=> `index.html.3'
Connecting to ubl.artistdirect.com:80... Caching ubl.artistdirect.com <-> 216.52.241.225
Created fd 3.
connected!
---request begin---
GET / HTTP/1.0
User-Agent: Wget/1.7
Host: ubl.artistdirect.com
Accept: */*
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response... HTTP/1.1 200 OK
Server: Netscape-Enterprise/4.1
Date: Tue, 01 Jan 2002 22:32:33 GMT
Set-cookie: AM_IDENTITY=73666e2a-1dd2-11b2-bf77-cee6d6f1e4a4;
expires=Wed, 01 Jan 2003 22:32:34 GMT; path=/; domain=.artistdirect.com;
cdm: 1 2 3 4 5 6 7 8
Stored cookie .artistdirect.com 80 / permanent 0 Wed Jan 1 16:32:34 2003 AM_IDENTITY 73666e2a-1dd2-11b2-bf77-cee6d6f1e4a4
Set-cookie: AM_ORIGIN=NOORIGIN; path=/; domain=.artistdirect.com;
cdm: 1 2 3 4 5 6 7 8
Stored cookie .artistdirect.com 80 / nonpermanent 0 Wed Dec 31 17:59:59 1969 AM_ORIGIN NOORIGIN
Content-type: text/html
Connection: close
Length: unspecified [text/html]
0K .......... .......... .......... .......... .......... @ 74.40 KB/s
50K @ 21.48 KB/s
Closing fd 3
16:33:49 (74.44 KB/s) - `index.html.3' saved [51222]
----------------------------------------------------------------------
request to ubl from workstation
----------------------------------------------------------------------
wget -d www.ubl.com
DEBUG output created by Wget 1.5.3 on linux-gnu.
parseurl ("www.ubl.com") -> host www.ubl.com -> opath -> dir -> file -> ndir
--16:33:34-- http://www.ubl.com:80/
=> `index.html.1'
Connecting to www.ubl.com:80... Created fd 3.
connected!
---request begin---
GET / HTTP/1.0
User-Agent: Wget/1.5.3
Host: www.ubl.com:80
Accept: */*
---request end---
HTTP request sent, awaiting response... HTTP/1.1 302 Found
Date: Tue, 01 Jan 2002 22:36:29 GMT
Server: Apache/1.3.17 (Unix) PHP/4.0.4pl1
Location: http://ubl.artistdirect.com/
Connection: close
Content-Type: text/html; charset=iso-8859-1
Location: http://ubl.artistdirect.com/ [following]
Closing fd 3
parseurl ("www.ubl.com") -> host www.ubl.com -> opath -> dir -> file -> ndir
parseurl ("http://ubl.artistdirect.com/") -> host ubl.artistdirect.com -> opath -> dir -> file -> ndir
parseurl ("http://ubl.artistdirect.com/") -> host ubl.artistdirect.com -> opath -> dir -> file -> ndir
--16:33:34-- http://ubl.artistdirect.com:80/
=> `index.html.1'
Connecting to ubl.artistdirect.com:80... Created fd 3.
connected!
---request begin---
GET / HTTP/1.0
User-Agent: Wget/1.5.3
Host: ubl.artistdirect.com:80
Accept: */*
---request end---
HTTP request sent, awaiting response... HTTP/1.1 200 OK
Server: Netscape-Enterprise/4.1
Date: Tue, 01 Jan 2002 22:35:46 GMT
Set-cookie: AM_IDENTITY=e5f33fd6-1dd1-11b2-9af1-820c0dc65bbe;
expires=Wed, 01 Jan 2003 22:35:46 GMT; path=/; domain=.artistdirect.com;
Set-cookie: AM_ORIGIN=NOORIGIN; path=/; domain=.artistdirect.com;
Content-type: text/html
Connection: close
Length: unspecified [text/html]
0K ->
----------------------------------------------------------------------
request to spiegel from gateway
----------------------------------------------------------------------
wget -d www.spiegel.de
DEBUG output created by Wget 1.7 on linux-gnu.
parseurl ("www.spiegel.de") -> host www.spiegel.de -> opath -> dir -> file -> ndir
newpath: /
--16:26:37-- http://www.spiegel.de/
=> `index.html.2'
Connecting to www.spiegel.de:80... Caching www.spiegel.de <-> 194.64.249.245
Created fd 3.
connected!
---request begin---
GET / HTTP/1.0
User-Agent: Wget/1.7
Host: www.spiegel.de
Accept: */*
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response... HTTP/1.0 200 OK
Date: Tue, 01 Jan 2002 22:24:39 GMT
Server: Apache/1.3.12 (Unix) mod_oas/4.65
Cache-Control: max-age=60
Expires: Tue, 01 Jan 2002 22:25:39 GMT
Content-Type: text/html
Via: 1.1 www.spiegel.de
Last-Modified: Tue, 01 Jan 2002 22:24:39 GMT
Age: 51
X-Cache: HIT from prx016.spiegel.ision.net
Connection: close
Length: unspecified [text/html]
0K .......... .......... .......... .......... .......... @ 57.87 KB/s
50K .......... .......... .......... . @ 80.09 KB/s
Closing fd 3
16:26:43 (64.76 KB/s) - `index.html.2' saved [83020]
----------------------------------------------------------------------
request to spiegel from workstation
----------------------------------------------------------------------
DEBUG output created by Wget 1.5.3 on linux-gnu.
parseurl ("www.spiegel.de") -> host www.spiegel.de -> opath -> dir -> file -> ndir
--16:32:19-- http://www.spiegel.de:80/
=> `index.html.1'
Connecting to www.spiegel.de:80... Created fd 3.
connected!
---request begin---
GET / HTTP/1.0
User-Agent: Wget/1.5.3
Host: www.spiegel.de:80
Accept: */*
---request end---
HTTP request sent, awaiting response...
----------------------------------------------------------------------
firewall/routing script
----------------------------------------------------------------------
#!/bin/bash
#===============================================================
# myFirewall
#===============================================================
# network interfaces
INTERFACES="lo eth0 eth1"
# private subnet
MYNET="192.168.0.0/24"
# route to interface
ROUTE_IF="ppp0"
#===============================================================
# end of config
#===============================================================
case "$1" in
    start)
        echo "Starting firewall..."
        #===============================================================
        # Load kernel modules
        #===============================================================
        modprobe ip_tables
        modprobe ip_conntrack
        modprobe ip_conntrack_ftp
        modprobe ip_conntrack_irc
        modprobe iptable_nat
        modprobe ip_nat_ftp
        modprobe ip_nat_irc
        # flush the filter AND the nat table; "iptables -F" alone leaves the
        # old MASQUERADE rule in POSTROUTING, so every restart stacks another
        iptables -F
        iptables -t nat -F
        #===============================================================
        # Set kernel parameters
        #===============================================================
        # explicitly disable ECN
        if [ -e /proc/sys/net/ipv4/tcp_ecn ]
        then
            echo 0 > /proc/sys/net/ipv4/tcp_ecn
        fi
        # enable reverse-path filtering (anti-spoofing) on all interfaces
        for x in ${INTERFACES}
        do
            echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
        done
        #===============================================================
        # ROUTING
        #===============================================================
        if [ -n "$ROUTE_IF" ]; then
            # activate ip forwarding
            echo 1 > /proc/sys/net/ipv4/ip_forward
            # masquerade everything leaving through the uplink interface
            iptables -t nat -A POSTROUTING -o ${ROUTE_IF} -j MASQUERADE
            # default policy for FORWARD is ACCEPT
            iptables -P FORWARD ACCEPT
        fi
        #===============================================================
        # INPUT
        #===============================================================
        # default policy for INPUT is DROP
        iptables -P INPUT DROP
        # loopback and the private subnet may always talk to the gateway
        # itself (MYNET was defined but never used before)
        iptables -A INPUT -i lo -j ACCEPT
        iptables -A INPUT -s ${MYNET} -j ACCEPT
        # accept replies to connections that we started
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        #===============================================================
        # OUTPUT
        #===============================================================
        # default policy for OUTPUT is ACCEPT
        iptables -P OUTPUT ACCEPT
        echo "ok"
        ;;
    stop)
        echo "Stopping firewall..."
        echo 0 > /proc/sys/net/ipv4/ip_forward
        # clear both tables and open all policies
        iptables -F
        iptables -t nat -F
        iptables -P INPUT ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -P FORWARD ACCEPT
        echo "ok"
        ;;
    restart)
        "$0" stop
        "$0" start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
exit 0
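As an added example, not part of Fabian's post: a small Python helper that reduces wget -d traces like the ones above to the facts worth comparing between the gateway and a masqueraded host, namely the status codes seen, redirects followed, bytes saved, and the phase at which the transfer stopped (headers arrived but body never did, or no response at all). The embedded traces are constructed, abbreviated excerpts of the ones quoted in the post.

```python
import re

# Constructed, abbreviated excerpts of the three traces quoted in the post.
GATEWAY_UBL = """\
HTTP request sent, awaiting response... HTTP/1.1 302 Found
Location: http://ubl.artistdirect.com/ [following]
HTTP request sent, awaiting response... HTTP/1.1 200 OK
Length: unspecified [text/html]
16:33:49 (74.44 KB/s) - `index.html.3' saved [51222]
"""
WORKSTATION_UBL = """\
HTTP request sent, awaiting response... HTTP/1.1 302 Found
Location: http://ubl.artistdirect.com/ [following]
HTTP request sent, awaiting response... HTTP/1.1 200 OK
Length: unspecified [text/html]
0K ->
"""
WORKSTATION_SPIEGEL = """\
HTTP request sent, awaiting response...
"""

STATUS_RE = re.compile(r"awaiting response\.\.\. HTTP/1\.[01] (\d{3})")
SAVED_RE = re.compile(r"' saved \[(\d+)\]")


def classify_trace(trace: str) -> dict:
    """Reduce a `wget -d` trace to: status codes seen, redirects followed,
    bytes saved, and the phase at which the transfer stopped."""
    statuses = STATUS_RE.findall(trace)
    redirects = trace.count("[following]")
    saved = SAVED_RE.search(trace)
    if saved:
        state = "completed"
    elif not statuses:
        # The request went out but no status line ever came back.
        state = "no response"
    elif "Length:" in trace:
        # Headers (small packets) arrived but the body never followed.
        state = "stalled after headers"
    else:
        state = "stopped during headers"
    return {"statuses": statuses, "redirects": redirects,
            "bytes": int(saved.group(1)) if saved else 0, "state": state}


def compare(gateway: str, workstation: str) -> str:
    """One-line verdict: does the workstation get as far as the gateway?"""
    g, w = classify_trace(gateway), classify_trace(workstation)
    if w["state"] == g["state"]:
        return "same behaviour from both hosts"
    return f"gateway {g['state']}, workstation {w['state']}"
```

Feed it the full traces from both hosts for each target; the two verdicts it gives for the post's traces are "gateway completed, workstation stalled after headers" for ubl and "no response" for spiegel from the workstation.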