
Can't access a site from Masqueraded host



I'm trying to understand why I can't access a host from my NAT network.
I thought my firewall must be blocking.  I enabled logging of dropped
packets but still didn't see what wasn't working.  

So I disabled it and now have a very basic masquerading setup -- no
dropping (shown below).  NAT is working from my internal laptop:

moseley@laptop:~$ ping debian.org
PING debian.org (192.25.206.10): 56 data bytes
64 bytes from 192.25.206.10: icmp_seq=0 ttl=49 time=98.0 ms

iptables is running on "mardy".  The site doesn't respond to ping -- I 
assume they are blocking (I've tried from a number of other hosts, too):

moseley@mardy:~$ ping www.pge.com
PING www.pge.com (131.89.128.50): 56 data bytes

Still, I can fetch their web page from host "mardy":

moseley@mardy:~$ HEAD www.pge.com
200 OK
Connection: close
Date: Mon, 08 Sep 2003 16:02:11 GMT
Server: Netscape-Enterprise/4.1
Content-Length: 0
Content-Type: text/html
Client-Date: Mon, 08 Sep 2003 16:02:12 GMT
Client-Response-Num: 1

But I cannot from the inside network:

moseley@laptop:~$ HEAD www.pge.com
500 Can't connect to www.pge.com:80 (connect: timeout)
Client-Date: Mon, 08 Sep 2003 16:06:16 GMT


I assume that they are blocking some packets (because they seem to be 
blocking pings and traceroute) and also maybe blocking my NAT'ed 
packets.  But I don't see how they would be able to tell NAT'ed packets 
from "laptop" any differently than from "mardy".

I'm not very good at tcpdump, so I don't understand the difference in
the flags I'm seeing:

mardy:/etc# tcpdump host www.pge.com
tcpdump: listening on eth0

Here's trying to connect from "laptop" inside the NAT:

09:14:43.972161 mardy.hank.org.32768 > can10.pge.com.domain:  7254 [1au] AAAA? www.pge.com. OPT  UDPsize=2048 (40) (DF)
09:14:43.993925 can10.pge.com.domain > mardy.hank.org.32768:  7254* 0/1/1 (94) (DF)
09:14:52.369502 mardy.hank.org.1140 > www.pge.com.www: SWE 3476626643:3476626643(0) win 5840 <mss 1460,sackOK,timestamp 942432 0,nop,wscale 0> (DF)
09:14:55.365293 mardy.hank.org.1140 > www.pge.com.www: SWE 3476626643:3476626643(0) win 5840 <mss 1460,sackOK,timestamp 942732 0,nop,wscale 0> (DF)
09:15:01.365691 mardy.hank.org.1140 > www.pge.com.www: SWE 3476626643:3476626643(0) win 5840 <mss 1460,sackOK,timestamp 943332 0,nop,wscale 0> (DF)


Here's connecting (successfully) from "mardy":

09:16:51.246177 mardy.hank.org.57886 > www.pge.com.www: S 1784081886:1784081886(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF)
09:16:51.264643 www.pge.com.www > mardy.hank.org.57886: S 3679981607:3679981607(0) ack 1784081887 win 9660 <nop,nop,sackOK,mss 1380> (DF)
09:16:51.264681 mardy.hank.org.57886 > www.pge.com.www: . ack 1 win 5840 (DF)
09:16:51.266057 mardy.hank.org.57886 > www.pge.com.www: P 1:88(87) ack 1 win 5840 (DF)
09:16:51.290761 www.pge.com.www > mardy.hank.org.57886: . ack 88 win 9660 (DF)
09:16:51.293569 www.pge.com.www > mardy.hank.org.57886: P 1:153(152) ack 88 win 9660 (DF)
09:16:51.293587 mardy.hank.org.57886 > www.pge.com.www: . ack 153 win 5840 (DF)
09:16:51.294467 www.pge.com.www > mardy.hank.org.57886: F 153:153(0) ack 88 win 9660 (DF)
09:16:51.304638 mardy.hank.org.57886 > www.pge.com.www: F 88:88(0) ack 154 win 5840 (DF)
09:16:51.320796 www.pge.com.www > mardy.hank.org.57886: . ack 89 win 9660 (DF)




Here's the iptables setup I'm using during all of this:


mardy:/etc# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere           
LOG        all  --  anywhere             anywhere           LOG level warning 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         


-- 
Bill Moseley
moseley@hank.org
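An added example, not from the original post, that decodes the flag letters in the two tcpdump excerpts above: in classic tcpdump notation S is SYN, and W and E are the ECN bits CWR and ECN-Echo, so the laptop's SYNs (SWE) negotiate ECN and are retransmitted three times with no SYN-ACK, while mardy's plain SYN (S) is answered. The script groups the quoted lines (trimmed to the TCP packets, with the option lists shortened) by connection and reports which SYNs went unanswered; the `diagnose` function and its verdict strings are this example's own.

```python
import re
from collections import defaultdict

# Flag letters in classic tcpdump TCP output, as seen in the post.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST",
              "W": "CWR", "E": "ECE", "U": "URG"}

# Constructed sample: lines quoted from the post, TCP packets only, options shortened.
CAPTURE = """\
09:14:52.369502 mardy.hank.org.1140 > www.pge.com.www: SWE 3476626643:3476626643(0) win 5840 <mss 1460> (DF)
09:14:55.365293 mardy.hank.org.1140 > www.pge.com.www: SWE 3476626643:3476626643(0) win 5840 <mss 1460> (DF)
09:15:01.365691 mardy.hank.org.1140 > www.pge.com.www: SWE 3476626643:3476626643(0) win 5840 <mss 1460> (DF)
09:16:51.246177 mardy.hank.org.57886 > www.pge.com.www: S 1784081886:1784081886(0) win 5840 <mss 1460> (DF)
09:16:51.264643 www.pge.com.www > mardy.hank.org.57886: S 3679981607:3679981607(0) ack 1784081887 win 9660 (DF)
09:16:51.264681 mardy.hank.org.57886 > www.pge.com.www: . ack 1 win 5840 (DF)
"""

LINE_RE = re.compile(r"^(\S+) (\S+) > (\S+): (\S+) ")

def parse(line):
    """Split one tcpdump line into timestamp, endpoints and the raw flag string."""
    m = LINE_RE.match(line)
    if not m:
        return None            # e.g. the DNS lines in the post do not match
    ts, src, dst, flags = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "flags": flags, "is_ack": " ack " in line}

def decode_flags(flags):
    """Expand tcpdump's letter string ('SWE', 'S', '.') into flag names; '.' means none set."""
    return {FLAG_NAMES[ch] for ch in flags if ch != "."}

def summarize(capture):
    """Per (client, server) flow: SYNs sent, whether they carried ECN bits, whether a SYN-ACK came back."""
    flows = defaultdict(lambda: {"syn_sent": 0, "ecn_on_syn": False, "syn_ack": False})
    for line in capture.splitlines():
        pkt = parse(line)
        if pkt is None or "SYN" not in decode_flags(pkt["flags"]):
            continue
        if pkt["is_ack"]:      # SYN+ACK: key the flow by the original client
            flows[(pkt["dst"], pkt["src"])]["syn_ack"] = True
        else:
            f = flows[(pkt["src"], pkt["dst"])]
            f["syn_sent"] += 1
            f["ecn_on_syn"] |= ({"CWR", "ECE"} <= decode_flags(pkt["flags"]))
    return dict(flows)

def diagnose(capture):
    """Return (client, verdict) pairs; unanswered ECN-flagged SYNs are the thing to look at."""
    out = []
    for (client, server), f in summarize(capture).items():
        if f["syn_ack"]:
            verdict = "handshake completed"
        elif f["ecn_on_syn"]:
            verdict = f"{f['syn_sent']} SYN(s) with CWR+ECE unanswered: check whether ECN is dropped on the path"
        else:
            verdict = f"{f['syn_sent']} plain SYN(s) unanswered"
        out.append((client, verdict))
    return out
```

On Linux the client's ECN negotiation is governed by the net.ipv4.tcp_ecn sysctl, so comparing that setting on "laptop" and "mardy" is the natural next check.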


