[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: diagnosis - was Re: some reality about iptables, please

Bret Comstock Waldow wrote:

On Thu, 2003-08-28 at 02:35, Jacob Anawalt wrote:


Browser from Linux account or in VMWare Win98 works? Try both and let us know.
IE from Win98 works, Mozilla from Debian doesn't.

With these rules, samba couldn't restore the mapped drive I have from
Win98 to /home/user.

OK, lets start with just getting web browsing from Linux going.


Does https to some secure server work from either/both?
Yes from IE in Win98.
No from Debian Mozilla.  Here's an example of the messages:
Aug 28 17:35:55 ganesha kernel: DROPl:IN= OUT=eth0 SRC=
DST= LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=21328 DF

I'm curious that IN is blank.


I don't know why IN is blank. A web browsing program running on your system (but not in VMWare) should only hit the OUTPUT chain. Looking at your rules on OUTPUT for www:

Chain OUTPUT (policy DROP)
target prot opt source destination [snip]
DROPl      tcp  --  anywhere             anywhere           tcp dpt:www
DROPl      udp  --  anywhere             anywhere           udp dpt:www
REJECTl all -- anywhere anywhere

Ok, so http/www traffic from anywhere to anywhere hitting the OUTPUT chain jumps to rule DROPl (drop log). I must have overlooked the DROPl for https, or it isn't there and https is hitting the last rule, REJECTl. Your log is for http://tgftp.nws.noaa.gov/, not an https example.

Then again, you say ftp works (is that ftp using a web browser, or a command line FTP client that isn't in PASV mode?) If it is working from the command line in linux, then I guess these ftp rules are ACCEPTING the traffic, and https should work.

ACCEPT tcp -- anywhere tcp dpt:https flags:SYN,RST,ACK/SYN state NEW ACCEPT tcp -- anywhere tcp dpt:ftp flags:SYN,RST,ACK/SYN state NEW ACCEPT tcp -- anywhere tcp dpt:ftp-data flags:SYN,RST,ACK/SYN state NEW
If that's the case, then I guess the ftp client is binding to before starting traffic. Maybe Mozilla is trying to bind to your external or your loopback interfaces if https doesn't work.

Anyway, my guess is that all the local http traffic is hitting the DROPl chain:

Chain DROPl (168 references)
target prot opt source destination LOG all -- anywhere anywhere LOG level warning prefix `DROPl:' DROP all -- anywhere anywhere
So you can't browse the web, or use apt-get http://bla/ (Again, VMWare is a different case.) Maybe you meant to have some accept cases before the DROPl ones for specific types of HTTP traffic. Have you tried changing the default OUTPUT chain policy to ACCEPT and flush your OUTPUT chain for a minute? All you should be "open to" is software on your system (authorized or not) talking out on the internet.

Lets see how that goes before tackling the SMB mount and VMWare email.


Reply to: