
Re: diagnosis - was Re: some reality about iptables, please



Bret Comstock Waldow wrote:

> On Thu, 2003-08-28 at 02:35, Jacob Anawalt wrote:
>
> [snip]
>
> > Browser from Linux account or in VMWare Win98 works? Try both and let us know.
>
> IE from Win98 works, Mozilla from Debian doesn't.
>
> With these rules, samba couldn't restore the mapped drive I have from
> Win98 to /home/user.
>
> > OK, let's start with just getting web browsing from Linux going.
>
> [snip]
>
> > Does https to some secure server work from either/both?
>
> Yes from IE in Win98.
> No from Debian Mozilla.  Here's an example of the messages:
>
> Aug 28 17:35:55 ganesha kernel: DROPl:IN= OUT=eth0 SRC=192.168.2.30
> DST=205.156.51.200 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=21328 DF
> PROTO=TCP SPT=34131 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>
> I'm curious that IN is blank.
>
> Thanks,
> Bret

I don't know why IN is blank. A web browsing program running on your system (but not in VMWare) should only hit the OUTPUT chain. Looking at your rules on OUTPUT for www:

Chain OUTPUT (policy DROP)
target prot opt source destination [snip]
DROPl      tcp  --  anywhere             anywhere           tcp dpt:www
DROPl      udp  --  anywhere             anywhere           udp dpt:www
[snip]
REJECTl all -- anywhere anywhere

Ok, so http/www traffic from anywhere to anywhere hitting the OUTPUT chain jumps to rule DROPl (drop log). I must have overlooked the DROPl for https, or it isn't there and https is hitting the last rule, REJECTl. Your log is for http://tgftp.nws.noaa.gov/, not an https example.

Then again, you say ftp works (is that ftp using a web browser, or a command-line FTP client that isn't in PASV mode?). If it is working from the command line in Linux, then I guess these ftp rules are ACCEPTing the traffic, and https should work:

ACCEPT     tcp  --  192.168.2.30         anywhere           tcp dpt:https flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.2.30         anywhere           tcp dpt:ftp flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.2.30         anywhere           tcp dpt:ftp-data flags:SYN,RST,ACK/SYN state NEW

If that's the case, then I guess the ftp client is binding to 192.168.2.30 before starting traffic. Maybe Mozilla is trying to bind to your external or your loopback interfaces if https doesn't work.

Anyway, my guess is that all the local http traffic is hitting the DROPl chain:

Chain DROPl (168 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           LOG level warning prefix `DROPl:'
DROP       all  --  anywhere             anywhere

So you can't browse the web, or use apt-get http://bla/ (again, VMWare is a different case). Maybe you meant to have some ACCEPT cases before the DROPl ones for specific types of HTTP traffic. Have you tried changing the default OUTPUT chain policy to ACCEPT and flushing your OUTPUT chain for a minute? All you should be "open to" is software on your system (authorized or not) talking out on the internet.

Let's see how that goes before tackling the SMB mount and VMWare email.

Jacob
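Added example, not code from this thread: a small Python model of iptables first-match chain traversal, with the OUTPUT rules transcribed from the listings in the reply above and the packet parsed from Bret's log line. It assumes the ACCEPT rules sit after the DROPl rules in the OUTPUT chain (the order in which they appear in the reply; the real listing is snipped), and it approximates `--syn ... state NEW` by the SYN flag. It shows the three points argued in the reply: a blank IN= with OUT=eth0 marks a locally generated packet traversing OUTPUT; the SYN to port 80 hits the first DROPl rule before any ACCEPT can match; and an https connection bound to a source other than 192.168.2.30 falls through to the final REJECTl. FIXED puts the http ACCEPT ahead of the DROPl rules, and OPEN models the "policy ACCEPT, chain flushed" test Jacob suggests.

```python
# Model of iptables first-match chain traversal (example code, not from the
# thread). Rules are dicts; the chain is walked top to bottom and the first
# matching rule decides, otherwise the chain policy applies.

# Constructed from the log line posted by Bret (one SYN to port 80).
LOG_LINE = ("DROPl:IN= OUT=eth0 SRC=192.168.2.30 DST=205.156.51.200 LEN=44 "
            "TOS=0x00 PREC=0x00 TTL=64 ID=21328 DF PROTO=TCP SPT=34131 "
            "DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0")


def parse_log(line):
    """Turn a netfilter LOG line into a dict. 'KEY=VAL' tokens become
    strings (IN= with no value becomes ''); bare tokens such as DF and SYN
    become True."""
    prefix, _, rest = line.partition(':')
    pkt = {'prefix': prefix}
    for tok in rest.split():
        key, eq, val = tok.partition('=')
        pkt[key] = val if eq else True
    return pkt


def locally_generated(pkt):
    """LOG prints IN= empty and OUT= set for packets the host itself
    created, i.e. packets that traverse the OUTPUT chain."""
    return pkt.get('IN') == '' and bool(pkt.get('OUT'))


def rule(target, proto=None, src=None, dport=None, syn_only=False):
    # syn_only approximates 'flags:SYN,RST,ACK/SYN state NEW' (assumption).
    return {'target': target, 'proto': proto, 'src': src,
            'dport': dport, 'syn_only': syn_only}


def matches(r, pkt):
    if r['proto'] and pkt.get('PROTO', '').lower() != r['proto']:
        return False
    if r['src'] and pkt.get('SRC') != r['src']:
        return False
    if r['dport'] is not None and int(pkt.get('DPT', -1)) != r['dport']:
        return False
    if r['syn_only'] and not pkt.get('SYN'):
        return False
    return True


def walk(chain, pkt):
    """Return (verdict, index of the rule that fired); index is None when
    the chain policy decided."""
    for idx, r in enumerate(chain['rules']):
        if matches(r, pkt):
            return r['target'], idx
    return chain['policy'], None


HOST = '192.168.2.30'

# OUTPUT chain as listed in the reply (ACCEPT rules assumed to follow the
# DROPl rules; www=80, https=443, ftp=21, ftp-data=20).
POSTED = {'policy': 'DROP', 'rules': [
    rule('DROPl', proto='tcp', dport=80),
    rule('DROPl', proto='udp', dport=80),
    rule('ACCEPT', proto='tcp', src=HOST, dport=443, syn_only=True),
    rule('ACCEPT', proto='tcp', src=HOST, dport=21, syn_only=True),
    rule('ACCEPT', proto='tcp', src=HOST, dport=20, syn_only=True),
    rule('REJECTl'),
]}

# Same chain with an ACCEPT for new http connections inserted first.
FIXED = {'policy': 'DROP', 'rules':
         [rule('ACCEPT', proto='tcp', src=HOST, dport=80, syn_only=True)]
         + POSTED['rules']}

# Policy ACCEPT with the chain flushed: every packet leaves.
OPEN = {'policy': 'ACCEPT', 'rules': []}


def packet(src=HOST, dport=80):
    """Constructed outbound TCP SYN as it would appear in OUTPUT."""
    return {'IN': '', 'OUT': 'eth0', 'SRC': src, 'PROTO': 'TCP',
            'DPT': str(dport), 'SYN': True}


if __name__ == '__main__':
    logged = parse_log(LOG_LINE)
    print('locally generated:', locally_generated(logged))
    print('posted chain, logged http SYN:', walk(POSTED, logged))
    print('posted chain, https from host addr:', walk(POSTED, packet(dport=443)))
    print('posted chain, https bound to loopback:',
          walk(POSTED, packet(src='127.0.0.1', dport=443)))
    print('fixed chain, logged http SYN:', walk(FIXED, logged))
    print('open chain, logged http SYN:', walk(OPEN, logged))
```

The ACCEPT rules in the posted chain carry a source restriction, so any socket Mozilla binds to an address other than 192.168.2.30 (loopback, or an external interface) never matches them and ends at REJECTl; that is the check to make before adding rules. For the real box the equivalent of FIXED is an `iptables -I OUTPUT 1 ...` for the http ACCEPT, or accepting ESTABLISHED,RELATED plus NEW connections from the host address ahead of the logging drops.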