
Why does my firewall script work only for some sites?



I have a firewall script.
It provides NAT and allows clients to visit only 3 sites plus the DNS servers.
On the client machine the 1st site (www.debian.org) can be viewed,
but the other two sites have problems:
the browser displays only the title bar;
in other words, the page is displayed only partially.
Note that the other two sites are Chinese.
After I uncomment two commands (which reduce security),
the two sites can be viewed.
It seems to me that the problem is specific to etch (kernel 2.6):
the script works fine for the two sites on sarge (kernel 2.4).
Below is my firewall script:

#!/bin/sh
#
# rc.firewall-iptables
# NAT router that lets LAN clients reach only three web sites and two DNS
# servers. All other forwarded, inbound and outbound traffic is dropped.
FWVER=0.76

echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n"

IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

# Addresses are plain IPs; the sites are host names. iptables resolves a
# host name once, when the rule is inserted, and adds one rule per A record
# returned at that moment. Anything the site later serves from a different
# address (round-robin DNS, images or scripts on another host) is not matched.
DNS1="219.233.241.166"
DNS2="211.167.97.67"
SITE1="www.debian.org"

SITE2="trade.gtja.com"
SITE50="ebank.spdb.com.cn"


EXTIF="eth1"   # Internet-facing interface
INTIF="eth0"   # LAN-facing interface
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"

echo -en "   loading modules: "

echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a


echo "----------------------------------------------------------------------"

echo -en "ip_tables, "
$MODPROBE ip_tables


# ip_conntrack is loaded, but no rule below uses connection state: every
# chain is purely stateless, matched on source/destination address only.
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack

echo -en "iptable_nat, "
$MODPROBE iptable_nat


echo "----------------------------------------------------------------------"
echo -e "   Done loading modules.\n"

echo "   Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "   Clearing any existing rules and setting default policy.."
# INPUT/OUTPUT DROP also applies to the router's own traffic, including
# loopback and any ICMP errors the router itself generates.
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

# The two commands referred to above: uncommenting them opens INPUT and
# OUTPUT completely for the router itself (FORWARD stays restricted).
#$IPTABLES -A INPUT  -j ACCEPT
#$IPTABLES -A OUTPUT  -j ACCEPT

# Forwarded traffic to/from the two DNS servers (any protocol, any port).
$IPTABLES -A FORWARD -s $DNS1 -j ACCEPT
$IPTABLES -A FORWARD -d $DNS1 -j ACCEPT
$IPTABLES -A FORWARD -s $DNS2 -j ACCEPT
$IPTABLES -A FORWARD -d $DNS2 -j ACCEPT

# The router's own DNS lookups (needed to resolve the SITE names below).
$IPTABLES -A INPUT -s $DNS1 -j ACCEPT
$IPTABLES -A INPUT -s $DNS2 -j ACCEPT
$IPTABLES -A OUTPUT -d $DNS1 -j ACCEPT
$IPTABLES -A OUTPUT -d $DNS2 -j ACCEPT

# Forwarded traffic to/from the three permitted sites, both directions,
# resolved to whatever addresses the names return when this script runs.
$IPTABLES -A FORWARD -s $SITE1 -j ACCEPT
$IPTABLES -A FORWARD -d $SITE1 -j ACCEPT
$IPTABLES -A FORWARD -s $SITE2 -j ACCEPT
$IPTABLES -A FORWARD -d $SITE2 -j ACCEPT
$IPTABLES -A FORWARD -s $SITE50 -j ACCEPT
$IPTABLES -A FORWARD -d $SITE50 -j ACCEPT

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e "\nrc.firewall-iptables v$FWVER done.\n"


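The script above expresses the same policy ("three sites plus DNS, NAT everything else") with stateless address-only rules and no allowance for the router's own loopback or ICMP traffic. The following is an added example, not the poster's script, showing how the same whitelist is usually written statefully: replies and related ICMP are accepted via connection tracking, DNS is limited to UDP/53, the sites to TCP 80/443, and loopback plus the router's own ICMP errors are allowed so that path-MTU discovery is not silently broken. The interface names, DNS servers and site names are the poster's; the port lists, the log prefix and the dry-run mechanism (IPTABLES defaults to `echo iptables`, so the rules are printed rather than applied) are assumptions for this example. Whether dropped ICMP or resources served from non-whitelisted hosts is what breaks the two Chinese sites here is not established by the post; the comment on host-name resolution describes how iptables behaves in general.

```shell
#!/bin/sh
# Stateful rewrite of the whitelist firewall. Added example; not the original
# poster's script. Run as-is to print the rule set (dry run); to apply it:
#   IPTABLES=/sbin/iptables sh fw-stateful.sh
IPTABLES=${IPTABLES:-"echo iptables"}

EXTIF=eth1                                    # Internet side
INTIF=eth0                                    # LAN side
DNS_SERVERS="219.233.241.166 211.167.97.67"   # from the post
SITES="www.debian.org trade.gtja.com ebank.spdb.com.cn"   # from the post
WEB_PORTS="80,443"                            # assumption: plain web only

# Wrapper so the same code can print or execute the rules.
ipt() { $IPTABLES "$@"; }

reset_tables() {
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
}

host_rules() {
    # The router itself: loopback, and replies to anything it started
    # (for example the DNS lookups iptables does to resolve $SITES below).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ICMP errors generated locally (fragmentation-needed, unreachable) leave
    # through OUTPUT; dropping them breaks path-MTU discovery for the clients.
    ipt -A OUTPUT -p icmp -j ACCEPT
    for d in $DNS_SERVERS; do
        ipt -A OUTPUT -d "$d" -p udp --dport 53 -j ACCEPT
    done
}

forward_rules() {
    # Return traffic and related ICMP for flows the LAN clients opened.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for d in $DNS_SERVERS; do
        ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -d "$d" -p udp --dport 53 -j ACCEPT
    done
    # A host name here is resolved once, at insert time: one rule per A record
    # returned at that moment. Names that round-robin or change address need
    # the script re-run (or an ipset / explicit proxy instead of raw iptables).
    for s in $SITES; do
        ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -d "$s" -p tcp \
            -m multiport --dports "$WEB_PORTS" -j ACCEPT
    done
    # Log what the DROP policy is about to discard, rate-limited.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP "
}

apply_all() {
    reset_tables
    host_rules
    forward_rules
    ipt -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# Number of iptables invocations apply_all makes (20 with the lists above).
rule_count() { apply_all | wc -l | tr -d ' '; }

apply_all
```

In dry-run mode the output is the exact command list, which is worth diffing against the original script before applying: every `ACCEPT` for a site is now bound to an interface pair, a protocol and a port list, and the only address-free rules are the state-match and loopback ones.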