Gentoo Forums :: Networking & Security
Unable to connect to any website but able to ping

babaganosh
n00b
Joined: 25 Nov 2011
Posts: 4
Location: Canada

Posted: Fri Nov 25, 2011 4:44 pm    Post subject: Unable to connect to any website but able to ping
Hi,
I currently have a Gentoo server running Shorewall as a firewall for my home network, and I have a strange problem: I can ping external websites by either name or IP from any workstation within the network.
I can remote into the network from an external site.
However, I am unable to use any browser on any computer; it just hangs on loading and sometimes I get the generic DNS error.
Here are my configs for Shorewall and net, as I suspect that is where the problem is. Any help would be much appreciated.

Thanks


Shorewall/interfaces

#ZONE INTERFACE BROADCAST OPTIONS
loc eth1 detect tcpflags,routefilter,routeback
net eth0 detect tcpflags,blacklist,norfc1918,routefilter
vpn tap1 detect tcpflags,routeback
#

Shorewall/masq

#INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/
# GROUP
eth0 eth1

shorewall/policy

#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:BURST
# LEVEL BURST MASK
loc net ACCEPT
net all DROP info
fw net ACCEPT
fw loc ACCEPT
fw vpn ACCEPT
vpn fw ACCEPT
loc vpn ACCEPT
vpn loc ACCEPT



# the following must always appear last!!!

all all REJECT info


shorewall/zones


#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
loc ipv4
net ipv4
vpn ipv4

shorewall/rules

#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
## office traffic
ACCEPT net:xx.xxx.xx.xxx fw all

##All local traffic
##ACCEPT loc fw all
## Teamspeak Windows
DNAT net loc:192.168.0.2 tcp 9987
DNAT net loc:192.168.0.2 udp 9987
## Teamspeak gentoo
#DNAT net loc:192.168.1.10 udp 9988
#DNAT net loc:192.168.1.10 tcp 9988
## Killingfloor
DNAT net loc:192.168.0.100 udp 7707
DNAT net loc:192.168.0.100 udp 7708
DNAT net loc:192.168.0.100 udp 7717
DNAT net loc:192.168.0.100 tcp 28852
DNAT net loc:192.168.0.100 udp 28852
DNAT net loc:192.168.0.100 tcp 8075
DNAT net loc:192.168.0.100 tcp 20560
DNAT net loc:192.168.0.100 udp 20560

## Torrents
DNAT net loc:192.168.0.100 tcp 27363

/etc/conf.d/net


dns_domain_lo="tyria"
## Eth0 Onboard external shaw
config_eth0=( "dhcp" )

depend_eth0 () {
before openvpn
}

## Eth1 dlink pci card internal network
config_eth1=( "192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255" )


#tap 1 OPEN VPN
#tuntap_tap1="tap"
#config_tap1=( "null" )
#depend_tap1
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21635

Posted: Fri Nov 25, 2011 8:55 pm

Please post the output of iptables-save -c ; curl -o /dev/null http://www.google.com/ ; curl -o /dev/null https://www.google.com/.

[Edit: fixed curl https command line.]


Last edited by Hu on Sun Nov 27, 2011 5:33 am; edited 1 time in total
babaganosh
n00b
Joined: 25 Nov 2011
Posts: 4
Location: Canada

Posted: Fri Nov 25, 2011 10:14 pm

# Generated by iptables-save v1.4.12.1 on Fri Nov 25 15:04:50 2011
*raw
:PREROUTING ACCEPT [228:32266]
:OUTPUT ACCEPT [292:37746]
COMMIT
# Completed on Fri Nov 25 15:04:50 2011
# Generated by iptables-save v1.4.12.1 on Fri Nov 25 15:04:50 2011
*nat
:PREROUTING ACCEPT [58:11999]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [6:407]
:POSTROUTING ACCEPT [6:407]
:dnat - [0:0]
:eth0_masq - [0:0]
:net_dnat - [0:0]
[58:11999] -A PREROUTING -j dnat
[11:687] -A POSTROUTING -o eth0 -j eth0_masq
[26:8482] -A dnat -i eth0 -j net_dnat
[5:280] -A eth0_masq -s 192.168.0.0/24 -j MASQUERADE
[0:0] -A net_dnat -p tcp -m tcp --dport 9987 -j DNAT --to-destination 192.168.0.2
[0:0] -A net_dnat -p udp -m udp --dport 9987 -j DNAT --to-destination 192.168.0.2
[0:0] -A net_dnat -p udp -m udp --dport 9988 -j DNAT --to-destination 192.168.1.10
[0:0] -A net_dnat -p tcp -m tcp --dport 9988 -j DNAT --to-destination 192.168.1.10
[0:0] -A net_dnat -p udp -m udp --dport 7707 -j DNAT --to-destination 192.168.0.100
[0:0] -A net_dnat -p udp -m udp --dport 7708 -j DNAT --to-destination 192.168.0.100
[0:0] -A net_dnat -p udp -m udp --dport 7717 -j DNAT --to-destination 192.168.0.100
[0:0] -A net_dnat -p tcp -m tcp --dport 28852 -j DNAT --to-destination 192.168.0.100
[0:0] -A net_dnat -p udp -m udp --dport 28852 -j DNAT --to-destination 192.168.0.100
[0:0] -A net_dnat -p tcp -m tcp --dport 8075 -j DNAT --to-destination 192.168.0.100
[0:0] -A net_dnat -p tcp -m tcp --dport 20560 -j DNAT --to-destination 192.168.0.100
[0:0] -A net_dnat -p udp -m udp --dport 20560 -j DNAT --to-destination 192.168.0.100
[0:0] -A net_dnat -p tcp -m tcp --dport 27363 -j DNAT --to-destination 192.168.0.100
COMMIT
# Completed on Fri Nov 25 15:04:50 2011
# Generated by iptables-save v1.4.12.1 on Fri Nov 25 15:04:50 2011
*mangle
:PREROUTING ACCEPT [237:32626]
:INPUT ACCEPT [172:18101]
:FORWARD ACCEPT [63:12816]
:OUTPUT ACCEPT [318:41706]
:POSTROUTING ACCEPT [381:54522]
:tcfor - [0:0]
:tcin - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
[237:32626] -A PREROUTING -j tcpre
[172:18101] -A INPUT -j tcin
[63:12816] -A FORWARD -j MARK --set-xmark 0x0/0xff
[63:12816] -A FORWARD -j tcfor
[318:41706] -A OUTPUT -j tcout
[381:54522] -A POSTROUTING -j tcpost
COMMIT
# Completed on Fri Nov 25 15:04:50 2011
# Generated by iptables-save v1.4.12.1 on Fri Nov 25 15:04:50 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Broadcast - [0:0]
:Drop - [0:0]
:Invalid - [0:0]
:NotSyn - [0:0]
:Reject - [0:0]
:blacklst - [0:0]
:dynamic - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:fw2vpn - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:loc2vpn - [0:0]
:loc_frwd - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:net2vpn - [0:0]
:net_frwd - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:tcpflags - [0:0]
:vpn2fw - [0:0]
:vpn2loc - [0:0]
:vpn2net - [0:0]
:vpn_frwd - [0:0]
[53:11719] -A INPUT -m conntrack --ctstate INVALID,NEW -j dynamic
[138:8017] -A INPUT -i eth1 -j loc2fw
[38:10244] -A INPUT -i eth0 -j net2fw
[0:0] -A INPUT -i tap1 -j vpn2fw
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -j Reject
[0:0] -A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
[0:0] -A INPUT -g reject
[35:6348] -A FORWARD -i eth1 -j loc_frwd
[28:6468] -A FORWARD -i eth0 -j net_frwd
[0:0] -A FORWARD -i tap1 -j vpn_frwd
[0:0] -A FORWARD -j Reject
[0:0] -A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
[0:0] -A FORWARD -g reject
[315:42228] -A OUTPUT -o eth1 -j fw2loc
[14:1002] -A OUTPUT -o eth0 -j fw2net
[0:0] -A OUTPUT -o tap1 -j fw2vpn
[0:0] -A OUTPUT -o lo -j ACCEPT
[0:0] -A OUTPUT -j Reject
[0:0] -A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6
[0:0] -A OUTPUT -g reject
[21:1789] -A Broadcast -d 192.168.0.255/32 -j DROP
[30:9794] -A Broadcast -d 255.255.255.255/32 -j DROP
[0:0] -A Broadcast -d 255.255.255.255/32 -j DROP
[0:0] -A Broadcast -d 224.0.0.0/4 -j DROP
[26:8482] -A Drop
[0:0] -A Drop -p tcp -m tcp --dport 113 -m comment --comment Auth -j reject
[26:8482] -A Drop -j Broadcast
[0:0] -A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Drop -j Invalid
[0:0] -A Drop -p udp -m multiport --dports 135,445 -m comment --comment SMB -j DROP
[0:0] -A Drop -p udp -m udp --dport 137:139 -m comment --comment SMB -j DROP
[0:0] -A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j DROP
[0:0] -A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j DROP
[0:0] -A Drop -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
[0:0] -A Drop -p tcp -j NotSyn
[0:0] -A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
[0:0] -A Invalid -m conntrack --ctstate INVALID -j DROP
[0:0] -A NotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
[27:3237] -A Reject
[0:0] -A Reject -p tcp -m tcp --dport 113 -m comment --comment Auth -j reject
[27:3237] -A Reject -j Broadcast
[0:0] -A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
[2:136] -A Reject -j Invalid
[0:0] -A Reject -p udp -m multiport --dports 135,445 -m comment --comment SMB -j reject
[0:0] -A Reject -p udp -m udp --dport 137:139 -m comment --comment SMB -j reject
[0:0] -A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j reject
[0:0] -A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j reject
[0:0] -A Reject -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
[0:0] -A Reject -p tcp -j NotSyn
[0:0] -A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
[315:42228] -A fw2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A fw2loc -j ACCEPT
[7:535] -A fw2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[7:467] -A fw2net -j ACCEPT
[0:0] -A fw2vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A fw2vpn -j ACCEPT
[27:3237] -A loc2fw -m conntrack --ctstate INVALID,NEW -j dynamic
[111:4780] -A loc2fw -p tcp -j tcpflags
[111:4780] -A loc2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A loc2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A loc2fw -p tcp -m tcp --dport 22 -j ACCEPT
[27:3237] -A loc2fw -j Reject
[2:136] -A loc2fw -j LOG --log-prefix "Shorewall:loc2fw:REJECT:" --log-level 6
[2:136] -A loc2fw -g reject
[28:5956] -A loc2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[7:392] -A loc2net -j ACCEPT
[0:0] -A loc2vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A loc2vpn -j ACCEPT
[7:392] -A loc_frwd -m conntrack --ctstate INVALID,NEW -j dynamic
[33:6204] -A loc_frwd -p tcp -j tcpflags
[0:0] -A loc_frwd -o eth1 -j ACCEPT
[35:6348] -A loc_frwd -o eth0 -j loc2net
[0:0] -A loc_frwd -o tap1 -j loc2vpn
[0:0] -A logdrop -j DROP
[0:0] -A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
[0:0] -A logflags -j DROP
[0:0] -A logreject -j reject
[26:8482] -A net2fw -m conntrack --ctstate INVALID,NEW -j dynamic
[26:8482] -A net2fw -m conntrack --ctstate INVALID,NEW -j blacklst
[5:895] -A net2fw -p tcp -j tcpflags
[12:1762] -A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A net2fw -s 68.179.52.192/27 -j ACCEPT
[0:0] -A net2fw -p udp -m udp --dport 4880 -j ACCEPT
[26:8482] -A net2fw -j Drop
[0:0] -A net2fw -j LOG --log-prefix "Shorewall:net2fw:DROP:" --log-level 6
[0:0] -A net2fw -j DROP
[28:6468] -A net2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A net2loc -d 192.168.0.2/32 -p tcp -m tcp --dport 9987 -j ACCEPT
[0:0] -A net2loc -d 192.168.0.2/32 -p udp -m udp --dport 9987 -j ACCEPT
[0:0] -A net2loc -d 192.168.1.10/32 -p udp -m udp --dport 9988 -j ACCEPT
[0:0] -A net2loc -d 192.168.1.10/32 -p tcp -m tcp --dport 9988 -j ACCEPT
[0:0] -A net2loc -d 192.168.0.100/32 -p udp -m udp --dport 7707 -j ACCEPT
[0:0] -A net2loc -d 192.168.0.100/32 -p udp -m udp --dport 7708 -j ACCEPT
[0:0] -A net2loc -d 192.168.0.100/32 -p udp -m udp --dport 7717 -j ACCEPT
[0:0] -A net2loc -d 192.168.0.100/32 -p tcp -m tcp --dport 28852 -j ACCEPT
[0:0] -A net2loc -d 192.168.0.100/32 -p udp -m udp --dport 28852 -j ACCEPT
[0:0] -A net2loc -d 192.168.0.100/32 -p tcp -m tcp --dport 8075 -j ACCEPT
[0:0] -A net2loc -d 192.168.0.100/32 -p tcp -m tcp --dport 20560 -j ACCEPT
[0:0] -A net2loc -d 192.168.0.100/32 -p udp -m udp --dport 20560 -j ACCEPT
[0:0] -A net2loc -d 192.168.0.100/32 -p tcp -m tcp --dport 27363 -j ACCEPT
[0:0] -A net2loc -j Drop
[0:0] -A net2loc -j LOG --log-prefix "Shorewall:net2loc:DROP:" --log-level 6
[0:0] -A net2loc -j DROP
[0:0] -A net2vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A net2vpn -j Drop
[0:0] -A net2vpn -j LOG --log-prefix "Shorewall:net2vpn:DROP:" --log-level 6
[0:0] -A net2vpn -j DROP
[0:0] -A net_frwd -m conntrack --ctstate INVALID,NEW -j dynamic
[0:0] -A net_frwd -m conntrack --ctstate INVALID,NEW -j blacklst
[25:4740] -A net_frwd -p tcp -j tcpflags
[28:6468] -A net_frwd -o eth1 -j net2loc
[0:0] -A net_frwd -o tap1 -j net2vpn
[0:0] -A reject -d 192.168.0.255/32 -j DROP
[0:0] -A reject -d 255.255.255.255/32 -j DROP
[0:0] -A reject -d 255.255.255.255/32 -j DROP
[0:0] -A reject -s 224.0.0.0/4 -j DROP
[0:0] -A reject -p igmp -j DROP
[0:0] -A reject -p tcp -j REJECT --reject-with tcp-reset
[2:136] -A reject -p udp -j REJECT --reject-with icmp-port-unreachable
[0:0] -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
[0:0] -A reject -j REJECT --reject-with icmp-host-prohibited
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
[0:0] -A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
[0:0] -A vpn2fw -m conntrack --ctstate INVALID,NEW -j dynamic
[0:0] -A vpn2fw -p tcp -j tcpflags
[0:0] -A vpn2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A vpn2fw -j ACCEPT
[0:0] -A vpn2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A vpn2loc -j ACCEPT
[0:0] -A vpn2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A vpn2net -j Reject
[0:0] -A vpn2net -j LOG --log-prefix "Shorewall:vpn2net:REJECT:" --log-level 6
[0:0] -A vpn2net -g reject
[0:0] -A vpn_frwd -m conntrack --ctstate INVALID,NEW -j dynamic
[0:0] -A vpn_frwd -p tcp -j tcpflags
[0:0] -A vpn_frwd -o eth1 -j vpn2loc
[0:0] -A vpn_frwd -o eth0 -j vpn2net
[0:0] -A vpn_frwd -o tap1 -j ACCEPT
COMMIT
# Completed on Fri Nov 25 15:04:50 2011
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 218 100 218 0 0 2860 0 --:--:-- --:--:-- --:--:-- 5736
curl: no URL specified!
curl: try 'curl --help' for more information
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21635

Posted: Sat Nov 26, 2011 1:39 am
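Hu asked for `iptables-save -c` because the per-rule packet counters show which Shorewall chain is dropping or rejecting traffic. As an added example (not code from the thread or from Shorewall), this Python parses a dump in that format and reports, per zone-pair chain such as loc2fw, how many packets reached a LOG rule, and which DROP/REJECT rules have non-zero counters; the sample lines are constructed from the dump posted above and are not a complete ruleset.

```python
import re
from collections import defaultdict

# Constructed sample in `iptables-save -c` format ([packets:bytes] counters),
# modelled on the dump posted in the thread; not a complete ruleset.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
[138:8017] -A INPUT -i eth1 -j loc2fw
[111:4780] -A loc2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A loc2fw -p tcp -m tcp --dport 22 -j ACCEPT
[27:3237] -A loc2fw -j Reject
[2:136] -A loc2fw -j LOG --log-prefix "Shorewall:loc2fw:REJECT:" --log-level 6
[2:136] -A loc2fw -g reject
[21:1789] -A Broadcast -d 192.168.0.255/32 -j DROP
[0:0] -A net2fw -j LOG --log-prefix "Shorewall:net2fw:DROP:" --log-level 6
[0:0] -A net2fw -j DROP
[0:0] -A reject -p tcp -j REJECT --reject-with tcp-reset
[2:136] -A reject -p udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# [pkts:bytes] -A <chain> <match text> -j|-g <target> <target args>
RULE_RE = re.compile(r'^\[(\d+):(\d+)\] -A (\S+) (.*?)(?:-j|-g) (\S+)(.*)$')

def parse_rules(text):
    """Return (packets, bytes, chain, match_text, target, target_args) per counted rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            pkts, byts, chain, match, target, args = m.groups()
            rules.append((int(pkts), int(byts), chain, match.strip(), target, args.strip()))
    return rules

def logged_by_chain(text):
    """Packets that reached a Shorewall LOG rule, keyed by chain (zone pair)."""
    counts = defaultdict(int)
    for pkts, _b, chain, _m, target, _a in parse_rules(text):
        if target == "LOG" and pkts:
            counts[chain] += pkts
    return dict(counts)

def verdicts(text):
    """DROP/REJECT rules with non-zero counters: (chain, match, target args, packets)."""
    return [(chain, match, args, pkts)
            for pkts, _b, chain, match, target, args in parse_rules(text)
            if pkts and target in ("DROP", "REJECT")]
```

On the sample, `logged_by_chain` shows 2 packets logged in loc2fw and `verdicts` shows those 2 were UDP packets answered with icmp-port-unreachable, which is the kind of correlation a reader of the full dump would do by hand.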

babaganosh wrote:
# Completed on Fri Nov 25 15:04:50 2011
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 218 100 218 0 0 2860 0 --:--:-- --:--:-- --:--:-- 5736
curl: no URL specified!
curl: try 'curl --help' for more information
HTTP seems to work fine. It looks like you mishandled the second curl invocation, but seeing one was enough for this. Are you sure that your browsers are configured correctly?
babaganosh
n00b
Joined: 25 Nov 2011
Posts: 4
Location: Canada

Posted: Sun Nov 27, 2011 3:58 am

Every browser is set to automatic for network settings.
I have also set up a small test network with one workstation and a D-Link router for DHCP, and recompiled with legacy DNS support enabled, and the problem persists.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21635

Posted: Sun Nov 27, 2011 5:24 am

Given that HTTP does work from the gateway and that you get a generic error page in the browser itself, this seems like a browser configuration problem, not a shorewall problem. Which browser are you using on the gateway? What is providing the "automatic" settings?
babaganosh
n00b
Joined: 25 Nov 2011
Posts: 4
Location: Canada

Posted: Sun Nov 27, 2011 8:32 pm

I have gone back to what I had last week, except instead of using the cable modem's built-in firewall I have a D-Link in its place.
That is, the Internet comes in from the cable modem. The cable modem is connected to the D-Link router, with DHCP on a different subnet.
Eth0 on the Gentoo box picks up a DHCP address, and I set the DMZ on the D-Link to go to that IP.
Everything else remains the same on the network and it all works.
Last week I had my ISP flash the modem to remove the firewall portion, and it just acts as a basic cable modem, so that I could get my ddclient working. I may just live without it.