Friends,

I've set up routers several times with gentoo systems and
iptables. The second-to-last system I set up works over DSL on the
Qwest network. Everything is working as planned (the same setup as
the gentoo home router guide), except for one strange problem.

A few websites (www.thepiratebay.org, comcast.net) aren't
loading up properly from behind the NAT. The router itself can access
the sites; they can also be accessed through TOR. However, behind the
firewall, there is no access.

I know you're all going to want to see the firewall rules.
I've opened them all up to ACCEPT all packets. The only rule is for
masquerading IPs going out on ppp0, and that's working fine for the
most part. There are also Fail2Ban tables for SSH, but
these tables appear to be working fine. Full iptables are listed below.

I tested access through my firewall, and of course it worked
fine. I am really stumped on this one; not sure if it's a problem with
the way thepiratebay.org website works, the firewall, being the first
I set up over DSL, or some other problem. Somebody suggested MTU
problems; we tried turning the MTU on the ethernet interface bound to
the ppp0 device from 1500 to 1492, but no luck came of it.

Any suggestions would be greatly appreciated.

Sincerely,

dan farrell

==================================================================
IPTABLES
---------------------------------------------------------------
hermes ~ # iptables -L -v
Chain INPUT (policy ACCEPT 91953 packets, 23M bytes)
 pkts bytes target        prot opt in   out  source       destination
   84  9704 fail2ban-SSH  tcp  --  any  any  anywhere     anywhere     tcp dpt:ssh

Chain FORWARD (policy ACCEPT 649K packets, 553M bytes)
 pkts bytes target        prot opt in   out  source       destination
 2729  129K TCPMSS        tcp  --  any  any  anywhere     anywhere     tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 459K packets, 64M bytes)
 pkts bytes target        prot opt in   out  source       destination

Chain fail2ban-SSH (1 references)
 pkts bytes target        prot opt in   out  source       destination
   20  3084 DROP          all  --  any  any  60-244-101-40.vdslpro.static.apol.com.tw  anywhere
   64  6620 RETURN        all  --  any  any  anywhere     anywhere
-----------------------------------------------------------
NAT table
-----------------------------------------------------------
hermes ~ # iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 72794 packets, 7040K bytes)
 pkts bytes target        prot opt in   out  source       destination

Chain POSTROUTING (policy ACCEPT 442 packets, 35796 bytes)
 pkts bytes target        prot opt in   out  source       destination
 6155  337K MASQUERADE    all  --  any  ppp0 anywhere     anywhere

Chain OUTPUT (policy ACCEPT 23518 packets, 1366K bytes)
 pkts bytes target        prot opt in   out  source       destination
-----------------------------------------------------------
===================================================================
--
gentoo-user@g.o mailing list