| 1 |
Friends, |
| 2 |
|
| 3 |
I've set up routers several times with gentoo systems and |
| 4 |
iptables. The second-to-last system I set up works over DSL on the |
| 5 |
Qwest network. Everything is working as planned ( the same setup as |
| 6 |
the gentoo home router guide), except for one strange problem. |
| 7 |
|
| 8 |
A few websites (www.thepiratebay.org, comcast.net) aren't |
| 9 |
loading up properly from behind the NAT. The router itself can access |
| 10 |
the sites; they can also be accessed through TOR. However, behind the |
| 11 |
firewall, there is no access. |
| 12 |
|
| 13 |
I know you're all going to want to see the firewall rules. |
| 14 |
I've opened them all up to ACCEPT all packets. The only rule is for |
| 15 |
masquerading IPs going out on ppp0, and that's working fine for the |
| 16 |
most part. There are also Fail2Ban tables for SSH, but |
| 17 |
these tables appear to be working fine. Full iptables are listed below. |
| 18 |
|
| 19 |
I tested access through my firewall, and of course it worked |
| 20 |
fine. I am really stumped on this one; not sure if it's a problem with |
| 21 |
the way thepiratebay.org website works, the firewall, being the first |
| 22 |
I set up over DSL, or some other problem. Somebody suggested MTU |
| 23 |
problems; we tried turning the MTU on the ethernet interface bound to |
| 24 |
the ppp0 device from 1500 to 1492, but no luck came of it. |
| 25 |
|
| 26 |
any suggestions would be greatly appreciated. |
| 27 |
|
| 28 |
sincerely, |
| 29 |
|
| 30 |
dan farrell |
| 31 |
|
| 32 |
================================================================== |
| 33 |
IPTABLES |
| 34 |
--------------------------------------------------------------- |
| 35 |
hermes ~ # iptables -L -v |
| 36 |
Chain INPUT (policy ACCEPT 91953 packets, 23M bytes) |
| 37 |
pkts bytes target prot opt in out source |
| 38 |
destination |
| 39 |
84 9704 fail2ban-SSH tcp -- any any anywhere |
| 40 |
anywhere tcp dpt:ssh |
| 41 |
|
| 42 |
Chain FORWARD (policy ACCEPT 649K packets, 553M bytes) |
| 43 |
pkts bytes target prot opt in out source |
| 44 |
destination |
| 45 |
2729 129K TCPMSS tcp -- any any anywhere |
| 46 |
anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU |
| 47 |
|
| 48 |
Chain OUTPUT (policy ACCEPT 459K packets, 64M bytes) |
| 49 |
pkts bytes target prot opt in out source |
| 50 |
destination |
| 51 |
|
| 52 |
Chain fail2ban-SSH (1 references) |
| 53 |
pkts bytes target prot opt in out source |
| 54 |
destination |
| 55 |
20 3084 DROP all -- any any |
| 56 |
60-244-101-40.vdslpro.static.apol .com.tw anywhere |
| 57 |
64 6620 RETURN all -- any any anywhere |
| 58 |
anywhere |
| 59 |
----------------------------------------------------------- |
| 60 |
NAT table |
| 61 |
----------------------------------------------------------- |
| 62 |
hermes ~ # iptables -t nat -L -v |
| 63 |
Chain PREROUTING (policy ACCEPT 72794 packets, 7040K bytes) |
| 64 |
pkts bytes target prot opt in out source |
| 65 |
destination |
| 66 |
|
| 67 |
Chain POSTROUTING (policy ACCEPT 442 packets, 35796 bytes) |
| 68 |
pkts bytes target prot opt in out source |
| 69 |
destination 6155 337K MASQUERADE all -- any ppp0 |
| 70 |
anywhere anywhere |
| 71 |
|
| 72 |
Chain OUTPUT (policy ACCEPT 23518 packets, 1366K bytes) |
| 73 |
pkts bytes target prot opt in out source |
| 74 |
destination |
| 75 |
----------------------------------------------------------- |
| 76 |
=================================================================== |
| 77 |
-- |
| 78 |
gentoo-user@g.o mailing list |
Archives