  1. #1
    Just Joined!
    Join Date
    Jan 2004
    Location
    Russian Federation, Kaliningrad
    Posts
    6

    iptables and hostname resolving


    Hi All!

    I have a Linux 9.0 mdk machine running as a gateway for my network.
    There are 2 interfaces
    eth0 - connected to the internet
    eth1 - to the ethernet

    There is no DNS server on my machine.

    I have configured iptables on my server to filter FORWARD packets going into/out of my local network.

    Example lines:

    :FORWARD DROP [1:1500]
    -A FORWARD -i eth0 -p tcp -j tcp_packets_forward_in
    -A FORWARD -i eth1 -p tcp -j tcp_packets_forward_out
    -A FORWARD -i eth0 -p udp -j udp_packets_forward_in
    -A FORWARD -i eth1 -p udp -j udp_packets_forward_out
    #-A FORWARD -i eth1 -j ACCEPT

    and:

    -A tcp_packets_forward_in -p tcp -m tcp --sport 53 -j allowed
    -A tcp_packets_forward_out -p tcp -m tcp --dport 53 -j allowed
    -A udp_packets_forward_in -p udp -m udp --sport 53 -j ACCEPT
    -A udp_packets_forward_out -p udp -m udp --dport 53 -j ACCEPT

    The problem is that sometimes (once a day, for example) browsers on computers in the local network begin to show a "Cannot display page" error message for almost all websites. But "ping hostname" works fine.

    And when I comment out the line shown as commented in the above
    example, everything starts working! All websites load, and so on. And if after that I comment that line again, everything continues working...

    Maybe someone has had a similar problem?
    Thanks

  2. #2
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    Is that really all your rules? In that case, I can't see how you can browse at all from the clients, since you're not allowing port 80. Would you mind explaining that?

  3. #3
    Just Joined!
    Join Date
    Jan 2004
    Location
    Russian Federation, Kaliningrad
    Posts
    6
    I placed here only the rules corresponding to DNS ports, as I was thinking the problem is connected to DNS packets going to external DNS servers.

    Here are all the rules for the FORWARD chain

    -A FORWARD -p tcp -j bad_tcp_packets
    -A FORWARD -p icmp -j icmp_packets_forward
    -A FORWARD -i eth0 -p tcp -j tcp_packets_forward_in
    -A FORWARD -i eth1 -p tcp -j tcp_packets_forward_out
    -A FORWARD -i eth0 -p udp -j udp_packets_forward_in
    -A FORWARD -i eth1 -p udp -j udp_packets_forward_out
    #-A FORWARD -i eth1 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT FORWARD packet died:" --log-level 7

    -A allowed -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    -A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A allowed -p tcp -j DROP

    -A bad_tcp_packets -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "New not syn:"
    -A bad_tcp_packets -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP

    -A icmp_packets_forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A icmp_packets_forward -p icmp -m icmp --icmp-type 11 -j ACCEPT

    -A tcp_packets_forward_in -p tcp -m tcp --sport 21 -j allowed
    -A tcp_packets_forward_in -p tcp -m tcp --sport 22 -j allowed
    -A tcp_packets_forward_in -p tcp -m tcp --sport 25 -j allowed
    -A tcp_packets_forward_in -p tcp -m tcp --sport 53 -j allowed
    -A tcp_packets_forward_in -p tcp -m tcp --sport 80:83 -j allowed
    -A tcp_packets_forward_in -p tcp -m tcp --sport 110 -j allowed
    -A tcp_packets_forward_in -p tcp -m tcp --sport 119 -j allowed
    -A tcp_packets_forward_in -p tcp -m tcp --sport 443 -j allowed
    -A tcp_packets_forward_in -p tcp -m tcp --sport 3128 -j allowed
    -A tcp_packets_forward_in -p tcp -m tcp --sport 4662 -j allowed
    -A tcp_packets_forward_in -p tcp -m tcp --sport 5100 -j allowed
    -A tcp_packets_forward_in -p tcp -m tcp --sport 5190 -j allowed
    -A tcp_packets_forward_in -p tcp -m tcp --sport 8000:8088 -j allowed

    -A tcp_packets_forward_out -p tcp -m tcp --dport 21 -j allowed
    -A tcp_packets_forward_out -p tcp -m tcp --dport 22 -j allowed
    -A tcp_packets_forward_out -p tcp -m tcp --dport 25 -j allowed
    -A tcp_packets_forward_out -p tcp -m tcp --dport 53 -j allowed
    -A tcp_packets_forward_out -p tcp -m tcp --dport 80:83 -j allowed
    -A tcp_packets_forward_out -p tcp -m tcp --dport 110 -j allowed
    -A tcp_packets_forward_out -p tcp -m tcp --dport 119 -j allowed
    -A tcp_packets_forward_out -p tcp -m tcp --dport 443 -j allowed
    -A tcp_packets_forward_out -p tcp -m tcp --dport 3128 -j allowed
    -A tcp_packets_forward_out -p tcp -m tcp --dport 4662 -j allowed
    -A tcp_packets_forward_out -p tcp -m tcp --dport 5100 -j allowed
    -A tcp_packets_forward_out -p tcp -m tcp --dport 5190 -j allowed
    -A tcp_packets_forward_out -p tcp -m tcp --dport 8000:8088 -j allowed

    -A udp_packets_forward_in -p udp -m udp --sport 53 -j ACCEPT
    -A udp_packets_forward_in -p udp -m udp --sport 5028 -j ACCEPT

    -A udp_packets_forward_out -p udp -m udp --dport 53 -j ACCEPT
    -A udp_packets_forward_out -p udp -m udp --dport 3241 -j ACCEPT
    -A udp_packets_forward_out -p udp -m udp --dport 5028 -j ACCEPT

  4. #4
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    The main problem is that the "Cannot display page" error in MSIE doesn't actually say anything. It gives it for at least three conditions, two of which are when it can't look up the domain name and when it can't connect to the server. The third I don't remember, and I think there are more conditions that cause that error message as well. Thus, I think you should try to find out what exactly goes wrong.

  5. #5
    Just Joined!
    Join Date
    Jan 2004
    Location
    Russian Federation, Kaliningrad
    Posts
    6
    Your reply pointed me to the different ports
    that different web servers are listening on.

    For example, one of my problems was that when a user typed www.yahoo.com in his browser, a "Cannot display page" error was raised. But the command "ping yahoo.com" worked very well.

    My opinion is that I should enable more of the ports, besides port 80, that web servers are listening on...

    I hope this will help and solve the problem.

    Anyway, thanks for the advice

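An added example (not code from the thread): a small Python simulator that parses a subset of the FORWARD rules posted in #3, in iptables-save syntax, and walks a packet through the chains in the order the kernel would, so the hypothesis in #5 can be checked on paper. A client SYN to port 80 is accepted via tcp_packets_forward_out and allowed, the SYN-ACK reply from eth0 is accepted as ESTABLISHED, but a SYN to a web server on port 8080 matches nothing and ends at the FORWARD policy DROP (the rule that would log it as "IPT FORWARD packet died" is a LOG target and does not change the verdict). The conntrack state is supplied by the caller rather than tracked, and the packet() helper and its port numbers are constructed for this example.

```python
import re
# Subset of the FORWARD ruleset posted in #3 of this thread (iptables-save syntax).
RULES = """
-A FORWARD -p tcp -j bad_tcp_packets
-A FORWARD -i eth0 -p tcp -j tcp_packets_forward_in
-A FORWARD -i eth1 -p tcp -j tcp_packets_forward_out
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A allowed -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A allowed -p tcp -j DROP
-A bad_tcp_packets -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP
-A tcp_packets_forward_in -p tcp -m tcp --sport 80:83 -j allowed
-A tcp_packets_forward_out -p tcp -m tcp --dport 80:83 -j allowed
"""
POLICY = {"FORWARD": "DROP"}  # ':FORWARD DROP [1:1500]' in the thread; user chains RETURN

def parse(text):
    chains = {}  # chain name -> [rule]; rule[option] = (negated, arg1, arg2)
    for line in text.strip().splitlines():
        r = {"target": re.search(r"-j (\S+)", line).group(1)}
        for opt in ("-i", "-p", "--sport", "--dport", "--state", "--tcp-flags"):
            m = re.search(rf"(?:^|\s)(!\s+)?{opt} (\S+)(?: (\S+))?", line)
            if m:
                r[opt] = (m.group(1) is not None, m.group(2), m.group(3))
        chains.setdefault(re.search(r"-A (\S+)", line).group(1), []).append(r)
    return chains

def matches(r, p):
    rng = lambda port, v: int(v.split(":")[0]) <= port <= int(v.split(":")[-1])
    tests = {"-i": lambda v, _: p["iface"] == v, "-p": lambda v, _: p["proto"] == v,
             "--sport": lambda v, _: rng(p["sport"], v), "--dport": lambda v, _: rng(p["dport"], v),
             "--state": lambda v, _: p["state"] in v.split(","),
             # only the flags named in the mask are examined; they must equal comp exactly
             "--tcp-flags": lambda m, c: p["flags"] & set(m.split(",")) == set(c.split(","))}
    for opt, fn in tests.items():
        if opt in r and fn(r[opt][1], r[opt][2]) == r[opt][0]:  # a leading '!' inverts the test
            return False
    return True

def verdict(chains, p, chain="FORWARD"):
    for r in filter(lambda x: matches(x, p), chains.get(chain, [])):  # None = RETURN to caller
        if r["target"] in ("ACCEPT", "DROP"):
            return r["target"]
        if r["target"] in chains and (v := verdict(chains, p, r["target"])):
            return v  # LOG, and a user chain that falls off its end, continue here
    return POLICY.get(chain)

def packet(iface, sport, dport, state, flags=("SYN",)):  # constructed test packets
    return {"iface": iface, "proto": "tcp", "sport": sport, "dport": dport,
            "state": state, "flags": set(flags)}
```

Appending the commented-out `-A FORWARD -i eth1 -j ACCEPT` line to RULES turns the port 8080 verdict into ACCEPT, which is the effect the first post describes when that line is enabled.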