Strange iptables problem
Mike Baroukh (Guest) - 10-23-2004, 10:23 PM

Hi.

I already posted this message, but I have some more information:
I'm able to ssh from the inside machine without any problem!
Also, I added logging to iptables and received this:
Oct 24 02:13:53 bozo kernel: FORWARD: IN=eth0 OUT=ppp0 SRC=10.0.20.99 DST=195.42.251.40 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=7962 DF PROTO=TCP SPT=32785 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 24 02:13:53 bozo kernel: FORWARD: IN=eth0 OUT=ppp0 SRC=10.0.20.99 DST=195.42.251.40 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=7963 DF PROTO=TCP SPT=32785 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Oct 24 02:13:53 bozo kernel: FORWARD: IN=eth0 OUT=ppp0 SRC=10.0.20.99 DST=195.42.251.40 LEN=430 TOS=0x00 PREC=0x00 TTL=63 ID=7964 DF PROTO=TCP SPT=32785 DPT=80 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Oct 24 02:13:53 bozo kernel: FORWARD: IN=eth0 OUT=ppp0 SRC=10.0.20.99 DST=195.42.251.40 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=7965 DF PROTO=TCP SPT=32785 DPT=80 WINDOW=7461 RES=0x00 ACK URGP=0

Thanks again.

ORIGINAL MESSAGE : *********************

Hi all.

I have used iptables for 2 years and I thought I was able to resolve any
problem, but I can't understand this one.

I use a Debian box as a gateway for another machine at home.
Kernel is 2.6.7.
eth0 is inside my network.
ppp0 is my internet connection.

The gateway machine has absolutely no problem: everything is fine.
The other machine CAN ONLY ACCESS GOOGLE!!!!!
No other site works!

I used tcpflow to see what happens when my internal machine tries to
access the internet: I can see the request, but no reply.
More: the request appears 3 times, but it is only sent once by the
machine.
I tried by hand :

telnet 10.0.0.1
Trying 195.42.251.40...
Connected to www.fnac.com.
Escape character is '^]'.
GET / HTTP/1.0
Host: www.yahoo.com

And I see in the tcpflow output:

010.000.020.099.32782-216.109.118.074.00080: GET / HTTP/1.0
010.000.020.099.32782-216.109.118.074.00080: Host: www.yahoo.com
010.000.020.099.32782-216.109.118.074.00080: Host: www.yahoo.com
010.000.020.099.32782-216.109.118.074.00080: Host: www.yahoo.com
216.109.118.074.00080-010.000.020.099.32782: b>Shop</b></font></td><td colspan=2><font face=a

216.109.118.74 really is Yahoo:
;; ANSWER SECTION:
74.118.109.216.in-addr.arpa. 924 IN PTR p11.www.dcn.yahoo.com.


More info:
IP forwarding is activated in /etc/network/options.
The rules are:

*nat
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT



I really don't understand what is happening.
Can anybody help, or will I go crazy?

Thanks in advance for any help.

Mike
Tauno Voipio (Guest) - 10-30-2004, 05:19 PM

Mike Baroukh wrote:
> [full quote of the message above snipped]


You could start by verifying the iptables setup with:

iptables -nvL

and post the results. The list above is not complete.
No rule lists logging, yet you have packet logs.

Tauno Voipio
tauno voipio (at) iki fi

Mike Baroukh (Guest) - 11-02-2004, 08:14 PM

> You could start by verifying the iptables setup with:

OK.

iptables -nvL:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in   out source    destination
2905K  148M ACCEPT all  --  eth0 *   0.0.0.0/0 0.0.0.0/0
  21M 1639M ACCEPT all  --  lo   *   0.0.0.0/0 0.0.0.0/0
  16M   13G ACCEPT all  --  ppp0 *   0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
  148  7484 ACCEPT tcp  --  ppp0 *   0.0.0.0/0 0.0.0.0/0 tcp dpt:80
    0     0 ACCEPT tcp  --  ppp0 *   xxx       0.0.0.0/0 tcp dpt:8080
  592 35448 ACCEPT tcp  --  ppp0 *   0.0.0.0/0 0.0.0.0/0 tcp dpt:22
    1    60 ACCEPT tcp  --  ppp0 *   0.0.0.0/0 0.0.0.0/0 tcp dpt:993
89549 4303K DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0 tcp dpts:135:139
  924 77261 DROP   udp  --  *    *   0.0.0.0/0 0.0.0.0/0 udp dpts:135:139
  192  9468 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0 tcp dpts:4662:4672
   39  2225 DROP   udp  --  *    *   0.0.0.0/0 0.0.0.0/0 udp dpts:4662:4672
 239K   12M DROP   all  --  *    *   0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in   out  source    destination
13260 2939K ACCEPT all  --  eth0 *    0.0.0.0/0 0.0.0.0/0
12268 6358K ACCEPT all  --  ppp0 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0     0 DROP   all  --  *    *    0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out  source    destination
5323K 7721M ACCEPT all  --  *  eth0 0.0.0.0/0 0.0.0.0/0
  21M 1639M ACCEPT all  --  *  lo   0.0.0.0/0 0.0.0.0/0
  15M 5836M ACCEPT all  --  *  ppp0 0.0.0.0/0 0.0.0.0/0
    0     0 DROP   all  --  *  *    0.0.0.0/0 0.0.0.0/0


I can't see the nat rules in it.
My iptables script is:

# IP MASQUERADING
*nat
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# The firewall
*filter
# ACCEPT everything local
-A INPUT -i eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# ACCEPT all forwarding in the direction internal -> web
-A FORWARD -i eth0 -j ACCEPT
# ACCEPT all forwarding in the direction web -> internal, as long as it is not a new connection
-A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# The local machine is allowed to connect to the web
-A OUTPUT -o ppp0 -j ACCEPT
-A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# ACCEPT connections to the local web server
-A INPUT -i ppp0 -p tcp -m tcp --dport http -j ACCEPT
# Accept use of the proxy from xxx
-A INPUT -i ppp0 -s xxx -p tcp -m tcp --dport 8080 -j ACCEPT
# ACCEPT ssh connections
-A INPUT -i ppp0 -p tcp -m tcp --dport ssh -j ACCEPT
# ACCEPT imaps connections
-A INPUT -i ppp0 -p tcp -m tcp --dport 993 -j ACCEPT
# REFUSE everything else. But log first.
-A INPUT -p tcp -m tcp --dport 135:139 -j DROP
-A INPUT -p udp -m udp --dport 135:139 -j DROP
-A INPUT -p tcp -m tcp --dport 4662:4672 -j DROP
-A INPUT -p udp -m udp --dport 4662:4672 -j DROP
-A INPUT -j LOG --log-prefix "REJECT INPUT: "
-A OUTPUT -j LOG --log-prefix "REJECT OUTPUT: "
-A FORWARD -j LOG --log-prefix "REJECT FORWARD: "
-A INPUT -j DROP
-A OUTPUT -j DROP
-A FORWARD -j DROP
COMMIT


Thx
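Two practical notes on the thread so far, followed by an added example. First, `iptables -nvL` with no `-t` option lists only the filter table, which is why no nat rules appear in the listing above; `iptables -t nat -nvL` shows the POSTROUTING chain with the MASQUERADE rule and its counters. Second, the kernel LOG lines in the first post carry the prefix "FORWARD: " while the posted script only sets "REJECT INPUT: ", "REJECT OUTPUT: " and "REJECT FORWARD: ", so those lines came from a rule that is not in the script, which is the mismatch Tauno pointed out. The Python below is an added example, not code from the thread or from either poster: it parses the netfilter LOG format shown in the first post, groups the packets by flow, reports log prefixes that no LOG rule in the script could have produced, and lists packets that leave ppp0 with DF set and an IP length above a given MTU. The MTU value and the fifth, 1500-byte log line are assumptions added for illustration, not data from the thread, and the oversize check is a candidate diagnostic, not a conclusion the thread reaches.

```python
"""Triage helpers for netfilter LOG lines and an iptables-restore script.

Added example (not code from the thread): parses the kernel LOG format
shown in the post, where each line is "<prefix>IN=... OUT=... KEY=VALUE ..."
with bare flag words (DF, SYN, ACK, ...), and runs three checks on it.
"""
import re
from collections import defaultdict

# Constructed sample: the four FORWARD lines from the post, plus one extra
# hypothetical line (ID=7970, LEN=1500) that is NOT from the thread, added so
# the oversize-DF check has something to report.
SAMPLE_LOG = """\
Oct 24 02:13:53 bozo kernel: FORWARD: IN=eth0 OUT=ppp0 SRC=10.0.20.99 DST=195.42.251.40 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=7962 DF PROTO=TCP SPT=32785 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 24 02:13:53 bozo kernel: FORWARD: IN=eth0 OUT=ppp0 SRC=10.0.20.99 DST=195.42.251.40 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=7963 DF PROTO=TCP SPT=32785 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Oct 24 02:13:53 bozo kernel: FORWARD: IN=eth0 OUT=ppp0 SRC=10.0.20.99 DST=195.42.251.40 LEN=430 TOS=0x00 PREC=0x00 TTL=63 ID=7964 DF PROTO=TCP SPT=32785 DPT=80 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Oct 24 02:13:53 bozo kernel: FORWARD: IN=eth0 OUT=ppp0 SRC=10.0.20.99 DST=195.42.251.40 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=7965 DF PROTO=TCP SPT=32785 DPT=80 WINDOW=7461 RES=0x00 ACK URGP=0
Oct 24 02:14:10 bozo kernel: FORWARD: IN=eth0 OUT=ppp0 SRC=10.0.20.99 DST=195.42.251.40 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=7970 DF PROTO=TCP SPT=32785 DPT=80 WINDOW=7461 RES=0x00 ACK PSH URGP=0
"""

# The three LOG rules exactly as they appear in the posted script.
SAMPLE_RULES = '''
-A INPUT -j LOG --log-prefix "REJECT INPUT: "
-A OUTPUT -j LOG --log-prefix "REJECT OUTPUT: "
-A FORWARD -j LOG --log-prefix "REJECT FORWARD: "
'''

# The LOG target prints --log-prefix verbatim, immediately followed by "IN=".
LINE_RE = re.compile(r"kernel: (?P<prefix>.*?)IN=(?P<rest>.*)$")
KV_RE = re.compile(r"([A-Z]+)=(\S+)")
BARE_FLAGS = {"DF", "MF", "SYN", "ACK", "PSH", "FIN", "RST", "URG", "CWR", "ECE"}


def parse_log_line(line):
    """Parse one netfilter LOG line into a dict; return None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    body = "IN=" + m.group("rest")
    kv = dict(KV_RE.findall(body))
    flags = {tok for tok in body.split() if tok in BARE_FLAGS}
    return {
        "prefix": m.group("prefix"),
        "in": kv.get("IN", ""),
        "out": kv.get("OUT", ""),
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "proto": kv.get("PROTO"),
        "spt": int(kv["SPT"]) if "SPT" in kv else None,
        "dpt": int(kv["DPT"]) if "DPT" in kv else None,
        "len": int(kv["LEN"]),
        "id": int(kv["ID"]),
        "df": "DF" in flags,
        "tcp_flags": sorted(flags - {"DF", "MF"}),
    }


def parse_log(text):
    """Parse every LOG line in a block of syslog text, skipping the rest."""
    return [e for e in map(parse_log_line, text.splitlines()) if e]


def summarize_flows(entries):
    """Group packets by (src, spt, dst, dpt): count, bytes, TCP flags seen."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "flags": set()})
    for e in entries:
        f = flows[(e["src"], e["spt"], e["dst"], e["dpt"])]
        f["packets"] += 1
        f["bytes"] += e["len"]
        f["flags"].update(e["tcp_flags"])
    return dict(flows)


def configured_log_prefixes(ruleset_text):
    """Collect the --log-prefix strings from an iptables-restore style script."""
    return set(re.findall(r'--log-prefix\s+"([^"]*)"', ruleset_text))


def unexplained_prefixes(entries, ruleset_text):
    """Prefixes seen in the log that no LOG rule in the script sets.

    Any hit means those lines came from a rule that is not in the script."""
    seen = {e["prefix"] for e in entries}
    return sorted(seen - configured_log_prefixes(ruleset_text))


def oversize_df_packets(entries, mtu, out_iface="ppp0"):
    """Packets leaving out_iface with DF set and an IP length above mtu.

    The kernel cannot fragment these; if the link MTU really is that small
    they are dropped and an ICMP 'fragmentation needed' is sent back instead.
    The mtu argument is an assumption; read the real one from `ip link`."""
    return [(e["id"], e["len"]) for e in entries
            if e["out"] == out_iface and e["df"] and e["len"] > mtu]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for key, f in summarize_flows(entries).items():
        print(key, f["packets"], "pkts,", f["bytes"], "bytes, flags", sorted(f["flags"]))
    print("log prefixes no rule in the script produces:",
          unexplained_prefixes(entries, SAMPLE_RULES))
    print("DF packets above an assumed ppp0 MTU of 1492:",
          oversize_df_packets(entries, 1492))
```

To use it on a real box, feed `parse_log` the contents of the kernel log and `unexplained_prefixes` the output of `iptables-save` (which includes every table, unlike a bare `iptables -nvL`), and pass the MTU reported by `ip link show ppp0` to `oversize_df_packets`.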
