[pmfirewall] 128-bit encrypted sites don't work on remote subnets?


From: stnick@aquinascafe.org
Date: Fri Jun 02 2000 - 13:12:27 PDT


PmFirewallers-

Ok, here is a weird one. I don't think it is related to pmfirewall per
se, but might be related to ipchains/ipmasq in general, so thought you
experts might have an idea about it.... The general problem is that I
can't get some machines to access certain internet web pages- they seem
to be ones that use 128 bit encryption and/or https (i.e. port 443).

I have a box working as an internet DSL line masquerade server for a
local subnet and several remote subnets networked via routers. I don't
administrate the routers or have any control over them, so let's assume
for a moment that they are not the problem. So, here is the config....

                                        209.142.xxx.xxx
[Internet]----DSL-Line/Modem----[ Linux Masq Server ]---Hub------local subnet
                                  192.168.140.200        |      192.168.140.x
                                                         |
                                                         |
                                                      router
                                                  192.168.140.254
                                                     / | \
                                                    /  |  \
                                                   /   |   \
                                             remote  remote  remote
                                      192.168.141.x 192.168.142.x 192.168.143.x

Okay, so to get the packets flowing amongst the subnets properly from
the linux masq server I do:

route add -net 192.168.140.0 netmask 255.255.255.0 gw 192.168.140.254
route add -net 192.168.141.0 netmask 255.255.255.0 gw 192.168.140.254
route add -net 192.168.142.0 netmask 255.255.255.0 gw 192.168.140.254
route add -net 192.168.143.0 netmask 255.255.255.0 gw 192.168.140.254

And to get masq'ing to work I do (after loading all available masq
modules, of course):

/sbin/ipchains -A forward -j MASQ \
   -s 192.168.140.0/24 -d 0.0.0.0/0
/sbin/ipchains -A forward -j MASQ \
   -s 192.168.141.0/24 -d 0.0.0.0/0
/sbin/ipchains -A forward -j MASQ \
   -s 192.168.142.0/24 -d 0.0.0.0/0
/sbin/ipchains -A forward -j MASQ \
   -s 192.168.143.0/24 -d 0.0.0.0/0

pmfirewall also gets fired up, but it is not the problem because I have
tested it without pmfirewall running and still get the problem.

Specifically, the problem is this: any machine on the masq server's
local net (192.168.140.x) can access this page (for instance):
https://bsdnet.officedepot.com , but no machine on any remote subnet
(e.g. 192.168.141.x) can access it. When the remote subnets try to
access it, the DNS lookup is successful, the contact packet is sent, and
then nothing: the web browser hangs and hangs and never gets a return
packet from the website. The remote subnets can access "normal" web
pages, and other services (AIM, for instance) without any problem.

Ideas?

    -Patrick
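A small sanity check for the kind of multi-subnet setup described in the post above. This is an added example, not code from the post or from pmfirewall: it does not read real `route` or `ipchains` output, and the interface name, rule lists and addresses are constructed to mirror the diagram. It catches the two configuration slips that silently break a routed subnet behind a masquerading box: a static route whose gateway is not on any directly connected network (a `192.169.x.x` typo for `192.168.x.x`, for instance), and a routed subnet that has a route but no matching `MASQ` rule in the forward chain, so its RFC 1918 source addresses leak onto the DSL link and replies never return. `forward_target` reproduces the first-match semantics of an ipchains chain.

```python
"""Sanity-check routes and MASQ rules for a multi-subnet masquerading box.

Added illustration; it does not parse real ipchains or route output. The
addresses, interface name and rule lists below are constructed to mirror
the topology in the post.
"""
import ipaddress

# Constructed: the masq server's inside interface (the name is assumed).
INTERFACES = {"eth1": ipaddress.ip_interface("192.168.140.200/24")}

# Constructed: static routes as (destination network, gateway).
ROUTES = [
    ("192.168.141.0/24", "192.168.140.254"),
    ("192.168.142.0/24", "192.168.140.254"),
    ("192.168.143.0/24", "192.168.140.254"),
]

# Constructed: ipchains forward-chain rules in order: (-s, -d, -j target).
MASQ_RULES = [
    ("192.168.140.0/24", "0.0.0.0/0", "MASQ"),
    ("192.168.141.0/24", "0.0.0.0/0", "MASQ"),
    ("192.168.142.0/24", "0.0.0.0/0", "MASQ"),
    ("192.168.143.0/24", "0.0.0.0/0", "MASQ"),
]


def gateway_problems(routes, interfaces):
    """Return the (network, gateway) routes whose gateway is not on-link.

    A gateway outside every directly connected subnet is unreachable, so
    the kernel either rejects the route or the traffic never leaves.
    """
    problems = []
    for net, gw in routes:
        gw_ip = ipaddress.ip_address(gw)
        on_link = any(gw_ip in iface.network for iface in interfaces.values())
        if not on_link:
            problems.append((net, gw))
    return problems


def forward_target(rules, src, dst):
    """First-match semantics of an ipchains chain.

    Returns the target of the first rule whose -s and -d both match, or
    None when nothing matches (the chain policy then decides).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, target in rules:
        if s in ipaddress.ip_network(rule_src) and d in ipaddress.ip_network(rule_dst):
            return target
    return None


def unmasqueraded_subnets(routes, interfaces, rules, probe_dst="198.51.100.10"):
    """List every routed or directly connected subnet with no MASQ rule.

    probe_dst is a documentation-range address standing in for any
    internet destination; each subnet is probed with its first host.
    """
    nets = [ipaddress.ip_network(n) for n, _ in routes]
    nets += [iface.network for iface in interfaces.values()]
    missing = []
    for net in nets:
        probe = str(net.network_address + 1)
        if forward_target(rules, probe, probe_dst) != "MASQ":
            missing.append(str(net))
    return missing


if __name__ == "__main__":
    print("gateway problems:", gateway_problems(ROUTES, INTERFACES))
    print("subnets without MASQ:", unmasqueraded_subnets(ROUTES, INTERFACES, MASQ_RULES))
```

Run it with the constructed tables and both checks come back empty; drop one of the `MASQ_RULES` entries or mistype a gateway and the offending subnet or route is reported. Because both lists are plain tuples, the same functions can be fed the output of a real `route -n` and `ipchains -L forward -n` once parsed.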




This archive was generated by hypermail 2b29 : Sun Jun 10 2001 - 02:35:02 PDT