
Problems accessing some sites


darh ::

I have problems accessing some sites, e.g. slashdot.org, edavki.durs.si, from a machine behind the firewall. The FW configuration is identical to the FW configuration on another FW system where I never had these problems.
From the FW box itself I can access the sites mentioned above without problems.


When the browser sends a request to slashdot.org, "tcpdump -i ppp0 port 80" shows this:

20:46:36.274771 IP XXX-XX-XXX-XX.dsl.siol.net.4870 > slashdot.org.www: S 3396604571:3396604571(0) win 64240 <mss 1460,nop,nop,sackOK>
20:46:36.476686 IP slashdot.org.www > XXX-XX-XXX-XX.dsl.siol.net.4870: S 1602985113:1602985113(0) ack 3396604572 win 5840 <mss 1460,nop,nop,sackOK>
20:46:36.476905 IP XXX-XX-XXX-XX.dsl.siol.net.4870 > slashdot.org.www: . ack 1 win 64240
20:46:36.477311 IP XXX-XX-XXX-XX.dsl.siol.net.4870 > slashdot.org.www: P 1:399(398) ack 1 win 64240
20:46:36.685373 IP slashdot.org.www > XXX-XX-XXX-XX.dsl.siol.net.4870: . ack 399 win 6432



When I request the page from a browser on the FW box (and actually get it), I see this:

20:52:37.821216 IP XXX-XX-XXX-XX.dsl.siol.net.33134 > star.slashdot.org.www: S 292854160:292854160(0) win 5808 <mss 1452,sackOK,timestamp 225452924 0,nop,wscale 0>
20:52:38.025825 IP star.slashdot.org.www > XXX-XX-XXX-XX.dsl.siol.net.33134: S 537017208:537017208(0) ack 292854161 win 5792 <mss 1460,sackOK,timestamp 1956896748 225452924,nop,wscale 0>
20:52:38.025919 IP XXX-XX-XXX-XX.dsl.siol.net.33134 > star.slashdot.org.www: . ack 1 win 5808 <nop,nop,timestamp 225452944 1956896748>
20:52:38.031123 IP XXX-XX-XXX-XX.dsl.siol.net.33134 > star.slashdot.org.www: P 1:326(325) ack 1 win 5808 <nop,nop,timestamp 225452945 1956896748>
20:52:38.256139 IP star.slashdot.org.www > XXX-XX-XXX-XX.dsl.siol.net.33134: . ack 326 win 6432 <nop,nop,timestamp 1956896769 225452945>
20:52:38.258148 IP star.slashdot.org.www > XXX-XX-XXX-XX.dsl.siol.net.33134: P 1:530(529) ack 326 win 6432 <nop,nop,timestamp 1956896769 225452945>
20:52:38.258260 IP XXX-XX-XXX-XX.dsl.siol.net.33134 > star.slashdot.org.www: . ack 530 win 6432 <nop,nop,timestamp 225452967 1956896769>
20:52:38.258178 IP star.slashdot.org.www > XXX-XX-XXX-XX.dsl.siol.net.33134: F 530:530(0) ack 326 win 6432 <nop,nop,timestamp 1956896769 225452945>
20:52:38.281120 IP XXX-XX-XXX-XX.dsl.siol.net.33134 > star.slashdot.org.www: F 326:326(0) ack 531 win 6432 <nop,nop,timestamp 225452970 1956896769>
20:52:38.494450 IP star.slashdot.org.www > XXX-XX-XXX-XX.dsl.siol.net.33134: . ack 327 win 6432 <nop,nop,timestamp 1956896794 225452970>
20:52:40.321177 IP XXX-XX-XXX-XX.dsl.siol.net.33135 > slashdot.org.www: S 300738823:300738823(0) win 5808 <mss 1452,sackOK,timestamp 225453174 0,nop,wscale 0>
20:52:40.522957 IP slashdot.org.www > XXX-XX-XXX-XX.dsl.siol.net.33135: S 149777090:149777090(0) ack 300738824 win 5792 <mss 1460,sackOK,timestamp 1947694796 225453174,nop,wscale 0>
20:52:40.523052 IP XXX-XX-XXX-XX.dsl.siol.net.33135 > slashdot.org.www: . ack 1 win 5808 <nop,nop,timestamp 225453194 1947694796>
20:52:40.531102 IP XXX-XX-XXX-XX.dsl.siol.net.33135 > slashdot.org.www: P 1:322(321) ack 1 win 5808 <nop,nop,timestamp 225453195 1947694796>
20:52:40.735845 IP slashdot.org.www > XXX-XX-XXX-XX.dsl.siol.net.33135: . ack 322 win 6432 <nop,nop,timestamp 1947694818 225453195>
20:52:40.824233 IP slashdot.org.www > XXX-XX-XXX-XX.dsl.siol.net.33135: . 1:1441(1440) ack 322 win 6432 <nop,nop,timestamp 1947694825 225453195>
20:52:40.824310 IP XXX-XX-XXX-XX.dsl.siol.net.33135 > slashdot.org.www: . ack 1441 win 8640 <nop,nop,timestamp 225453224 1947694825>
20:52:40.830042 IP slashdot.org.www > XXX-XX-XXX-XX.dsl.siol.net.33135: . 1441:2881(1440) ack 322 win 6432 <nop,nop,timestamp 1947694825 225453195>
20:52:40.830163 IP XXX-XX-XXX-XX.dsl.siol.net.33135 > slashdot.org.www: . ack 2881 win 11520 <nop,nop,timestamp 225453224 1947694825>
20:52:41.063872 IP slashdot.org.www > XXX-XX-XXX-XX.dsl.siol.net.33135: . 2881:4321(1440) ack 322 win 6432 <nop,nop,timestamp 1947694849 225453224>
20:52:41.063946 IP XXX-XX-XXX-XX.dsl.siol.net.33135 > slashdot.org.www: . ack 4321 win 14400 <nop,nop,timestamp 225453248 1947694849>
20:52:41.069774 IP slashdot.org.www > XXX-XX-XXX-XX.dsl.siol.net.33135: . 4321:5761(1440) ack 322 win 6432 <nop,nop,timestamp 1947694849 225453224>
20:52:41.069859 IP XXX-XX-XXX-XX.dsl.siol.net.33135 > slashdot.org.www: . ack 5761 win 17280 <nop,nop,timestamp 225453248 1947694849>
20:52:41.075955 IP slashdot.org.www > XXX-XX-XXX-XX.dsl.siol.net.33135: P 5761:7201(1440) ack 322 win 6432 <nop,nop,timestamp 1947694849 225453224>
20:52:41.076037 IP XXX-XX-XXX-XX.dsl.siol.net.33135 > slashdot.org.www: . ack 7201 win 20160 <nop,nop,timestamp 225453249 1947694849>
20:52:41.081834 IP slashdot.org.www > XXX-XX-XXX-XX.dsl.siol.net.33135: . 7201:8641(1440) ack 322 win 6432 <nop,nop,timestamp 1947694849 225453224>
20:52:41.082073 IP XXX-XX-XXX-XX.dsl.siol.net.33135 > slashdot.org.www: . ack 8641 win 23040 <nop,nop,timestamp 225453250 1947694849>
20:52:41.279460 IP slashdot.org.www > XXX-XX-XXX-XX.dsl.siol.net.33135: . 8641:10081(1440) ack 322 win 6432 <nop,nop,timestamp 1947694870 225453248>
20:52:41.279534 IP XXX-XX-XXX-XX.dsl.siol.net.33135 > slashdot.org.www: . ack 10081 win 25920 <nop,nop,timestamp 225453269 1947694870>
20:52:41.285366 IP slashdot.org.www > XXX-XX-XXX-XX.dsl.siol.net.33135: P 10081:11521(1440) ack 322 win 6432 <nop,nop,timestamp 1947694870 225453248>
20:52:41.285452 IP XXX-XX-XXX-XX.dsl.siol.net.33135 > slashdot.org.www: . ack 11521 win 28800 <nop,nop,timestamp 225453270 1947694870>
20:52:41.290655 IP slashdot.org.www > XXX-XX-XXX-XX.dsl.siol.net.33135: FP 11521:12830(1309) ack 322 win 6432 <nop,nop,timestamp 1947694870 225453248>
20:52:41.301106 IP XXX-XX-XXX-XX.dsl.siol.net.33135 > slashdot.org.www: F 322:322(0) ack 12831 win 31680 <nop,nop,timestamp 225453272 1947694870>
20:52:41.503091 IP slashdot.org.www > XXX-XX-XXX-XX.dsl.siol.net.33135: . ack 323 win 6432 <nop,nop,timestamp 1947694894 225453272>



iptables -L spits out this:

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
bad_packets all -- anywhere anywhere
DROP all -- anywhere ALL-SYSTEMS.MCAST.NET
ACCEPT all -- 10.0.0.0/24 anywhere
ACCEPT all -- anywhere 10.0.0.255
ACCEPT all -- 10.0.0.0/24 anywhere
ACCEPT all -- anywhere 10.0.0.255
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
tcp_inbound tcp -- anywhere anywhere
udp_inbound udp -- anywhere anywhere
icmp_packets icmp -- anywhere anywhere
DROP all -- anywhere 255.255.255.255
LOG all -- anywhere anywhere limit: avg 3/min burst 3 LOG level warning prefix `INPUT packet died: '

Chain FORWARD (policy DROP)
target prot opt source destination
bad_packets all -- anywhere anywhere
tcp_outbound tcp -- anywhere anywhere
tcp_outbound tcp -- anywhere anywhere
udp_outbound udp -- anywhere anywhere
udp_outbound udp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 10.0.0.10 tcp dpt:4662
ACCEPT udp -- anywhere 10.0.0.10 udp dpt:4672
ACCEPT tcp -- anywhere 10.0.0.10 tcp dpt:4661
ACCEPT udp -- anywhere 10.0.0.10 udp dpt:4665
ACCEPT tcp -- anywhere 10.0.0.10 tcp dpt:27960
LOG all -- anywhere anywhere limit: avg 3/min burst 3 LOG level warning prefix `FORWARD packet died: '

Chain OUTPUT (policy DROP)
target prot opt source destination
DROP icmp -- anywhere anywhere state INVALID
ACCEPT all -- localhost.localdomain anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- 10.0.0.1 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- 10.0.0.2 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 3 LOG level warning prefix `OUTPUT packet died: '

Chain bad_packets (2 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
bad_tcp_packets tcp -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain bad_tcp_packets (1 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere
RETURN tcp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
RETURN tcp -- anywhere anywhere

Chain icmp_packets (1 references)
target prot opt source destination
DROP icmp -f anywhere anywhere
LOG icmp -- anywhere anywhere icmp echo-request LOG level warning prefix `Ping detected: '
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
RETURN icmp -- anywhere anywhere

Chain tcp_inbound (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:auth
ACCEPT tcp -- anywhere anywhere tcp dpts:60000:64000
ACCEPT tcp -- 10.0.0.0/24 anywhere tcp dpt:ssh
RETURN tcp -- anywhere anywhere

Chain tcp_outbound (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere

Chain udp_inbound (1 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:netbios-ns
DROP udp -- anywhere anywhere udp dpt:netbios-dgm
ACCEPT udp -- anywhere anywhere udp dpt:113
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
RETURN udp -- anywhere anywhere

Chain udp_outbound (2 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere
Excuses are useless! Results are priceless!

64202 ::

Play around with 'iptables-save -c', which prints all the rules plus the hit count for each rule.

Gandalfar ::

xbite: maybe the MTU is too high?

darh ::

ifconfig says ppp0 has an MTU of 1492.
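Added example, not code from the thread: a small Python script that reads tcpdump lines like the two traces above, groups them into flows, and compares the MSS each client advertised (plus an assumed 40 bytes of IPv4 and TCP headers without options) against the ppp0 MTU of 1492 quoted in the thread, next to how many bytes the server actually sent back. The sample packets are copied from the posted traces.

```python
import re
from collections import defaultdict

# Constructed sample: a few packets from each trace above (host behind the FW on port 4870, FW itself on 33135).
TRACE = """\
20:46:36.274771 IP XXX-XX-XXX-XX.dsl.siol.net.4870 > slashdot.org.www: S 3396604571:3396604571(0) win 64240 <mss 1460,nop,nop,sackOK>
20:46:36.476686 IP slashdot.org.www > XXX-XX-XXX-XX.dsl.siol.net.4870: S 1602985113:1602985113(0) ack 3396604572 win 5840 <mss 1460,nop,nop,sackOK>
20:46:36.477311 IP XXX-XX-XXX-XX.dsl.siol.net.4870 > slashdot.org.www: P 1:399(398) ack 1 win 64240
20:46:36.685373 IP slashdot.org.www > XXX-XX-XXX-XX.dsl.siol.net.4870: . ack 399 win 6432
20:52:40.321177 IP XXX-XX-XXX-XX.dsl.siol.net.33135 > slashdot.org.www: S 300738823:300738823(0) win 5808 <mss 1452,sackOK,timestamp 225453174 0,nop,wscale 0>
20:52:40.531102 IP XXX-XX-XXX-XX.dsl.siol.net.33135 > slashdot.org.www: P 1:322(321) ack 1 win 5808 <nop,nop,timestamp 225453195 1947694796>
20:52:40.824233 IP slashdot.org.www > XXX-XX-XXX-XX.dsl.siol.net.33135: . 1:1441(1440) ack 322 win 6432 <nop,nop,timestamp 1947694825 225453195>
"""

PACKET = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPR.]+)"
                    r"(?: \d+:\d+\((?P<len>\d+)\))?")
MSS = re.compile(r"<.*?\bmss (\d+)")
IP_TCP_HDR = 40  # assumption: IPv4 + TCP header without options, no tunnel; MSS excludes both

def analyse(trace, link_mtu):
    """Group packets into flows; compare the reply size each client invited with the link MTU."""
    flows = {}
    for line in trace.splitlines():
        m = PACKET.match(line)
        if not m:
            continue
        src, dst, flags = m.group("src"), m.group("dst"), m.group("flags")
        f = flows.setdefault(tuple(sorted((src, dst))),
                             {"client": None, "mss": {}, "bytes": defaultdict(int)})
        if "S" in flags:
            if " ack " not in line:  # plain SYN: this side opened the connection
                f["client"] = src
            mm = MSS.search(line)
            if mm:
                f["mss"][src] = int(mm.group(1))
        f["bytes"][src] += int(m.group("len") or 0)
    report = {}
    for ends, f in flows.items():
        client = f["client"]
        if client is None or client not in f["mss"]:
            continue  # handshake not captured; nothing to judge
        server = ends[0] if ends[1] == client else ends[1]
        wire = f["mss"][client] + IP_TCP_HDR  # largest packet the server may send back
        report[client] = {"client_mss": f["mss"][client], "max_server_packet": wire,
                          "fits_link": wire <= link_mtu,
                          "server_bytes": f["bytes"][server]}
    return report

if __name__ == "__main__":
    print(analyse(TRACE, link_mtu=1492))  # 1492 is the ppp0 MTU reported in the thread
```

On the quoted packets the inner host (MSS 1460) invites 1500-byte replies over a 1492-byte link and receives no data, while the firewall's own flow (MSS 1452) fits and receives data; clamping the MSS on the firewall (iptables TCPMSS --clamp-mss-to-pmtu) is the standard mitigation for that pattern.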



