Hello everyone. First of all, excuse me for my *bad* English. I've just installed the stable Debian distribution "Woody" and since then, I can't access the http://playstation2-linux.com web site from my firewall.
Here are the details: I have several computers, one standing as a firewall and the others for surfing the web (and other things). I use a phone line to connect. The firewall has a proxy cache (squid) for all local computers, and for itself if necessary. I use Debian programs, and a 2.4.18-debian kernel on both computers. Here is the script I use for the FW:

#drop rules
iptables -N log-and-drop
iptables -A log-and-drop -j LOG --log-prefix "drop " --log-level info
iptables -A log-and-drop -j DROP

#input rules
iptables -P INPUT DROP
iptables -A INPUT -m state --state INVALID -j log-and-drop
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
#make the openproject irc server connection faster
iptables -A INPUT -p tcp --dport 113 -j ACCEPT
iptables -A INPUT -j log-and-drop

#output
iptables -P OUTPUT ACCEPT

#forward
iptables -P FORWARD ACCEPT

#postrouting
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -d 0.0.0.0/0 -j MASQUERADE

Since it's my LAN, I want to do what I want, but I don't want external users to be able to access my computer.

Now, if I connect to a random web site through the proxy cache, it works. If I try to connect to the playstation2-linux.com web site, I simply get a time out error. At first, I thought it was Squid being weird and I tried without the proxy cache: it works. Huh? I really don't understand why Squid gets a time out error, so I tried to access it through a direct connection, not a masquerading one. I did a "telnet playstation2-linux.com 80" on the FW and simply got a time out. This site can be accessed over https, so I tried that too: same result.

Access through MASQ: 80, ok; 443, ok.
Direct access: 80, time out; 443, time out.

In both cases, it's the same phone line connection. I saw nothing related to this web site in the FW log. I removed the FW rules and tried one more time: same results. Everything worked smoothly with the Potato version.
I don't remember if I did a special configuration on the Potato version which I haven't done in Woody. Thanks in advance for any clue.

--
Guillaume "LoneWolf" Estival
Debian GNU/Linux powered /*Use free software !*/
http://dspnet.claranet.fr/~lonewolf/
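The writer reports seeing nothing about the site in the FW log. As an added example, not part of the post above, here is a small Python parser for the syslog lines that the log-and-drop chain's LOG rule writes (prefix "drop "), which filters the drops by host address and counts them per destination port; the sample log lines, interface name and addresses are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the format the iptables LOG target produces
# (prefix "drop ", --log-level info). Addresses are documentation ranges.
SAMPLE_LOG = """\
Sep 12 10:01:02 fw kernel: drop IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=1031 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 12 10:01:05 fw kernel: drop IN=ppp0 OUT= MAC= SRC=192.0.2.99 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=3456 DF PROTO=TCP SPT=4123 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 12 10:01:09 fw kernel: drop IN=ppp0 OUT= MAC= SRC=192.0.2.99 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=3457 DF PROTO=TCP SPT=4124 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 12 10:01:12 fw kernel: drop IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=443 DPT=1032 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 12 10:02:00 fw squid[512]: unrelated line that the parser must ignore
"""

LOG_PREFIX = "drop "                      # same prefix as the --log-prefix above
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")  # KEY=VALUE pairs written by LOG

def parse_drop_line(line: str) -> Optional[Dict[str, str]]:
    """Return the KEY=VALUE fields of one 'drop ' kernel log line, or None."""
    marker = "kernel: " + LOG_PREFIX
    pos = line.find(marker)
    if pos < 0:
        return None
    tail = line[pos + len(marker):]
    fields = dict(FIELD_RE.findall(tail))
    # TCP flags are bare words (SYN, ACK, RST, FIN), not KEY=VALUE pairs.
    fields["FLAGS"] = ",".join(w for w in ("SYN", "ACK", "RST", "FIN") if f" {w} " in tail)
    return fields

def drops_involving(log: str, host_ip: str) -> List[Dict[str, str]]:
    """All dropped packets whose SRC or DST is host_ip (e.g. a site you cannot reach)."""
    hits = []
    for line in log.splitlines():
        f = parse_drop_line(line)
        if f and host_ip in (f.get("SRC"), f.get("DST")):
            hits.append(f)
    return hits

def summarize_by_dport(log: str) -> Dict[str, int]:
    """Count dropped packets per destination port: a quick view of unsolicited traffic."""
    counts: Dict[str, int] = {}
    for line in log.splitlines():
        f = parse_drop_line(line)
        if f and "DPT" in f:
            counts[f["DPT"]] = counts.get(f["DPT"], 0) + 1
    return counts
```

Only packets that actually reach the log-and-drop chain are logged; replies accepted earlier by the RELATED,ESTABLISHED rule never appear here, so an empty result for a host does not by itself prove the firewall let everything through.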

