"Gregory S. Read" wrote:
> 
> I'm running Red Hat 5.1 with 2.0.35 kernel.
> 
> I have IP masquerading working successfully for most things.  Regular TCP
> things seem to work fine.  Pinging sites works fine.  Most HTTP sites work
> fine too.
> 
> However, some HTTP sites are just impossible.  A few sites that I can think
> of off hand that DON'T work are...


Some web sites keep stateful information about browser connections, but
problems can creep in due to NAT/Masquerading/Proxy implementations, as
well.  I have noticed occasional weirdness with both Win95/98 and WinNT
IP stacks.  Try putting two NICs in a Win98 box sometime and see what
happens.  Sites that use userid/password to authenticate "pay for
service access" are the most likely to keep stateful information.  My
connection to the internet is behind a masqueraded linux box taking a
dynamic IP address from a cable modem network using private IP address
space connected to the internet via a firewall using its own NAT
implementation.  I don't have any problem with aol or microsoft, but
then again, I have cookies, java (tools of stateful web connection),
proxies and caching turned off.  Additionally, I am probably the only
person in the cable modem network who is surfing these non-Japanese web
sites.  I have personally transitioned internet cafes who were using
WinNT with a Proxy solution that would crap out at any web page keeping
any type of stateful information (rocket mail, hot mail, etc...).  They
got real public IP addresses and full DNS mapping to fix their problems.

> http://www.aol.com
> http://www.microsoft.com
> 
> My guess is they have anti-linux filters. :-)

You can use netstat -M (among other things) to check the state of your
masqueraded connections.  Somehow, I don't think microsoft/aol are
worried about linux based routing infrastructure as much as they would
like to see IE running on your windows desktop instead of Netscape or
whatever.

> They work just fine when accessed from the gateway Linux machine running IP
> Masquerade.
> 
> These are the only sites I've found to be a problem.  Most other HTTP
> queries have worked great over the routing.  Any ideas?

Try dumbing down the browser end... no cookies, no java, no java script,
no caching, no proxies, no fun; dump your disk and memory caches,
restart everything and wait an hour or so before surfing again. Don't
"login" to anything web based.  Make sure that your public IP address
for the external interface on the linux box reverse maps (some ISPs don't
reverse map their dial-up IPs either out of paranoia or ignorance).
Dump identd on the linux box.  Also, if you're using IE on the
masqueraded boxes, don't.  God Knows what type of stateful interfaces
Uncle Bill's monkeys have coded into that monster (we've already seen so
many "sorry we were looking up your dress" type of patches come out of
Redmond that it should be obvious that unless someone finds problems and
makes them blatantly public, Microsoft is going to do NOTHING to inhibit
their access to your computer and EVERYTHING to control your access to
the internet; if you like being a lap dog, run IE).  Netscape is not to
be trusted either, but they have a better track record and they have
taken the high, open source road (god damned if mozilla doesn't have
some rough edges, though).

Some places like the New York Times web site just aren't going to let
you in unless you have cookies turned on (for sites that allow you to
use a userid/passwd combination obtained with cookies, but not requiring
continuous cookie availability, use the "cypherpunk" userid/password).
Some places insist on having Java and there are even some perverted sites
that require your browser to be IE.  Same goes for certain parts of
Microsoft's web sites.  For these sites, I typically turn on cookies
(and other required features) briefly and then turn them back off.  For
this same reason I also have IE installed on one of my desktops (for
the really ignorant sites). Also, I believe that making cookie
information consistent across all the masqueraded clients is not
possible and/or would not solve the problem.  It would be really nice if
Linux IP masquerading had some sort of stateful inspection that allowed
the administrator to shunt off all cookie request/responses to /dev/null
for all the masqueraded clients.  Of course, the implications of doing
that kinda' makes my head hurt just thinking about it.  Also, that type
of stateful inspection, in my estimation, would be orders of magnitude
more difficult, would slow translation/routing down, and is well beyond
the point of diminishing returns on the power curve.  I guess it all
depends on how many clients you are masquerading.

Of course random cache diving is a possible solution for the die hard,
"I'll never conform to Microsoft's demands", linux fanatic, hacker
types.  You might want to look into squid caching at your linux box
yourself (I'm not familiar with the gory details about how squid handles
cookies and other such stateful things).  Besides, you can find ALL sorts
of interesting things in the various squid/internet web caching systems
out there.  It's harder to get at, harder to use and often doesn't
contain all the components of a web site that you may require, but, hey,
convenience isn't necessarily for everyone.

> Gregory S. Read
> [EMAIL PROTECTED]
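The reply above wishes for a masquerading box that could "shunt off all cookie request/responses to /dev/null" while still letting cookies through briefly for the few sites that insist on them. The following is an added example, not code from the post or from the Linux masquerading code: a user-space filter over raw HTTP/1.x messages that drops Cookie and Set-Cookie headers, honours an allow-list of hosts, and reports what it removed so the administrator can see which sites depend on that state. The sample request and response are constructed for the example; nothing here is captured from a real site, and the filter only applies to plaintext HTTP that a proxy can see.

```python
"""Strip cookie state from HTTP/1.x messages in user space.

Added example illustrating the 'cookie shunt' idea from the thread; the
host names and traffic below are constructed, not captured.
"""
from typing import FrozenSet, List, Optional, Tuple

# Header names that carry browser-side session state (compared case-insensitively).
COOKIE_HEADERS = frozenset({"cookie", "set-cookie", "set-cookie2"})


def _host_of(lines: List[bytes]) -> Optional[str]:
    """Return the Host header value of a request's header lines, if present."""
    for line in lines:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("latin-1").lower()
    return None


def strip_cookie_headers(raw: bytes, host: Optional[str] = None,
                         allow_hosts: FrozenSet[str] = frozenset()) -> Tuple[bytes, List[str]]:
    """Remove Cookie / Set-Cookie headers from one complete HTTP/1.x message.

    raw         -- request or response exactly as it appears on the wire
    host        -- server the message belongs to; for requests it is read
                   from the Host header when not supplied (responses carry
                   no Host header, so the caller must pass it)
    allow_hosts -- hosts whose cookies pass through untouched, i.e. the
                   'turn cookies on briefly for that one site' exception

    Returns (filtered message, list of header lines that were removed).
    Only the header block is inspected; the body is copied verbatim.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return raw, []          # header block incomplete: leave it alone
    lines = head.split(b"\r\n")
    if host is None:
        host = _host_of(lines[1:])
    if host is not None and host in allow_hosts:
        return raw, []          # allow-listed site keeps its cookies
    kept = [lines[0]]           # request-line or status-line
    removed: List[str] = []
    dropping = False            # True while inside a removed header's folded continuation
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            # obs-fold continuation belongs to whichever header preceded it
            if dropping:
                removed.append(line.decode("latin-1"))
            else:
                kept.append(line)
            continue
        name = line.partition(b":")[0].strip().lower().decode("latin-1")
        dropping = name in COOKIE_HEADERS
        if dropping:
            removed.append(line.decode("latin-1"))
        else:
            kept.append(line)
    return b"\r\n".join(kept) + sep + body, removed


# Constructed sample traffic for a stand-alone run (hypothetical host name).
SAMPLE_REQUEST = (b"GET /login HTTP/1.1\r\n"
                  b"Host: shop.example\r\n"
                  b"Cookie: session=abc123; tracker=xyz\r\n"
                  b"User-Agent: test\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Set-Cookie: session=abc123; Path=/\r\n"
                   b"Content-Type: text/html\r\n"
                   b"Content-Length: 5\r\n\r\n"
                   b"hello")


def demo() -> dict:
    """Run the filter over the constructed samples and collect the results."""
    req, req_removed = strip_cookie_headers(SAMPLE_REQUEST)
    resp, resp_removed = strip_cookie_headers(SAMPLE_RESPONSE, host="shop.example")
    passthrough, _ = strip_cookie_headers(SAMPLE_REQUEST,
                                          allow_hosts=frozenset({"shop.example"}))
    return {"request": req, "request_removed": req_removed,
            "response": resp, "response_removed": resp_removed,
            "allowed_unchanged": passthrough == SAMPLE_REQUEST}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The removed-header list is the useful output for an administrator: a site that keeps working with its Set-Cookie lines stripped is one that did not need the state, while one that starts failing is a candidate for the allow-list, which is the per-site toggling the reply describes doing by hand in the browser.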