Re: [Solved] iptables firewall and web sites not loading
On 10/12/2019 at 20:13, nektarios wrote:
> Pascal Hambourg wrote:
> > Maybe a "MTU black hole" issue with PPPoE.
> > Workarounds :
> > - lower the MTU on the client side to 1492
> > - add a "TCPMSS --clamp-to-pmtu" iptables rule on the router
> (...)
> The tip you gave me really did the job!
> I found this page in tldp.org describing the MTU issue
> http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/mtu-issues.html
> and then I simply ran the iptables command
> ```
> iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> ```
> and it was fixed!

Please note that
- It's a hack. It does not fix the actual issue (inbound packets bigger than the PMTU are silently dropped).
- It works only for TCP.
- This rule works only for IPv4. If you have IPv6 connectivity, you must add a similar ip6tables rule.
- It does not work inside VPNs and tunnels which hide the actual PMTU.
[Solved] iptables firewall and web sites not loading
On Tue, 10 Dec 2019 09:26:46 +
Nektarios Katakis wrote:

> On Tue, 10 Dec 2019 07:22:05 +0100
> Pascal Hambourg wrote:
>
> > On 10/12/2019 at 00:01, Nektarios Katakis wrote:
> > >
> > > I am running an iptables firewall on an openwrt router I've got.
> > > Which acts as Firewall/gateway and performs NATing for my internal
> > > network - debian PCs and android phones.
> > >
> > > All good but specific web sites are not loading for the machines
> > > that are sitting behind the home router.
> > >
> > > When attempting on the browser (firefox but tried different ones)
> > > the browser stays at `Performing a TLS handshake to
> > > bitbucket.org`. wget has similar results:
> > > ```
> > > wget https://bitbucket.org
> > > --2019-12-09 22:07:32-- https://bitbucket.org/
> > > Resolving bitbucket.org (bitbucket.org)... 18.205.93.0, 18.205.93.1, 18.205.93.2, ...
> > > Connecting to bitbucket.org (bitbucket.org)|18.205.93.0|:443... connected.
> > > ```
> > > When doing a tcpdump on the router side I can see some initial TCP
> > > session establishment and then nothing:
> > (...)
> > > Of course doing a wget from the router itself works fine as it
> > > also works fine on my desktop if I do dynamic port-forwarding
> > > with e.g. `ssh -D 1050 router` (and configure of course firefox to
> > > use it).
> >
> > Maybe a "MTU black hole" issue with PPPoE.
> > Workarounds :
> > - lower the MTU on the client side to 1492
> > - add a "TCPMSS --clamp-to-pmtu" iptables rule on the router
> >
>
> Interesting. I'm not a network engineer and actually didn't think of
> that. I'll give it a shot and update.
>
> Thanks.
>

The tip you gave me really did the job!

I found this page in tldp.org describing the MTU issue
http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/mtu-issues.html
and then I simply ran the iptables command
```
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
```
and it was fixed!

Thanks again!

--
Nektarios Katakis
Re: iptables firewall and web sites not loading
On Tue, 10 Dec 2019 07:22:05 +0100
Pascal Hambourg wrote:

> On 10/12/2019 at 00:01, Nektarios Katakis wrote:
> >
> > I am running an iptables firewall on an openwrt router I've got.
> > Which acts as Firewall/gateway and performs NATing for my internal
> > network - debian PCs and android phones.
> >
> > All good but specific web sites are not loading for the machines
> > that are sitting behind the home router.
> >
> > When attempting on the browser (firefox but tried different ones)
> > the browser stays at `Performing a TLS handshake to bitbucket.org`.
> > wget has similar results:
> > ```
> > wget https://bitbucket.org
> > --2019-12-09 22:07:32-- https://bitbucket.org/
> > Resolving bitbucket.org (bitbucket.org)... 18.205.93.0, 18.205.93.1, 18.205.93.2, ...
> > Connecting to bitbucket.org (bitbucket.org)|18.205.93.0|:443... connected.
> > ```
> > When doing a tcpdump on the router side I can see some initial TCP
> > session establishment and then nothing:
> (...)
> > Of course doing a wget from the router itself works fine as it also
> > works fine on my desktop if I do dynamic port-forwarding with e.g.
> > `ssh -D 1050 router` (and configure of course firefox to use it).
>
> Maybe a "MTU black hole" issue with PPPoE.
> Workarounds :
> - lower the MTU on the client side to 1492
> - add a "TCPMSS --clamp-to-pmtu" iptables rule on the router
>

Interesting. I'm not a network engineer and actually didn't think of that.
I'll give it a shot and update.

Thanks.

--
Nektarios Katakis
Re: iptables firewall and web sites not loading
On 10/12/2019 at 00:01, Nektarios Katakis wrote:
> I am running an iptables firewall on an openwrt router I've got.
> Which acts as Firewall/gateway and performs NATing for my internal
> network - debian PCs and android phones.
>
> All good but specific web sites are not loading for the machines
> that are sitting behind the home router.
>
> When attempting on the browser (firefox but tried different ones)
> the browser stays at `Performing a TLS handshake to bitbucket.org`.
> wget has similar results:
> ```
> wget https://bitbucket.org
> --2019-12-09 22:07:32-- https://bitbucket.org/
> Resolving bitbucket.org (bitbucket.org)... 18.205.93.0, 18.205.93.1, 18.205.93.2, ...
> Connecting to bitbucket.org (bitbucket.org)|18.205.93.0|:443... connected.
> ```
> When doing a tcpdump on the router side I can see some initial TCP
> session establishment and then nothing:
(...)
> Of course doing a wget from the router itself works fine as it also
> works fine on my desktop if I do dynamic port-forwarding with e.g.
> `ssh -D 1050 router` (and configure of course firefox to use it).

Maybe a "MTU black hole" issue with PPPoE.
Workarounds :
- lower the MTU on the client side to 1492
- add a "TCPMSS --clamp-to-pmtu" iptables rule on the router
Re: iptables firewall and web sites not loading
On 12/10/2019 12:01 AM, Nektarios Katakis wrote:
> Hello,
>
> I am running an iptables firewall on an openwrt router I've got. Which
> acts as Firewall/gateway and performs NATing for my internal network -
> debian PCs and android phones.
>
> All good but specific web sites are not loading for the machines that
> are sitting behind the home router.
>
> When attempting on the browser (firefox but tried different ones) the
> browser stays at `Performing a TLS handshake to bitbucket.org`. wget has
> similar results:
> ```
> wget https://bitbucket.org
> --2019-12-09 22:07:32-- https://bitbucket.org/
> Resolving bitbucket.org (bitbucket.org)... 18.205.93.0, 18.205.93.1, 18.205.93.2, ...
> Connecting to bitbucket.org (bitbucket.org)|18.205.93.0|:443... connected.
> ```
> When doing a tcpdump on the router side I can see some initial TCP
> session establishment and then nothing:
> ```
> tcpdump -vvvi br-lan port 443 | grep bitbucket.org
> tcpdump: listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
> 192.168.2.168.54440 > bitbucket.org.443: Flags [S], cksum 0xb3a3 (correct), seq 2816225641, win 29200, options [mss 1460,sackOK,TS val 15744661 ecr 0,nop,wscale 7], length 0
> bitbucket.org.443 > 192.168.2.168.54440: Flags [S.], cksum 0x5c8d (correct), seq 1149625734, ack 2816225642, win 26847, options [mss 1460,sackOK,TS val 4256708721 ecr 15744661,nop,wscale 7], length 0
> 192.168.2.168.54440 > bitbucket.org.443: Flags [.], cksum 0xf33d (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 15744683 ecr 4256708721], length 0
> 192.168.2.168.54440 > bitbucket.org.443: Flags [P.], cksum 0x58a5 (correct), seq 1:221, ack 1, win 229, options [nop,nop,TS val 15744684 ecr 4256708721], length 220
> bitbucket.org.443 > 192.168.2.168.54440: Flags [.], cksum 0xf211 (correct), seq 1, ack 221, win 219, options [nop,nop,TS val 4256708810 ecr 15744684], length 0
> bitbucket.org.443 > 192.168.2.168.54440: Flags [P.], cksum 0x9998 (correct), seq 2897:3668, ack 221, win 219, options [nop,nop,TS val 4256708810 ecr 15744684], length 771
> 192.168.2.168.54440 > bitbucket.org.443: Flags [.], cksum 0x4e08 (correct), seq 221, ack 1, win 251, options [nop,nop,TS val 15744705 ecr 4256708810,nop,nop,sack 1 {2897:3668}], length 0
> ```
>
> Of course doing a wget from the router itself works fine as it also
> works fine on my desktop if I do dynamic port-forwarding with e.g. `ssh
> -D 1050 router` (and configure of course firefox to use it).
>
> I'm not sure what might be wrong here tbh. Of course other (most) sites
> work fine without dynamic forwarding or anything.
>
> I am attaching the output of `iptables --list-rules` for whoever is
> patient enough to read.
>
> Any help would be appreciated.
>

Are you still seeing the error if you do:

$ /etc/init.d/firewall stop

WARNING: You will not have any firewall protection if you do that

Is the issue still manifesting itself if the configuration is reset to
factory default?

This is a Debian mailing list, you might be better off on the OpenWrt forum.

--
John Doe
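The capture quoted above already carries the black-hole signature: the client's SACK shows that the first server data segment to arrive on br-lan starts at relative seq 2897, and the missing 2896 bytes are exactly two full-size segments (MSS 1460 minus the 12-byte timestamp option), so only the largest packets vanished while the 771-byte one got through. The script below is an added example, not code from the thread; it parses the quoted tcpdump lines and performs that check, which is the cheapest way to tell a PMTU black hole from a firewall rule dropping the flow.

```python
import re

# tcpdump -vvv lines quoted from the original post (capture on br-lan before the fix).
CAPTURE = """\
192.168.2.168.54440 > bitbucket.org.443: Flags [S], cksum 0xb3a3 (correct), seq 2816225641, win 29200, options [mss 1460,sackOK,TS val 15744661 ecr 0,nop,wscale 7], length 0
bitbucket.org.443 > 192.168.2.168.54440: Flags [S.], cksum 0x5c8d (correct), seq 1149625734, ack 2816225642, win 26847, options [mss 1460,sackOK,TS val 4256708721 ecr 15744661,nop,wscale 7], length 0
192.168.2.168.54440 > bitbucket.org.443: Flags [.], cksum 0xf33d (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 15744683 ecr 4256708721], length 0
192.168.2.168.54440 > bitbucket.org.443: Flags [P.], cksum 0x58a5 (correct), seq 1:221, ack 1, win 229, options [nop,nop,TS val 15744684 ecr 4256708721], length 220
bitbucket.org.443 > 192.168.2.168.54440: Flags [.], cksum 0xf211 (correct), seq 1, ack 221, win 219, options [nop,nop,TS val 4256708810 ecr 15744684], length 0
bitbucket.org.443 > 192.168.2.168.54440: Flags [P.], cksum 0x9998 (correct), seq 2897:3668, ack 221, win 219, options [nop,nop,TS val 4256708810 ecr 15744684], length 771
192.168.2.168.54440 > bitbucket.org.443: Flags [.], cksum 0x4e08 (correct), seq 221, ack 1, win 251, options [nop,nop,TS val 15744705 ecr 4256708810,nop,nop,sack 1 {2897:3668}], length 0
"""

LINE = re.compile(r'^(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\].*?'
                  r'\bseq (?P<seq>\d+)(?::(?P<end>\d+))?.*?length (?P<len>\d+)$')


def parse(capture):
    """Turn tcpdump lines into dicts; 'mss' is only present on SYN / SYN-ACK lines."""
    pkts = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        p = {k: int(v) if k in ('seq', 'end', 'len') and v else v
             for k, v in m.groupdict().items()}
        mss = re.search(r'\bmss (\d+)', line)
        p['mss'] = int(mss.group(1)) if mss else None
        p['ts'] = 'TS val' in line          # TCP timestamp option negotiated
        pkts.append(p)
    return pkts


def analyze(capture):
    """Measure the hole before the server's first data segment and test whether it is a
    whole number of full-size segments, i.e. only the biggest packets were dropped."""
    pkts = parse(capture)
    syn = next(p for p in pkts if p['flags'] == 'S')
    synack = next(p for p in pkts if p['flags'] == 'S.')
    # The server sizes its segments by the MSS in the client's SYN (RFC 1122 default 536
    # if absent); the 12-byte timestamp option carried on every segment reduces the payload.
    full_payload = (syn['mss'] or 536) - (12 if syn['ts'] and synack['ts'] else 0)
    data = [p for p in pkts if p['src'] == synack['src'] and p['len'] > 0]
    first_seen = data[0]['seq'] if data else 1   # relative seq; 1 is the byte after the SYN
    missing = first_seen - 1
    return {
        'full_payload': full_payload,
        'missing_bytes': missing,
        'missing_full_segments': missing // full_payload,
        'black_hole_suspected': missing > 0 and missing % full_payload == 0,
    }
```

A firewall rule dropping the flow would leave no server data at all; a gap that is a multiple of the full-size payload, followed by a smaller segment that did arrive, points at oversized packets being dropped on the path instead.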
iptables firewall and web sites not loading
Hello,

I am running an iptables firewall on an openwrt router I've got. Which
acts as Firewall/gateway and performs NATing for my internal network -
debian PCs and android phones.

All good but specific web sites are not loading for the machines that
are sitting behind the home router.

When attempting on the browser (firefox but tried different ones) the
browser stays at `Performing a TLS handshake to bitbucket.org`. wget has
similar results:
```
wget https://bitbucket.org
--2019-12-09 22:07:32-- https://bitbucket.org/
Resolving bitbucket.org (bitbucket.org)... 18.205.93.0, 18.205.93.1, 18.205.93.2, ...
Connecting to bitbucket.org (bitbucket.org)|18.205.93.0|:443... connected.
```
When doing a tcpdump on the router side I can see some initial TCP
session establishment and then nothing:
```
tcpdump -vvvi br-lan port 443 | grep bitbucket.org
tcpdump: listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
192.168.2.168.54440 > bitbucket.org.443: Flags [S], cksum 0xb3a3 (correct), seq 2816225641, win 29200, options [mss 1460,sackOK,TS val 15744661 ecr 0,nop,wscale 7], length 0
bitbucket.org.443 > 192.168.2.168.54440: Flags [S.], cksum 0x5c8d (correct), seq 1149625734, ack 2816225642, win 26847, options [mss 1460,sackOK,TS val 4256708721 ecr 15744661,nop,wscale 7], length 0
192.168.2.168.54440 > bitbucket.org.443: Flags [.], cksum 0xf33d (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 15744683 ecr 4256708721], length 0
192.168.2.168.54440 > bitbucket.org.443: Flags [P.], cksum 0x58a5 (correct), seq 1:221, ack 1, win 229, options [nop,nop,TS val 15744684 ecr 4256708721], length 220
bitbucket.org.443 > 192.168.2.168.54440: Flags [.], cksum 0xf211 (correct), seq 1, ack 221, win 219, options [nop,nop,TS val 4256708810 ecr 15744684], length 0
bitbucket.org.443 > 192.168.2.168.54440: Flags [P.], cksum 0x9998 (correct), seq 2897:3668, ack 221, win 219, options [nop,nop,TS val 4256708810 ecr 15744684], length 771
192.168.2.168.54440 > bitbucket.org.443: Flags [.], cksum 0x4e08 (correct), seq 221, ack 1, win 251, options [nop,nop,TS val 15744705 ecr 4256708810,nop,nop,sack 1 {2897:3668}], length 0
```

Of course doing a wget from the router itself works fine as it also
works fine on my desktop if I do dynamic port-forwarding with e.g. `ssh
-D 1050 router` (and configure of course firefox to use it).

I'm not sure what might be wrong here tbh. Of course other (most) sites
work fine without dynamic forwarding or anything.

I am attaching the output of `iptables --list-rules` for whoever is
patient enough to read.

Any help would be appreciated.

--
Regards,
Nektarios Katakis

```
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N forwarding_dmz_rule
-N forwarding_lan_rule
-N forwarding_rule
-N forwarding_wan_rule
-N input_dmz_rule
-N input_lan_rule
-N input_rule
-N input_wan_rule
-N output_dmz_rule
-N output_lan_rule
-N output_rule
-N output_wan_rule
-N reject
-N syn_flood
-N zone_dmz_dest_ACCEPT
-N zone_dmz_forward
-N zone_dmz_input
-N zone_dmz_output
-N zone_dmz_src_ACCEPT
-N zone_lan_dest_ACCEPT
-N zone_lan_forward
-N zone_lan_input
-N zone_lan_output
-N zone_lan_src_ACCEPT
-N zone_wan_dest_ACCEPT
-N zone_wan_dest_REJECT
-N zone_wan_forward
-N zone_wan_input
-N zone_wan_output
-N zone_wan_src_REJECT
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i br-dmz -m comment --comment "!fw3" -j zone_dmz_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i br-dmz -m comment --comment "!fw3" -j zone_dmz_forward
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o br-dmz -m comment --comment "!fw3" -j zone_dmz_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_dmz_dest_ACCEPT -o
```