Sprotte Apprentice
Joined: 18 Oct 2004 Posts: 217 Location: Kiel, Germany
Posted: Mon May 26, 2008 12:41 am Post subject: Cannot open msn.com, hotmail etc from behind NAT
Our next little Microsoft-related problem. My sister uses hotmail/MSN for her email.
Surprisingly, I cannot open that site in Opera or Elinks from my NATed laptop on the LAN. Non-Microsoft websites work...
I can, however, open msn.com in Elinks when ssh'd into my router! *weird*
Here's my iptables script:
Quote: |
#!/bin/bash
IPTABLES='/sbin/iptables'
#set interface values
EXTIF='ppp0'
INTIF='eth0'
INTIF_W='wlan0'
#enable IP forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
#flush rules and delete chains
$IPTABLES -F
$IPTABLES -X
#enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#forward LAN traffic from $INTIF to $EXTIF
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
#same for wlan
#$IPTABLES -A FORWARD -i $INTIF_W -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
#block out all other Internet access on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
|
Now even when commenting out the last two lines, or even disabling all but the masquerading, I cannot access msn.com from the LAN while it's possible from the router. Of course I reran the script and checked with iptables -L. I also tried additional /etc/init.d/iptables restarts.
I tried removing the Elinks config so it starts fresh, but no cigar. Elinks and Opera are compiled with Javascript support (in fact the laptop's elinks is probably the same binary as the router's.)
I cannot ping msn.com from any of the machines.
What's going on here? Witchcraft? |
Wormo Retired Dev
Joined: 29 Nov 2004 Posts: 526 Location: SB County California
Posted: Mon May 26, 2008 1:55 am Post subject:
Very weird all right. This is a job for... tcpdump!
Or wireshark.
Or a combination of both (capture packets using 'tcpdump -s0 -w dumpfile' on the router and view them in wireshark on a desktop).
Either way, you should take a capture of network traffic when the client goes to a normal website and another capture when the client attempts to connect to a mis-behaving site. Comparing the two should reveal what's going wrong. |
SeaTiger l33t
Joined: 22 Nov 2007 Posts: 603 Location: Toronto, Ontario, Canada
Posted: Mon May 26, 2008 3:28 am Post subject:
msn.com or www.msn.com do not respond to ping. That is not a very common practice, but more and more sites are doing that. It is just an easy configuration switch in almost any router nowadays to disable ping response.
Sprotte Apprentice
Joined: 18 Oct 2004 Posts: 217 Location: Kiel, Germany
Posted: Mon May 26, 2008 4:17 pm Post subject:
Well OK, I did the captures.
Client accessing www.gentoo.org:
Quote: | pathfinder ~ # tcpdump -r dumpfile.gentoo|grep http
reading from file dumpfile.gentoo, link-type EN10MB (Ethernet)
01:01:12.044272 IP 192.168.0.3.37461 > wren.gentoo.org.http: S 4009403357:4009403357(0) win 5840 <mss 1460,sackOK,timestamp 2333840595 0,nop,wscale 2>
01:01:12.272603 IP wren.gentoo.org.http > 192.168.0.3.37461: S 2614428081:2614428081(0) ack 4009403358 win 5792 <mss 1460,sackOK,timestamp 4159809719 2333840595,nop,wscale 0>
01:01:12.273004 IP 192.168.0.3.37461 > wren.gentoo.org.http: . ack 1 win 1460 <nop,nop,timestamp 2333840824 4159809719>
01:01:12.768639 IP 192.168.0.3.37461 > wren.gentoo.org.http: P 1:556(555) ack 1 win 1460 <nop,nop,timestamp 2333841319 4159809719>
01:01:13.006681 IP wren.gentoo.org.http > 192.168.0.3.37461: . ack 556 win 6660 <nop,nop,timestamp 4159809792 2333841319>
01:01:14.017562 IP wren.gentoo.org.http > 192.168.0.3.37461: P 1:206(205) ack 556 win 6660 <nop,nop,timestamp 4159809893 2333841319>
01:01:14.017859 IP 192.168.0.3.37461 > wren.gentoo.org.http: . ack 206 win 1728 <nop,nop,timestamp 2333842568 4159809893>
01:01:14.410536 IP 192.168.0.3.37461 > wren.gentoo.org.http: F 556:556(0) ack 206 win 1728 <nop,nop,timestamp 2333842961 4159809893>
01:01:14.636201 IP wren.gentoo.org.http > 192.168.0.3.37461: F 206:206(0) ack 557 win 6660 <nop,nop,timestamp 4159809956 2333842961>
01:01:14.636511 IP 192.168.0.3.37461 > wren.gentoo.org.http: . ack 207 win 1728 <nop,nop,timestamp 2333843187 4159809956> |
Client accessing www.msn.com:
Quote: | pathfinder ~ # tcpdump -r dumpfile|grep http
reading from file dumpfile, link-type EN10MB (Ethernet)
00:58:11.980703 IP 192.168.0.3.59580 > 207.68.173.76.http: S 1179314404:1179314404(0) win 5840 <mss 1460,sackOK,timestamp 2333660577 0,nop,wscale 2>
00:58:12.184289 IP 207.68.173.76.http > 192.168.0.3.59580: S 3906120748:3906120748(0) ack 1179314405 win 8190 <mss 1460>
00:58:12.184648 IP 192.168.0.3.59580 > 207.68.173.76.http: . ack 1 win 5840
00:58:12.752905 IP 192.168.0.3.59580 > 207.68.173.76.http: P 1:487(486) ack 1 win 5840
00:58:13.046522 IP 207.68.173.76.http > 192.168.0.3.59580: P 1461:2921(1460) ack 487 win 8190
00:58:13.046873 IP 192.168.0.3.59580 > 207.68.173.76.http: . ack 1 win 5840
00:58:13.048464 IP 207.68.173.76.http > 192.168.0.3.59580: P 2921:4381(1460) ack 487 win 8190
00:58:13.048730 IP 192.168.0.3.59580 > 207.68.173.76.http: . ack 1 win 5840
00:58:13.050728 IP 207.68.173.76.http > 192.168.0.3.59580: P 4381:5841(1460) ack 487 win 8190
00:58:13.051007 IP 192.168.0.3.59580 > 207.68.173.76.http: . ack 1 win 5840
00:59:14.594717 IP 192.168.0.3.59580 > 207.68.173.76.http: F 487:487(0) ack 1 win 5840
00:59:15.006169 IP 207.68.173.76.http > 192.168.0.3.59580: . ack 488 win 8189 |
clicked Stop at that point, since it hung as usual. I used the tcpdump command from above. The browser is Opera 9.25.
Edit: Internet Explorer from my sister's laptop on the LAN shows the same behaviour. Only the M$ sites refuse to display. MSN Messenger *works* from her PC. So it's probably a router/iptables problem.
Edit 2: Client trying to access www.msn.com with elinks:
Quote: | pathfinder ~ # tcpdump -r dumpfile.msn.elinks|grep http
reading from file dumpfile.msn.elinks, link-type EN10MB (Ethernet)
04:09:51.053679 IP 192.168.0.3.37066 > 207.68.173.76.http: S 1055331866:1055331866(0) win 5840 <mss 1460,sackOK,timestamp 2345156680 0,nop,wscale 2>
04:09:51.259458 IP 207.68.173.76.http > 192.168.0.3.37066: S 2145141664:2145141664(0) ack 1055331867 win 8190 <mss 1460>
04:09:51.259801 IP 192.168.0.3.37066 > 207.68.173.76.http: . ack 1 win 5840
04:09:51.262759 IP 192.168.0.3.37066 > 207.68.173.76.http: P 1:194(193) ack 1 win 5840
04:09:51.543095 IP 207.68.173.76.http > 192.168.0.3.37066: . ack 194 win 64305
04:09:51.554164 IP 207.68.173.76.http > 192.168.0.3.37066: P 1461:2921(1460) ack 194 win 64305
04:09:51.554396 IP 192.168.0.3.37066 > 207.68.173.76.http: . ack 1 win 5840
04:09:51.556342 IP 207.68.173.76.http > 192.168.0.3.37066: P 2921:4381(1460) ack 194 win 64305
04:09:51.556564 IP 192.168.0.3.37066 > 207.68.173.76.http: . ack 1 win 5840
04:09:51.558668 IP 207.68.173.76.http > 192.168.0.3.37066: P 4381:5841(1460) ack 194 win 64305
04:09:51.558873 IP 192.168.0.3.37066 > 207.68.173.76.http: . ack 1 win 5840
04:11:32.745613 IP 192.168.0.3.37066 > 207.68.173.76.http: F 194:194(0) ack 1 win 5840
04:11:33.157812 IP 207.68.173.76.http > 192.168.0.3.37066: . ack 195 win 8189 |
Different error codes, but apparently similar problem.
Can someone help me interpret those readings? |
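One way to read the captures in the post above, as an added example that is not part of the thread: the Python below parses old-style tcpdump text lines and reports server byte ranges that never show up at the capture point. The name `find_holes` and the assumption that each input holds a single connection are mine; the code locates missing bytes, it does not determine why they are missing.

```python
import re

# Old-style tcpdump text: "<time> IP <src> > <dst>: <flags> [first:last(len)] [ack N] ..."
LINE = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+)"
    r"(?: (?P<first>\d+):(?P<last>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
)

def find_holes(lines, client_ip):
    """Report server byte ranges that never appear in the capture (one connection assumed)."""
    segments, acked = [], 1
    for line in lines:
        m = LINE.match(line.strip())
        if not m or "S" in m["flags"]:   # SYN/SYN-ACK carry absolute sequence numbers
            continue
        if m["src"].startswith(client_ip + "."):
            if m["ack"]:
                acked = max(acked, int(m["ack"]))   # client's cumulative ACK
        elif m["len"] and int(m["len"]) > 0:
            segments.append((int(m["first"]), int(m["last"])))  # server payload
    holes, expected = [], 1
    for first, last in sorted(segments):
        if first > expected:             # bytes [expected, first) were never seen
            holes.append((expected, first))
        expected = max(expected, last)
    return {"holes": holes, "client_acked": acked, "server_sent_to": expected}

# Lines abridged from the two captures quoted in the post above.
MSN = """\
00:58:11.980703 IP 192.168.0.3.59580 > 207.68.173.76.http: S 1179314404:1179314404(0) win 5840 <mss 1460,sackOK,timestamp 2333660577 0,nop,wscale 2>
00:58:12.184289 IP 207.68.173.76.http > 192.168.0.3.59580: S 3906120748:3906120748(0) ack 1179314405 win 8190 <mss 1460>
00:58:12.184648 IP 192.168.0.3.59580 > 207.68.173.76.http: . ack 1 win 5840
00:58:12.752905 IP 192.168.0.3.59580 > 207.68.173.76.http: P 1:487(486) ack 1 win 5840
00:58:13.046522 IP 207.68.173.76.http > 192.168.0.3.59580: P 1461:2921(1460) ack 487 win 8190
00:58:13.046873 IP 192.168.0.3.59580 > 207.68.173.76.http: . ack 1 win 5840
00:58:13.048464 IP 207.68.173.76.http > 192.168.0.3.59580: P 2921:4381(1460) ack 487 win 8190
00:58:13.050728 IP 207.68.173.76.http > 192.168.0.3.59580: P 4381:5841(1460) ack 487 win 8190
""".splitlines()
GENTOO = """\
01:01:12.768639 IP 192.168.0.3.37461 > wren.gentoo.org.http: P 1:556(555) ack 1 win 1460
01:01:13.006681 IP wren.gentoo.org.http > 192.168.0.3.37461: . ack 556 win 6660
01:01:14.017562 IP wren.gentoo.org.http > 192.168.0.3.37461: P 1:206(205) ack 556 win 6660
01:01:14.017859 IP 192.168.0.3.37461 > wren.gentoo.org.http: . ack 206 win 1728
""".splitlines()

if __name__ == "__main__":
    print("msn.com   ", find_holes(MSN, "192.168.0.3"))
    print("gentoo.org", find_holes(GENTOO, "192.168.0.3"))
```

Ranges use tcpdump's own `first:last` convention, so a hole of `(1, 1461)` means the segment that would have printed as `1:1461(1460)` is absent from the capture.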