# Unable to connect to any website but able to ping

## babaganosh

Hi,

I currently have a Gentoo server running Shorewall as a firewall for my home network, and I have a strange problem: I can ping external websites by either name or IP from any workstation within the network.

I can remote into the network from an external site

However, I am unable to use any browser on any computer; it just hangs on loading and sometimes I get the generic DNS error.

Here are my configs for Shorewall and net, as I suspect that is where the problem is. Any help would be much appreciated.

Thanks 

Shorewall/interfaces

```
#ZONE   INTERFACE       BROADCAST       OPTIONS
loc     eth1            detect          tcpflags,routefilter,routeback
net     eth0            detect          tcpflags,blacklist,norfc1918,routefilter
vpn     tap1            detect          tcpflags,routeback
#
```

Shorewall/masq

```
#INTERFACE:DEST         SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK    USER/
#                                                                                       GROUP
eth0    eth1
```

shorewall/policy

```
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:BURST
#                               LEVEL   BURST           MASK
loc     net     ACCEPT
net     all     DROP            info
fw      net     ACCEPT
fw      loc     ACCEPT
fw      vpn     ACCEPT
vpn     fw      ACCEPT
loc     vpn     ACCEPT
vpn     loc     ACCEPT
# the following must always appear last!!!
all    all     REJECT          info
```

shorewall/zones

```
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
loc     ipv4
net     ipv4
vpn     ipv4
```

shorewall/rules

```
#ACTION         SOURCE                  DEST                    PROTO           DEST    SOURCE          ORIGINAL        RATE
#                                                                               PORT    PORT(S)         DEST            LIMIT
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
## office traffic
ACCEPT          net:xx.xxx.xx.xxx    fw                      all
##All local traffic
##ACCEPT                loc                     fw              all
## Teamspeak Windows
DNAT            net                     loc:192.168.0.2         tcp             9987
DNAT            net                     loc:192.168.0.2         udp             9987
## Teamspeak gentoo
#DNAT            net                     loc:192.168.1.10        udp             9988
#DNAT            net                     loc:192.168.1.10        tcp             9988
## Killingfloor
DNAT            net                     loc:192.168.0.100       udp             7707
DNAT            net                     loc:192.168.0.100       udp             7708
DNAT            net                     loc:192.168.0.100       udp             7717
DNAT            net                     loc:192.168.0.100       tcp             28852
DNAT            net                     loc:192.168.0.100       udp             28852
DNAT            net                     loc:192.168.0.100       tcp             8075
DNAT            net                     loc:192.168.0.100       tcp             20560
DNAT            net                     loc:192.168.0.100       udp             20560
## Torrents
DNAT            net                     loc:192.168.0.100       tcp             27363
```

/etc/conf.d/net

```
dns_domain_lo="tyria"

## Eth0 Onboard external shaw
config_eth0=( "dhcp" )
depend_eth0 () {
        before openvpn
}

## Eth1 dlink pci card internal network
config_eth1=( "192.168.0.1  netmask 255.255.255.0 broadcast 192.168.0.255" )

#tap 1 OPEN VPN
#tuntap_tap1="tap"
#config_tap1=( "null" )
#depend_tap1
```

----------

## Hu

Please post the output of iptables-save -c ; curl -o /dev/null http://www.google.com/ ; curl -o /dev/null https://www.google.com/.

[Edit: fixed curl https command line.]

Last edited by Hu on Sun Nov 27, 2011 5:33 am; edited 1 time in total

----------

## babaganosh

```
# Generated by iptables-save v1.4.12.1 on Fri Nov 25 15:04:50 2011
*raw
:PREROUTING ACCEPT [228:32266]
:OUTPUT ACCEPT [292:37746]
COMMIT
# Completed on Fri Nov 25 15:04:50 2011
# Generated by iptables-save v1.4.12.1 on Fri Nov 25 15:04:50 2011
*nat
:PREROUTING ACCEPT [58:11999]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [6:407]
:POSTROUTING ACCEPT [6:407]
:dnat - [0:0]
:eth0_masq - [0:0]
:net_dnat - [0:0]
[58:11999] -A PREROUTING -j dnat
[11:687] -A POSTROUTING -o eth0 -j eth0_masq
[26:8482] -A dnat -i eth0 -j net_dnat
[5:280] -A eth0_masq -s 192.168.0.0/24 -j MASQUERADE
[0:0] -A net_dnat -p tcp -m tcp --dport 9987 -j DNAT --to-destination 192.168.0.2
[0:0] -A net_dnat -p udp -m udp --dport 9987 -j DNAT --to-destination 192.168.0.2
[0:0] -A net_dnat -p udp -m udp --dport 9988 -j DNAT --to-destination 192.168.1.10
[0:0] -A net_dnat -p tcp -m tcp --dport 9988 -j DNAT --to-destination 192.168.1.10
[0:0] -A net_dnat -p udp -m udp --dport 7707 -j DNAT --to-destination 192.168.0.100
[0:0] -A net_dnat -p udp -m udp --dport 7708 -j DNAT --to-destination 192.168.0.100
[0:0] -A net_dnat -p udp -m udp --dport 7717 -j DNAT --to-destination 192.168.0.100
[0:0] -A net_dnat -p tcp -m tcp --dport 28852 -j DNAT --to-destination 192.168.0.100
[0:0] -A net_dnat -p udp -m udp --dport 28852 -j DNAT --to-destination 192.168.0.100
[0:0] -A net_dnat -p tcp -m tcp --dport 8075 -j DNAT --to-destination 192.168.0.100
[0:0] -A net_dnat -p tcp -m tcp --dport 20560 -j DNAT --to-destination 192.168.0.100
[0:0] -A net_dnat -p udp -m udp --dport 20560 -j DNAT --to-destination 192.168.0.100
[0:0] -A net_dnat -p tcp -m tcp --dport 27363 -j DNAT --to-destination 192.168.0.100
COMMIT
# Completed on Fri Nov 25 15:04:50 2011
# Generated by iptables-save v1.4.12.1 on Fri Nov 25 15:04:50 2011
*mangle
:PREROUTING ACCEPT [237:32626]
:INPUT ACCEPT [172:18101]
:FORWARD ACCEPT [63:12816]
:OUTPUT ACCEPT [318:41706]
:POSTROUTING ACCEPT [381:54522]
:tcfor - [0:0]
:tcin - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
[237:32626] -A PREROUTING -j tcpre
[172:18101] -A INPUT -j tcin
[63:12816] -A FORWARD -j MARK --set-xmark 0x0/0xff
[63:12816] -A FORWARD -j tcfor
[318:41706] -A OUTPUT -j tcout
[381:54522] -A POSTROUTING -j tcpost
COMMIT
# Completed on Fri Nov 25 15:04:50 2011
# Generated by iptables-save v1.4.12.1 on Fri Nov 25 15:04:50 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Broadcast - [0:0]
:Drop - [0:0]
:Invalid - [0:0]
:NotSyn - [0:0]
:Reject - [0:0]
:blacklst - [0:0]
:dynamic - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:fw2vpn - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:loc2vpn - [0:0]
:loc_frwd - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:net2vpn - [0:0]
:net_frwd - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:tcpflags - [0:0]
:vpn2fw - [0:0]
:vpn2loc - [0:0]
:vpn2net - [0:0]
:vpn_frwd - [0:0]
[53:11719] -A INPUT -m conntrack --ctstate INVALID,NEW -j dynamic
[138:8017] -A INPUT -i eth1 -j loc2fw
[38:10244] -A INPUT -i eth0 -j net2fw
[0:0] -A INPUT -i tap1 -j vpn2fw
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -j Reject
[0:0] -A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
[0:0] -A INPUT -g reject
[35:6348] -A FORWARD -i eth1 -j loc_frwd
[28:6468] -A FORWARD -i eth0 -j net_frwd
[0:0] -A FORWARD -i tap1 -j vpn_frwd
[0:0] -A FORWARD -j Reject
[0:0] -A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
[0:0] -A FORWARD -g reject
[315:42228] -A OUTPUT -o eth1 -j fw2loc
[14:1002] -A OUTPUT -o eth0 -j fw2net
[0:0] -A OUTPUT -o tap1 -j fw2vpn
[0:0] -A OUTPUT -o lo -j ACCEPT
[0:0] -A OUTPUT -j Reject
[0:0] -A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6
[0:0] -A OUTPUT -g reject
[21:1789] -A Broadcast -d 192.168.0.255/32 -j DROP
[30:9794] -A Broadcast -d 255.255.255.255/32 -j DROP
[0:0] -A Broadcast -d 255.255.255.255/32 -j DROP
[0:0] -A Broadcast -d 224.0.0.0/4 -j DROP
[26:8482] -A Drop
[0:0] -A Drop -p tcp -m tcp --dport 113 -m comment --comment Auth -j reject
[26:8482] -A Drop -j Broadcast
[0:0] -A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Drop -j Invalid
[0:0] -A Drop -p udp -m multiport --dports 135,445 -m comment --comment SMB -j DROP
[0:0] -A Drop -p udp -m udp --dport 137:139 -m comment --comment SMB -j DROP
[0:0] -A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j DROP
[0:0] -A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j DROP
[0:0] -A Drop -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
[0:0] -A Drop -p tcp -j NotSyn
[0:0] -A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
[0:0] -A Invalid -m conntrack --ctstate INVALID -j DROP
[0:0] -A NotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
[27:3237] -A Reject
[0:0] -A Reject -p tcp -m tcp --dport 113 -m comment --comment Auth -j reject
[27:3237] -A Reject -j Broadcast
[0:0] -A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
[2:136] -A Reject -j Invalid
[0:0] -A Reject -p udp -m multiport --dports 135,445 -m comment --comment SMB -j reject
[0:0] -A Reject -p udp -m udp --dport 137:139 -m comment --comment SMB -j reject
[0:0] -A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j reject
[0:0] -A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j reject
[0:0] -A Reject -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
[0:0] -A Reject -p tcp -j NotSyn
[0:0] -A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
[315:42228] -A fw2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A fw2loc -j ACCEPT
[7:535] -A fw2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[7:467] -A fw2net -j ACCEPT
[0:0] -A fw2vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A fw2vpn -j ACCEPT
[27:3237] -A loc2fw -m conntrack --ctstate INVALID,NEW -j dynamic
[111:4780] -A loc2fw -p tcp -j tcpflags
[111:4780] -A loc2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A loc2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A loc2fw -p tcp -m tcp --dport 22 -j ACCEPT
[27:3237] -A loc2fw -j Reject
[2:136] -A loc2fw -j LOG --log-prefix "Shorewall:loc2fw:REJECT:" --log-level 6
[2:136] -A loc2fw -g reject
[28:5956] -A loc2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[7:392] -A loc2net -j ACCEPT
[0:0] -A loc2vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A loc2vpn -j ACCEPT
[7:392] -A loc_frwd -m conntrack --ctstate INVALID,NEW -j dynamic
[33:6204] -A loc_frwd -p tcp -j tcpflags
[0:0] -A loc_frwd -o eth1 -j ACCEPT
[35:6348] -A loc_frwd -o eth0 -j loc2net
[0:0] -A loc_frwd -o tap1 -j loc2vpn
[0:0] -A logdrop -j DROP
[0:0] -A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
[0:0] -A logflags -j DROP
[0:0] -A logreject -j reject
[26:8482] -A net2fw -m conntrack --ctstate INVALID,NEW -j dynamic
[26:8482] -A net2fw -m conntrack --ctstate INVALID,NEW -j blacklst
[5:895] -A net2fw -p tcp -j tcpflags
[12:1762] -A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A net2fw -s 68.179.52.192/27 -j ACCEPT
[0:0] -A net2fw -p udp -m udp --dport 4880 -j ACCEPT
[26:8482] -A net2fw -j Drop
[0:0] -A net2fw -j LOG --log-prefix "Shorewall:net2fw:DROP:" --log-level 6
[0:0] -A net2fw -j DROP
[28:6468] -A net2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A net2loc -d 192.168.0.2/32 -p tcp -m tcp --dport 9987 -j ACCEPT
[0:0] -A net2loc -d 192.168.0.2/32 -p udp -m udp --dport 9987 -j ACCEPT
[0:0] -A net2loc -d 192.168.1.10/32 -p udp -m udp --dport 9988 -j ACCEPT
[0:0] -A net2loc -d 192.168.1.10/32 -p tcp -m tcp --dport 9988 -j ACCEPT
[0:0] -A net2loc -d 192.168.0.100/32 -p udp -m udp --dport 7707 -j ACCEPT
[0:0] -A net2loc -d 192.168.0.100/32 -p udp -m udp --dport 7708 -j ACCEPT
[0:0] -A net2loc -d 192.168.0.100/32 -p udp -m udp --dport 7717 -j ACCEPT
[0:0] -A net2loc -d 192.168.0.100/32 -p tcp -m tcp --dport 28852 -j ACCEPT
[0:0] -A net2loc -d 192.168.0.100/32 -p udp -m udp --dport 28852 -j ACCEPT
[0:0] -A net2loc -d 192.168.0.100/32 -p tcp -m tcp --dport 8075 -j ACCEPT
[0:0] -A net2loc -d 192.168.0.100/32 -p tcp -m tcp --dport 20560 -j ACCEPT
[0:0] -A net2loc -d 192.168.0.100/32 -p udp -m udp --dport 20560 -j ACCEPT
[0:0] -A net2loc -d 192.168.0.100/32 -p tcp -m tcp --dport 27363 -j ACCEPT
[0:0] -A net2loc -j Drop
[0:0] -A net2loc -j LOG --log-prefix "Shorewall:net2loc:DROP:" --log-level 6
[0:0] -A net2loc -j DROP
[0:0] -A net2vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A net2vpn -j Drop
[0:0] -A net2vpn -j LOG --log-prefix "Shorewall:net2vpn:DROP:" --log-level 6
[0:0] -A net2vpn -j DROP
[0:0] -A net_frwd -m conntrack --ctstate INVALID,NEW -j dynamic
[0:0] -A net_frwd -m conntrack --ctstate INVALID,NEW -j blacklst
[25:4740] -A net_frwd -p tcp -j tcpflags
[28:6468] -A net_frwd -o eth1 -j net2loc
[0:0] -A net_frwd -o tap1 -j net2vpn
[0:0] -A reject -d 192.168.0.255/32 -j DROP
[0:0] -A reject -d 255.255.255.255/32 -j DROP
[0:0] -A reject -d 255.255.255.255/32 -j DROP
[0:0] -A reject -s 224.0.0.0/4 -j DROP
[0:0] -A reject -p igmp -j DROP
[0:0] -A reject -p tcp -j REJECT --reject-with tcp-reset
[2:136] -A reject -p udp -j REJECT --reject-with icmp-port-unreachable
[0:0] -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
[0:0] -A reject -j REJECT --reject-with icmp-host-prohibited
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
[0:0] -A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
[0:0] -A vpn2fw -m conntrack --ctstate INVALID,NEW -j dynamic
[0:0] -A vpn2fw -p tcp -j tcpflags
[0:0] -A vpn2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A vpn2fw -j ACCEPT
[0:0] -A vpn2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A vpn2loc -j ACCEPT
[0:0] -A vpn2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A vpn2net -j Reject
[0:0] -A vpn2net -j LOG --log-prefix "Shorewall:vpn2net:REJECT:" --log-level 6
[0:0] -A vpn2net -g reject
[0:0] -A vpn_frwd -m conntrack --ctstate INVALID,NEW -j dynamic
[0:0] -A vpn_frwd -p tcp -j tcpflags
[0:0] -A vpn_frwd -o eth1 -j vpn2loc
[0:0] -A vpn_frwd -o eth0 -j vpn2net
[0:0] -A vpn_frwd -o tap1 -j ACCEPT
COMMIT
# Completed on Fri Nov 25 15:04:50 2011
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   218  100   218    0     0   2860      0 --:--:-- --:--:-- --:--:--  5736
curl: no URL specified!
curl: try 'curl --help' for more information
```

----------
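Reading a dump this long by eye is error-prone, and the useful part is the counters: the bracketed `[packets:bytes]` on each rule, and on each builtin chain's policy line, record which rules and which default policies actually matched traffic. The script below is an added example, not code from this thread or from Shorewall. It parses `iptables-save -c` output, totals matched packets per chain, lists rules with hits whose target discards or rejects the packet, and reports builtin chains whose default policy caught anything. The embedded dump is a constructed subset of the filter table posted above; pipe the real `iptables-save -c` output into it for the full picture. Run against the full dump in this thread it would show the three filter policies at zero and `loc2net` accepting packets, which matches Hu's reading that the gateway is passing HTTP, and it would also flag the two UDP packets that `loc2fw` rejected.

```python
"""Summarise an `iptables-save -c` dump: which rules saw traffic, which default
policies were hit, and which matched packets ended in a DROP/REJECT target.
Added example for this thread; not part of Shorewall or the poster's setup."""
import re
import sys
from collections import defaultdict

# Constructed sample: a trimmed subset of the filter table posted in the thread.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.4.12.1 on Fri Nov 25 15:04:50 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:reject - [0:0]
[138:8017] -A INPUT -i eth1 -j loc2fw
[35:6348] -A FORWARD -i eth1 -j loc_frwd
[111:4780] -A loc2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[27:3237] -A loc2fw -j Reject
[2:136] -A loc2fw -j LOG --log-prefix "Shorewall:loc2fw:REJECT:" --log-level 6
[2:136] -A loc2fw -g reject
[28:5956] -A loc2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[7:392] -A loc2net -j ACCEPT
[2:136] -A reject -p udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

TABLE_RE = re.compile(r"^\*(\w+)$")
POLICY_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")
RULE_RE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+)(.*)$")
TARGET_RE = re.compile(r" -[jg] (\S+)")

# Targets that end a packet's life. Shorewall's `Drop`/`Reject` action chains are
# deliberately absent: they ACCEPT some ICMP before falling through, so a hit on
# them is not yet a verdict.
DENY_TARGETS = {"DROP", "REJECT", "reject", "logdrop", "logreject", "logflags"}


def parse_dump(text):
    """Return (policies, rules).
    policies: {(table, chain): (policy, packets)} for builtin chains only;
    rules: list of dicts with table, chain, packets, bytes, spec and target."""
    policies, rules, table = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        m = TABLE_RE.match(line)
        if m:
            table = m.group(1)
            continue
        m = POLICY_RE.match(line)
        if m:
            chain, policy, pkts, _ = m.groups()
            if policy != "-":  # "-" marks a user-defined chain, which has no policy
                policies[(table, chain)] = (policy, int(pkts))
            continue
        m = RULE_RE.match(line)
        if m:
            pkts, byts, chain, spec = m.groups()
            t = TARGET_RE.search(spec)  # a rule may have no target (counter only)
            rules.append({"table": table, "chain": chain, "packets": int(pkts),
                          "bytes": int(byts), "spec": spec.strip(),
                          "target": t.group(1) if t else None})
    return policies, rules


def chain_packets(rules, table="filter"):
    """Packets matched per rule, summed by chain: shows where traffic is flowing."""
    totals = defaultdict(int)
    for r in rules:
        if r["table"] == table:
            totals[r["chain"]] += r["packets"]
    return dict(totals)


def deny_hits(rules):
    """Rules with a non-zero counter whose target discards or rejects the packet."""
    return [r for r in rules if r["packets"] > 0 and r["target"] in DENY_TARGETS]


def policy_hits(policies):
    """Builtin chains whose default policy actually caught packets."""
    return {k: v for k, v in policies.items() if v[1] > 0}


if __name__ == "__main__":
    # Read a real dump from stdin if one is piped in, else use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    pol, rul = parse_dump(text)
    print("per-chain packets:", chain_packets(rul))
    print("default-policy hits:", policy_hits(pol))
    for r in deny_hits(rul):
        print(f"{r['packets']:>6} pkts  {r['chain']:<10} -> {r['target']}: {r['spec']}")
```

Usage: `iptables-save -c | python3 counters.py` (file name assumed). A rule whose counter stays at zero while the browser hangs is not the rule to look at; the chains whose counters move on each retry are.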

## Hu

*babaganosh wrote:*

> # Completed on Fri Nov 25 15:04:50 2011
> 
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
> 
>                                  Dload  Upload   Total   Spent    Left  Speed
> ...

HTTP seems to work fine. It looks like you mishandled the second curl invocation, but seeing one was enough for this. Are you sure that your browsers are configured correctly?

----------

## babaganosh

Every browser is set to automatic for network settings.

I have also set up a small test network with 1 workstation and a D-Link router for DHCP, and recompiled with legacy DNS support enabled, and the problem persists.

----------

## Hu

Given that HTTP does work from the gateway and that you get a generic error page in the browser itself, this seems like a browser configuration problem, not a shorewall problem.  Which browser are you using on the gateway?  What is providing the "automatic" settings?

----------

## babaganosh

I have gone back to what I had last week, except instead of using the cable modem's built-in firewall I have a D-Link in its place.

That is, Internet comes in from the cable modem. The cable modem is connected to a D-Link router with DHCP on a different subnet.

Eth0 on the Gentoo box picks up a DHCP address, and I set the DMZ on the D-Link to go to that IP.

Everything else remains the same on the network and it all works.

Last week I had my ISP flash the modem to remove the firewall portion, so that it just acts as a basic cable modem and I could get my ddclient working. I may just live without it.

----------

