# [SOLVED] IPTABLES Issue, cannot access https servers

## puddpunk

Hi guys,

I'm having a problem with this IPTables script. For some reason I can't access any https sites  :Sad:  Which means my banking, my uni, and a few other sites as well. Any IPTABLES gurus want to take a look at it for me?

Thanks,

Chris  :Smile: 

```
# iptables -vL

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
   27  2028 ACCEPT     all  --  eth1   any     anywhere             anywhere
    0     0 ACCEPT     all  --  ppp0   any     anywhere             anywhere           state RELATED,ESTABLISHED
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere           tcp dpt:auth reject-with icmp-port-unreachable
    2   108 ACCEPT     all  --  eth0   any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  ppp0   eth1    anywhere             90.0.0.0/24        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth1   any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 18 packets, 1604 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

```
# sed 's:#.*$::g' /etc/firewall | grep -v $'^[ \t]*$'

        EXT_IF=ppp0
        INT_IF=eth1
        INT_NET=90.0.0.0/24
        ANY=0.0.0.0/0
        IPTABLES=/sbin/iptables
        MODPROBE=/sbin/modprobe
        echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
        echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
        echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
        echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
        echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
        echo "1" > /proc/sys/net/ipv4/ip_dynaddr
        echo "1" > /proc/sys/net/ipv4/ip_forward
        $IPTABLES -F INPUT
        $IPTABLES -F OUTPUT
        $IPTABLES -F FORWARD
        $IPTABLES -t nat -F
        $IPTABLES -t mangle -F
        $IPTABLES -P INPUT DROP
        $IPTABLES -P FORWARD DROP
        $IPTABLES -P OUTPUT ACCEPT
        $IPTABLES -A INPUT -i lo -j ACCEPT
        $IPTABLES -A INPUT -i $INT_IF -j ACCEPT
        $IPTABLES -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPTABLES -t mangle -A POSTROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 10
        $IPTABLES -t mangle -A POSTROUTING -m tos --tos Maximize-Throughput -j MARK --set-mark 30
        $IPTABLES -t mangle -A POSTROUTING -p udp -j MARK --set-mark 10
        $IPTABLES -t mangle -A POSTROUTING -p tcp --dport 47624 -j MARK --set-mark 10
        $IPTABLES -t mangle -A POSTROUTING -p tcp --dport 2300:2400 -j MARK --set-mark 10
        $IPTABLES -t mangle -A POSTROUTING -p tcp --dport 2300:2400 -j MARK --set-mark 10
        $IPTABLES -t mangle -A POSTROUTING -p icmp -j MARK --set-mark 10
        $IPTABLES -t mangle -A POSTROUTING -p tcp --dport 22 -j MARK --set-mark 10
        $IPTABLES -t mangle -A POSTROUTING -p tcp --dport 80 -j MARK --set-mark 20
        $IPTABLES -t mangle -A POSTROUTING -p tcp --dport 443 -j MARK --set-mark 20
        $IPTABLES -t mangle -A POSTROUTING -p tcp -m length --length :64 -j MARK --set-mark 20
        $IPTABLES -t mangle -A PREROUTING -p udp -j MARK --set-mark 10
        $IPTABLES -t mangle -A PREROUTING -p tcp --sport 47624 -j MARK --set-mark 10
        $IPTABLES -t mangle -A PREROUTING -p tcp --sport 2300:2400 -j MARK --set-mark 10
        $IPTABLES -t mangle -A PREROUTING -p tcp --sport 2300:2400 -j MARK --set-mark 10
        $IPTABLES -t mangle -A PREROUTING -p icmp -j MARK --set-mark 10
        $IPTABLES -t mangle -A PREROUTING -p tcp --sport 22 -j MARK --set-mark 10
        $IPTABLES -t mangle -A PREROUTING -m mark --mark 0 -j MARK --set-mark 30
        $IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -s $ANY -d $INT_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPTABLES -A FORWARD -i $INT_IF -d $ANY -j ACCEPT
        $IPTABLES -A POSTROUTING -t nat -o $EXT_IF -j MASQUERADE
        $IPTABLES -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-port 3128
        $IPTABLES -A INPUT -p tcp --dport 113 -j REJECT
        $IPTABLES -A INPUT -i eth0 -d $ANY -j ACCEPT
```

Last edited by puddpunk on Wed Aug 13, 2003 11:36 am; edited 1 time in total

----------

## puddpunk

Right, I've hacked my IPTables script up a bit, but still, no dice. I've tried implementing the connection tracking etc... but still it won't work.

I think it was working a little while ago, then I went and changed things. Story of my life. I've put a logging target at the end of the input chain so that anything that comes through is logged, but I don't see anything except a bit of ICMP traffic going through.

Anybody have any insight on this? Even ideas??

----------

## puddpunk

Well, here is my updated firewall scripts if anybody happens to be surfing through...

```
server etc # sed 's:#.*$::g' /etc/firewall | grep -v $'^[ \t]*$'

        NET_IF=ppp0
        LOC_IF=eth1
        HOME_NET=90.0.0.0/24
        ANY=0.0.0.0/0
        IPTABLES=/sbin/iptables
        MODPROBE=/sbin/modprobe
        echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
        echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
        echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
        echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
        echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
        echo "1" > /proc/sys/net/ipv4/ip_dynaddr
        echo "1" > /proc/sys/net/ipv4/ip_forward
        echo "1" > /proc/sys/net/ipv4/tcp_syncookies
        $IPTABLES -F INPUT
        $IPTABLES -F OUTPUT
        $IPTABLES -F FORWARD
        $IPTABLES -t nat -F
        $IPTABLES -t mangle -F
        $IPTABLES -P INPUT DROP
        $IPTABLES -P FORWARD DROP
        $IPTABLES -P OUTPUT ACCEPT
        $IPTABLES -A INPUT -i lo -j ACCEPT
        $IPTABLES -A INPUT -i $LOC_IF -j ACCEPT
        $IPTABLES -A INPUT -i eth0 -j ACCEPT
        $IPTABLES -A INPUT -i $NET_IF -p all -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport 113 -j REJECT
        $IPTABLES -A INPUT -i $NET_IF -s 90.0.0.0/24 -j DROP
        $IPTABLES -A INPUT -i $NET_IF -s 10.0.0.0/8 -j DROP
        $IPTABLES -A INPUT -i $NET_IF -s 192.168.0.0/16 -j DROP
        $IPTABLES -A INPUT -d 127.0.0.0/8 -j DROP
        $IPTABLES -A INPUT -p igmp -j DROP
        $IPTABLES -A INPUT -p tcp --dport 80 -j DROP
        $IPTABLES -A INPUT -p tcp --dport 443 -j DROP
        $IPTABLES -A INPUT -j LOG --log-prefix "|iptables -- "
        $IPTABLES -A FORWARD -i $NET_IF -o $LOC_IF -s $ANY -d $HOME_NET -p all \
                -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        $IPTABLES -A FORWARD -i $LOC_IF -d $ANY -j ACCEPT
        $IPTABLES -A POSTROUTING -t nat -o $NET_IF -j MASQUERADE
        $IPTABLES -t nat -A PREROUTING -i $LOC_IF -p tcp --dport 80 -j REDIRECT --to-port 3128
```

```
server etc # iptables -vL

Chain INPUT (policy DROP 1814 packets, 109K bytes)
 pkts bytes target     prot opt in     out     source               destination
  413 36109 ACCEPT     all  --  lo     any     anywhere             anywhere
 1438  166K ACCEPT     all  --  eth1   any     anywhere             anywhere
 2656  685K ACCEPT     all  --  eth0   any     anywhere             anywhere
  738  471K ACCEPT     all  --  ppp0   any     anywhere             anywhere           ctstate RELATED,ESTABLISHED
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere           tcp dpt:auth reject-with icmp-port-unreachable
    0     0 DROP       all  --  ppp0   any     90.0.0.0/24          anywhere
    0     0 DROP       all  --  ppp0   any     10.0.0.0/8           anywhere
    0     0 DROP       all  --  ppp0   any     192.168.0.0/16       anywhere
    0     0 DROP       all  --  any    any     anywhere             loopback/8
    0     0 DROP       igmp --  any    any     anywhere             anywhere
    2   120 DROP       tcp  --  any    any     anywhere             anywhere           tcp dpt:www
    0     0 DROP       tcp  --  any    any     anywhere             anywhere           tcp dpt:https
 1814  109K LOG        all  --  any    any     anywhere             anywhere           LOG level warning prefix `|iptables -- '

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   17  5259 ACCEPT     all  --  ppp0   eth1    anywhere             90.0.0.0/24        ctstate RELATED,ESTABLISHED
   23  1667 ACCEPT     all  --  eth1   any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 4258 packets, 812K bytes)
 pkts bytes target     prot opt in     out     source               destination
```

A funny complication here, I went to the netfilter bugzilla to see if anybody else had a problem like mine, but it turns out that you can only access the bugzilla with https  :Sad: 

----------

## Janne Pikkarainen

I am no way an iptables guru, but here goes nothing: if you have your own Squid setup and tunneling all the http traffic via it (and maybe preventing http traffic without it?), maybe you should add a line like this:

```
$IPTABLES -t nat -A PREROUTING -i $LOC_IF -p tcp --dport 443 -j REDIRECT --to-port 3128
```

And make sure that Squid is aware of how to handle https.

----------

## Chris W

Please clarify:

eth1 is internal interface that has a bound IP address of 90.X.X.X.

eth0 is an ethernet interface that has no bound IP address and supports only the PPPOE connection.

ppp0 is your PPPOE connection with an ISP assigned address.

The problem is accessing SSL secured sites from a machine *inside* the firewall and not from the firewall machine itself.

My first observation is that you are using an IANA reserved IP block (90.0.0.x) rather than an officially sanctioned private address block. See RFC 1918: Address Allocation for Private Internets, which has this to say:

> The Internet Assigned Numbers Authority (IANA) has reserved the
> following three blocks of the IP address space for private internets:
> ...

Of course, if you represent the IANA then you can ignore this issue. It may be, however, that after changing the destination address on inbound packets to 90.0.0.x (deNATing them) it decides that the best route for these is to the real 90.0.0.x on the big, bad, internet. This may, however, affect things other than SSL.

*Quote:*

> $IPTABLES -A INPUT -d 127.0.0.0/8 -j DROP

may be detrimental to some services that assume the loopback interface works.

The KISS principle seems to be lost on your tables.  Can you explain in English what you wish to achieve with this box?  Apart from squid acting as a transparent proxy are there other servers on the box?  

Have a good read of the Gentoo Linux Security Guide in the firewall section.  The example script there is quite a reasonable guide.
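Chris W's two points (the LAN block is not one of the RFC 1918 ranges, and the external anti-spoof DROP list in the script is incomplete) can be checked mechanically. The following is an added example, not code from the thread: it reads a firewall script written in puddpunk's style (a constructed excerpt is embedded), pulls out `HOME_NET` and the active `-i $NET_IF -s ... -j DROP` rules, and reports whether the LAN prefix is private and which of the usual bogon blocks (RFC 1918 plus link-local 169.254.0.0/16, both well-known constants) have no DROP covering them. The variable names and rule shape are assumptions taken from the posted script.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Source blocks a border filter normally drops on the external interface:
# the RFC 1918 ranges plus link-local. Well-known constants, not from the thread.
EXPECTED_EXTERNAL_DROPS = RFC1918 + [ipaddress.ip_network("169.254.0.0/16")]

# Constructed excerpt in the style of the thread's /etc/firewall (not the full script).
SAMPLE_SCRIPT = """\
NET_IF=ppp0
HOME_NET=90.0.0.0/24
        $IPTABLES -A INPUT -i $NET_IF -s 90.0.0.0/24 -j DROP
        $IPTABLES -A INPUT -i $NET_IF -s 10.0.0.0/8 -j DROP
#       $IPTABLES -A INPUT -i $NET_IF -s 172.16.0.0/12 -j DROP
        $IPTABLES -A INPUT -i $NET_IF -s 192.168.0.0/16 -j DROP
        $IPTABLES -A INPUT -i $NET_IF -d 127.0.0.0/8 -j DROP
"""

VAR_RE = re.compile(r"^\s*([A-Z_]+)=(\S+)\s*$", re.M)
# Only active (uncommented) source DROPs on the external interface; a leading '#'
# stops '^\s*\$IPTABLES' from matching.
EXT_DROP_RE = re.compile(
    r"^\s*\$IPTABLES\s+-A\s+INPUT\s+-i\s+\$NET_IF\s+-s\s+(\S+)\s+-j\s+DROP", re.M)


def parse_script(text):
    """Return ({VAR: value}, [DROPped source networks on the external interface])."""
    variables = dict(VAR_RE.findall(text))
    drops = [ipaddress.ip_network(s) for s in EXT_DROP_RE.findall(text)]
    return variables, drops


def audit_addressing(text):
    """List findings about HOME_NET and the external anti-spoof DROP rules."""
    variables, drops = parse_script(text)
    home = ipaddress.ip_network(variables["HOME_NET"])
    findings = []
    if not any(home.subnet_of(block) for block in RFC1918):
        findings.append(f"HOME_NET {home} is not inside an RFC 1918 block")
    # Packets claiming to come from the LAN must never arrive on the external link.
    if not any(home.subnet_of(d) for d in drops):
        findings.append(f"no external-interface DROP covering HOME_NET {home}")
    for block in EXPECTED_EXTERNAL_DROPS:
        if not any(block.subnet_of(d) for d in drops):
            findings.append(f"no external-interface DROP covering {block}")
    return findings


def missing_drop_rules(text):
    """iptables lines, in the script's own style, for the blocks left uncovered."""
    _, drops = parse_script(text)
    return [f"$IPTABLES -A INPUT -i $NET_IF -s {block} -j DROP"
            for block in EXPECTED_EXTERNAL_DROPS
            if not any(block.subnet_of(d) for d in drops)]


if __name__ == "__main__":
    for finding in audit_addressing(SAMPLE_SCRIPT):
        print("finding:", finding)
    for rule in missing_drop_rules(SAMPLE_SCRIPT):
        print("suggested:", rule)
```

Run it against the real file with `audit_addressing(open("/etc/firewall").read())`. On the embedded excerpt it flags the non-private `HOME_NET` and the two commented-out blocks (172.16.0.0/12 and 169.254.0.0/16); changing `HOME_NET` to a 192.168.x.0/24 range clears the first finding, which is the change Chris W is recommending.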

----------

## puddpunk

*Janne Pikkarainen wrote:*

> I am no way an iptables guru, but here goes nothing: if you have your own Squid setup and tunneling all the http traffic via it (and maybe preventing http traffic without it?), maybe you should add a line like this:
>
> `$IPTABLES -t nat -A PREROUTING -i $LOC_IF -p tcp --dport 443 -j REDIRECT --to-port 3128`
> ...

Hi Janne, thanks for the reply. I previously attempted adding that rule to squid, but it didn't help. I didn't change anything in the squid config though, so I will perhaps look into that.

 *Chris W wrote:*   

> Please clarify: 
> 
> eth1 is internal interface that has a bound IP address of 90.X.X.X. 
> 
> eth0 is an ethernet interface that has no bound IP address and supports only the PPPOE connection. 
> ...

 

Thanks for your reply Chris  :Smile: 

eth1 has an address of 90.0.0.1

eth0 is assigned an address of 192.168.1.1 and is used to create a PPTP tunnel with my modem. The modem is 192.168.1.254, and these two are the only devices on the 192.168.1.0/24 network.

ppp0 is the PPTP connection to the modem that traverses the 192.168.1.0/24 network. ppp0 has my external internet address.

I can access SSL sites from my webserver (though using lynx through ssh ain't pretty  :Smile: ), but not from any of my machines on the LAN.

 *Chris W wrote:*   

> My first observation is that you are using an IANA reserved IP block (90.0.0.x) rather than an officially sanctioned private address block.

 

Yup. This is because the half-assed windows proxy/firewall we had in place before told us that was the way to set up the network (it was back when I didn't have any say in what happened in the network) and dad blindly followed. The addresses could be changed, but that is not preferable. SSL sites worked under WinProxy, they also worked under Shorewall and the other small script that I have based my custom one on. After I finish this post, I will load up my previous firewall and see if that repairs things.

 *Chris W wrote:*   

> Of course, if you represent the IANA them you can ignore this issue. It may be, however, that after changing the destination address on inbound packets to 90.0.0.x (deNATing them) it decides that the best route for these is to the real 90.0.0.x on the big, bad, internet. This may, however affect things other than SSL. 

 

Well, I don't represent the IANA, so I guess I better change them anyway. I just didn't think that was the problem. :\ There are no issues like this on any of my other protocols.

 *Chris W wrote:*   

> `$IPTABLES -A INPUT -d 127.0.0.0/8 -j DROP` may be detrimental to some services that assume the loopback interface works.

 

Yeah, that was a typo. That line should have been 

```
$IPTABLES -A INPUT -i ppp0 -d 127.0.0.0/8 -j DROP
```

As it's a fair assumption I shouldn't be receiving traffic from localhost on my external interface. I've heard about techniques similar to this being used in attacks. Better safe than sorry.

 *Chris W wrote:*   

> The KISS principle seems to be lost on your tables. Can you explain in English what you wish to achieve with this box? Apart from squid acting as a transparent proxy are there other servers on the box?

 

It's actually pretty funny you should say that, as the file is heavily commented (2:1 comment:code  :Smile: ) so that my father can understand it. I just cut the comments so I wasn't posting a huge file with a low signal to noise ratio. I will post the entire file verbatim.

 *Chris W wrote:*   

> Have a good read of the Gentoo Linux Security Guide in the firewall section. The example script there is quite a reasonable guide.

 

Yeah, honestly it was my next stop  :Very Happy:  I swear!

Here is my entire firewall file:

```
server etc # cat /etc/firewall

#!/bin/sh
#####
# Firewall script written for my home network.
# This code may be used under the GPL licence.
#
# Based loosely off the atomic.firewall script.
#
# Chris Smith, 2003
#
##
### CONFIGURATION
##
#
#####
# Env variables
        NET_IF=ppp0
        LOC_IF=eth1
        HOME_NET=90.0.0.0/24
        ANY=0.0.0.0/0
        IPTABLES=/sbin/iptables
        MODPROBE=/sbin/modprobe
#
##
### PREPARATION
##
#
#####
# Let's go...
#
# This stuff is augmented code from the atomic
# firewall script, since it's a good idea and
# I can't think of a better way to do it :)
#####
# Sets kernel variables to sane firewall values.
#
# Disable IP spoofing attacks
# Ignore broadcast pings
# Block source routing
# Kill redirects
# Set acceptable local port range
# Allow dynamic IP addresses
# Enable forwarding (gateway)
# Enables TCP Syncookies (anti-DOS)
        echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
        echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
        echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
        echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
        echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
        echo "1" > /proc/sys/net/ipv4/ip_dynaddr
        echo "1" > /proc/sys/net/ipv4/ip_forward
        echo "1" > /proc/sys/net/ipv4/tcp_syncookies

#####
# Prepares IPTables to accept new rules...
#
        # Flush rules on all tables...
        $IPTABLES -F INPUT
        $IPTABLES -F OUTPUT
        $IPTABLES -F FORWARD
        $IPTABLES -t nat -F
        $IPTABLES -t mangle -F
        # Sets default policies for chains.
        $IPTABLES -P INPUT DROP
        $IPTABLES -P FORWARD DROP
        $IPTABLES -P OUTPUT ACCEPT
#
##
### RULE CONFIGURATION
##
#
#####
# INPUT
#
# The input chain. By default, everything is dropped here as
# per the chain policy.
        # Localhost has unlimited access on this machine.
        $IPTABLES -A INPUT -i lo -j ACCEPT
        # Local network also has unlimited access.
        $IPTABLES -A INPUT -i $LOC_IF -j ACCEPT
        # Information needs to come in through eth0 because that's
        # what my PPTP connection is enabled on. Unlimited Access.
        $IPTABLES -A INPUT -i eth0 -j ACCEPT
        # Use stateful connection tracking to figure out which
        # connections have been established. Uses "conntrack"
        # instead of "state".
        $IPTABLES -A INPUT -i $NET_IF -p all -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        # Uncomment these for external access to servers:
        # SSH:
#       $IPTABLES -A INPUT -i $NET_IF -p tcp --dport 22 -j ACCEPT
        # Web:
#       $IPTABLES -A INPUT -i $NET_IF -p tcp --dport 80 -j ACCEPT
        # Ntop:
#       $IPTABLES -A INPUT -i $NET_IF -p tcp --dport 3000 -j ACCEPT
        # Webmin:
#       $IPTABLES -A INPUT -i $NET_IF -p tcp --dport 10000 -j ACCEPT
        # Use REJECT on the ident port for speedy access to old IRC
        # and FTP servers.
        $IPTABLES -A INPUT -p tcp --dport 113 -j REJECT
        # We shouldn't be seeing traffic from these IP addresses through
        # the external interface, nor should we be seeing traffic addressed
        # to localhost through it. DROP the packets. Prevents IP-spoofing
        # attacks.
        $IPTABLES -A INPUT -i $NET_IF -s 90.0.0.0/24 -j DROP
        $IPTABLES -A INPUT -i $NET_IF -s 10.0.0.0/8 -j DROP
#       $IPTABLES -A INPUT -i $NET_IF -s 172.16.0.0/12 -j DROP
        $IPTABLES -A INPUT -i $NET_IF -s 192.168.0.0/16 -j DROP
#       $IPTABLES -A INPUT -i $NET_IF -s 169.254.0.0/16 -j DROP
        $IPTABLES -A INPUT -i $NET_IF -d 127.0.0.0/8 -j DROP
        # Good idea from atomic.firewall. Drop traffic you don't
        # care about. Logs are big enough.
        $IPTABLES -A INPUT -p igmp -j DROP
        $IPTABLES -A INPUT -p tcp --dport 80 -j DROP
        $IPTABLES -A INPUT -p tcp --dport 443 -j DROP
        # Add a logging entry for everything else.
        $IPTABLES -A INPUT -j LOG --log-prefix "|iptables -- "

#####
# Bandwidth Shaping
#
# I'll add it when IPRoute wants to compile on my server :|
# Needs to be here because it's POST/PREROUTING

#####
# FORWARD
#
# The forward chain. Everything is dropped here too, so we
# will have to add specific rules for routing packets etc...
        # Pass on packets that have already had connections
        # related to them. Uses conntrack too.
        $IPTABLES -A FORWARD -i $NET_IF -o $LOC_IF -s $ANY -d $HOME_NET -p all \
                -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        # Let all internal traffic be forwarded
        $IPTABLES -A FORWARD -i $LOC_IF -d $ANY -j ACCEPT

#####
# OUTPUT
#
# Nothing I really care about here. Will add blocks if snort detects
# any trojan traffic etc... So I'll just let it follow policy and anything
# can go out.

#####
# NAT
#
# Stuff to do on traffic to be NAT'd.
        # Masquerade it for now, until I find a better way
        $IPTABLES -A POSTROUTING -t nat -o $NET_IF -j MASQUERADE
        # Any website traffic, push it through squid so it can
        # be cached.
        $IPTABLES -t nat -A PREROUTING -i $LOC_IF -p tcp --dport 80 -j REDIRECT --to-port 3128

# There, That was easy, wasn't it? :)
#EOF
```

Thanks for your reply Chris W and Janne

Cheers,

Chris.

----------

## puddpunk

Just for fun, I set all the policies to accept, and added a few others that I needed, and tried again. I also tried my old firewall and that doesn't work either.

Doesn't work. I'm perhaps thinking this IP address could be a problem. I can surf normal websites, but as soon as I try a https site, it goes into the unlimited wait (like the packets are being dropped).

Here is my firewall.basic file:

```
#!/bin/sh
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE
```

Actually, it could seriously be my PPTP connection to my ADSL modem. Anybody have some insight/advice/experience on that?

Thanks,

Chris.

----------

## Hairball

I didn't go over your firewall rules with a fine-tooth comb, but they look ok to me. I'll suggest some troubleshooting things I'd do if I was in your shoes. Since you're using some kind of proxy, have you checked the proxy settings in your web browsers? If you're using mozilla (or netscape I think), look under Edit -> Preferences -> Advanced -> Proxies and see what it says. Maybe you have a proxy set up for SSL (https) connections that's not working right or doesn't exist.

When you try to view a SSL site, do you notice if any of the byte counts in the "iptables -v" printout go up indicating that your traffic went through that rule? If you're the only person on your network at that point, you can probably be relatively sure that you're the one causing those byte counts to go up. If no counts are changing, then your traffic is probably not getting to the host.

If all else fails, try using a sniffer like tcpdump to see where the traffic is going:

```
emerge tcpdump
tcpdump -i <put your internal interface here> tcp dst port 443
```

and see what that shows you when you try to browse to a https page. If you don't see any traffic, the client is *probably* sending it to the wrong place and you can focus some more attention there.

I hope this helps! Good luck!
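Hairball's suggestion of watching the `iptables -v` counters while reproducing the problem can be automated, which matters when, as in this thread, the INPUT chain has a dozen rules and a busy LOG target. The following is an added example, not code from the thread: it parses two snapshots of `iptables -vL` output (constructed here in the exact format quoted above, including the K/M/G abbreviations `-v` uses) and reports every rule and chain policy whose packet or byte counter moved between them. Rule numbers are assigned by position within each chain, matching what `iptables --line-numbers` would show.

```python
import re
import sys

# iptables -v abbreviates large counters with K/M/G (1000-based); -x prints them exactly.
SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+[KMG]?) packets, (\d+[KMG]?) bytes\)")
RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S.*?)\s*$")

# Constructed snapshots: "before" mirrors the listing in the thread; "after" is the
# same box a few seconds later, while one https connection attempt is made.
BEFORE = """\
Chain INPUT (policy DROP 1814 packets, 109K bytes)
 pkts bytes target     prot opt in     out     source               destination
  413 36109 ACCEPT     all  --  lo     any     anywhere             anywhere
  738  471K ACCEPT     all  --  ppp0   any     anywhere             anywhere           ctstate RELATED,ESTABLISHED
    0     0 DROP       tcp  --  any    any     anywhere             anywhere           tcp dpt:https

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   17  5259 ACCEPT     all  --  ppp0   eth1    anywhere             90.0.0.0/24        ctstate RELATED,ESTABLISHED
   23  1667 ACCEPT     all  --  eth1   any     anywhere             anywhere
"""
AFTER = """\
Chain INPUT (policy DROP 1820 packets, 110K bytes)
 pkts bytes target     prot opt in     out     source               destination
  413 36109 ACCEPT     all  --  lo     any     anywhere             anywhere
  741  473K ACCEPT     all  --  ppp0   any     anywhere             anywhere           ctstate RELATED,ESTABLISHED
    0     0 DROP       tcp  --  any    any     anywhere             anywhere           tcp dpt:https

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   19  7800 ACCEPT     all  --  ppp0   eth1    anywhere             90.0.0.0/24        ctstate RELATED,ESTABLISHED
   31  2891 ACCEPT     all  --  eth1   any     anywhere             anywhere
"""


def to_int(counter):
    """'471K' -> 471000, '36109' -> 36109."""
    if counter[-1] in SUFFIX:
        return int(counter[:-1]) * SUFFIX[counter[-1]]
    return int(counter)


def parse_counters(text):
    """Map (chain, 'policy' | rule number) -> (pkts, bytes, description)."""
    counters, chain, rule_no = {}, None, 0
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain, policy, pkts, byts = m.groups()
            rule_no = 0
            counters[(chain, "policy")] = (to_int(pkts), to_int(byts), f"policy {policy}")
            continue
        m = RULE_RE.match(line) if chain else None  # the 'pkts bytes ...' header never matches
        if m:
            rule_no += 1
            pkts, byts, rest = m.groups()
            counters[(chain, rule_no)] = (to_int(pkts), to_int(byts), " ".join(rest.split()))
    return counters


def counter_deltas(before_text, after_text):
    """(chain, rule, description, +pkts, +bytes) for every counter that moved."""
    before, after = parse_counters(before_text), parse_counters(after_text)
    moved = []
    for key, (pkts, byts, desc) in after.items():
        old_pkts, old_bytes, _ = before.get(key, (0, 0, desc))
        if pkts > old_pkts or byts > old_bytes:
            moved.append((key[0], key[1], desc, pkts - old_pkts, byts - old_bytes))
    return moved


if __name__ == "__main__":
    # Usage: save `iptables -vnxL` before and after the test, then
    #   python3 counter_diff.py before.txt after.txt
    # (with no arguments the embedded snapshots are used).
    snaps = [open(p).read() for p in sys.argv[1:3]] if len(sys.argv) == 3 else [BEFORE, AFTER]
    for chain, rule, desc, dp, db in counter_deltas(*snaps):
        print(f"{chain:8} rule {str(rule):7} +{dp:>4} pkts +{db:>6} bytes  {desc}")
```

Use `-n` to avoid the DNS lookups that slow the listing and `-x` for exact counters; with the abbreviated form a rule whose byte count stays within the same thousand shows no change. The reading Hairball describes falls out directly: counters climbing on the FORWARD rules show the LAN client's traffic is reaching and leaving the box, while a rising INPUT policy counter with nothing else moving means packets are arriving and being dropped by policy.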

----------

## Salze

Hi Chris!

I read your email, which is why I'm here. I don't mean to sound rude or so but it's really hard to collect all the pieces of information one needs to understand your problem.

That is especially true for the squid and browser setup. Do you use squid as a transparent proxy? If so, for both http and https?

Did you already add this line to iptables from Janne or not??

*puddpunk wrote:*

> *Janne Pikkarainen wrote:* I am no way an iptables guru, but here goes nothing: if you have your own Squid setup and tunneling all the http traffic via it (and maybe preventing http traffic without it?), maybe you should add a line like this:
>
> `$IPTABLES -t nat -A PREROUTING -i $LOC_IF -p tcp --dport 443 -j REDIRECT --to-port 3128`
> ...

AFAIK one cannot transparently proxy https.

bye

Salze

----------

## puddpunk

Thanks for the replies guys  :Very Happy: 

Salze: Thanks for helping out, I'm using squid as a transparent proxy for web HTTP, and HTTPS traffic is _not_ being forwarded through squid.

I had tried it and it didn't work so I turned it off.

Hairball: Thanks for the reply, thanks for that TCPdump trick, I tried using it before but the massive amount of data just confused me. I will try that, thanks.

Anyway, back to the problem, on a hunch, I disabled PPTP on my modem, and set it to be a router instead, and adjusted my linux box to send traffic through eth0 (i.e. ppp0 no longer exists). SSL sites work, it was the solution I was dreading, a PPTP problem  :Sad: 

----------

## Hairball

puddpunk,

Do other types of traffic work on the internet? Can you ssh/telnet/ftp to other hosts on the internet?

Can we see your routing tables with the PPTP turned on as well as the output from ifconfig?

```
route -n
ifconfig -a
```

----------

## puddpunk

 *Hairball wrote:*   

> puddpunk,
> 
> Does other types of traffic work on the internet? Can you ssh/telnet/ftp to other hosts on the internet?
> 
> Can we see your routing tables with the PPTP turned on as well as the output from ifconfig?
> ...

 

Hi Hairball,

Yes, I can use lots of other things (e.g. web, http, sometimes enemy territory) but on some servers enemy territory fails. I have some more information for you here hairball, hope you can help!

When I click on a link in my browser that goes to a https site, this is output in tcpdump:

```
server pptpclient # tcpdump -i ppp0 tcp dst port 443
tcpdump: listening on ppp0
09:53:58.596507 210.54.208.14.33016 > 210.55.168.70.https: S 2971042484:2971042484(0) win 5840 <mss 1460,sackOK,timestamp 442491 0,nop,wscale 0> (DF)
09:53:58.681783 210.54.208.14.33016 > 210.55.168.70.https: . ack 781192472 win 5840 <nop,nop,timestamp 442500 0> (DF)
09:53:58.686905 210.54.208.14.33016 > 210.55.168.70.https: P 0:93(93) ack 1 win 5840 <nop,nop,timestamp 442500 0> (DF)
09:53:58.768427 210.54.208.14.33016 > 210.55.168.70.https: . ack 1 win 5840 <nop,nop,timestamp 442509 0,nop,nop,sack sack 1 {1399:2268} > (DF)
09:54:06.680474 210.54.208.14.33016 > 210.55.168.70.https: . ack 1 win 5840 <nop,nop,timestamp 443300 0,nop,nop,sack sack 2 {1399:1411}{1399:2268} > (DF)
09:54:17.698392 210.54.208.14.33016 > 210.55.168.70.https: . ack 1 win 5840 <nop,nop,timestamp 444402 0,nop,nop,sack sack 2 {1399:1411}{1399:2268} > (DF)
09:54:17.766560 210.54.208.14.33016 > 210.55.168.70.https: . ack 1 win 5840 <nop,nop,timestamp 444408 0,nop,nop,sack sack 2 {1411:2268}{1399:2268} > (DF)
09:54:29.714538 210.54.208.14.33016 > 210.55.168.70.https: . ack 1 win 5840 <nop,nop,timestamp 445603 0,nop,nop,sack sack 2 {1399:1411}{1399:2268} > (DF)
09:54:29.799537 210.54.208.14.33016 > 210.55.168.70.https: . ack 1 win 5840 <nop,nop,timestamp 445612 0,nop,nop,sack sack 2 {1411:2268}{1399:2268} > (DF)

195 packets received by filter
0 packets dropped by kernel
```

And here is the other information you requested:

```
server pptpclient # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
210.54.208.254  0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
90.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0

server pptpclient # ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:00:E8:D4:73:4D
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:113938 errors:0 dropped:0 overruns:0 frame:0
          TX packets:164272 errors:0 dropped:0 overruns:0 carrier:0
          collisions:60 txqueuelen:100
          RX bytes:60919854 (58.0 Mb)  TX bytes:15661545 (14.9 Mb)
          Interrupt:11 Base address:0xc000

eth1      Link encap:Ethernet  HWaddr 00:10:5A:85:FB:05
          inet addr:90.0.0.1  Bcast:90.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:182298 errors:0 dropped:0 overruns:0 frame:0
          TX packets:128574 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:29718811 (28.3 Mb)  TX bytes:65574787 (62.5 Mb)
          Interrupt:10 Base address:0xc400

gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:1476  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:19339 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19339 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3395579 (3.2 Mb)  TX bytes:3395579 (3.2 Mb)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:210.54.208.14  P-t-P:210.54.208.254  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1000  Metric:1
          RX packets:1380 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1491 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:762195 (744.3 Kb)  TX bytes:165527 (161.6 Kb)

tunl0     Link encap:IPIP Tunnel  HWaddr
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

server pptpclient #
```

Thanks,

Chris.

----------

## puddpunk

Also, if that tcpdump doesn't provide enough info, I ran it with src or dest port 443 so you get both sides of the convo.

210.54.208.14 is my server's IP address and 202.49.143.70 is the name of the remote https server.

```
server pptpclient # tcpdump -i ppp0 tcp src or dst port 443
tcpdump: listening on ppp0
10:14:48.263016 210.54.208.14.33074 > 202.49.143.70.https: S 4291899094:4291899094(0) win 5840 <mss 1460,sackOK,timestamp 567460 0,nop,wscale 0> (DF)
10:14:48.327339 202.49.143.70.https > 210.54.208.14.33074: S 2698670960:2698670960(0) ack 4291899095 win 64860 <mss 1410,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF)
10:14:48.327867 210.54.208.14.33074 > 202.49.143.70.https: . ack 1 win 5840 <nop,nop,timestamp 567466 0> (DF)
10:14:48.333693 210.54.208.14.33074 > 202.49.143.70.https: P 1:94(93) ack 1 win 5840 <nop,nop,timestamp 567467 0> (DF)
10:14:48.414729 202.49.143.70.https > 210.54.208.14.33074: P 1399:2092(693) ack 94 win 64767 <nop,nop,timestamp 1404706 567467> (DF)
10:14:48.415849 210.54.208.14.33074 > 202.49.143.70.https: . ack 1 win 5840 <nop,nop,timestamp 567475 0,nop,nop,sack sack 1 {1399:2092} > (DF)
10:14:51.479332 210.55.168.70.https > 210.54.208.14.33073: . 1342720527:1342720539(12) ack 4262681467 win 64767 <nop,nop,timestamp 1406154 566102> (DF)
10:14:51.479858 210.54.208.14.33073 > 210.55.168.70.https: R 4262681467:4262681467(0) win 0 (DF)
10:14:56.344501 202.49.143.70.https > 210.54.208.14.33074: . 1399:1411(12) ack 94 win 64767 <nop,nop,timestamp 1404786 567475> (DF)
10:14:56.344959 210.54.208.14.33074 > 202.49.143.70.https: . ack 1 win 5840 <nop,nop,timestamp 568268 0,nop,nop,sack sack 2 {1399:1411}{1399:2092} > (DF)
10:15:07.252583 210.54.208.14.33074 > 202.49.143.70.https: F 94:94(0) ack 1 win 5840 <nop,nop,timestamp 569359 0,nop,nop,sack sack 1 {1399:2092} > (DF)
10:15:07.316508 202.49.143.70.https > 210.54.208.14.33074: F 2092:2092(0) ack 95 win 64767 <nop,nop,timestamp 1404896 569359> (DF)
10:15:07.317037 210.54.208.14.33074 > 202.49.143.70.https: R 4291899189:4291899189(0) win 0 (DF)
10:15:07.333551 202.49.143.70.https > 210.54.208.14.33074: P 1399:2092(693) ack 95 win 64767 <nop,nop,timestamp 1404896 569359> (DF)
10:15:07.334186 210.54.208.14.33074 > 202.49.143.70.https: R 4291899189:4291899189(0) win 0 (DF)

40 packets received by filter
0 packets dropped by kernel
```

Thanks,

Chris.

----------

## puddpunk

Nobody? Well I guess I'm back to wrestling with my modem's NAT again.

Thanks for all the help guys  :Smile: 

Cheers,

Chris.

----------

## puddpunk

Well, I was correct in my assumption earlier about this being a pptp problem.

The MTU and MRU (Maximum Transmissible Unit & Maximum Receivable Unit respectively) were set at 1000 bytes, which was obviously too low for SSL communication. Bumping it up to the default of 1500 set things right.

Thanks for all the help guys  :Smile: 

Cheers,

Chris.
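The MTU diagnosis was already visible in the second tcpdump capture: the client keeps acknowledging byte 1 while SACKing `{1399:2092}`, so the server's first data segment (bytes 1 to 1399, the start of the TLS server hello and certificate) never arrived on ppp0, while the 693-byte and 12-byte segments that follow it did, all sent with DF. The following is an added example, not from the thread: it parses tcpdump lines in the classic format shown above (the capture is reproduced, abridged), finds SACK holes for which no matching segment appears in the capture, and compares the size that segment would have on the wire against the link MTU from the ifconfig output. The per-segment overhead of 52 bytes (IPv4 and TCP headers plus the timestamp option) is an assumption.

```python
import re

# Link MTU of the PPTP interface, from the ifconfig output in the thread.
PPP0_MTU = 1000
# Assumed per-segment overhead: IPv4 header (20) + TCP header (20) + the
# TCP timestamp option (12) that every segment in the capture carries.
TCP_IP_OVERHEAD = 20 + 20 + 12

# Reproduced (abridged) from the thread's second tcpdump capture on ppp0.
CAPTURE = """\
10:14:48.263016 210.54.208.14.33074 > 202.49.143.70.https: S 4291899094:4291899094(0) win 5840 <mss 1460,sackOK,timestamp 567460 0,nop,wscale 0> (DF)
10:14:48.327339 202.49.143.70.https > 210.54.208.14.33074: S 2698670960:2698670960(0) ack 4291899095 win 64860 <mss 1410,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF)
10:14:48.327867 210.54.208.14.33074 > 202.49.143.70.https: . ack 1 win 5840 <nop,nop,timestamp 567466 0> (DF)
10:14:48.333693 210.54.208.14.33074 > 202.49.143.70.https: P 1:94(93) ack 1 win 5840 <nop,nop,timestamp 567467 0> (DF)
10:14:48.414729 202.49.143.70.https > 210.54.208.14.33074: P 1399:2092(693) ack 94 win 64767 <nop,nop,timestamp 1404706 567467> (DF)
10:14:48.415849 210.54.208.14.33074 > 202.49.143.70.https: . ack 1 win 5840 <nop,nop,timestamp 567475 0,nop,nop,sack sack 1 {1399:2092} > (DF)
10:14:56.344501 202.49.143.70.https > 210.54.208.14.33074: . 1399:1411(12) ack 94 win 64767 <nop,nop,timestamp 1404786 567475> (DF)
10:14:56.344959 210.54.208.14.33074 > 202.49.143.70.https: . ack 1 win 5840 <nop,nop,timestamp 568268 0,nop,nop,sack sack 2 {1399:1411}{1399:2092} > (DF)
"""

# Classic tcpdump TCP line: time src > dst: flags [seq:end(len)] [ack N] win N [<opts>] [(DF)]
LINE_RE = re.compile(
    r"^\S+ (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPR.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win \d+(?: <(?P<opts>[^>]*)>)?(?P<rest>.*)$"
)
SACK_RE = re.compile(r"sack sack \d+ ((?:\{\d+:\d+\})+)")
BLOCK_RE = re.compile(r"\{(\d+):(\d+)\}")


def parse_capture(text):
    """Group the capture by direction: (src, dst) -> data segments, SACK acks, DF flag.

    Sequence numbers are tcpdump's relative numbers; the SYN lines carry absolute
    numbers but zero-length payload, so they never count as data here.
    """
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flow = flows.setdefault((m["src"], m["dst"]), {"data": [], "sacks": [], "df": False})
        if m["len"] and int(m["len"]) > 0:
            flow["data"].append((int(m["seq"]), int(m["end"])))
            flow["df"] = flow["df"] or "(DF)" in m["rest"]
        if m["ack"] and m["opts"]:
            sack = SACK_RE.search(m["opts"])
            if sack:
                blocks = [(int(s), int(e)) for s, e in BLOCK_RE.findall(sack.group(1))]
                flow["sacks"].append((int(m["ack"]), blocks))
    return flows


def find_blackholes(text, link_mtu=PPP0_MTU):
    """Report SACK holes whose missing segment is absent from the capture."""
    flows = parse_capture(text)
    findings = []
    for (receiver, sender), flow in flows.items():
        sent = flows.get((sender, receiver), {"data": [], "df": False})
        reported = set()
        for ack, blocks in flow["sacks"]:
            starts = [s for s, _ in blocks if s > ack]
            if not starts:
                continue
            hole = (ack, min(starts))  # bytes the receiver is still waiting for
            if hole in reported:
                continue
            reported.add(hole)
            # If the capture holds a segment covering the hole, it did cross the link.
            if any(seq <= hole[0] and end >= hole[1] for seq, end in sent["data"]):
                continue
            payload = hole[1] - hole[0]
            wire = payload + TCP_IP_OVERHEAD
            findings.append({
                "sender": sender, "receiver": receiver, "missing": hole,
                "payload": payload, "wire_size": wire,
                "largest_delivered": max((e - s for s, e in sent["data"]), default=0),
                "df": sent["df"], "exceeds_mtu": wire > link_mtu,
            })
    return findings


if __name__ == "__main__":
    for f in find_blackholes(CAPTURE):
        print(f"{f['sender']} -> {f['receiver']}: bytes {f['missing'][0]}..{f['missing'][1]} "
              f"never seen ({f['wire_size']} bytes on the wire, DF={f['df']}, "
              f"largest delivered {f['largest_delivered']}); "
              f"{'exceeds' if f['exceeds_mtu'] else 'fits'} MTU {PPP0_MTU}")
```

On the reproduced capture the one finding is the 1398-byte segment from the https server, about 1450 bytes on the wire with DF set against a 1000-byte MTU, while the largest segment that did get through is 693 bytes; with `link_mtu=1500` the same hole is still reported but no longer exceeds the MTU, which is exactly the fix puddpunk applied. The same shape (cumulative ack stuck, SACK blocks above it, only small segments arriving, DF everywhere) is the general signature of a path-MTU black hole, and when the link MTU cannot be raised the usual mitigation on a Linux gateway is to clamp the TCP MSS on forwarded SYNs with the `TCPMSS` target (`--clamp-mss-to-pmtu`) in the mangle table; that rule is a general practice and not something from this thread.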

----------

