[solved]iptable dropping packet

jaideep_jdof · 2008-08-12 16:52:01

I have configured iptable according to the wiki. But its causing packet drops. I am having problem with yahoomail(mails not opening). Following is my iptable rules:

# Generated by iptables-save v1.4.0 on Tue Aug 12 21:07:14 2008
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [145:206050]
:interfaces - [0:0]
:open - [0:0]
-A INPUT -p icmp -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -j interfaces 
-A INPUT -j open 
-A INPUT -p tcp -j REJECT --reject-with tcp-reset 
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable 
-A interfaces -i lo -j ACCEPT 
-A interfaces -i eth0 -j ACCEPT 
# Common attacks
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-I INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-I INPUT -i eth0 -s 172.16.0.0/12 -j DROP
-I INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-I INPUT -i eth0 -s 127.0.0.0/8 -j DROP

COMMIT
# Completed on Tue Aug 12 21:07:14 2008

Last edited by jaideep_jdof (2008-08-19 15:10:22)

drewlander · 2008-08-13 16:18:57

So I take it if you flush the tables, your yahoo mail opens fine?
Just want to see how you came to the conclusion that iptables is causing you not to be able to open yahoo mail.

Ramses de Norre · 2008-08-13 16:30:36

-I INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-I INPUT -i eth0 -s 172.16.0.0/12 -j DROP
-I INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-I INPUT -i eth0 -s 127.0.0.0/8 -j DROP

Did you just copy-paste the ones above or are you certain that you need those? If not, I'd try removing them. And I think the output of "iptables -vL" is more comprehensive than the rules themselves, it shows which rules have been hit.

Last edited by Ramses de Norre (2008-08-13 16:31:18)

arch0r · 2008-08-13 16:54:11

i can't see any problems in this config concerning your problem or rather the smtp port 25 from which you receive your mails.
how do you check your mails? online via the login on the yahoo page or via a mail client like thunderbird?
is it just yahoo or is it generally impossible to open mails?

jaideep_jdof · 2008-08-14 04:13:59

Ramses de Norre wrote:

-I INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-I INPUT -i eth0 -s 172.16.0.0/12 -j DROP
-I INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-I INPUT -i eth0 -s 127.0.0.0/8 -j DROP
Did you just copy-paste the ones above or are you certain that you need those? If not, I'd try removing them. And I think the output of "iptables -vL" is more comprehensive than the rules themselves, it shows which rules have been hit.

I just copy pasted these lines from the wiki. I access yahoomail from the yahoo page. I don't use thunderbird for yahoo, I use it for gmail and gmx. The thunderbird is working fine.

The exact problem i am facing is that, yahoomail opens ok but when i click on a mail to open it doesn't open, only wait sign is show in status bar of my browser. Same thing happens when i try to submit new post in a forum.

arch0r · 2008-08-14 08:01:50

already tried another browser?

jaideep_jdof · 2008-08-14 11:51:53

I tried it with konqueror, same problem.

arch0r · 2008-08-14 12:28:27

does it work, when you disable iptables?

jaideep_jdof · 2008-08-14 17:35:52

Yes it did work when i disabled iptables.

Sin.citadel · 2008-08-15 13:03:53

since you are using OUTPUT as accept, there shouldnt be any problems, but still, i recommend that u disable iptables, install ethereal or any other analyzer, and open yahoo mail (make sure to log in, check your messages), and check it with ethereal , you can instruct ethereal to only check remote port 80/443 traffic to see if there are some inbound connection from *.yahoo.com that are being blocked by iptables.

did you use the new yahoo web interface or the classic one?

Last edited by Sin.citadel (2008-08-15 13:05:00)

jaideep_jdof · 2008-08-15 14:25:09

I am using the classic one. I have no idea what ethereal is and how to use it.

Sin.citadel · 2008-08-16 03:20:04

u can check which packets are being blocked by using iptables own logs, after you have set your iptables policy, simply use

iptables -A INPUT -i ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

then log into yahoo again and when you encounter the error again, open file /var/log/iptables.log and sift through it to find why iptables is blocking the packet or post the file here.

also, do you get a HTTP error like a 502,404,connect timeout, or does it simply stop.

arch0r · 2008-08-16 03:28:59

before using the logs, you have to order iptables to write logs

add this to your input chain:
iptables -A INPUT -j LOG -m limit --limit 5/s --log-prefix "INPUT-DROP:"

jaideep_jdof · 2008-08-17 11:37:45

Thanks guys for help i changed the yahoo interface from classic to the new on and the issue was solved.

tigrmesh · 2008-08-19 03:54:05

Please mark this thread as solved. Thanks!

Arch Linux

#1 2008-08-12 16:52:01

[solved]iptable dropping packet

#2 2008-08-13 16:18:57

Re: [solved]iptable dropping packet

#3 2008-08-13 16:30:36

Re: [solved]iptable dropping packet

#4 2008-08-13 16:54:11

Re: [solved]iptable dropping packet

#5 2008-08-14 04:13:59

Re: [solved]iptable dropping packet

#6 2008-08-14 08:01:50

Re: [solved]iptable dropping packet

#7 2008-08-14 11:51:53

Re: [solved]iptable dropping packet

#8 2008-08-14 12:28:27

Re: [solved]iptable dropping packet

#9 2008-08-14 17:35:52

Re: [solved]iptable dropping packet

#10 2008-08-15 13:03:53

Re: [solved]iptable dropping packet

#11 2008-08-15 14:25:09

Re: [solved]iptable dropping packet

#12 2008-08-16 03:20:04

Re: [solved]iptable dropping packet

#13 2008-08-16 03:28:59

Re: [solved]iptable dropping packet

#14 2008-08-17 11:37:45

Re: [solved]iptable dropping packet

#15 2008-08-19 03:54:05

Re: [solved]iptable dropping packet

Board footer