
#1 2009-10-08 05:51:51

tony5429
Member
Registered: 2006-03-28
Posts: 1,017

Servers are Inaccessible Via Some Wifi

So I've set up two different Arch64 servers in two different locations on a college campus, and I've used the same set of iptables rules for each (it was a set of rules I recorded from reading through the arch wiki). I find that if iptables is running on one of the servers, it will be accessible via ssh and http from any wired or wireless connection off campus, and any wired connection on campus - however, it will be unaccessible by a wireless connection on campus using either ssh or http. I know it's weird... If I use '/etc/rc.d/iptables stop' to stop the service, the problem is resolved. However, I would like to be able to run iptables, and access the servers via wifi on campus. Does anyone have any ideas what is going on? Below is the set of commands I issued (as root) on each server to set up the iptables rules...

nano /etc/conf.d/iptables (set IPTABLES_FORWARD=0)
iptables -N open
iptables -N interfaces
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j interfaces
iptables -A INPUT -j open
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A interfaces -i lo -j ACCEPT
iptables -A interfaces -i eth0 -j ACCEPT
iptables -A open -p tcp --dport 22 -j ACCEPT
iptables -A open -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -A open -i foo -p tcp --dport 65000:65005 -j ACCEPT
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -I INPUT -i eth0 -s 10.0.0.0/8 -j DROP
iptables -I INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -I INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -I INPUT -i eth0 -s 127.0.0.0/8 -j DROP
/etc/rc.d/iptables save


#2 2009-10-09 13:04:42

tony5429
Member
Registered: 2006-03-28
Posts: 1,017

Re: Servers are Inaccessible Via Some Wifi

Anyone?


#3 2009-10-09 15:15:10

Ramses de Norre
Member
From: Leuven - Belgium
Registered: 2007-03-27
Posts: 1,289

Re: Servers are Inaccessible Via Some Wifi

Can you ping the servers from a wireless connection on campus? The first rule allows ICMP so pings should work (if they are not blocked before they reach your firewall).
Also, these lines look like they may be blocking wanted traffic:

iptables -I INPUT -i eth0 -s 10.0.0.0/8 -j DROP
iptables -I INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -I INPUT -i eth0 -s 192.168.0.0/16 -j DROP


#4 2009-10-09 20:55:14

tony5429
Member
Registered: 2006-03-28
Posts: 1,017

Re: Servers are Inaccessible Via Some Wifi

Thanks for the tip. Just tried pinging from wifi on campus and cannot even ping the servers. So does that mean those three rules you mentioned are not the problem?


#5 2009-10-09 21:04:25

Ramses de Norre
Member
From: Leuven - Belgium
Registered: 2007-03-27
Posts: 1,289

Re: Servers are Inaccessible Via Some Wifi

At least not the only problem, no.
So you can connect to the servers from outside the campus network, which means they are reachable from the internet. But you can't from the internal network... Do you try to connect to them on regular ports? Maybe someone is blocking non-http ports?


#6 2009-10-11 22:26:10

tony5429
Member
Registered: 2006-03-28
Posts: 1,017

Re: Servers are Inaccessible Via Some Wifi

I think I'm trying to connect over normal ports... One of the servers has a domain name (namely http://norpass.com) and what fails on campus is...

- ping norpass.com
- ssh (username)@norpass.com
- accessing norpass.com on Firefox

If I'm off campus or on the campus' wired network the three things above work perfectly fine...

The issue with the other server (which does not have a domain name but does have its own externally accessible IP address) is exactly the same.

Last edited by tony5429 (2009-10-11 22:28:23)

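The ruleset from the first post, replayed in a small Python model of iptables evaluation order (an added example, not code from the thread). It shows that the four "-I" source DROPs sit ahead of every other rule, and that the "interfaces" chain accepts all remaining eth0 traffic, so the "open" chain and the REJECT rules only ever filter other interfaces. The addresses are constructed, and treating the campus wireless clients as arriving from an RFC 1918 range is an assumption the thread does not confirm.

```python
import ipaddress

# Model of the INPUT chain the commands in the first post build. The kernel
# walks rules top to bottom; "-I" inserts at position 1, so the four source
# DROPs land first (in reverse entry order), ahead of every "-A" rule.
def rule(target, iface=None, src=None, proto=None, dport=None, state=None):
    return dict(target=target, iface=iface, proto=proto, dport=dport,
                state=state, src=ipaddress.ip_network(src) if src else None)

INTERFACES = [rule("ACCEPT", iface="lo"), rule("ACCEPT", iface="eth0")]
OPEN = [rule("ACCEPT", proto="tcp", dport=22),
        rule("ACCEPT", iface="ppp0", proto="tcp", dport=80),
        rule("ACCEPT", iface="foo", proto="tcp", dport=range(65000, 65006))]
INPUT = ([rule("DROP", iface="eth0", src=n) for n in
          ("127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]
         + [rule("ACCEPT", proto="icmp"),
            rule("ACCEPT", state="RELATED,ESTABLISHED"),
            rule("interfaces"), rule("open"),
            rule("REJECT", proto="tcp"), rule("REJECT", proto="udp")])
# The "-A INPUT -p tcp ... -j DROP" lines come after the two REJECTs and
# therefore never see a TCP packet; they are left out of the model.
CHAINS = {"interfaces": INTERFACES, "open": OPEN}
POLICY = "DROP"  # iptables -P INPUT DROP

def matches(r, pkt):
    if r["iface"] and r["iface"] != pkt["iface"]:
        return False
    if r["src"] and ipaddress.ip_address(pkt["src"]) not in r["src"]:
        return False
    if r["proto"] and r["proto"] != pkt["proto"]:
        return False
    if r["dport"] is not None and pkt["dport"] not in (
            r["dport"] if isinstance(r["dport"], range) else (r["dport"],)):
        return False
    return not r["state"] or pkt["state"] in r["state"].split(",")

def walk(rules, pkt):
    for r in rules:
        if matches(r, pkt):
            t = r["target"]
            if t not in CHAINS:
                return t
            v = walk(CHAINS[t], pkt)  # user chain: return on a verdict,
            if v:                     # otherwise fall through to next rule
                return v
    return None

def verdict(iface, src, proto, dport=None, state="NEW"):
    pkt = dict(iface=iface, src=src, proto=proto, dport=dport, state=state)
    return walk(INPUT, pkt) or POLICY
```

With constructed addresses, verdict("eth0", "203.0.113.5", "tcp", 8080) is ACCEPT because eth0 is trusted wholesale, while verdict("eth0", "10.20.30.40", "icmp") is DROP before the ICMP rule is ever reached, which matches a client that cannot even ping.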
