Solved

web access fails (only) from my local network

Posted on 2001-08-12
Last Modified: 2010-03-18
After much ado, I am pleased to have my home network working lately: an NT workstation, a W2K workstation, and a RH Linux 7.1 server/router connected to DSL.  I have configured ipchains to do the routing which, for the most part, works.

But there is one web site (I expect others, but we haven't run into them yet) that will not load on the client machines.  If I switch the cables and configuration to eliminate the router (connecting W2K or NT to the DSL modem directly), the site comes up fine.  The site is "www.realtor.com".

Any idea why this site gets stuck behind the router?  (Not just their home page, but also direct links.)

Thanks, George
Question by:gljr
10 Comments
 
LVL 1

Expert Comment

by:fobzz
ID: 6378684
How is your ipchains set up? Can you give me the whole script?
0
 
LVL 2

Expert Comment

by:ifincham
ID: 6378852
Hi,

The only thing I can guess is because there is re-direction going on from the home page that maybe causes a firewall problem (for example packets back from a different address to that sent to) ....

This is the raw HTML of the home page :

HTTP/1.1 302 Object moved
Server: Microsoft-IIS/5.0
Date: Mon, 13 Aug 2001 07:13:51 GMT
Connection: close
Location: /default.asp?hm=on
Content-Length: 139
Content-Type: text/html
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/default.asp?hm=on">here</a>.</body>

Does it make a difference if clients do :

http://www.realtor.com/default.asp?hm=on

Rgds
0
 

Author Comment

by:gljr
ID: 6383902
fobzz, ifincham, thanks for your posts..

ipchains is set as
Policy=ACCEPT for input/forward/output
forward rule="ipchains -A forward -j MASQ -s 192.168.1.0/24 -i eth1"

it makes no difference if I reference the sub-page.

But since it seems plausible for this to be a firewall problem, it seems odd to me that despite this "open firewall", I cannot connect via telnet or ftp from either internal or external clients...?

As always, your help is appreciated.

George
0
 

Expert Comment

by:Boring
ID: 6384369
Have you turned on ipforwarding? If there is a 0 in the file /proc/sys/net/ipv4/ip_forward then it will not route anything through it. Type:
echo 1 > /proc/sys/net/ipv4/ip_forward

And see if that sorts it? It's always the one that I forget to do.
0
 

Author Comment

by:gljr
ID: 6384607
Boring,

Thank you for your interest, but it should be clear from the fact that ONLY 1 web site has this problem, that I have enabled IP forwarding (the command you suggested).
0
 

Expert Comment

by:Boring
ID: 6384816
Sorry,
Are you using a proxy server squid or something?
Also could you try going to www.jungle.com and www.btinternet.com. Do these 2 work?
I am working on a similar problem too at the moment, but with iptables not ipchains. What version of the kernel are you on?
0
 

Author Comment

by:gljr
ID: 6384904
Boring,

I have no problem going to either of the sites you mentioned.  And as far as your similar problem, I will be happy to review it, once you have posted a question.  If you don't mind, I'd like to keep this question focussed on the problem at hand.

Thanks, George
0
 
LVL 2

Accepted Solution

by:
ifincham earned 50 total points
ID: 6385577
Hi,

Interesting one this. I'm using ip masquerading but with iptables instead of ipchains and I can connect from a win98 client via RH7.1 masquerading to that site (http://www.realtor.com or http://lib.realtor.com or http://206.131.171.11) without any apparent problems. It uses IIS 5 and javascript but that's really irrelevant if it works by direct connection. Perhaps there's a timeout of some kind.

If you have a 2.4.x kernel and iptables you could always try iptables instead of ipchains and see if it makes any difference :


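# Enable routing between the interfaces
echo 1 >/proc/sys/net/ipv4/ip_forward
# modprobe treats extra arguments as module options, so load one module per call
# (the 2.4 NAT helper for FTP is named ip_nat_ftp)
for m in ip_tables iptable_nat ip_nat_ftp ip_conntrack ip_conntrack_ftp ipt_LOG ipt_state; do
    /sbin/modprobe "$m"
done
# Masquerade everything from the internal subnet leaving via eth1
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 172.16.16.0/24 -j MASQUERADE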


(If any problem with the modules just load them all via : '/sbin/insmod /lib/modules/2.4.2/kernel/net/ipv4/netfilter/*' - where 2.4.2 is your actual kernel as per 'uname -r'. )

It looks more complicated but the main difference is that iptables comes with lots of optional modules - so you need to load the ones you need first !

Anyway, clearly from what you say there is something different going on with the masqueraded connex compared to direct connection. If you were really interested you could try to log the transactions to and from their ip address, i.e. 206.131.171.11 . If you want to try this I'll give you the syntax...


Regards


0
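The logging suggested in the accepted answer could be done as follows. This is an added example, not part of the original thread or any poster's code; the `site-out:`/`site-in:` prefixes, the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
HOST=206.131.171.11   # address quoted in the answer above

# Print (do not run) LOG rules for both directions of forwarded traffic.
# -I puts them at the head of FORWARD, ahead of any ACCEPT/DROP rule.
log_rules() {
    echo "/sbin/iptables -I FORWARD -d $1 -j LOG --log-prefix 'site-out: '"
    echo "/sbin/iptables -I FORWARD -s $1 -j LOG --log-prefix 'site-in: '"
}

# Read kernel log lines on stdin; count packets and TCP flags per direction.
summarize() {
    awk -v host="$1" '
    {
        dir = ""
        for (i = 1; i <= NF; i++) {
            if ($i == ("DST=" host)) dir = "out"
            if ($i == ("SRC=" host)) dir = "in"
        }
        if (dir == "") next
        n[dir]++
        for (i = 1; i <= NF; i++) {
            if ($i == "SYN") syn[dir]++
            if ($i == "RST") rst[dir]++
            if ($i == "FIN") fin[dir]++
        }
    }
    END {
        split("out in", ds, " ")
        for (k = 1; k <= 2; k++) {
            d = ds[k]
            printf "%s packets=%d syn=%d rst=%d fin=%d\n", d, n[d], syn[d], rst[d], fin[d]
        }
    }'
}

# Constructed, abbreviated ipt_LOG lines (not captured from the poster's network).
sample_log() {
    cat <<'EOF'
Aug 14 10:00:01 gw kernel: site-out: IN=eth0 OUT=eth1 SRC=172.16.16.5 DST=206.131.171.11 LEN=48 PROTO=TCP SPT=1045 DPT=80 SYN URGP=0
Aug 14 10:00:01 gw kernel: site-in: IN=eth1 OUT=eth0 SRC=206.131.171.11 DST=172.16.16.5 LEN=48 PROTO=TCP SPT=80 DPT=1045 ACK SYN URGP=0
Aug 14 10:00:01 gw kernel: site-out: IN=eth0 OUT=eth1 SRC=172.16.16.5 DST=206.131.171.11 LEN=40 PROTO=TCP SPT=1045 DPT=80 ACK URGP=0
Aug 14 10:00:01 gw kernel: site-out: IN=eth0 OUT=eth1 SRC=172.16.16.5 DST=206.131.171.11 LEN=420 PROTO=TCP SPT=1045 DPT=80 ACK PSH URGP=0
Aug 14 10:00:04 gw kernel: site-out: IN=eth0 OUT=eth1 SRC=172.16.16.5 DST=206.131.171.11 LEN=420 PROTO=TCP SPT=1045 DPT=80 ACK PSH URGP=0
Aug 14 10:00:05 gw kernel: other: IN=eth0 OUT=eth1 SRC=172.16.16.5 DST=192.0.2.80 LEN=48 PROTO=TCP SPT=1046 DPT=80 SYN URGP=0
EOF
}

sample_log | summarize "$HOST"
```

To use it on a live router, run `log_rules 206.131.171.11 | sh` as root, reproduce the failed page load from a client, then feed the kernel log (for example `/var/log/messages` on Red Hat) to `summarize`.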
 

Expert Comment

by:CleanupPing
ID: 9078702
gljr:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 

Author Comment

by:gljr
ID: 9079973
ifincham,

I can't actually say if your answer works as I don't have this setup any longer.... but I figure your effort is worth the 50 pts.
0
