web access fails (only) from my local network

after much ado, I am pleased to have my home network working lately.. an NT workstation, a W2K workstation, and a RH Linux 7.1 server/router connected to DSL.  I have configured ipchains to do the routing which, for the most part, works.

But there is one web site (I expect others, but we haven't run into them yet) that will not load on the client machines.  If I switch the cables and configuration to eliminate the router (connecting W2K or NT to the DSL modem directly), the site comes up fine.  The site is "www.realtor.com".

Any idea why this site gets stuck behind the router?  (not just their home page, but also direct links..)

Thanks, George
ifincham Commented:

Interesting one this. I'm using IP masquerading but with iptables instead of ipchains and I can connect from a win98 client via RH7.1 masquerading to that site (http://www.realtor.com or http://lib.realtor.com or without any apparent problems. It uses IIS 5 and javascript but that's really irrelevant if it works by direct connection. Perhaps there's a timeout of some kind.

If you have a 2.4.x kernel and iptables you could always try iptables instead of ipchains and see if it makes any difference :

echo 1 >/proc/sys/net/ipv4/ip_forward
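# one module per modprobe call: extra words are treated as module options
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_state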
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s -j MASQUERADE

(If any problem with the modules just load them all via : '/sbin/insmod /lib/modules/2.4.2/kernel/net/ipv4/netfilter/*' - where 2.4.2 is your actual kernel as per 'uname -r'.)

It looks more complicated but the main difference is that iptables comes with lots of optional modules - so you need to load the ones you need first !

Anyway, clearly from what you say there is something different going on with the masqueraded connection compared to direct connection. If you were really interested you could try to log the transactions to and from their ip address, i.e. . If you want to try this I'll give you the syntax...
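
The logging suggested in the comment above, as an added example that is not part of the original thread or any poster's own commands: it prints iptables LOG rules for one remote address and summarises the resulting kernel log lines per direction. The address 192.0.2.10, the LAN client 192.168.1.2, the log prefixes, the function names and the sample log lines are all constructed for illustration; eth1 is taken as the DSL side, as in the MASQUERADE rule above.

```shell
#!/bin/sh
# Added example. SITE_IP is a placeholder from the RFC 5737 documentation
# range, not the site's real address.
SITE_IP="192.0.2.10"

# Print the LOG rules for review; pipe the output to sh as root to apply them.
# -I puts them first in FORWARD; LOG does not stop a packet being forwarded.
log_rules() {
    echo "/sbin/iptables -I FORWARD -d $1 -j LOG --log-prefix 'to-site: '"
    echo "/sbin/iptables -I FORWARD -s $1 -j LOG --log-prefix 'from-site: '"
}

# Read kernel log lines on stdin and report, per direction, the packet
# count, the number of SYNs and the largest IP length seen.
summarize_log() {
    awk '
    /to-site: /   { dir = "to" }
    /from-site: / { dir = "from" }
    !/(to|from)-site: / { next }   # skip lines the two rules did not write
    {
        n[dir]++
        for (i = 1; i <= NF; i++) {
            if ($i == "SYN") syn[dir]++
            if ($i ~ /^LEN=/ && substr($i, 5) + 0 > max[dir]) max[dir] = substr($i, 5) + 0
        }
    }
    END {
        printf "to   packets=%d syn=%d maxlen=%d\n", n["to"], syn["to"], max["to"]
        printf "from packets=%d syn=%d maxlen=%d\n", n["from"], syn["from"], max["from"]
    }'
}

# Constructed sample of what the two rules write to the kernel log.
sample_log() {
    cat <<'EOF'
Aug 13 09:14:01 router kernel: to-site: IN=eth0 OUT=eth1 SRC=192.168.1.2 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4021 DF PROTO=TCP SPT=1051 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 13 09:14:04 router kernel: to-site: IN=eth0 OUT=eth1 SRC=192.168.1.2 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4022 DF PROTO=TCP SPT=1051 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 13 09:14:04 router kernel: from-site: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=9120 DF PROTO=TCP SPT=80 DPT=1051 WINDOW=17520 RES=0x00 ACK SYN URGP=0
Aug 13 09:14:04 router kernel: to-site: IN=eth0 OUT=eth1 SRC=192.168.1.2 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4023 DF PROTO=TCP SPT=1051 DPT=80 WINDOW=17520 RES=0x00 ACK URGP=0
Aug 13 09:14:04 router kernel: to-site: IN=eth0 OUT=eth1 SRC=192.168.1.2 DST=192.0.2.10 LEN=420 TOS=0x00 PREC=0x00 TTL=127 ID=4024 DF PROTO=TCP SPT=1051 DPT=80 WINDOW=17520 RES=0x00 ACK PSH URGP=0
Aug 13 09:14:05 router kernel: from-site: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=192.168.1.2 LEN=339 TOS=0x00 PREC=0x00 TTL=113 ID=9121 DF PROTO=TCP SPT=80 DPT=1051 WINDOW=17100 RES=0x00 ACK PSH URGP=0
EOF
}

log_rules "$SITE_IP"
sample_log | summarize_log
```

Running the same summary once through the router and comparing the counts per direction shows whether requests leave and replies come back for the masqueraded client.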


How is your ipchains setup? Can you give me the whole script?

The only thing I can guess is because there is re-direction going on from the home page that maybe causes a firewall problem (for example packets back from different address to that sent to) ....

This is the raw HTML of the home page :

HTTP/1.1 302 Object moved
Server: Microsoft-IIS/5.0
Date: Mon, 13 Aug 2001 07:13:51 GMT
Connection: close
Location: /default.asp?hm=on
Content-Length: 139
Content-Type: text/html
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/default.asp?hm=on">here</a>.</body>

Does it make a difference if clients do :


gljr (Author) Commented:
fobzz, ifincham, thanks for your posts..

ipchains is set as
Policy=ACCEPT for input/forward/output
forward rule="ipchains -A forward -j MASQ -s -i eth1"

it makes no difference if I reference the sub-page.

But since it seems plausible for this to be a firewall problem, it seems odd to me that despite this "open firewall", I cannot connect via telnet or ftp from either internal or external clients...?

as always, your help is appreciated.

Have you turned on ipforwarding? If there is a 0 in the file /proc/sys/net/ipv4/ip_forward then it will not route anything through it. Type:
echo 1 > /proc/sys/net/ipv4/ip_forward

And see if that sorts it? It's always the one that I forget to do.
gljr (Author) Commented:

Thank you for your interest, but it should be clear from the fact that ONLY 1 web site has this problem, that I have enabled IP forwarding (the command you suggested).
Are you using a proxy server squid or something?
Also could you try going to www.jungle.com and www.btinternet.com. Do these 2 work?
I am working on a similar problem too at the moment, but with iptables not ipchains. What version of the kernel are you on?
gljr (Author) Commented:

I have no problem going to either of the sites you mentioned.  And as far as your similar problem, I will be happy to review it, once you have posted a question.  If you don't mind, I'd like to keep this question focussed on the problem at hand.

Thanks, George
gljr (Author) Commented:

I can't actually say if your answer works as I don't have this setup any longer.... but I figure your effort is worth the 50 pts.
