Link to home
Start Free TrialLog in
Avatar of colonialiu20
colonialiu20Flag for United States of America

asked on

Yahoo mail affected by new Linux Firewall w/ web filter

I recently implimented a transparent proxy running Fedora Core 5 and Dansguardian for web filtering purposes.
Not knowing much about iptables, through a mix of resources and EE advice, I used the following for Internet traffic to be allowed through, and for traffic to be redirected to the Dansguardian filter:

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE (where eth1 is the NIC connected to the wireless router)
iptables -A FORWARD -i eth0 -j ACCEPT (where eth0 is the nic connected to your LAN i.e. your laptop)
iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 -j REDIRECT --to-port 8080
/etc/init.d/iptables save

It works just fine.
I have one user on the simple network having problems with Yahoo Mail.  When they login with this network the colors are gone, the text jumbled everywhere, and much of the functionality not working.  In effect their email is unusable in this network. -Works fine elsewhere.

It was recommended that maybe Yahoo was using a port I didn't have open, BUT I believe the above iptable command allows all outbound ports.  I want to fix that too but first things first.

I can't find a reference to Yahoo using a special port.  All other web-based and POP3 mail works perfectly fine. is whitelisted with regard to the filter.

If someone thinks I need to make iptables changes please provide commands, as I haven't figured that aspect out yet.

Explanations and step by step directions are appreciated.
Avatar of noci

to find out what traffic passes you can use tcpdump.../ ethereal/ wireshark
and likewise packet sniffers.

use it like

tcpdump -ni eth0 host

and use the right ipaddress on
then try to access yahoo, that will tell you what ports are used.
if yahoo uses port 80, then also your proxy might have impact.

btw, all outside->inside access to port 80 is also redirected to port 8080,
dont known if it was meant that way.
And indeed if that's all you did to the iptables rules then you don't block any
traffic. (dansguardian).
Avatar of colonialiu20


Well the problem was resolved.  It just took a day for me to walk away from and of course it was simple.  Apparently ALL of the graphics in the site are located in the '' domain -which was blocked.  After whitelisting that site it all works fine.

I will likely have actual IPtable troubles in the near future, as I obviously need the firewall locked down.  For now there is at least a router sitting between the Linux box and the outside world to protect incoming traffic.
I agree
Avatar of Computer101
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial