This is one of the weirder issues I've come across.
We have a dedicated IP on our system that we recently assigned to a client's domain. We have APF enabled on our system and when you visit the site's IP in a browser it fails to load. Firefox gives:

The connection was reset
The connection to the server was reset while the page was loading.
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
So we disable APF:
Code:
root@X [~]# service apf stop
Stopping APF: [ OK ]
root@X [~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
as a test and the site loads fine. Obviously, something in APF is preventing this site from loading. So, we went through the standard config options in conf.apf, disabling the PHP list, P2P list, Spamhaus list, clearing deny_host.rules, basically stripping APF down to block as little as possible. No change.
We next tried to flush iptables after starting APF and this is what our iptables looks like afterwards:
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DSHIELD (0 references)
target prot opt source destination
Chain FRAG_UDP (0 references)
target prot opt source destination
Chain IN_SANITY (0 references)
target prot opt source destination
Chain OUT_SANITY (0 references)
target prot opt source destination
Chain P2P (0 references)
target prot opt source destination
Chain PHP (0 references)
target prot opt source destination
Chain PROHIBIT (0 references)
target prot opt source destination
Chain PZERO (0 references)
target prot opt source destination
Chain RESET (0 references)
target prot opt source destination
Chain SDROP (0 references)
target prot opt source destination
Chain TALLOW (0 references)
target prot opt source destination
Chain TDENY (0 references)
target prot opt source destination
Chain TGALLOW (0 references)
target prot opt source destination
Chain TGDENY (0 references)
target prot opt source destination
Chain TMP_DROP (0 references)
target prot opt source destination
Chain acctboth (0 references)
target prot opt source destination
Even with no rules in iptables, the IP is still failing to load. So what's the difference? Well, I guess there are a bunch of chains defined, so let's get rid of those as well:
Code:
root@X [~]# iptables -X acctboth
root@X [~]# iptables -X TMP_DROP
root@X [~]# iptables -X TGDENY
root@X [~]# iptables -X TGALLOW
root@X [~]# iptables -X TDENY
root@X [~]# iptables -X TALLOW
root@X [~]# iptables -X SDROP
root@X [~]# iptables -X RESET
root@X [~]# iptables -X PZERO
root@X [~]# iptables -X PROHIBIT
root@X [~]# iptables -X PHP
root@X [~]# iptables -X P2P
root@X [~]# iptables -X OUT_SANITY
root@X [~]# iptables -X IN_SANITY
root@X [~]# iptables -X FRAG_UDP
root@X [~]# iptables -X DSHIELD
And now our iptables looks like this:
Code:
root@X [~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
But the IP still fails to load!
At this point, if I run:
Code:
root@X [~]# service apf stop
Stopping APF: [ OK ]
root@X [~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
the site loads fine. I am 100% baffled by this issue. How can two identical iptables listings have different behavior?
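Every listing in the post comes from a plain `iptables -L`, which without `-t` prints only the filter table; whatever a firewall script leaves in the nat, mangle or raw tables is not shown there, so two identical `iptables -L` listings do not prove the rule sets are identical. The script below is an added example and is not from the original post or from APF: it summarises an `iptables-save` dump (which covers all tables) table by table and prints the rules that sit outside filter. The sample dump, the address 203.0.113.10 and the DROP rule in it are constructed for illustration, not taken from the poster's system; `live_summary` runs the real `iptables-save` and needs root.

```shell
#!/bin/sh
# Added example, not from the original post: summarise every table in an
# iptables-save dump, since "iptables -L" without -t shows only the filter table.

# Constructed sample dump for illustration (the address 203.0.113.10 and the
# DROP rule are made up): the filter table is empty, but a mangle rule remains.
SAMPLE_DUMP='# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp --dport 80 -j DROP
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
COMMIT'

# rules_per_table DUMP: print "<table> <rule count>" for each table in the dump.
# Lines starting with "*" name a table and "-A" lines are rules; chain policy
# lines (":"), comments and COMMIT are ignored.
rules_per_table() {
  printf '%s\n' "$1" | awk '
    /^\*/  { table = substr($0, 2); count[table] = 0; order[n++] = table; next }
    /^-A / { count[table]++ }
    END    { for (i = 0; i < n; i++) print order[i], count[order[i]] }'
}

# tables_with_rules DUMP: names of tables that still carry at least one rule.
tables_with_rules() {
  rules_per_table "$1" | awk '$2 > 0 { print $1 }'
}

# hidden_rules DUMP: the rules themselves, limited to tables other than filter,
# i.e. exactly what a plain "iptables -L" would not have shown.
hidden_rules() {
  printf '%s\n' "$1" | awk '
    /^\*/  { table = substr($0, 2); next }
    /^-A / && table != "filter" { print table ": " $0 }'
}

# live_summary: the same report for the running kernel (needs root and
# iptables-save on the PATH).
live_summary() {
  dump=$(iptables-save) || return 1
  rules_per_table "$dump"
  hidden_rules "$dump"
}

# Demonstration on the constructed dump.
rules_per_table "$SAMPLE_DUMP"
tables_with_rules "$SAMPLE_DUMP"
hidden_rules "$SAMPLE_DUMP"
```

On the affected machine, save `iptables-save` output once with APF running (after the flush and `-X` steps) and once after `service apf stop`, then `diff` the two files: if the filter sections match but the files differ, the remaining difference is in another table, which the `-L` listings in the post could never reveal.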