On 12/10/2019 12:01 AM, Nektarios Katakis wrote:
> Hello,
>
> I am running an iptables firewall on an openwrt router I've got, which
> acts as firewall/gateway and performs NATing for my internal network -
> debian PCs and android phones.
>
> All good but specific web sites are not loading for the machines that
> are sitting behind the home router.
>
> When attempting on the browser (firefox but tried different ones) the
> browser stays at `Performing a TLS handshake to bitbucket.org`. wget has
> similar results:
> ```
> wget https://bitbucket.org
> --2019-12-09 22:07:32-- https://bitbucket.org/
> Resolving bitbucket.org (bitbucket.org)... 18.205.93.0, 18.205.93.1, 18.205.93.2, ...
> Connecting to bitbucket.org (bitbucket.org)|18.205.93.0|:443... connected.
> ```
> When doing a tcpdump on the router side I can see some initial TCP
> session establishment and then nothing:
> ```
> tcpdump -vvvi br-lan port 443 | grep bitbucket.org
> tcpdump: listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
> 192.168.2.168.54440 > bitbucket.org.443: Flags [S], cksum 0xb3a3 (correct), seq 2816225641, win 29200, options [mss 1460,sackOK,TS val 15744661 ecr 0,nop,wscale 7], length 0
> bitbucket.org.443 > 192.168.2.168.54440: Flags [S.], cksum 0x5c8d (correct), seq 1149625734, ack 2816225642, win 26847, options [mss 1460,sackOK,TS val 4256708721 ecr 15744661,nop,wscale 7], length 0
> 192.168.2.168.54440 > bitbucket.org.443: Flags [.], cksum 0xf33d (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 15744683 ecr 4256708721], length 0
> 192.168.2.168.54440 > bitbucket.org.443: Flags [P.], cksum 0x58a5 (correct), seq 1:221, ack 1, win 229, options [nop,nop,TS val 15744684 ecr 4256708721], length 220
> bitbucket.org.443 > 192.168.2.168.54440: Flags [.], cksum 0xf211 (correct), seq 1, ack 221, win 219, options [nop,nop,TS val 4256708810 ecr 15744684], length 0
> bitbucket.org.443 > 192.168.2.168.54440: Flags [P.], cksum 0x9998 (correct), seq 2897:3668, ack 221, win 219, options [nop,nop,TS val 4256708810 ecr 15744684], length 771
> 192.168.2.168.54440 > bitbucket.org.443: Flags [.], cksum 0x4e08 (correct), seq 221, ack 1, win 251, options [nop,nop,TS val 15744705 ecr 4256708810,nop,nop,sack 1 {2897:3668}], length 0
> ```
>
> Of course doing a wget from the router itself works fine as it also
> works fine on my desktop if I do dynamic port-forwarding with e.g. `ssh
> -D 1050 router` (and configure of course firefox to use it).
>
> I'm not sure what might be wrong here tbh. Of course other (most) sites
> work fine without dynamic forwarding or anything.
>
> I am attaching the output of `iptables --list-rules` for whoever is
> patient enough to read.
>
> Any help would be appreciated.
>
Are you still seeing the error if you do:

$ /etc/init.d/firewall stop

WARNING: You will not have any firewall protection if you do that

Is the issue still manifesting itself if the configuration is reset to
factory default?

This is a Debian mailing list, you might be better off on the OpenWrt
forum.

--
John Doe
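Editor's note on reading the quoted capture (an added example, not part of the thread): after the handshake the client sends its 220-byte ClientHello (seq 1:221) and the server ACKs it, but the next server segment that reaches br-lan starts at relative seq 2897. Bytes 1..2896 from bitbucket.org never appear on the interface, the client's `sack 1 {2897:3668}` confirms the receiver sees the same hole, and 2896 is exactly two 1448-byte payloads (MSS 1460 minus the 12-byte timestamp option). Large segments vanishing while small ones pass is the pattern a practitioner would check path MTU and MSS clamping for; that is an inference from the numbers, not something the thread establishes. The script below parses `tcpdump -vvv` lines (the thread's own capture, re-joined one segment per line, used here as constructed input) and reports such holes per flow. The 1460 fallback MSS is an assumption used only when a flow's SYN is not in the trace.

```python
"""Locate holes in a TCP byte stream from tcpdump -vvv output.

Each data-bearing segment reports relative sequence numbers "seq lo:hi".
If a segment starts beyond the highest byte already seen for that flow,
the bytes in between never reached the capture point.
"""
import re

# Constructed sample: the seven segments from the capture quoted in the
# thread, re-joined one segment per line (the mail wrapped them).
SAMPLE = """\
192.168.2.168.54440 > bitbucket.org.443: Flags [S], cksum 0xb3a3 (correct), seq 2816225641, win 29200, options [mss 1460,sackOK,TS val 15744661 ecr 0,nop,wscale 7], length 0
bitbucket.org.443 > 192.168.2.168.54440: Flags [S.], cksum 0x5c8d (correct), seq 1149625734, ack 2816225642, win 26847, options [mss 1460,sackOK,TS val 4256708721 ecr 15744661,nop,wscale 7], length 0
192.168.2.168.54440 > bitbucket.org.443: Flags [.], cksum 0xf33d (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 15744683 ecr 4256708721], length 0
192.168.2.168.54440 > bitbucket.org.443: Flags [P.], cksum 0x58a5 (correct), seq 1:221, ack 1, win 229, options [nop,nop,TS val 15744684 ecr 4256708721], length 220
bitbucket.org.443 > 192.168.2.168.54440: Flags [.], cksum 0xf211 (correct), seq 1, ack 221, win 219, options [nop,nop,TS val 4256708810 ecr 15744684], length 0
bitbucket.org.443 > 192.168.2.168.54440: Flags [P.], cksum 0x9998 (correct), seq 2897:3668, ack 221, win 219, options [nop,nop,TS val 4256708810 ecr 15744684], length 771
192.168.2.168.54440 > bitbucket.org.443: Flags [.], cksum 0x4e08 (correct), seq 221, ack 1, win 251, options [nop,nop,TS val 15744705 ecr 4256708810,nop,nop,sack 1 {2897:3668}], length 0
"""

SEG_RE = re.compile(
    r"^(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\].*?"
    r"seq (?P<lo>\d+)(?::(?P<hi>\d+))?.*?length (?P<len>\d+)$"
)
SACK_RE = re.compile(r"\{(\d+):(\d+)\}")   # SACK blocks print as: sack N {lo:hi}{lo:hi}
MSS_RE = re.compile(r"\bmss (\d+)")
TS_OPTION_LEN = 12        # payload bytes the TCP timestamp option costs per segment
DEFAULT_MSS = 1460        # assumption used only if a flow's SYN is not in the trace


def parse_segment(line):
    """Parse one tcpdump line into a dict; None for header or non-TCP lines."""
    m = SEG_RE.match(line.strip())
    if not m:
        return None
    mss = MSS_RE.search(line)
    return {
        "src": m["src"], "dst": m["dst"], "flags": m["flags"],
        "lo": int(m["lo"]), "hi": int(m["hi"]) if m["hi"] else None,
        "length": int(m["len"]),
        "sack": [(int(lo), int(hi)) for lo, hi in SACK_RE.findall(line)],
        "mss": int(mss.group(1)) if mss else None,
    }


def find_gaps(trace):
    """Return (gaps, sacks, mss) for a trace.

    gaps:  one dict per hole: the flow and the half-open relative byte
           range [start, end) that was never captured.
    sacks: (flow, blocks) for every segment carrying SACK blocks.
    mss:   host -> MSS it advertised in its SYN.
    """
    expected, gaps, sacks, mss = {}, [], [], {}
    for raw in trace.splitlines():
        seg = parse_segment(raw)
        if seg is None:
            continue
        flow = (seg["src"], seg["dst"])
        if "S" in seg["flags"]:
            # The SYN carries the absolute ISN; tcpdump switches to relative
            # numbering afterwards, where the first payload byte is seq 1.
            expected[flow] = 1
            if seg["mss"]:
                mss[seg["src"]] = seg["mss"]
            continue
        if seg["sack"]:
            sacks.append((flow, seg["sack"]))
        if seg["length"] == 0 or seg["hi"] is None:
            continue                          # pure ACK, no payload to account for
        want = expected.get(flow, 1)
        if seg["lo"] > want:
            gaps.append({"flow": flow, "start": want, "end": seg["lo"],
                         "bytes": seg["lo"] - want})
        expected[flow] = max(want, seg["hi"])
    return gaps, sacks, mss


def full_segments(missing_bytes, mss, ts_option=True):
    """How many maximum-size segments a hole equals, or None if it is not a
    whole number of them. With timestamps negotiated, a full segment carries
    mss - 12 bytes of payload."""
    payload = mss - TS_OPTION_LEN if ts_option else mss
    return missing_bytes // payload if missing_bytes % payload == 0 else None


def report(trace):
    """Summarise holes and SACKs as text lines (returned, so they can be checked)."""
    gaps, sacks, mss = find_gaps(trace)
    lines = []
    for g in gaps:
        src, dst = g["flow"]
        # A sender's segments are bounded by the MSS its peer (dst) advertised.
        n = full_segments(g["bytes"], mss.get(dst, DEFAULT_MSS))
        shape = f"exactly {n} full-size segment(s)" if n else "not a whole number of full segments"
        lines.append(f"{src} -> {dst}: bytes {g['start']}..{g['end'] - 1} never seen "
                     f"({g['bytes']} bytes, {shape})")
    for flow, blocks in sacks:
        lines.append(f"{flow[0]} SACKed {blocks} from {flow[1]}: receiver confirms the hole")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run it against a longer `tcpdump -vvv -i br-lan port 443` capture (without the `grep`, which can drop continuation lines) to see whether every stalled site shows the same shape: a hole at the start of the server's response that is a whole number of full-size segments, followed by only the short tail segment.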