On Sun, 2011-02-20 at 14:34 -0800, Shwaine wrote:
> Sorry for the late reply, I've been swamped with program reviews,
> candidate interviews, paper writing and teaching all week.... (the things
> we do for academia, heh)

A *very* late reply. Where were you in August, to translate the implications for me when I made the same observations back then?

http://lugod.org/mailinglists/archives/vox-tech/2010-08/msg00006.html

> To follow-up on the TCP 3-way handshake issue, in particular, the ACK
> packet is not getting through. If you look at the original tcpdump log,
> the SYN from the outside world gets in, the SYN/ACK from satan gets out,
> but the final ACK from the outside world never arrives.
>
> I sincerely doubt this is an Apache issue. It looks more like an iptables
> issue to me. Try what Troy recommends to confirm that netcat also gets
> blocked (which I suspect it will) just to be sure it isn't Apache. If you
> cannot get through with netcat, the next thing to do is check iptables
> with the following command:
>
> iptables -L -n
>
> Forward the output from that command to the list and we can see if it's
> your iptables rules that are preventing the connection from establishing.
> In particular, I would bet you don't have an "allow RELATED,ESTABLISHED"
> rule in place. You probably only have an "allow SYN to port 80" in place.
> Without the corresponding related/established rule, your TCP 3-way
> handshake would get cut off on sending the final ACK, just as was seen in
> your tcpdump output.
>
> For example, for my webserver, you would see the following in the iptables
> INPUT chain with the above iptables command:
>
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     tcp  --  0.0.0.0/0            <my IP address>      tcp spts:1024:65535 dpt:80 flags:0x17/0x02
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>
> If you are missing that second line while having the "flags" on the first
> line (allow SYN flag only) and your default policy on INPUT is to DROP,
> then you've found your culprit.
>
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
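Added illustration (not code from this thread or from the iptables project): a small Python model of the INPUT chain Shwaine describes, with a toy connection tracker, to show why a "SYN only to port 80" rule on its own drops the client's final ACK while a "state RELATED,ESTABLISHED" rule lets it through. The addresses, ports and the simplified conntrack behaviour are constructed assumptions; real netfilter connection tracking has more states than modelled here.

```python
"""Model of a stateful iptables INPUT chain handling a TCP 3-way handshake.
Added example for illustration only; addresses and ports are constructed."""
from dataclasses import dataclass

# TCP flag bits as used in iptables --tcp-flags and in the
# "flags:0x17/0x02" notation printed by iptables -L -n
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
HANDSHAKE_MASK = FIN | SYN | RST | ACK  # 0x17 in the quoted rule


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int  # bitwise OR of the constants above; all packets here are TCP


class Conntrack:
    """Simplified connection tracker (assumption: not a faithful netfilter
    model). A flow is NEW until a packet on it has been accepted; after that
    every packet on the same 4-tuple, in either direction, is ESTABLISHED."""

    def __init__(self):
        self.flows = set()

    @staticmethod
    def key(p):
        # Direction-independent key: {(src, sport), (dst, dport)}
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def state(self, p):
        return "ESTABLISHED" if self.key(p) in self.flows else "NEW"

    def confirm(self, p):
        self.flows.add(self.key(p))


def accept_syn_to_port(port):
    """Models: ACCEPT tcp dpt:<port> flags:0x17/0x02
    i.e. SYN must be set and FIN, RST, ACK must all be clear."""
    def rule(p, ct):
        return p.dport == port and (p.flags & HANDSHAKE_MASK) == SYN
    return rule


def accept_related_established(p, ct):
    """Models: ACCEPT all state RELATED,ESTABLISHED."""
    return ct.state(p) == "ESTABLISHED"


def filter_input(p, rules, ct, policy="DROP"):
    """Walk the INPUT chain top to bottom; first match wins, else the policy."""
    for rule in rules:
        if rule(p, ct):
            ct.confirm(p)  # an accepted packet creates/keeps the flow entry
            return "ACCEPT"
    return policy


def simulate_handshake(rules, client="203.0.113.5", server="192.0.2.10"):
    """Return the INPUT verdicts for the two inbound handshake packets:
    the client's SYN and the client's final ACK."""
    ct = Conntrack()
    verdicts = []
    syn = Packet(client, 40000, server, 80, SYN)
    verdicts.append(filter_input(syn, rules, ct))
    if verdicts[-1] != "ACCEPT":
        # The server never saw the SYN, so no SYN/ACK and no final ACK follow.
        return verdicts
    # The server's SYN/ACK leaves through OUTPUT, which this model does not
    # filter; it belongs to the flow already confirmed by the accepted SYN.
    final_ack = Packet(client, 40000, server, 80, ACK)
    verdicts.append(filter_input(final_ack, rules, ct))
    return verdicts


def handshake_completes(rules):
    """True only if both inbound handshake packets are accepted."""
    return simulate_handshake(rules) == ["ACCEPT", "ACCEPT"]


if __name__ == "__main__":
    syn_only = [accept_syn_to_port(80)]
    stateful = [accept_syn_to_port(80), accept_related_established]
    print("SYN-only chain:", simulate_handshake(syn_only))   # ['ACCEPT', 'DROP']
    print("with state rule:", simulate_handshake(stateful))  # ['ACCEPT', 'ACCEPT']
```

The model reproduces the symptom in the tcpdump: the inbound SYN is accepted, but the client's bare ACK (flags 0x10, which fails the 0x17/0x02 match) hits the DROP policy unless a RELATED,ESTABLISHED rule precedes it. On a real host the equivalent fix is a rule such as `iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`, verified afterwards with `iptables -L -n` as the thread suggests.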