Unusual iptables question

Bill Horne bill at billhorne.homelinux.org
Thu Jan 23 16:14:21 EST 2003


Thanks for reading this. I have another unusual iptables question.

I've been censoring my son's access to web sites with iptables: I ban 
everything I haven't inspected first, and add sites on a case-by-case 
basis.

This works fine for most sites, but www.disney.com doesn't seem to fit 
the mold. When I add an exception to his "henry" viewing list for the 
Disney site, nothing happens. I can log the traffic, and see both his 
outgoing message and the replies, but the browser never shows them.

This happens ONLY with www.disney.com!

Here's the relevant part of the iptables ruleset from the iptables-save command;
note that the packet counts have been reinitialized since the incident.

# Generated by iptables-save v1.2.5 on Thu Jan 23 16:07:27 2003
*mangle [snipped]
*nat
:PREROUTING ACCEPT [593992:186785481]
:POSTROUTING ACCEPT [52429:9427068]
:OUTPUT ACCEPT [71202:10619230]
-A POSTROUTING -o eth0 -j MASQUERADE 
COMMIT
# Completed on Thu Jan 23 16:07:27 2003
# Generated by iptables-save v1.2.5 on Thu Jan 23 16:07:27 2003
*filter
:INPUT DROP [503745:179842804]
:FORWARD DROP [639:41691]
:OUTPUT ACCEPT [947114:378990286]
:henry - [0:0]
:http - [0:0]
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -j DROP 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -i eth1 -j ACCEPT 
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j http 
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j http 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 500 -j ACCEPT 
-A FORWARD -s 192.168.0.3 -i eth1 -p tcp -m tcp --dport 80 -j henry 
-A FORWARD -s 192.168.0.0/255.255.255.0 -i eth0 -j DROP 
-A FORWARD -p tcp -m tcp --dport 19555 -j ACCEPT 
-A FORWARD -s 68.7.44.67 -i eth0 -j ACCEPT 
-A FORWARD -d 68.7.44.67 -i eth1 -j ACCEPT 
-A FORWARD -p tcp -m tcp --dport 20 -j ACCEPT 
-A FORWARD -p tcp -m tcp --dport 21 -j ACCEPT 
-A FORWARD -p icmp -j ACCEPT 
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -i eth1 -p udp -m udp --dport 13 -j ACCEPT 
-A FORWARD -i eth1 -p tcp -m tcp --dport 13 -j ACCEPT 
-A FORWARD -i eth1 -p tcp -m tcp --dport 20:23 -j ACCEPT 
-A FORWARD -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT 
-A FORWARD -i eth1 -p udp -m udp --dport 53 -j ACCEPT 
-A FORWARD -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT 
-A FORWARD -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT 
-A FORWARD -i eth1 -p tcp -m tcp --dport 110 -j ACCEPT 
-A FORWARD -i eth1 -p tcp -m tcp --dport 119 -j ACCEPT 
-A FORWARD -i eth1 -p udp -m udp --dport 123 -j ACCEPT 
-A FORWARD -i eth1 -p tcp -m tcp --dport 123 -j ACCEPT 
-A FORWARD -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT 
-A FORWARD -p tcp -m state --state NEW -m tcp --dport 500 -j ACCEPT 
-A henry -d 64.124.83.72 -p tcp -m tcp --dport 80 -j ACCEPT 
-A henry -d 64.124.83.64 -p tcp -m tcp --dport 80 -j ACCEPT 
-A henry -d 207.166.220.2 -p tcp -m tcp --dport 80 -j ACCEPT 
-A henry -d 164.109.48.78 -p tcp -m tcp --dport 80 -j ACCEPT 
-A henry -d 209.249.123.223 -p tcp -m tcp --dport 80 -j ACCEPT 
-A henry -d 209.249.123.188 -p tcp -m tcp --dport 80 -j ACCEPT 
-A henry -d 192.156.19.112 -p tcp -m tcp --dport 80 -j ACCEPT 
-A henry -d 192.156.19.111 -p tcp -m tcp --dport 80 -j ACCEPT 
-A henry -d 192.156.19.109 -p tcp -m tcp --dport 80 -j ACCEPT 
-A henry -d 138.147.50.5 -p tcp -m tcp --dport 80 -j ACCEPT 
-A henry -d 140.183.234.10 -p tcp -m tcp --dport 80 -j ACCEPT 
-A henry -d 131.84.1.31 -p tcp -m tcp --dport 80 -j ACCEPT 
-A henry -d 24.123.107.138 -p tcp -m tcp --dport 80 -j ACCEPT 
-A henry -j DROP 
-A http -s 61.58.219.253 -j DROP ["http" table used to ban virus sites]
-A http -s 217.99.141.71 -j DROP [remaining entries in http table snipped]

COMMIT
# Completed on Thu Jan 23 16:07:27 2003

Thanks in advance for your help.

Bill Horne
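An added example (mine, not part of Bill's post): a small Python model of how netfilter walks the FORWARD chain into the user-defined chain henry, first match wins, and an unlisted destination falls through to the final "-A henry -j DROP". The ruleset embedded below is a constructed excerpt of the listing above with the allow-list shortened to two addresses, the parser handles only the options that listing uses, and the helper forward_verdict is hypothetical. The third case illustrates something the listing itself implies: the jump to henry is made only for port 80, so a port 443 connection from 192.168.0.3 is accepted by the generic eth1 rule without the allow-list ever being consulted.

```python
import ipaddress

# Constructed excerpt modelled on the iptables-save listing in the post;
# the henry allow-list is shortened to two of its addresses.
RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:henry - [0:0]
-A FORWARD -s 192.168.0.3 -i eth1 -p tcp -m tcp --dport 80 -j henry
-A FORWARD -s 192.168.0.0/255.255.255.0 -i eth0 -j DROP
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A henry -d 64.124.83.72 -p tcp -m tcp --dport 80 -j ACCEPT
-A henry -d 209.249.123.223 -p tcp -m tcp --dport 80 -j ACCEPT
-A henry -j DROP
COMMIT
"""


def parse_ports(spec):
    """'80' -> (80, 80); '20:23' -> (20, 23)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


class Rule:
    """One '-A chain ...' line reduced to the matchers the listing uses."""

    def __init__(self, tokens):
        self.src = self.dst = self.iface = self.proto = None
        self.dport = self.states = self.target = None
        it = iter(tokens)
        for tok in it:
            if tok == "-s":
                self.src = ipaddress.ip_network(next(it), strict=False)
            elif tok == "-d":
                self.dst = ipaddress.ip_network(next(it), strict=False)
            elif tok == "-i":
                self.iface = next(it)
            elif tok == "-p":
                self.proto = next(it)
            elif tok == "--dport":
                self.dport = parse_ports(next(it))
            elif tok == "--state":
                self.states = set(next(it).split(","))
            elif tok == "-j":
                self.target = next(it)
            elif tok == "-m":
                next(it)  # match-extension name (tcp, state); nothing to record

    def matches(self, pkt):
        if self.src and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.dst and ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.iface and pkt["in"] != self.iface:
            return False
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.dport and not (self.dport[0] <= pkt["dport"] <= self.dport[1]):
            return False
        if self.states and pkt["state"] not in self.states:
            return False
        return True


def parse_ruleset(text):
    """Return ({chain: [Rule, ...]}, {chain: policy or None})."""
    chains, policies = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name] = []
            policies[name] = None if policy == "-" else policy
        elif line.startswith("-A "):
            tokens = line.split()
            chains.setdefault(tokens[1], []).append(Rule(tokens[2:]))
    return chains, policies


def evaluate(chains, policies, chain, pkt, trace):
    """Walk a chain first-match style; returns ACCEPT, DROP or RETURN."""
    for rule in chains.get(chain, []):
        if not rule.matches(pkt):
            continue
        trace.append(f"{chain}: -> {rule.target}")
        if rule.target in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return rule.target
        if rule.target in chains:  # jump into a user-defined chain
            verdict = evaluate(chains, policies, rule.target, pkt, trace)
            if verdict != "RETURN":
                return verdict
        # other targets (LOG etc.) are non-terminating: keep walking
    # end of chain: built-in chains fall back to their policy,
    # user-defined chains return to the caller
    return policies.get(chain) or "RETURN"


def forward_verdict(dst, dport, src="192.168.0.3", in_iface="eth1"):
    """Hypothetical helper: verdict and trace for a NEW tcp connection."""
    chains, policies = parse_ruleset(RULESET)
    pkt = {"src": src, "dst": dst, "in": in_iface,
           "proto": "tcp", "dport": dport, "state": "NEW"}
    trace = []
    return evaluate(chains, policies, "FORWARD", pkt, trace), trace


if __name__ == "__main__":
    for dst, port in [("64.124.83.72", 80), ("198.51.100.10", 80), ("198.51.100.10", 443)]:
        print(dst, port, forward_verdict(dst, port))
```

Destination 198.51.100.10 is a documentation address standing in for any host not on the list. Running the three cases shows a listed host accepted inside henry, an unlisted one dropped by henry's last rule, and a port 443 connection accepted by FORWARD without a henry entry in the trace at all; the model ignores the nat table and connection tracking of reply packets, which the real kernel handles separately.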
