I installed Red Hat Enterprise Linux 8.5 (using a free personal developer licence), which comes with kernel 4.18. I decided to modernize and use an nft-based firewall script.
At first glance it works. But a subset of the internet is inaccessible. Specifically, any attempt to access http://news.yahoo.com fails from any machine other than the gateway machine itself. Paring the script down to the bare minimum, which I paste here:
table ip nat {
    chain postrouting {
        type nat hook postrouting priority filter; policy accept;
        oifname "ppp0" masquerade
    }
}
everything works except news.yahoo.com (and, it appears, other things on the same CDN or whatever).
I figured I'd wait until RHEL9 and its newer kernel, but I did a test using another machine running FC39 (same kernel version) and the problem is the same.
These setups can still load my old iptables-based firewall config. That also works, but it also has the problem above. It does not have the problem on the old CentOS 6 machine. I'm stumped. Where can I even begin to go for help with this?
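A check a practitioner would run on a NAT gateway whose uplink is a PPP interface: the ruleset below is an added example, not the poster's script, and it assumes (the post does not say) that the failing sites are the ones whose large TCP segments cannot cross the smaller-MTU ppp0 link, so it adds a TCP MSS clamp next to the masquerade rule.

```nft
#!/usr/sbin/nft -f
# Added example, not the original poster's configuration.
# Assumptions: ppp0 is the uplink, and the LAN hosts reach the
# internet only through this gateway.
flush ruleset

table ip nat {
    chain postrouting {
        # srcnat (100) is the conventional priority for masquerade;
        # the poster's "priority filter" (0) also works here.
        type nat hook postrouting priority srcnat; policy accept;
        oifname "ppp0" masquerade
    }
}

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy accept;
        # Clamp the MSS of forwarded SYNs to the route MTU of ppp0 so
        # that LAN hosts never emit segments larger than the PPP link
        # can carry; this sidesteps path-MTU blackholing when ICMP
        # "fragmentation needed" messages are lost or filtered.
        oifname "ppp0" tcp flags syn tcp option maxseg size set rt mtu
    }
}
```

Load it with `nft -f <file>` and compare `ip link show ppp0` (the link MTU) against the MSS seen in a capture of a LAN host's SYN; if the site loads only once the clamp is in place, the MTU assumption is confirmed.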