Some webpages on android never fully load

Expected Behaviour:

All webpages should load on android with blocked ads

Actual Behaviour:

Forums such as DDWRT never actually finish loading - they sit there with some of the page loaded, ads are blocked but the rest of the page content (forum posts) never load. Works fine on windows clients.

ddwrt is serving dns settings as my pihole with dhcp with dnsmasq. Pihole is using opendns as its dns.

Debug Token:

uploading failed - think it's a firewall restriction on my end

btw - happy to upload the debug log somewhere manually - just don't know how to do that...

gentle bump ;o)

Hi - Thanks for the response - I disabled iptables and everything works fine (on a hunch after I read another post about android clients trying to connect). I'm pretty certain this is related to why openssl debug upload isn't working (though I can curl an https address no issues from the pihole.)

Not really sure what's going on as I'm allowing DNS, http and rejecting https as per the instructions on the link. Here's my iptables:

root@pihole:/usr/local/bin# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp spt:ssh ctstate NEW,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t
ACCEPT tcp -- anywhere anywhere tcp dpt:51107
ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:domain
ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:http
ACCEPT udp -- 192.168.1.0/24 anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:9000 ctstate NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:9000 ctstate NEW,RELATED,ESTABLISHED
REJECT tcp -- 192.168.1.0/24 anywhere tcp dpt:https reject-with tcp-reset
REJECT udp -- 192.168.1.0/24 anywhere udp dpt:80 reject-with icmp-port-unreachable
REJECT udp -- 192.168.1.0/24 anywhere udp dpt:443 reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:ssh

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-request
DROP tcp -- anywhere ROUTER tcp dpt:https
DROP tcp -- anywhere ROUTER tcp dpt:ssh
DROP tcp -- anywhere ROUTER tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http ctstate NEW,ESTABLISHED
ACCEPT tcp -- 192.168.1.0/24 anywhere tcp spt:http ctstate NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:https ctstate NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:domain ctstate NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:domain ctstate NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:domain ctstate NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:domain ctstate NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:51107 ctstate NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:ipsec-nat-t ctstate ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:isakmp ctstate ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:9000 ctstate NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:9000 ctstate NEW,RELATED,ESTABLISHED

And specifically the input chain verbosely:

root@pihole:~# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
216 17663 ACCEPT all -- lo any anywhere anywhere
475 40088 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:ssh ctstate NEW,ESTABLISHED
1134 105K ACCEPT all -- any any anywhere anywhere state NEW,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:isakmp
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:ipsec-nat-t
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:51107
0 0 ACCEPT tcp -- any any 192.168.1.0/24 anywhere tcp dpt:domain
0 0 ACCEPT tcp -- any any 192.168.1.0/24 anywhere tcp dpt:http
0 0 ACCEPT udp -- any any 192.168.1.0/24 anywhere udp dpt:domain
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:9000 ctstate NEW,RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:9000 ctstate NEW,RELATED,ESTABLISHED
0 0 REJECT tcp -- any any 192.168.1.0/24 anywhere tcp dpt:https reject-with tcp-reset
0 0 REJECT udp -- any any 192.168.1.0/24 anywhere udp dpt:80 reject-with icmp-port-unreachable
0 0 REJECT udp -- any any 192.168.1.0/24 anywhere udp dpt:443 reject-with icmp-port-unreachable


And I ran the commands as follows for nmap debug:

root@server1:~# nmap --reason pihole -p443 -Pn

Starting Nmap 6.47 ( http://nmap.org ) at 2018-04-11 09:31 BST
Nmap scan report for pihole
Host is up, received arp-response (0.00057s latency).
PORT STATE SERVICE REASON
443/tcp filtered https no-response

Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds
root@server1:~# nmap --reason pihole -p443 -Pn

Starting Nmap 6.47 ( http://nmap.org ) at 2018-04-11 09:32 BST
Nmap scan report for pihole
Host is up, received arp-response (0.00064s latency).
PORT STATE SERVICE REASON
443/tcp filtered https no-response

Nmap done: 1 IP address (1 host up) scanned in 0.67 seconds
root@server1:~#

I think something is wrong with my iptables settings as it's not rejecting with reset as it should - however when I remove all firewall rules temporarily the problem goes away. Highly confusing!

Hi somehow this got marked as resolved - it isn't resolved. Can anyone help please?

UPDATE - SOLVED! Because I am using default policies of DROP for INPUT, OUTPUT and FORWARD tables the tcp-reset return messages weren't getting out - the OUTPUT table was blocking them!

Added the following rule and all is working - the port is now showing as closed:

iptables -A OUTPUT -p tcp --tcp-flags RST RST -j ACCEPT

Nmap output:

PORT    STATE  SERVICE REASON
443/tcp closed https   reset ttl 64

I still don't know how to allow the udp outputs for the following input rules but just allowing tcp 443 seems to have fixed it.

0 0 REJECT udp -- any any 192.168.1.0/24 anywhere udp dpt:80 reject-with icmp-port-unreachable
0 0 REJECT udp -- any any 192.168.1.0/24 anywhere udp dpt:443 reject-with icmp-port-unreachable

Thanks for your help - all good now, hope this helps someone else!

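The failure mode in this thread (an INPUT chain that rejects with tcp-reset or icmp-port-unreachable while the OUTPUT chain's default policy DROP swallows the reply the kernel generates) is easy to audit for before it bites. The script below is an added example, not code from the thread or from the Pi-hole project: it takes an iptables-save style ruleset as text, checks whether every reply type used by an INPUT REJECT rule has a corresponding OUTPUT ACCEPT, and prints the two rules that let those replies out. The RST rule is the one the thread settled on; the ICMP port-unreachable rule is my suggested analogue for the two udp reject rules, which the thread left open, and is an assumption rather than something the thread confirms. Both rulesets are constructed to resemble the one posted above.

```shell
#!/bin/sh
# Added example, not from the thread above. Audits an iptables-save style
# ruleset for the failure mode the thread hit: INPUT REJECT rules whose reply
# packets (TCP RST, ICMP port-unreachable) are silently dropped because the
# OUTPUT chain's default policy is DROP and nothing lets the replies out.

# Constructed ruleset modelled on the thread's: OUTPUT policy DROP, INPUT
# rejects with tcp-reset and icmp-port-unreachable, no allow for the replies.
RULESET_BROKEN='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp --dport 443 -j REJECT --reject-with tcp-reset
-A INPUT -s 192.168.1.0/24 -p udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.0/24 -p udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
COMMIT'

# The same constructed ruleset with the thread's RST fix and the matching
# ICMP allow rule (the ICMP rule is an assumption, not from the thread).
RULESET_FIXED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp --dport 443 -j REJECT --reject-with tcp-reset
-A INPUT -s 192.168.1.0/24 -p udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.0/24 -p udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp --tcp-flags RST RST -j ACCEPT
-A OUTPUT -p icmp --icmp-type port-unreachable -j ACCEPT
COMMIT'

# Print the two OUTPUT rules that let REJECT replies leave the host.
reply_allow_rules() {
    echo 'iptables -A OUTPUT -p tcp --tcp-flags RST RST -j ACCEPT'
    echo 'iptables -A OUTPUT -p icmp --icmp-type port-unreachable -j ACCEPT'
}

# check_reject_replies RULESET
# Returns 0 when every reply type used by an INPUT REJECT rule has an OUTPUT
# ACCEPT, or when OUTPUT policy is ACCEPT so the question does not arise.
# Returns 1 (and names each problem on stdout) otherwise.
check_reject_replies() {
    ruleset="$1"
    rc=0
    # With OUTPUT policy ACCEPT the kernel-generated replies leave unhindered.
    printf '%s\n' "$ruleset" | grep -Eq '^:OUTPUT (DROP|REJECT)' || return 0

    if printf '%s\n' "$ruleset" | grep -q -- '-A INPUT .*--reject-with tcp-reset'; then
        printf '%s\n' "$ruleset" \
            | grep -Eq '^-A OUTPUT .*-p tcp .*--tcp-flags RST RST .*-j ACCEPT' \
            || { echo 'tcp-reset replies cannot leave: OUTPUT lacks an RST ACCEPT'; rc=1; }
    fi
    if printf '%s\n' "$ruleset" | grep -q -- '-A INPUT .*--reject-with icmp-port-unreachable'; then
        # iptables-save writes --icmp-type port-unreachable as 3/3; accept both spellings.
        printf '%s\n' "$ruleset" \
            | grep -Eq '^-A OUTPUT .*-p icmp .*--icmp-type (port-unreachable|3/3) .*-j ACCEPT' \
            || { echo 'icmp-port-unreachable replies cannot leave: OUTPUT lacks an ICMP ACCEPT'; rc=1; }
    fi
    return $rc
}

# Demo on the two constructed rulesets.
check_reject_replies "$RULESET_BROKEN" || echo 'broken ruleset: REJECT replies would be dropped'
check_reject_replies "$RULESET_FIXED" && echo 'fixed ruleset: REJECT replies allowed out'
```

To audit a live host, feed it the real saved ruleset instead of the constructed one: `check_reject_replies "$(iptables-save)"`. The symptom to expect when the check fails is exactly what the nmap run above showed, a port reported as filtered with no-response instead of closed with a reset, because the REJECT fired but its reply never made it past OUTPUT.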
