iptables issue?

David Kramer david-8uUts6sDVDvs2Lz0fTdYFQ at public.gmane.org
Thu Dec 25 11:35:09 EST 2008


OK, this one's a little confusing.

Background: janus.thekramers.net is my server and my firewall, running 
Fedora 8.  eth0 (static IP address 75.149.142.17) goes to my cablemodem 
and eth1 goes to my intranet via a switch.

For a long time (I don't know when it started), images from many 
websites would not load, and trying to wget the URL of the image would 
hang, when browsing (using any browser) on janus.  The images load fine 
on machines in my intranet, so they're coming in through the cablemodem 
and out through eth1, but cannot be accessed locally.  I came to the 
realization yesterday that if you follow the rabbit hole down, the 
images from all these websites were served by IP addresses owned by 
Akamai.  AHA!

There are hundreds of lines like this in /var/log/messages with 96.17.x.x:
# grep 96.17 /var/log/messages
Dec 25 11:10:08 janus kernel: Inbound IN=eth0 OUT= 
MAC=00:50:8d:b3:d5:2a:00:13:f7:be:31:76:08:00 SRC=96.17.73.19 
DST=75.149.142.17 LEN=44 TOS=0x00 PREC=0x20 TTL=59 ID=0 DF PROTO=TCP 
SPT=80 DPT=51598 WINDOW=5840 RES=0x00 ACK SYN URGP=0

Dec 25 11:11:42 janus kernel: Inbound IN=eth0 OUT= 
MAC=00:50:8d:b3:d5:2a:00:13:f7:be:31:76:08:00 SRC=96.17.72.33 
DST=75.149.142.17 LEN=44 TOS=0x00 PREC=0x20 TTL=59 ID=0 DF PROTO=TCP 
SPT=80 DPT=57413 WINDOW=5840 RES=0x00 ACK SYN URGP=0

Dec 25 11:11:42 janus kernel: Inbound IN=eth0 OUT= 
MAC=00:50:8d:b3:d5:2a:00:13:f7:be:31:76:08:00 SRC=96.17.73.19 
DST=75.149.142.17 LEN=44 TOS=0x00 PREC=0x20 TTL=59 ID=0 DF PROTO=TCP 
SPT=80 DPT=51598 WINDOW=5840 RES=0x00 ACK SYN URGP=0

I found this in the iptables NR chain:
LSI        all  --  96.0.0.0/8           75.149.142.16/30

The other reference to the NR chain is
NR         all  -- !75.149.142.16/30     0.0.0.0/0

You can see my whole iptables dump at
http://thekramers.net/tmp/iptables_dump

In fact, there are quite a few lines in that chain with x.0.0.0/8.  I 
don't know a ton about iptables, so I'm sorry if some of these questions 
are a little basic.

1) Does that rule look like it blocks all of 96.?

2) How would that have gotten in there?  I can't imagine I put it in 
there myself?

3) How could the rule block the IP address on Janus but let it through 
to my intranet?

4) How can I drop that rule to test it out?  Should I?

5) How can I delete that rule permanently?  I see there's a 
/etc/sysconfig/iptables and /etc/sysconfig/iptables-config, but neither 
file seems to hold all those rules.

6) This is a side question, but how can I get firewall messages to go to 
some other file than /var/log/messages?  I get so many it's impossible 
to find other messages.

Thanks, and have a great holiday!
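As an added example (not from the post, and not Fedora's or iptables' own tooling), this Python traces the quoted log lines against the two quoted rules: it parses the kernel LOG line format, applies `-s`/`-d` matching including the `!` negation on the NR jump, and notes that each logged packet is a SYN/ACK from port 80, i.e. the reply to a connection janus opened itself. Chain names and CIDRs are taken from the post; what the LSI target does is not shown there and is not assumed here.

```python
import ipaddress

# Constructed from two of the kernel LOG lines quoted in the post, unwrapped onto one line each.
LOG_LINES = [
    "Dec 25 11:10:08 janus kernel: Inbound IN=eth0 OUT= MAC=00:50:8d:b3:d5:2a:00:13:f7:be:31:76:08:00 "
    "SRC=96.17.73.19 DST=75.149.142.17 LEN=44 TOS=0x00 PREC=0x20 TTL=59 ID=0 DF PROTO=TCP "
    "SPT=80 DPT=51598 WINDOW=5840 RES=0x00 ACK SYN URGP=0",
    "Dec 25 11:11:42 janus kernel: Inbound IN=eth0 OUT= MAC=00:50:8d:b3:d5:2a:00:13:f7:be:31:76:08:00 "
    "SRC=96.17.72.33 DST=75.149.142.17 LEN=44 TOS=0x00 PREC=0x20 TTL=59 ID=0 DF PROTO=TCP "
    "SPT=80 DPT=57413 WINDOW=5840 RES=0x00 ACK SYN URGP=0",
]
# The two rules quoted in the post as (target, -s argument, -d argument); a leading '!' is iptables negation.
NR_JUMP = ("NR", "!75.149.142.16/30", "0.0.0.0/0")
LSI_RULE = ("LSI", "96.0.0.0/8", "75.149.142.16/30")


def parse_log_line(line):
    """Return (key=value fields, bare flags such as DF/SYN/ACK); bare tokens before IN= are the --log-prefix."""
    tokens = line.split("kernel: ", 1)[1].split()
    fields, flags, prefix, seen_in = {}, set(), [], False
    for tok in tokens:
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
            seen_in = seen_in or key == "IN"
        elif seen_in:
            flags.add(tok)
        else:
            prefix.append(tok)
    fields["PREFIX"] = " ".join(prefix)
    return fields, flags

def cidr_matches(spec, addr):
    """Evaluate one -s/-d argument against an address, honouring the '!' negation."""
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != spec.startswith("!")

def rule_matches(rule, fields):
    """True when the packet's SRC and DST both satisfy the rule's -s and -d arguments."""
    _, src, dst = rule
    return cidr_matches(src, fields["SRC"]) and cidr_matches(dst, fields["DST"])

def classify(line):
    """Trace one logged packet: does it reach NR and hit the LSI rule, and is it a SYN/ACK from port 80?"""
    fields, flags = parse_log_line(line)
    target = LSI_RULE[0] if rule_matches(NR_JUMP, fields) and rule_matches(LSI_RULE, fields) else None
    # SPT=80 with SYN and ACK set is a web server's reply to a connection this host opened itself.
    syn_ack_reply = fields.get("PROTO") == "TCP" and fields.get("SPT") == "80" and {"SYN", "ACK"} <= flags
    return {"src": fields["SRC"], "dst": fields["DST"], "target": target, "syn_ack_reply": syn_ack_reply}

RESULTS = [classify(line) for line in LOG_LINES]
```

Any other LOG line from /var/log/messages can be dropped into LOG_LINES as-is; the packets the post quotes all reach NR and match the LSI rule, and all are SYN/ACK replies rather than unsolicited inbound connections.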