Fedora Linux Support Community & Resources Center

#1  ACiD GRiM, 13th December 2009, 03:57 AM
iptables masquerade, can ping but no http access...

I've got two routers, 10.0.0.0/23 and 192.168.2.0/24, which are joined by a Linux box with interfaces eth0 (10.0.0.2) and ra0 (192.168.2.2). I've got masquerading for ra0, and a route to 192.168.2.0/24 on 10.0.0.0's router. I CAN ping hosts on 192.168.2.0 from 10.0.0.0 just fine, but I CANNOT access web pages.

Strangely, if I enable masquerading on eth0, and add a route to 192.168.2.0's router to 10.0.0.0, I can ping AND access web pages from 192.168.2.0.

Here is my current iptables

Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ra0 -p tcp -m state --state NEW  --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 20,22,21,25,53,69,80,111,139,161,443,445,631,636 --syn -j$
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 849,875,898,990,2049,8037,9830,32803,51235,56750 --syn -j$
-A INPUT -i eth0 -p udp -m state --state NEW -m multiport --dports 20,21,53,67,69,111,123,137,138,161,631,849,875,989 -j ACC$
-A INPUT -i eth0 -p udp -m state --state NEW -m multiport --dports 990,1812,1813,1900,2049,5353,32769,56750 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j ACCEPT
COMMIT

*mangle
COMMIT

*nat
-A POSTROUTING -o ra0 -j MASQUERADE
COMMIT
I'm completely stumped as pinging works very well, but apparently TCP access is restricted.

Last edited by ACiD GRiM; 13th December 2009 at 04:06 AM.
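An added example, not code from the thread: a small Python evaluator for iptables-save style rules that walks the INPUT and FORWARD chains in first-match order for a web SYN and a ping arriving on eth0. It understands only the matches the rules above use (-i, -p, --dport/--dports, --icmp-type, --state, --reject-with), and the ruleset it runs on is a constructed, trimmed copy of the one in this post. The point it makes is that traffic forwarded between the two subnets never passes INPUT, and with FORWARD accepting everything the filter table is not what blocks TCP.

```python
import shlex
# Constructed sample trimmed from post #1 (one multiport rule stands in for the eth0 lines).
SAMPLE_RULES = """\
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 22,80,443 --syn -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j ACCEPT
"""
def parse_filter(text):
    """Return {chain: (policy, [rule dicts])}; understands only the matches used above."""
    chains = {}
    for line in text.splitlines():
        if line.startswith(":"):                      # ":INPUT ACCEPT [0:0]"
            name, policy = line[1:].split()[:2]
            chains[name] = (policy, [])
        elif line.startswith("-A "):
            toks = [t for t in shlex.split(line) if t != "--syn"]   # --syn takes no value
            opts = dict(zip(toks[2::2], toks[3::2]))               # {"-i": "eth0", ...}
            ports = opts.get("--dport") or opts.get("--dports")
            chains[toks[1]][1].append({
                "iface": opts.get("-i"), "proto": opts.get("-p"),
                "icmp_type": opts.get("--icmp-type"),
                "dports": {int(p) for p in ports.split(",")} if ports else None,
                "states": set(opts["--state"].split(",")) if "--state" in opts else None,
                "target": " ".join(filter(None, [opts["-j"], opts.get("--reject-with")])),
            })
    return chains

def lookup(chains, chain, pkt):
    """First-match walk of one chain; an unmatched packet gets the chain policy."""
    for r in chains[chain][1]:
        if (r["iface"] in (None, pkt["iface"]) and r["proto"] in (None, pkt["proto"])
                and r["icmp_type"] in (None, pkt.get("icmp_type"))
                and (r["dports"] is None or pkt.get("dport") in r["dports"])
                and (r["states"] is None or pkt["state"] in r["states"])):
            return r["target"]
    return chains[chain][0]

def diagnose(rules_text=SAMPLE_RULES):
    """Where a web SYN and a ping arriving on eth0 land on the Linux box."""
    chains = parse_filter(rules_text)
    syn = {"iface": "eth0", "proto": "tcp", "dport": 80, "state": "NEW"}
    ping = {"iface": "eth0", "proto": "icmp", "icmp_type": "echo-request", "state": "NEW"}
    return {"INPUT tcp/80 via eth0": lookup(chains, "INPUT", syn),
            "INPUT tcp/80 via ra0": lookup(chains, "INPUT", dict(syn, iface="ra0")),
            "FORWARD tcp/80 eth0->ra0": lookup(chains, "FORWARD", syn),
            "FORWARD ping eth0->ra0": lookup(chains, "FORWARD", ping)}
```

Paste the output of `iptables-save -t filter` in place of the sample to run the same lookups against a live ruleset.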
#2  lensman3, 14th December 2009, 04:14 PM
Pinging uses ICMP packets, not TCP. Try using traceroute to get to the hosts. Traceroute uses TCP, but you will probably have to open up traceroute's TCP ports. See if ping has a TCP mode where it "pings" using TCP packets.
#3  ACiD GRiM, 14th December 2009, 04:48 PM
Well, you're incorrect about traceroute using TCP; it definitely uses ICMP as well, but I tried tcptraceroute and

Code:
Tracing the path to 192.168.2.8 on TCP port 80 (http), 30 hops max
 1  10.0.0.2  1.038 ms  0.648 ms  0.695 ms
 2  192.168.2.8 [open]  4.661 ms  995.834 ms  2000.214 ms
It's got a very long delay, so I'm going to see if wireshark sees anything when I try to connect via web browser.

It turns out packets are getting dropped left and right. I get replies back from 192.168.2.8, but they're "Lost segment" ACKS. It's a wireless connection, so range is the issue here. Thanks for helping me discover tcping and tcptraceroute though.

So the wireless isn't an issue at all because I can lynx to 192.168.2.8 from the box just fine, but if I use lynx from my laptop same issue. What could be slowing this down? All other services are snappy and CPU load is 0.21, 0.08, 0.01

Last edited by ACiD GRiM; 14th December 2009 at 05:35 PM.
#4  lensman3, 14th December 2009, 06:23 PM
You're right. Traceroute uses TCP on the transmit side with the "time to live" field set. It starts with 1 and increments until it gets to the other end. As the time-to-live expires, the intermediate routers reply with an "ICMP TIME_EXCEEDED" response.

Look at /etc/services, traceroute uses tcp and udp packets at port 33434.

As to your real problem. Maybe there is so much traffic that a lot of packets get resent. Those errors should be seen in the router logs or "ifconfig" errors.
#5  ACiD GRiM, 14th December 2009, 06:35 PM
There's literally 0 traffic going between 192.168.2.0 and 10.0.0.0 unless I make a request. I also don't see anything in dmesg or the iptables logs. And just to be clear, this box IS the router.
#6  beaker_, 14th December 2009, 07:21 PM
Post 1 should answer your question; it appears the 192.168.2.0/24 (its router) doesn't know the route to 10.0.0.0/23 and works because the 10.0.0.0/23 is masqueraded. Wireshark will confirm your requests (source & destination) but at quick glance I suspect your router on 192.168.2.0/24 (and possibly both) doesn't know the route.
#7  ACiD GRiM, 14th December 2009, 07:30 PM
But doesn't Masquerading do one-to-many address translation so that 192.168.2.0/24 only needs to know how to get to 192.168.2.2 (this box)? Shouldn't PNAT take place? Maybe I have a setting missing for this
#8  beaker_, 14th December 2009, 09:06 PM
Right, but you're missing the point you made in post 1. Take wireshark and snoop packets at two locations (192.168.2.55 and 10.0.0.2, for example) while you ping one another respectively. Look at dest and source. Basically you're hung up on deciding who the -o interface is. But you demonstrated it by masquerading eth0 (successful), so all you need to do is snoop the packets and convince yourself that NAT occurs during postprocessing. i.e., if you're masq'ing 10.x.x.x then should it be -o ra0 or should it be -o eth0? Else it fails or succeeds because you're unknowingly routing.
#9  ACiD GRiM, 14th December 2009, 09:50 PM
Here's my troubleshooting steps:

masquerade eth0 and ra0
install static route in 10.0.0.1 and 192.168.2.1
access http site on 10.0.0.0 from 192.168.2.0 SUCCESS
access http site on 192.168.2.0 from 10.0.0.0 FAIL
Add -A INPUT -j ACCEPT to top of iptables
add ip_conntrack to iptables-settings
restart iptables
test 10.0.0.0 to 192.168.2.0 again FAIL
nmap 192.168.2.2 from 10.0.1.145 to port 80,443,22 etc FAIL
nmap 192.168.2.2 from 192.168.2.204 to port 80,443,etc SUCCESS
nmap 10.0.0.2 from 192.168.2.204 to port 80,443,etc SUCCESS

That's where I'm at so far. It looks like I can get to 192.168.2.2 from 192.168.2.0 but not from 10.0.0.0, so I think it's narrowed down to the NAT masquerade process.

Attached is my wireshark capture. First I ping 192.168.2.8 then 192.168.2.2 (from 10.0.0.0). Then I nmap -PN -p 80 192.168.2.8 and then 192.168.2.2. (load nmap2.txt into wireshark, not a text editor)

And here is my most recent iptables:

Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i ra0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ra0 -p tcp -m state --state NEW  --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 20,22,21,25,53,69,80,111,139,161,443,445,631,636 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 849,875,898,990,2049,8037,9830,32803,51235,56750 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m multiport --dports 20,21,53,67,69,111,123,137,138,161,631,849,875,989 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m multiport --dports 990,1812,1813,1900,2049,5353,32769,56750 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type redirect -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT

*mangle
COMMIT

*nat
-A POSTROUTING -j MASQUERADE
COMMIT
Edits are in bold
Attached file: nmap2.txt (5.3 KB)

Last edited by ACiD GRiM; 14th December 2009 at 10:00 PM.
#10  beaker_, 14th December 2009, 10:14 PM
Slow down for a minute. Is this what you got? I ask because you throw 192.168.2.0 around as though eth0 is 192.168.2.0. Also, where is www and where is http? Is http www or is it apache running on the linux box?

(192.168.2.0/24)                                              (10.0.0.0/24)
192.168.2.1                                                        10.0.0.2
======== ----------- ra0 ---------Linux Box ---- eth0 -------- ====
|  |  |          (192.168.2.2)              (10.0.0.2)        |  |  |
pc1                                                              pc4
   pc2                                                           pc5
      pc3                                                        pc6

Last edited by beaker_; 14th December 2009 at 10:16 PM.
#11  ACiD GRiM, 14th December 2009, 10:24 PM
Thanks for working this with me, it's been bugging me like crazy.

One change, in bold. 10.0.0.2 is the server and 10.0.0.1 is the router.

(192.168.2.0/24)                                              (10.0.0.0/24)
192.168.2.1                                                        10.0.0.1
======== ----------- ra0 ---------Linux Box ---- eth0 -------- ====
|  |  |          (192.168.2.2)              (10.0.0.2)        |  |  |
pc1                                                              pc4
   pc2                                                           pc5
      pc3                                                        pc6

Edit: The server is a CentOS 5.4 and has an excruciatingly slow load up time, so I may just refresh the entire install if we aren't able to alleviate this here

10.0.0.2 is running apache and 192.168.2.8 and 192.168.2.1 are running what ever Linksys uses.

Last edited by ACiD GRiM; 14th December 2009 at 10:30 PM.
#12  beaker_, 14th December 2009, 10:44 PM
Ok. So let's flush those tables so we know there are no stragglers and work from the 10.0.0.0/24 subnet.

At the terminal;
Code:
su
# Flush out the tables
iptables --flush
iptables --flush INPUT
iptables --flush OUTPUT
iptables --flush -t nat
iptables --flush -t mangle

# Setting an unrestrictive policy.
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT

# Unlimited traffic on the loopback (OUTPUT matches on the outgoing interface, so -o, not -i)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Previously initiated and accepted exchanges bypass rule checking
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# ICMP requests
iptables -A INPUT -p ICMP --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p ICMP --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p ICMP --icmp-type echo-reply -j ACCEPT
From the linux box ping your two interfaces, then your routers:
Code:
ping 10.0.0.2
ping 192.168.2.2
ping 10.0.0.1
ping 192.168.2.1
ok so far?
#13  ACiD GRiM, 14th December 2009, 11:37 PM
so far so good. I can still ping 192.168.2.1 from 10.0.1.x, but still no tcp traffic
#14  beaker_, 15th December 2009, 01:11 AM
that's ok, we're only confirming that both subnets are reachable from the linux box.

Which side has access to the www? I want to ping the far nic from a pc on a subnet that routes through the linux box to access the www. So if the router at 192.168.2.1 has access to the www then check if you can reach ra0 from any machine on the 10.0.0.0/24 network.
Quote:
from 192.168.2.3, ping 10.0.0.2.
Or if the router at 10.0.0.1 has access to the www, then check if you can reach eth0 from any machine on the 192.168.2.0/24 subnet.
Quote:
from 10.0.0.3, ping 192.168.2.2
#15  ACiD GRiM, 15th December 2009, 01:44 AM
Both networks have www, but 10.0.0.1 is the default gateway for this server.

Ping 10.0.0.2 from 192.168.2.143

Code:
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.223 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.238 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.249 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=64 time=0.250 ms
ping 192.168.2.2 from 10.0.1.143

Code:
PING 192.168.2.2 (192.168.2.2) 56(84) bytes of data.
64 bytes from 192.168.2.2: icmp_seq=1 ttl=64 time=1.06 ms
64 bytes from 192.168.2.2: icmp_seq=2 ttl=64 time=0.758 ms
64 bytes from 192.168.2.2: icmp_seq=3 ttl=64 time=0.769 ms
Edit: I can successfully access 10.0.0.2:80, 10.0.0.20:80 and 10.0.0.1:443 from 192.168.2.143. I still have no access other than ICMP with 10.0.1.143 to 192.168.2.1, 192.168.2.2 or 192.168.2.8

(Post added at 06:44 PM CST; previous post was at 06:24 PM CST)

DAMN it. I figured out what it is. It's ALL caused by 10.0.0.0/24's router. I installed a manual route in my laptop

Code:
sudo route add -net 192.168.2.0/24 gw 10.0.0.2 eth0
and now I can see everything on 192.168.2.0/24!

It's a cisco ASA, so I'll play around with that before I go posting on a cisco forum. But thank you so much for your time! I wish I could buy you a beer

Last edited by ACiD GRiM; 15th December 2009 at 01:38 AM.