IPTABLES problems with some sites

IPTABLES problems with some sites

Post by Michael Taylo » Sun, 25 Feb 2001 14:38:00



I have the 2.4.1 kernel compiled and am running IPTABLES 1.2 as kernel
modules with a forwarded pppoe DSL connection (using roaring penguin and
kernel pppoe).

From Linux I can access any site with no problem. From the clients, most
sites work but there are several that I cannot access such as
www.intuit.com, www.hp.com etc.

What is more alarming is that Quicken can no longer access my bank account,
which is distressing. I should know better than to jump at new kernels!

I've tried leaving the firewall wide open with little luck. Why would these
sites cause problems?

The simplest firewall I've tried is:

iptables -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

I'm new to IPTABLES and I hope I'm missing something simple.

 -Mike

 
 
 

IPTABLES problems with some sites

Post by Manfred Bart » Sun, 25 Feb 2001 15:47:59



> I have the 2.4.1 kernel compiled and am running IPTABLES 1.2 as
> kernel modules with a forwarded pppoe DSL connection (using roaring
> penguin and kernel pppoe).

> From Linux I can access any site with no problem. From the clients,
> most sites work but there are several that I cannot access such as
> www.intuit.com, www.hp.com etc.

Most likely you are experiencing a problem with ECN (Explicit
Congestion Notification).  Many sites have not yet implemented
ECN even though there is no good excuse for that.

Try turning ECN off, it's a switch somewhere in /proc/

--
Manfred
---------------------------------------------------------------
ipchainsLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>

 
 
 

IPTABLES problems with some sites

Post by Michael Taylo » Mon, 26 Feb 2001 01:23:36


Thanks for the reply, but ECN is not compiled in my kernel and there is
no tcp_ecn in the /proc subdirectory. I can access all of these sites from
the Linux box. The problem exists with accessing them from any of the
connected clients.

Any ideas? I'm pretty much at a loss. I can't see anything in the logs
either.

 - Mike


> > I have the 2.4.1 kernel compiled and am running IPTABLES 1.2 as
> > kernel modules with a forwarded pppoe DSL connection (using roaring
> > penguin and kernel pppoe).

> > From Linux I can access any site with no problem. From the clients,
> > most sites work but there are several that I cannot access such as
> > www.intuit.com, www.hp.com etc.

> Most likely you are experiencing a problem with ECN (Explicit
> Congestion Notification).  Many sites have not yet implemented
> ECN even though there is no good excuse for that.

> Try turning ECN off, it's a switch somewhere in /proc/

> --
> Manfred
> ---------------------------------------------------------------
> ipchainsLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>

 
 
 

IPTABLES problems with some sites

Post by Ian Jone » Mon, 26 Feb 2001 01:27:05




> > I have the 2.4.1 kernel compiled and am running IPTABLES 1.2 as
> > kernel modules with a forwarded pppoe DSL connection (using roaring
> > penguin and kernel pppoe).

> > From Linux I can access any site with no problem. From the clients,
> > most sites work but there are several that I cannot access such as
> > www.intuit.com, www.hp.com etc.

> Most likely you are experiencing a problem with ECN (Explicit
> Congestion Notification).  Many sites have not yet implemented
> ECN even though there is no good excuse for that.

> Try turning ECN off, it's a switch somewhere in /proc/

echo 0 > /proc/sys/net/ipv4/tcp_ecn    # 0 turns ECN off, 1 turns it on
 
 
 

IPTABLES problems with some sites

Post by Manfred Bart » Mon, 26 Feb 2001 07:38:01



> Thanks for the reply, but ECN is not compiled in my kernel and there is
> no tcp_ecn in the /proc subdirectory. I can access all of these sites from
> the Linux box. The problem exists with accessing them from any of the
> connected clients.

> Any ideas? I'm pretty much at a loss. I can't see anything in the logs
> either.

Hmm.  Some obvious things:

All clients should have your forwarding box set as the gateway.

ipforwarding must be turned on:
        echo 1 > /proc/sys/net/ipv4/ip_forward

You could run tcpdump on the incoming and outgoing interfaces and
check if packets are transmitted and what they look like.

Turn on logging for all your ipchains rules with a target of DENY
or REJECT.  Or did you use iptables?  With iptables meaningful logging
is more difficult.

If it's still not obvious then post relevant information such as
the output from ``ifconfig'' and ``route -n''.

Good luck chasing the problem.
--
Manfred
---------------------------------------------------------------
ipchainsLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>

 
 
 

IPTABLES problems with some sites

Post by Michael Taylo » Tue, 27 Feb 2001 06:11:24


I'll keep trying but will probably have to revert to 2.2 shortly.

I'm fine as far as the gateways go and everything forwarded and worked fine
with 2.2. Thanks a lot for your replies!

The ifconfig output is:

eth0      Link encap:Ethernet  HWaddr 00:AA:00:3E:96:98
          inet addr:192.168.10.3  Bcast:192.168.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1492  Metric:1
          RX packets:2847 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4728 errors:0 dropped:0 overruns:0 carrier:0
          collisions:25 txqueuelen:100
          Interrupt:5 Base address:0x210

eth1      Link encap:Ethernet  HWaddr 00:A0:CC:63:CE:76
          UP BROADCAST RUNNING MULTICAST  MTU:1492  Metric:1
          RX packets:617 errors:0 dropped:0 overruns:0 frame:0
          TX packets:595 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:10 Base address:0xe400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16192  Metric:1
          RX packets:100 errors:0 dropped:0 overruns:0 frame:0
          TX packets:100 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

ppp0      Link encap:Point-to-Point Protocol
          inet addr:151.197.245.177  P-t-P:10.7.22.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:487 errors:0 dropped:0 overruns:0 frame:0
          TX packets:471 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3

The route -n output is:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.10.3    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
10.7.22.1       0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.7.22.1       0.0.0.0         UG    0      0        0 ppp0



> > Thanks for the reply, but ECN is not compiled in my kernel and there is
> > no tcp_ecn in the /proc subdirectory. I can access all of these sites from
> > the Linux box. The problem exists with accessing them from any of the
> > connected clients.

> > Any ideas? I'm pretty much at a loss. I can't see anything in the logs
> > either.

> Hmm.  Some obvious things:

> All clients should have your forwarding box set as the gateway.

> ipforwarding must be turned on:
>         echo 1 > /proc/sys/net/ipv4/ip_forward

> You could run tcpdump on the incoming and outgoing interfaces and
> check if packets are transmitted and what they look like.

> Turn on logging for all your ipchains rules with a target of DENY
> or REJECT.  Or did you use iptables?  With iptables meaningful logging
> is more difficult.

> If it's still not obvious then post relevant information such as
> the output from ``ifconfig'' and ``route -n''.

> Good luck chasing the problem.
> --
> Manfred
> ---------------------------------------------------------------
> ipchainsLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>

 
 
 

IPTABLES problems with some sites

Post by Manfred Bart » Tue, 27 Feb 2001 07:46:23



> I'll keep trying but will probably have to revert to 2.2 shortly.

> I'm fine as far as the gateways go and everything forwarded
> and worked fine with 2.2. Thanks a lot for your replies!

> The ifconfig output is:
> eth0 Link encap:Ethernet HWaddr 00:AA:00:3E:96:98
> inet addr:192.168.10.3 Bcast:192.168.10.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1492 Metric:1
> RX packets:2847 errors:0 dropped:0 overruns:0 frame:0
> TX packets:4728 errors:0 dropped:0 overruns:0 carrier:0
> collisions:25 txqueuelen:100
> Interrupt:5 Base address:0x210
> eth1 Link encap:Ethernet HWaddr 00:A0:CC:63:CE:76

> UP BROADCAST RUNNING MULTICAST MTU:1492 Metric:1
> RX packets:617 errors:0 dropped:0 overruns:0 frame:0
> TX packets:595 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:100
> Interrupt:10 Base address:0xe400

What happened to eth1's inet addr?

> ppp0 Link encap:Point-to-Point Protocol
> inet addr:151.197.245.177 P-t-P:10.7.22.1 Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
> RX packets:487 errors:0 dropped:0 overruns:0 frame:0
> TX packets:471 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:3
> The route -n output is:
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 192.168.10.3  0.0.0.0    255.255.255.255  UH 0 0 0  eth0

this host route is superfluous since you have the net route below

> 10.7.22.1     0.0.0.0    255.255.255.255  UH 0 0 0  ppp0
> 192.168.10.0  0.0.0.0    255.255.255.0    U  0 0 0  eth0
> 127.0.0.0     0.0.0.0    255.0.0.0        U  0 0 0  lo
> 0.0.0.0       10.7.22.1  0.0.0.0          UG 0 0 0  ppp0

Again, what happened to eth1?
Other than the eth1 problem, everything looks ok.

Create a custom chain each for logging the inbuilt targets:

#! /bin/bash

#----------------------------------------------------------------------
# CreateChain NAME
#
# deletes the chain NAME if it exists and then (re)creates it
#

function CreateChain ()
{
  echo   "creating chain: $1"
  iptables --flush        $1 > /dev/null 2>&1
  iptables --delete-chain $1 > /dev/null 2>&1
  iptables --new-chain    $1

}

#----------------------------------------------------------------------
# new chain: DROP_L

 CreateChain DROP_L
 iptables -A DROP_L -j LOG --log-prefix DROP \
       --log-tcp-sequence --log-tcp-options --log-ip-options
 iptables -A DROP_L -j DROP

#------------------------------
# new chain: REJECT_L

 CreateChain REJECT_L
 iptables -A REJECT_L -j LOG --log-prefix REJECT \
       --log-tcp-sequence --log-tcp-options --log-ip-options
 iptables -A REJECT_L -j REJECT

#------------------------------
# new chain: ACCEPT_L

 CreateChain ACCEPT_L
 iptables -A ACCEPT_L -j LOG --log-prefix ACCEPT \
       --log-tcp-sequence --log-tcp-options --log-ip-options
 iptables -A ACCEPT_L -j ACCEPT
#----------------------------------------------------------------------

Now you can just append ``_L'' to the target and you will get messages
in the logs when the rule matches.  F.e.:

 iptables -A INPUT -i $IFINET -p tcp --dport 0:1023 -j DROP_L

Another thing to note is that any forwarded packets do not pass
through the INPUT chain as they did with ipchains; the only filter
point they pass through is the FORWARD chain. You need something
like this:

 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A FORWARD -i ! $IFINET -m state --state NEW -j ACCEPT
 iptables -A FORWARD -i $IFINET -m state --state NEW,INVALID -j DROP_L

$IFINET is the Internet interface, f.e. ppp0

--
Manfred
---------------------------------------------------------------
ipchainsLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>
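An added example, not from the thread: a small Python parser for the syslog lines that Manfred's DROP_L/REJECT_L/ACCEPT_L chains write, run over constructed sample lines (the addresses 192.0.2.10, 198.51.100.9 and 192.168.10.5 are made up; the interface names and the gateway's own address are the ones quoted above). It counts what each logging target matched and lists dropped packets that were being routed, which is the quickest way to check whether a site's replies are dying on the FORWARD path rather than somewhere else.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format the 2.4 kernel LOG target writes.
# The prefixes run straight into "IN=" because the DROP_L/REJECT_L/ACCEPT_L
# rules above pass --log-prefix without a trailing space.
SAMPLE_LOG = """\
Feb 27 06:11:24 gw kernel: ACCEPTIN=eth0 OUT=ppp0 SRC=192.168.10.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=100 DF PROTO=TCP SPT=1025 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 27 06:11:25 gw kernel: DROPIN=ppp0 OUT=eth0 SRC=192.0.2.10 DST=192.168.10.5 LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=200 DF PROTO=TCP SPT=80 DPT=1025 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Feb 27 06:11:28 gw kernel: DROPIN=ppp0 OUT=eth0 SRC=192.0.2.10 DST=192.168.10.5 LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=201 DF PROTO=TCP SPT=80 DPT=1025 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Feb 27 06:11:30 gw kernel: REJECTIN=ppp0 OUT= SRC=198.51.100.9 DST=151.197.245.177 LEN=40 TOS=0x00 PREC=0x00 TTL=40 ID=300 PROTO=TCP SPT=4444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 27 06:11:31 gw kernel: DROPIN=ppp0 OUT= SRC=198.51.100.9 DST=151.197.245.177 LEN=28 TOS=0x00 PREC=0x00 TTL=40 ID=301 PROTO=UDP SPT=5353 DPT=5353 LEN=8
Feb 27 06:11:32 gw pppd[412]: local  IP address 151.197.245.177
"""

# Prefix is whatever sits between "kernel: " and the first "IN=" field.
LINE_RE = re.compile(r"kernel: (?P<prefix>[A-Z_]*?)(?P<rest>IN=.*)$")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")

def parse_log_line(line):
    """Return a dict for one LOG-target line, or None for any other syslog line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rest = m.group("rest")
    rec = {"verdict": m.group("prefix") or "UNLABELLED"}
    for key, value in KV_RE.findall(rest):
        rec.setdefault(key, value)  # keep the IP-header LEN, not UDP's second LEN
    # Tokens without '=' are header flags: DF, SYN, ACK, RST and so on.
    rec["flags"] = sorted(tok for tok in rest.split() if "=" not in tok)
    return rec

def summarize(lines):
    """Count hits per (verdict, in, out, proto, dst, dpt) to see what each rule matches."""
    counts = Counter()
    for rec in filter(None, map(parse_log_line, lines)):
        counts[(rec["verdict"], rec["IN"], rec["OUT"],
                rec.get("PROTO", "?"), rec["DST"], rec.get("DPT", "-"))] += 1
    return counts

def forwarded_drops(lines):
    """Dropped packets that were being routed (IN and OUT both set): FORWARD-chain hits."""
    return [(r["SRC"], r["DST"], r.get("DPT", "-"), " ".join(r["flags"]))
            for r in filter(None, map(parse_log_line, lines))
            if r["verdict"] == "DROP" and r["IN"] and r["OUT"]]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(n, *key)
    print("forwarded drops:", forwarded_drops(SAMPLE_LOG.splitlines()))
```

On a real gateway feed it the kernel's log file instead of SAMPLE_LOG; a burst of DROP entries with IN=ppp0 OUT=eth0 and SYN ACK set is a site's replies to a client being dropped before they are forwarded.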

 
 
 

IPTABLES problems with some sites

Post by Michael Taylo » Tue, 27 Feb 2001 07:46:40


I got my system working finally. I tried going to 2.4.2 kernel and I also
removed the 'experimental' pppoe kernel support and went back to user-level
pppoe with rp-pppoe. One of these fixed the problem. When I get more time
I'll experiment further and find out which!

Thanks for helping.

 - Mike


> I'll keep trying but will probably have to revert to 2.2 shortly.

> I'm fine as far as the gateways go and everything forwarded and worked fine
> with 2.2. Thanks a lot for your replies!

> The ifconfig output is:
> eth0 Link encap:Ethernet HWaddr 00:AA:00:3E:96:98
> inet addr:192.168.10.3 Bcast:192.168.10.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1492 Metric:1
> RX packets:2847 errors:0 dropped:0 overruns:0 frame:0
> TX packets:4728 errors:0 dropped:0 overruns:0 carrier:0
> collisions:25 txqueuelen:100
> Interrupt:5 Base address:0x210
> eth1 Link encap:Ethernet HWaddr 00:A0:CC:63:CE:76
> UP BROADCAST RUNNING MULTICAST MTU:1492 Metric:1
> RX packets:617 errors:0 dropped:0 overruns:0 frame:0
> TX packets:595 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:100
> Interrupt:10 Base address:0xe400
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> UP LOOPBACK RUNNING MTU:16192 Metric:1
> RX packets:100 errors:0 dropped:0 overruns:0 frame:0
> TX packets:100 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> ppp0 Link encap:Point-to-Point Protocol
> inet addr:151.197.245.177 P-t-P:10.7.22.1 Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
> RX packets:487 errors:0 dropped:0 overruns:0 frame:0
> TX packets:471 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:3

> The route -n output is:
> Kernel IP routing table
> Destination   Gateway    Genmask          Flags Metric Ref Use Iface
> 192.168.10.3  0.0.0.0    255.255.255.255  UH    0      0   0   eth0
> 10.7.22.1     0.0.0.0    255.255.255.255  UH    0      0   0   ppp0
> 192.168.10.0  0.0.0.0    255.255.255.0    U     0      0   0   eth0
> 127.0.0.0     0.0.0.0    255.0.0.0        U     0      0   0   lo
> 0.0.0.0       10.7.22.1  0.0.0.0          UG    0      0   0   ppp0




> > > Thanks for the reply, but ECN is not compiled in my kernel and there is
> > > no tcp_ecn in the /proc subdirectory. I can access all of these sites from
> > > the Linux box. The problem exists with accessing them from any of the
> > > connected clients.

> > > Any ideas? I'm pretty much at a loss. I can't see anything in the logs
> > > either.

> > Hmm.  Some obvious things:

> > All clients should have your forwarding box set as the gateway.

> > ipforwarding must be turned on:
> >         echo 1 > /proc/sys/net/ipv4/ip_forward

> > You could run tcpdump on the incoming and outgoing interfaces and
> > check if packets are transmitted and what they look like.

> > Turn on logging for all your ipchains rules with a target of DENY
> > or REJECT.  Or did you use iptables?  With iptables meaningful logging
> > is more difficult.

> > If it's still not obvious then post relevant information such as
> > the output from ``ifconfig'' and ``route -n''.

> > Good luck chasing the problem.
> > --
> > Manfred
> > ---------------------------------------------------------------
> > ipchainsLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>