weird iptables behaviour

Post by Fabi » Sat, 25 Nov 2006 09:48:55

Hello,
I've got a strange problem with IP Masquerade:
PC1 is connected to the internet and PC2 uses PC1
as the gateway.
From PC2 I can ping and even traceroute any URL
(for example ping and traceroute www.wikipedia.org
work great) but I can open very few web pages.
I can only see these 3 sites:
www.mozilla.org www.beppegrillo.it www.google.com
but I can't open for example www.yahoo.com and many more.
More than that, I can use Skype from PC2, so I absolutely
don't have a clue about what to do.
This is my network's diagram:

[INTERNET]<-->(eth0)[PC1](eth1)<--->(eth0)[PC2]

On PC1:
       eth0: 192.168.0.1 (with a cable to the modem)
       eth1: 192.168.1.1 (with a crossed cable to PC2)

On PC2:
       eth0: 192.168.1.2 (with a crossed cable to PC1)

iptables is configured via the following script:

-------- START SCRIPT -----------
#!/bin/bash
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp ip_nat_ftp
modprobe iptable_nat
modprobe ipt_MASQUERADE
# Load the most important modules (NAT and MASQUERADE are mandatory!)
#.....
#.....

echo '0' > /proc/sys/net/ipv4/ip_forward
# No IP forward for now...

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Add a rule to the postrouting chain
# every packet going out through ppp0 must be masked

iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# accept every packet that belongs to connections already
# established or related to them

iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
# accept the traffic generated by the local net

iptables -A FORWARD -j DROP
# anything else is dropped

echo '1' > /proc/sys/net/ipv4/ip_forward
# now we can forward the connection

---------- END SCRIPT -------------

this is the result of /sbin/ifconfig

------------ /sbin/ifconfig---------------
eth0      Link encap:Ethernet  HWaddr 00:40:F4:97:AD:B0
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::240:f4ff:fe97:adb0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5324543 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6272147 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3141935438 (2.9 GiB)  TX bytes:4170449394 (3.8 GiB)
          Interrupt:17 Base address:0xf00

eth1      Link encap:Ethernet  HWaddr 00:20:ED:28:F2:6A
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::220:edff:fe28:f26a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7435 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6390 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1263495 (1.2 MiB)  TX bytes:5152233 (4.9 MiB)
          Interrupt:17 Base address:0x2e00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:11152 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11152 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:655844 (640.4 KiB)  TX bytes:655844 (640.4 KiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:XXX.XXX.XXX.XXX P-t-P:XXX.XXX.XXX.XXX
          Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST
          MTU:1492  Metric:1 RX packets:1494583 errors:0 dropped:0
          overruns:0 frame:0 TX packets:1686118 errors:0 dropped:0
          overruns:0 carrier:0 collisions:0 txqueuelen:3 RX
          bytes:988981980 (943.1 MiB)  TX bytes:825238709 (787.0 MiB)

-------------------- end /sbin/ifconfig ------------------

Why can I see only a few sites but ping them all? It makes no sense to me.
I hope somebody can help me, thank you in advance,
Fabio


weird iptables behaviour

Post by Gran » Sat, 25 Nov 2006 11:13:16

>I've got a strange problem with IP Masquerade:
>PC1 is connected to internet and PC2 uses PC1
>as the gateway.
>From PC2 i can ping and even traceroute any URL
>(for example ping and traceroute www.wikipedia.org
>works great) but i can open very few web pages.
>I only can see there 3 sites:
>www.mozilla.org www.beppegrillo.it www.google.com
>but I can't open for example www.yahoo.com and much more.
>More than that is I can use skype from PC2, so I absolutely
>don't have a clue about what to do.

Would it be you're not clamping MTU?  I have ('egress' is called from
FORWARD chain, MAX_MSS="1380" here):

        # clamp MTU for new TCP connections to world
        if [ -n "$MAX_MSS" ]
        then
                iptables -A egress -p tcp --tcp-flags SYN,RST SYN \
                                -j TCPMSS --set-mss $MAX_MSS
        else
                iptables -A egress -p tcp --tcp-flags SYN,RST SYN \
                                -j TCPMSS --clamp-mss-to-pmtu
        fi

Grant.
--
http://bugsplatter.mine.nu/


weird iptables behaviour

Post by Fabi » Sat, 25 Nov 2006 21:13:56

>>I've got a strange problem with IP Masquerade:
>>PC1 is connected to internet and PC2 uses PC1
>>as the gateway.
>>From PC2 i can ping and even traceroute any URL
>>(for example ping and traceroute www.wikipedia.org
>>works great) but i can open very few web pages.
>>I only can see there 3 sites:
>>www.mozilla.org www.beppegrillo.it www.google.com
>>but I can't open for example www.yahoo.com and much more.
>>More than that is I can use skype from PC2, so I absolutely
>>don't have a clue about what to do.

> Would it be you're not clamping MTU?  I have ('egress' is called from
> FORWARD chain, MAX_MSS="1380" here):

>         # clamp MTU for new TCP connections to world
>         if [ -n "$MAX_MSS" ]
>         then
>                 iptables -A egress -p tcp --tcp-flags SYN,RST SYN \
>                                 -j TCPMSS --set-mss $MAX_MSS
>         else
>                 iptables -A egress -p tcp --tcp-flags SYN,RST SYN \
>                                 -j TCPMSS --clamp-mss-to-pmtu
>         fi

> Grant.

Thank you for your help Grant,
I've created a new chain called "egress" with iptables -N egress, then
I've added the clamp part to my script and added
the option -v to iptables, and now I get:


MASQUERADE  all opt -- in * out ppp0  0.0.0.0/0  -> 0.0.0.0/0
ACCEPT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  state RELATED,ESTABLISHED
ACCEPT  all opt -- in * out *  192.168.1.0/24  -> 0.0.0.0/0
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
TCPMSS  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp flags:0x06/0x02 TCPMSS set 1380

Anyway I get the same problem:
ping all, view a few.
I've tried changing the MTU values of the eth devices to 1380
and the value of ppp0 (in /etc/ppp/options) to 1412
(1412 is suggested by pppoe-setup), but that didn't resolve
the problem; I really don't know what to do.
Thank you for your help,
Fabio


weird iptables behaviour

Post by Jeroen Geilma » Sun, 26 Nov 2006 06:13:09

> iptables is configured via the following script:
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
> iptables -A FORWARD -j DROP

Erm.. okay, but that's not quite all, is it ?
On PC1, *everything* is dropped - assuming you set the INPUT policy to DENY,
as you should.

You filter this shit on INPUT, *not* FORWARD.
In your situation, FORWARD is a trivial case, only interesting in and of
itself when PC1 is a *pure* router, which it isn't.

Assuming you have set DENY on INPUT and ACCEPT on OUTPUT, your effective
rules will now be:

INPUT all interfaces, *including* the internet from PC1, DENY ALL
OUTPUT all interfaces, ACCEPT ALL
FORWARD all interfaces, ACCEPT from 192.168.1.x, DENY the rest.

If you have set ACCEPT on INPUT, on the other hand, you have zero actual
security.

Your PC1 is wide open to the Intarweb in that case.

Change the FORWARD to INPUT in your ruleset and you should be good.

--
All your bits are belong to us.


weird iptables behaviour

Post by Fabi » Sun, 26 Nov 2006 11:05:21

>> iptables is configured via the following script:

>> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

>> iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

>> iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT

>> iptables -A FORWARD -j DROP

> Erm.. okay, but that's not quite all, is it ?
> On PC1, *everything* is dropped - assuming you set the INPUT policy to DENY,
> as you should.

> You filter this shit on INPUT, *not* FORWARD.
> In your situation, FORWARD is a trivial case, only interesting in and of
> itself when PC1 is a *pure* router, which it isn't.

> Assuming you have set DENY on INPUT and ACCEPT on OUTPUT, your effective
> rules will now be:

> INPUT all interfaces, *including* the internet from PC1, DENY ALL
> OUTPUT all interfaces, ACCEPT ALL
> FORWARD all interfaces, ACCEPT from 192.168.1.x, DENY the rest.

> If you have set ACCEPT on INPUT, on the other hand, you have zero actual
> security.

> Your PC1 is wide open to the Intarweb in that case.

> Change the FORWARD to INPUT in your ruleset and you should be good.

Sorry, I think I didn't understand well;
this is the script I use to set up masquerading:

---- START SCRIPT---------
#!/bin/sh
iptables="/sbin/iptables"
MAX_MSS="1380"

modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp ip_nat_ftp
modprobe iptable_nat
modprobe ipt_MASQUERADE

iptables -v -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -v -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -v -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -v -A FORWARD -j DROP

# clamp MTU for new TCP connections to world
if [ -n "$MAX_MSS" ]
then
        iptables -v -A egress -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $MAX_MSS
else
        iptables -v -A egress -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
fi

echo '1' > /proc/sys/net/ipv4/ip_forward

------- END SCRIPT -----------

And here you can see the iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     all  --  10.0.0.0/24          0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain egress (0 references)
target     prot opt source               destination
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS set 1380

and this is iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I can't understand why I can see, let's say, www.google.com from
the local net, but I can't open www.yahoo.com.

Hope You can help me,
thank you in advance
Fabio
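
Two checks that would have pointed at the problem in this listing, as an added example that is not part of the thread: a user-defined chain shown with "(0 references)" is never evaluated, so the TCPMSS rule inside egress has no effect until FORWARD (or another chain) jumps to it, and every built-in chain here defaults to ACCEPT. The listing is the one posted above, embedded as a constant so the checks run without root or a live iptables; the helper names are this example's own, and the MSS arithmetic assumes IPv4 TCP with no header options.

```shell
#!/bin/sh
# Added example, not from the thread: audit an `iptables -L` listing offline.
# LISTING is the filter-table output posted above, embedded as a constant.
LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     all  --  10.0.0.0/24          0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain egress (0 references)
target     prot opt source               destination
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS set 1380'

# User-defined chains that no rule jumps to. Rules inside such a chain are
# never evaluated, however correct they look in the listing.
unreferenced_chains() {
    printf '%s\n' "$1" | awk '/^Chain .* \(0 references\)/ { print $2 }'
}

# Built-in chains whose default policy is ACCEPT: nothing is filtered there
# unless an explicit rule matches.
accept_policy_chains() {
    printf '%s\n' "$1" | awk '/^Chain .* \(policy ACCEPT\)/ { print $2 }'
}

# Exit status 0 if chain $2 contains a rule whose target is $3.
chain_has_target() {
    printf '%s\n' "$1" | awk -v chain="$2" -v target="$3" '
        /^Chain / { cur = $2; next }
        cur == chain && $1 == target { found = 1 }
        END { exit !found }'
}

# Largest TCP MSS that fits a link MTU for IPv4 with no options:
# 20 bytes of IP header plus 20 bytes of TCP header.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Human-readable report over a listing.
audit() {
    for c in $(unreferenced_chains "$1"); do
        echo "FINDING: chain $c has 0 references, its rules never run"
    done
    for c in $(accept_policy_chains "$1"); do
        echo "NOTE: built-in chain $c defaults to ACCEPT"
    done
    if chain_has_target "$1" FORWARD TCPMSS || chain_has_target "$1" FORWARD egress; then
        echo "OK: forwarded SYNs reach an MSS clamp"
    else
        echo "FINDING: no MSS clamp on the FORWARD path"
    fi
    echo "NOTE: a PPPoE link (MTU 1492) can carry an MSS of at most $(mss_for_mtu 1492)"
}

audit "$LISTING"
```

Run against the listing above, the audit reports that egress is unreferenced and that FORWARD has no clamp, which is why adding the TCPMSS rule changed nothing: the clamp was loaded but never on the path of any forwarded SYN. The MSS note explains the numbers in the thread: a 1492-byte PPPoE MTU leaves room for 1452 bytes of TCP payload, and 1380 is simply a conservative value below that.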


weird iptables behaviour

Post by Fabi » Sun, 26 Nov 2006 11:08:47

>>> iptables is configured via the following script:

>>> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

>>> iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

>>> iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT

>>> iptables -A FORWARD -j DROP

>> Erm.. okay, but that's not quite all, is it ?
>> On PC1, *everything* is dropped - assuming you set the INPUT policy to DENY,
>> as you should.

>> You filter this shit on INPUT, *not* FORWARD.
>> In your situation, FORWARD is a trivial case, only interesting in and of
>> itself when PC1 is a *pure* router, which it isn't.

>> Assuming you have set DENY on INPUT and ACCEPT on OUTPUT, your effective
>> rules will now be:

>> INPUT all interfaces, *including* the internet from PC1, DENY ALL
>> OUTPUT all interfaces, ACCEPT ALL
>> FORWARD all interfaces, ACCEPT from 192.168.1.x, DENY the rest.

>> If you have set ACCEPT on INPUT, on the other hand, you have zero actual
>> security.

>> Your PC1 is wide open to the Intarweb in that case.

>> Change the FORWARD to INPUT in your ruleset and you should be good.

> Sorry, I think I didn't undestand well,
> this is the script I use to make masquerade:

> ---- START SCRIPT---------
> #!/bin/sh
> iptables="/sbin/iptables"
> MAX_MSS="1380"

> modprobe ip_tables
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp ip_nat_ftp
> modprobe iptable_nat
> modprobe ipt_MASQUERADE

> iptables -v -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> iptables -v -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -v -A FORWARD -s 192.168.1.0/24 -j ACCEPT
> iptables -v -A FORWARD -j DROP

> # clamp MTU for new TCP connections to world
> if [ -n "$MAX_MSS" ]
> then
>         iptables -v -A egress -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $MAX_MSS
> else
>         iptables -v -A egress -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> fi

> echo '1' > /proc/sys/net/ipv4/ip_forward

> ------- END SCRIPT -----------

> And here you can see the iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination

> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> ACCEPT     all  --  10.0.0.0/24          0.0.0.0/0
> DROP       all  --  0.0.0.0/0            0.0.0.0/0

> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination

> Chain egress (0 references)
> target     prot opt source               destination
> TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS set 1380

> and this is iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination

> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination

> I can't undestand why I can see, let say www.google.com from
> the localnet, and i can't open www.yahoo.com

> Hope You can help me,
> thank you in advance
> Fabio

Sorry, I mistyped something;
now the local net is 10.0.0.0 and all the scripts are
changed, but the problem remains the same:
ping them all, open a few.
Help me please!!! :o>
Fabio

weird iptables behaviour

Post by Clifford Kit » Mon, 27 Nov 2006 08:38:23

> Hello,
> I've got a strange problem with IP Masquerade:
> PC1 is connected to internet and PC2 uses PC1
> as the gateway.
> From PC2 i can ping and even traceroute any URL
> (for example ping and traceroute www.wikipedia.org
> works great) but i can open very few web pages.
> I only can see there 3 sites:
> www.mozilla.org www.beppegrillo.it www.google.com
> but I can't open for example www.yahoo.com and much more.
> More than that is I can use skype from PC2, so I absolutely
> don't have a clue about what to do.
> This is my network's diagram:
> [INTERNET]<-->(eth0)[PC1](eth1)<--->(eth0)[PC2]
> On PC1:
>        eth0: 192.168.0.1 (with a cable to the modem)
>        eth1: 192.168.1.1 (with a crossed cable to PC2)
> On PC2:
>        eth0: 192.168.1.2 (with a crossed cable to PC1)

Try doing "ifconfig eth0 mtu 1492" on PC2.

> iptables is configured via the following script:
> -------- START SCRIPT -----------

An unusual script.  I'd suggest instead,

---

#!/bin/bash
modprobe ip_tables
modprobe ipt_state
modprobe ip_conntrack
modprobe ip_conntrack_ftp ip_nat_ftp
modprobe iptable_nat
modprobe ipt_MASQUERADE
modprobe ipt_limit
modprobe ipt_LOG
#modprobe iptable_mangle

iptables -N no-conns-from-ppp0
iptables -A no-conns-from-ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A no-conns-from-ppp0 -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A no-conns-from-ppp0 -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
iptables -A no-conns-from-ppp0 -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
iptables -A no-conns-from-ppp0 -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A no-conns-from-ppp0 -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
#-j TCPMSS --clamp-mss-to-pmtu
iptables -A no-conns-from-ppp0 -i ppp0 -m limit -j LOG --log-prefix \
"Bad packet from ppp0:"
iptables -A no-conns-from-ppp0 -i ! ppp0 -m limit -j LOG --log-prefix \
"Bad packet not from ppp0:"
iptables -A no-conns-from-ppp0 -j DROP

iptables -A INPUT -j no-conns-from-ppp0
iptables -A FORWARD -j no-conns-from-ppp0

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

---

I've used the script but without mangle table PMTU clamping (commented
out) - so no guarantee on that.  Most sites should be accessible with the
PC2 MTU set to 1492 and no clamping.  And if you don't need/want pings
and ping replies then the lines with icmp-types 0 and 8 can be dropped.
The lines with the other icmp-types should remain as is.  If LOGging becomes
annoying then just truncate the lines with -m limit in them starting at
-j LOG.

Just for the record, the core of this script was taken from one written
by Rusty Russell.
http://help.phys.unsw.edu.au/doc/HOW-TO/packet-filtering-HOWTO.txt

--
Clifford Kite
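
A reworked gateway script that puts the replies together, as an added example and not a script from any poster: the clamp chain is both created and jumped to from FORWARD (in the mangle table, which is traversed before the filter table), the INPUT chain protects PC1 itself as Jeroen asked for and as Clifford's script does, and a dry-run mode prints the rules for review before anything is applied. Assumptions that are not from the thread: the LAN is 10.0.0.0/24 (the renumbered network), iptables lives at /sbin/iptables, the function and chain names are the example's own, and the iptables build accepts the current `! -i` negation syntax rather than the older `-i !` form used in Clifford's script.

```shell
#!/bin/sh
# Added example, not a script from the thread. Gateway ruleset with the fixes
# the thread converges on: an MSS clamp that forwarded SYNs actually reach,
# and a deny-by-default INPUT chain for the gateway host itself.
# Assumptions: WAN is ppp0, LAN is 10.0.0.0/24, iptables is /sbin/iptables.
IPT="${IPT:-/sbin/iptables}"
WAN="ppp0"
LAN="10.0.0.0/24"
MAX_MSS="${MAX_MSS:-1380}"   # 1452 is the most a 1492-byte PPPoE MTU allows; 1380 leaves margin

# Every rule goes through run: printed in dry-run mode, applied otherwise.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

apply_rules() {
    # Known starting state and deny-by-default for traffic to and through PC1.
    run -F; run -X; run -t nat -F; run -t mangle -F; run -t mangle -X
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT

    # MSS clamp in the mangle table, which runs before the filter table, so its
    # position relative to the ACCEPT rules below does not matter. The chain is
    # created AND jumped to: a chain with 0 references never runs.
    run -t mangle -N egress
    run -t mangle -A egress -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss "$MAX_MSS"
    run -t mangle -A FORWARD -o "$WAN" -j egress

    # Forwarding: replies to known connections, then new connections that carry
    # a LAN source address and did not arrive on the WAN side (anti-spoofing).
    run -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    run -A FORWARD -s "$LAN" ! -i "$WAN" -j ACCEPT
    run -A FORWARD -j DROP

    # PC1 itself: loopback, replies, new connections from anywhere but the WAN,
    # and the ICMP types a gateway must accept (0 echo reply, 3 unreachable,
    # which carries "fragmentation needed", 8 echo request, 11 time exceeded).
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    run -A INPUT ! -i "$WAN" -m state --state NEW -j ACCEPT
    for t in 0 3 8 11; do
        run -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done
    run -A INPUT -i "$WAN" -m limit --limit 5/min -j LOG --log-prefix "gateway drop: "
    run -A INPUT -j DROP

    run -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # Enable forwarding only now that the rules are in place.
    [ -n "$DRY_RUN" ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Dry run in a subshell so DRY_RUN does not leak into the caller.
dry_run_rules() {
    ( DRY_RUN=1; apply_rules )
}

# How many rules the dry run appends to a given chain (across all tables).
rules_in_chain() {
    dry_run_rules | grep -c -- " -A $1 "
}

case "${1:-dry-run}" in
    apply) apply_rules ;;
    *)     dry_run_rules ;;
esac
```

Run with no argument to print the rules; run with `apply` as root to install them. Unlike the posted scripts, forwarding is switched on after the rules exist rather than before, and `iptables -L -t mangle` afterwards shows the egress chain with one reference, which is the check that was missing in the thread.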


Weird ">" redirect behavior vs. ">>" redirect behavior

Hopefully, someone has already seen this and knows what's up.

Simple script myscript.sh:

#!/bin/sh
i=1

date
while [ 1 ]; do
   echo "Count - ${i}"
   cat /etc/system
   i=`expr ${i} + 1`
   sleep 5
done

Run it as:

nohup sh myscript.sh > /tmp/myscript.log &

Let it run for a while.  Then run:

grep Count /tmp/myscript.log | wc -l
ls -l /tmp/myscript.log
cat /dev/null /tmp/myscript.log
ls -l /tmp/myscript.log
ls -l /tmp/myscript.log
ls -l /tmp/myscript.log
grep Count /tmp/myscript.log | wc -l

The file size info on my system (Solaris 8) for /tmp/myscript.log
is zero at first and then goes right back to where it was, plus a bit
more, when the next iteration of the cat command outputs /etc/system.

Also, the first grep..wc -l command shows how many times the script
has basically looped.  The second grep will show only a couple.  This
shows that the inode is saying the file contains everything it always
did, but the grep command is saying it only contains up to some point
of a buffer - maybe the output file descriptor buffer?  I'm
guessing; I'm not a programmer.

If you change the ">" to a ">>" with your nohup, it works as
expected. The file is zeroed out and the inode info shows it growing
as you would expect it to.

What's the difference between ">" and ">>" that makes this happen?
Running the script with ksh does the same thing.

Looks like a bug to me.

--
........................................................
......... ..- -. .. -..- .-. ..- .-.. . ... ............
.-- .. -. -... .-.. --- .-- ... -.. .-. --- --- .-.. ...

Sean O'Neill
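
What the post describes can be reproduced deterministically in a single process, as an added example that is not part of the post: a writer keeps a file descriptor opened with ">" or ">>", the file is emptied underneath it (the post's `cat /dev/null > file`), and the writer writes once more. The helper name and the byte counts are this example's own; the post's /etc/system output is replaced by fixed-length constructed lines so the resulting sizes are predictable.

```shell
#!/bin/sh
# Added example, not from the post. Opens a file for writing in the given mode,
# writes 100 lines, truncates the file the way another process would, writes
# one more line, and returns "<file size in bytes> <NUL bytes in file>".
demo_truncate_under_writer() {
    mode="$1"                      # ">" or ">>"
    f="$(mktemp)"
    if [ "$mode" = ">>" ]; then
        exec 3>>"$f"               # O_APPEND: every write lands at the current end
    else
        exec 3>"$f"                # plain write: the fd keeps its own offset
    fi
    i=0
    while [ "$i" -lt 100 ]; do     # 100 lines of 13 bytes = 1300 bytes
        echo "Count - line" >&3
        i=$((i + 1))
    done
    : > "$f"                       # the truncation done by another process
    echo "Count - after" >&3       # 14 bytes
    exec 3>&-
    size=$(wc -c < "$f" | tr -d ' ')
    nuls=$(tr -cd '\000' < "$f" | wc -c | tr -d ' ')
    rm -f "$f"
    echo "$size $nuls"
}

# ">"  : the writer's offset is still 1300 after the truncation, so the kernel
#        extends the file with a 1300-byte hole that reads back as NUL bytes.
# ">>" : the write goes to the new end of file, so the file is exactly 14 bytes.
echo "'>'  gives: $(demo_truncate_under_writer '>')"
echo "'>>' gives: $(demo_truncate_under_writer '>>')"
```

This is the symptom in the post: with ">" the file's size jumps back to its old value because the writer's next write lands at its old offset and the gap becomes a hole, while grep only finds the lines written after the truncation. With ">>" the descriptor is in append mode and each write goes to the current end, so the size tracks the content. For log files that may be truncated or rotated under a running writer, which is the usual case for anything an incident responder will later read, open them in append mode.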
