Need help with IP Masquerading and UDP packets

Post by Luiz Otavio L. Zorzel » Tue, 01 Jun 1999 04:00:00



Hi,

I have a Win 95 inside a private LAN (ppp) that I set up with ip
masquerading.

To start, I had only one very simple rule:

ipfwadm -F -a m -S 192.168.10.0/24 -D 0.0.0.0/0

Everything works fine: www, ftp, etc. Then I installed net2phone
(http://www.net2phone.com), and I'm trying to make it work.

While setting up, net2phone makes a "Test for firewall", and fails in
this test. I set up 2 specific rules for net2phone, then:

ipfwadm -F -a m -b -P udp -S 192.168.10.51 10000 -D 0.0.0.0/0 10000
ipfwadm -F -a m -b -P tcp -S 192.168.10.51 10000 -D 0.0.0.0/0 10000
ipfwadm -F -a m -b -P icmp -S 192.168.10.51 10000

and I configured net2phone to use the 10000 port number (it can be
configured to anything you want, according to their website). The
test still fails.

I tcpdumped both eth0 (private LAN) and ppp0 (internet) while
doing the test, and I think the problem comes from this line on my
ppp0, though I don't know exactly what to do:

12:45:31.461066 169.132.184.211.46869 > w.x.y.z.6613: udp 55 (DF)
12:45:31.461066 w.x.y.z > 169.132.184.211: icmp: w.x.y.z udp port 6613 unreachable [tos 0xc0]

Any help is appreciated. Please note that I made a "global replace"
of my firewall IP address by w.x.y.z in the dumps, and a replace of
my internal machine by internal.mydomain.com. Forgive my paranoia...
:^>

The traffic generated in the test, as seen by tcpdump on both
interfaces, follows:

********

(eth0)

12:34:40.441066 0:0:86:16:ff:3 null > 0:20:18:38:18:54 sap 45 I (s=0,r=20,C) len=42 8404 0000 1f11 100f ce84 d6d5 a984 b8d3 ef90 1a91 0014 1e01 5e68 656c 6c6f 5f71 2031 200a 0000 0000 0000

12:34:40.441066 0:0:86:16:ff:3 null > 0:20:18:38:18:54 sap 45 I (s=0,r=20,C) len=42 8504 0000 1f11 86dd ce84 d6d5 a984 4105 ef91 1a91 0014 95cd 5e68 656c 6c6f 5f71 2032 200a 0000 0000 0000

12:34:40.751066 169.132.184.211.6801 > internal.mydomain.com.10000: udp 12 (DF)

12:34:40.751066 0:0:86:16:ff:3 null > 0:20:18:38:18:54 sap 45 I (s=0,r=91,P) len=178 8604 0000 1f11 0d81 ce84 d6d5 a984 b8d3 ef90 1a91 00a2 861a 5e67 6574 6261 6c5f 6571 2030 2030 2e30 2e30 2e30 2031 3030 3030

12:34:40.761066 ap2.labs.idt.net.6801 > internal.mydomain.com.10000: udp 12 (DF)

12:34:43.201066 0:0:86:16:5:6d > Broadcast sap e0 ui/C len=43 ffff 0022 0011 0000 0000 ffff ffff ffff 0452 0000 0000 0000 8616 056d 4008 0001 0004 0000 0000 0000 0000 00

*********

(ppp0)

12:45:12.201066 w.x.y.z.61330 > 169.132.184.211.6801: udp 12

12:45:12.201066 w.x.y.z.61331 > ap2.labs.idt.net.6801: udp 12

12:45:12.571066 169.132.184.211.6801 > internal.mydomain.com.10000: udp 12 (DF)

12:45:12.571066 w.x.y.z.61330 > 169.132.184.211.6801: udp 154

12:45:12.581066 ap2.labs.idt.net.6801 > internal.mydomain.com.10000: udp 12 (DF)

12:45:13.021066 169.132.184.211.62000 > w.x.y.z.10000: S 1448725872:1448725872(0) win 8760 <mss 1460> (DF)

12:45:13.021066 w.x.y.z.10000 > 169.132.184.211.62000: R 0:0(0) ack 1448725873 win 0

12:45:13.341066 169.132.184.211.62003 > w.x.y.z.10000: S 1449001890:1449001890(0) win 8760 <mss 1460> (DF)

12:45:13.341066 w.x.y.z.10000 > 169.132.184.211.62003: R 0:0(0) ack 1449001891 win 0

12:45:13.351066 169.132.184.211.62003 > w.x.y.z.10000: R 1449001891:1449001891(0) win 8760 (DF)

12:45:16.391066 169.132.184.211.46869 > w.x.y.z.6613: udp 55 (DF)

12:45:16.391066 w.x.y.z > 169.132.184.211: icmp: w.x.y.z udp port 6613 unreachable [tos 0xc0]

12:45:21.371066 169.132.184.211.46869 > w.x.y.z.6613: udp 55 (DF)

12:45:21.371066 w.x.y.z > 169.132.184.211: icmp: w.x.y.z udp port 6613 unreachable [tos 0xc0]

12:45:26.351066 169.132.184.211.46869 > w.x.y.z.6613: udp 55 (DF)

12:45:26.351066 w.x.y.z > 169.132.184.211: icmp: w.x.y.z udp port 6613 unreachable [tos 0xc0]

12:45:31.461066 169.132.184.211.46869 > w.x.y.z.6613: udp 55 (DF)

12:45:31.461066 w.x.y.z > 169.132.184.211: icmp: w.x.y.z udp port 6613 unreachable [tos 0xc0]

--
Luiz Otavio L. Zorzella                Computer Engineer


Need help with IP Masquerading and UDP packets

Post by Clif » Wed, 02 Jun 1999 04:00:00


  It looks like net2phone makes a call to the distant end on the 10000 port
and after a brief handshake changes to a different (possibly random) port to
make the actual transmission.  You will probably have to find out what the
range of the transmission port is and make allowances for it in your
firewall rules.  You could verify this by opening the firewall up and seeing
if the connection works.  Do it briefly, just to verify the problem.  Then
tweak your rules to allow for the port handoff.  The only other alternative
AFAIK is to use a proxy.  Either way, you still need to know what other
ports net2phone uses.

--
-Cliff
Views expressed are my own and not necessarily those of my employer
Concordia Net, Inc. When replying via email please use; cwheat at concordia
dot net not



Quote:

>Hi,

>I have a Win 95 inside a private LAN (ppp) that I set up with ip
>masquerading.

>To start, I had only one very simple rule:

>ipfwadm -F -a m -S 192.168.10.0/24 -D 0.0.0.0/0

>Everything works fine: www, ftp, etc. Then I installed net2phone
>(http://www.net2phone.com), and I'm trying to make it work.

>While setting up, net2phone makes a "Test for firewall", and fails in
>this test. I set up 2 specific rules for net2phone, then:

>ipfwadm -F -a m -b -P udp -S 192.168.10.51 10000 -D 0.0.0.0/0 10000
>ipfwadm -F -a m -b -P tcp -S 192.168.10.51 10000 -D 0.0.0.0/0 10000
>ipfwadm -F -a m -b -P icmp -S 192.168.10.51 10000

>and I configured net2phone to use the 10000 port number (it can be
>configured to anything you want, according to their website). The
>test still fails.

>I tcpdumped both eth0 (private LAN) and ppp0 (internet) while
>doing the test, and I think the problem comes from this line on my
>ppp0, though I don't know exactly what to do:

>12:45:31.461066 169.132.184.211.46869 > w.x.y.z.6613: udp 55 (DF)
>12:45:31.461066 w.x.y.z > 169.132.184.211: icmp: w.x.y.z udp port 6613 unreachable [tos 0xc0]


>Any help is appreciated. Please note that I made a "global replace"
>of my firewall IP address by w.x.y.z in the dumps, and a replace of
>my internal machine by internal.mydomain.com. Forgive my paranoia...
>:^>

>The traffic generated in the test, as seen by tcpdump on both
>interfaces, follows:

 [snip]
>--
>Luiz Otavio L. Zorzella                Computer Engineer




Diablo UDP packet problems behind IP Masquerading

I have IP Masquerading set up on my linux box and my internal machines can
interact via numerous ip protocols (HTTP, FTP, ...) but UDP packets do not
seem to be masqueraded.  I could not find a module to load to perform this
function either.
I am running RH5.2 (kernel 2.0.36).
Can anyone point me to a way to masquerade all UDP packets or generically
all ip packets to a specific host if it is not masquerading on that port for
another host?

example:
192.168.0.1 is my linux "router" using ip masquerading with external
(internet) address 200.200.200.1
192.168.0.2 is my local machine running Diablo

Now, when a packet originates from 192.168.0.2 port 1400, it goes through
the gateway at 192.168.0.1 and is masqueraded to originate from
200.200.200.1 port 69005.  A reply then comes back to 200.200.200.1 port
69005 and is masqueraded to 192.168.0.2 port 1400.  This works great.

What I need to do is say that if a port on 200.200.200.1 is not being
masqueraded, forward the packet to the exact same port on 192.168.0.2.
Or perhaps set up some rules on how to do this.  Since 192.168.0.2 is not an
internet ip address, I still need to masquerade instead of just forwarding,
but I want all unknown traffic (or traffic on specific ports) to be
masqueraded to that machine (192.168.0.2).

--
Thanks,
        Justin
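The behaviour Clif describes in his reply (the gateway only knows about a port once an internal host has sent something out through it) and the catch-all forwarding Justin asks for just above can both be seen in a small model of a masquerading table. This is an added example; it is not code from the thread, from net2phone, or from ipfwadm. It replays constructed tcpdump-style lines modelled on Luiz's ppp0 dump: the addresses w.x.y.z and 169.132.184.211 and the ports 61330, 6801, 6613 and 10000 come from that dump, while the internal host 192.168.10.51 as the sender of the first packet and the choice of 61330 as the first masquerade port are assumptions. Note that in Luiz's dump the outbound UDP from the masquerader goes to remote port 6801 and the inbound packets that get rejected arrive on ports 6613 and 10000, so rules that only match source and destination port 10000 see almost none of this traffic.

```python
"""Model of how an IP-masquerading gateway treats inbound packets.

Added example, not code from the thread.  The SAMPLE capture below is
constructed to mirror the ppp0 dump in the original post; the internal
host 192.168.10.51 and the first masquerade port 61330 are assumptions.
"""
import re
from collections import namedtuple

Packet = namedtuple("Packet", "ts src sport dst dport proto")

# Classic tcpdump line: "HH:MM:SS.uuuuuu SRC.SPORT > DST.DPORT: udp N"
# or "...: S seq:seq(0) win ..." for TCP.  ICMP lines have no ports and
# are deliberately not matched.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)


def parse_line(line):
    """Return a Packet for a UDP/TCP tcpdump line, or None for lines not modelled."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto = "udp" if m["rest"].startswith("udp") else "tcp"
    return Packet(m["ts"], m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), proto)


class MasqGateway:
    """Minimal 2.0.x-style masquerader: a mapping exists only after an
    internal host has sent a packet through the gateway."""

    MASQ_PORT_END = 65096  # kernel 2.0 allocates masquerade ports 61000..65095

    def __init__(self, external_ip, internal_prefix, first_port=61000,
                 default_host=None):
        self.ext = external_ip
        self.prefix = internal_prefix        # e.g. "192.168.10."
        self.default_host = default_host     # optional catch-all internal host
        self.next_port = first_port
        self.table = {}                      # (proto, ext_port) -> (int_ip, int_port)

    def _lookup_out(self, proto, ip, port):
        for key, val in self.table.items():
            if key[0] == proto and val == (ip, port):
                return key
        return None

    def handle(self, pkt):
        if pkt.src.startswith(self.prefix):
            # Outbound from the LAN: reuse or allocate an external port.
            key = self._lookup_out(pkt.proto, pkt.src, pkt.sport)
            if key is None:
                if self.next_port >= self.MASQ_PORT_END:
                    return ("DROP", "masquerade port range exhausted")
                key = (pkt.proto, self.next_port)
                self.next_port += 1
                self.table[key] = (pkt.src, pkt.sport)
            return ("MASQ_OUT", f"{self.ext}:{key[1]} -> {pkt.dst}:{pkt.dport}")
        if pkt.dst == self.ext:
            # Inbound to the gateway: only a known mapping reaches the LAN.
            mapped = self.table.get((pkt.proto, pkt.dport))
            if mapped:
                return ("DEMASQ_IN", f"{pkt.src}:{pkt.sport} -> {mapped[0]}:{mapped[1]}")
            if self.default_host:
                return ("FORWARD_IN",
                        f"{pkt.src}:{pkt.sport} -> {self.default_host}:{pkt.dport}")
            # Nothing mapped and nothing listening: the gateway answers itself.
            reason = "icmp port unreachable" if pkt.proto == "udp" else "tcp rst"
            return ("REJECT", f"no mapping for {self.ext}:{pkt.dport} ({reason})")
        return ("IGNORE", "not addressed to the gateway")


def run_capture(lines, gateway):
    """Feed parsed lines through the gateway; returns (ts, verdict, detail) tuples."""
    return [(p.ts, *gateway.handle(p)) for p in map(parse_line, lines) if p]


# Constructed capture modelled on the original ppp0 dump (see lead-in).
SAMPLE = """\
12:45:12.201066 192.168.10.51.10000 > 169.132.184.211.6801: udp 12
12:45:12.571066 169.132.184.211.6801 > w.x.y.z.61330: udp 12 (DF)
12:45:13.021066 169.132.184.211.62000 > w.x.y.z.10000: S 1448725872:1448725872(0) win 8760 <mss 1460> (DF)
12:45:16.391066 169.132.184.211.46869 > w.x.y.z.6613: udp 55 (DF)
12:45:16.391066 w.x.y.z > 169.132.184.211: icmp: w.x.y.z udp port 6613 unreachable [tos 0xc0]
""".splitlines()


if __name__ == "__main__":
    for gw in (MasqGateway("w.x.y.z", "192.168.10.", first_port=61330),
               MasqGateway("w.x.y.z", "192.168.10.", first_port=61330,
                           default_host="192.168.10.51")):
        print("default_host =", gw.default_host)
        for ts, verdict, detail in run_capture(SAMPLE, gw):
            print(f"  {ts} {verdict:10} {detail}")
```

Run on its own it prints the verdicts for the sample twice. Without a default host, the reply to the masqueraded flow on port 61330 is delivered back to 192.168.10.51:10000, while the TCP SYN to port 10000 and the UDP datagram to port 6613 have no table entry, so the gateway answers for itself (RST and ICMP port unreachable), which is what the original ppp0 dump shows. Two caveats: 61000-65095 is the range the 2.0.x masquerading code hands out, so a correspondent that insists on sending to a port of its own choosing will never hit a dynamically allocated mapping; and the default_host option, which is the catch-all Justin describes, exposes every port on that host to unsolicited traffic from the Internet, so in practice it should be limited to the ports the application actually needs, which is what port-forwarding tools such as ipportfw on 2.0 kernels and ipmasqadm portfw on 2.2 were written for.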
