IPCHAINS problem (TrinityOS firewall + Aliased IPs + RH7.0)


Post by Michael A. Mac » Sat, 17 Feb 2001 16:52:39



Problem:

I set up a Redhat Linux 7.0 box with a modified version of David
Ranch's TrinityOS strong IPCHAINS firewall. I modified the firewall to
allow for multiple aliased IPs on the same machine. Everything runs
fine until a few hours later (haven't pinned the time down yet, but it
happens overnight) the aliased IPs stop working (can't ping them,
etc.) and I get the following error messages in the syslog when I try
to ping one of the aliased boxes from an outside machine:

kernel: Packet log: input REJECT eth1 PROTO=1 <outside machine's IP>:8
<aliased IP>:0 L=60 S=0x00 I=38602 F=0x0000 T=14 (#5)

kernel: Packet log: output REJECT eth1 PROTO=1 <aliased IP>:3 <outside
machine's IP>:3 L=108 S=0xC0 I=518 F=0x0000 T=255 (#6)

I also get these messages when I try to access a web server (on an
aliased IP) from an outside machine:

kernel: Packet log: input REJECT eth1 PROTO=6 <outside machine's
IP>:37404 <aliased IP>:80 L=64 S=0x00 I=13228 F=0x4000 T=46 SYN (#5)

kernel: Packet log: output REJECT eth1 PROTO=1 <aliased IP>:3 <outside
machine's IP>:3 L=112 S=0xC0 I=6124 F=0x0000 T=255 (#6)

Note: If I restart the firewall, everything works fine again.

My first question is this: I'm pretty new to this and I am having a
hell of a time trying to figure out where to get some information on
decrypting these error messages. I.E. a listing of the PROTO numbers -
etc. Can anyone recommend a good source? Is there a HOWTO on this
subject that I missed?

Second question is: Anyone have any idea what is causing this? I also
noticed that the DNS server running on the same machine's main IP is
logging system messages that are 8 hours ahead of the local system
time. This could very well be the time at which the aliased IPs stop
working.

Man, I would really appreciate any help. Learning this stuff can be a
* when you get stuck ;-)

Thanks in advance,

Michael A. Mack

 
 
 

IPCHAINS problem (TrinityOS firewall + Aliased IPs + RH7.0)

Post by Manfred Bart » Sat, 17 Feb 2001 17:34:04



> Problem:

> I set up a Redhat Linux 7.0 box with a modified version of David
> Ranch's TrinityOS strong IPCHAINS firewall. I modified the firewall to
> allow for multiple aliased IPs on the same machine. Everything runs
> fine until a few hours later (haven't pinned the time down yet, but it
> happens overnight) the aliased IPs stop working (can't ping them,
> etc.) and I get the following error messages in the syslog when I try
> to ping one of the aliased boxes from an outside machine:

What do you mean by ``an aliased box''?

> kernel: Packet log: input REJECT eth1 PROTO=1 <outside machine's IP>:8
> <aliased IP>:0 L=60 S=0x00 I=38602 F=0x0000 T=14 (#5)

echo request, rejected with ``destination unreachable''

> kernel: Packet log: output REJECT eth1 PROTO=1 <aliased IP>:3 <outside
> machine's IP>:3 L=108 S=0xC0 I=518 F=0x0000 T=255 (#6)

destination unreachable reply, blocked

There is no point in using REJECT if you then block the consequent,
outgoing ICMP packet.

> I also get these messages when I try to access a web server (on an
> aliased IP) from an outside machine:

> kernel: Packet log: input REJECT eth1 PROTO=6 <outside machine's
> IP>:37404 <aliased IP>:80 L=64 S=0x00 I=13228 F=0x4000 T=46 SYN (#5)

incoming connection to web server, rejected with ``destination unreachable''

> kernel: Packet log: output REJECT eth1 PROTO=1 <aliased IP>:3 <outside
> machine's IP>:3 L=112 S=0xC0 I=6124 F=0x0000 T=255 (#6)

destination unreachable reply, blocked.  See above.

> Note: If I restart the firewall, everything works fine again.

> My first question is this: I'm pretty new to this and I am having a
> hell of a time trying to figure out where to get some information on
> decrypting these error messages. I.E. a listing of the PROTO numbers -
> etc. Can anyone recommend a good source? Is there a HOWTO on this
> subject that I missed?

<http://logi.cc/linux/ipchains-log-format.html>

> Second question is: Anyone have any idea what is causing this?

There is no way that the ipchains rules change by themselves after a
while.  So your problem is either there all the time or something else
is causing rules to be added or deleted (any cron jobs?).

Or, the problem might be elsewhere altogether.

> I also noticed that the DNS server running on the same machine's
> main IP is logging system messages that are 8 hours ahead of the
> local system time.

It probably uses UTC because its TZ is not set.  US time is approx
8h behind UTC isn't it?

Your system clock should use UTC and the TZ should be set for
your locality.

> This could very well be the time at which the aliased IPs stop
> working.

Hmm -- I can't think of a mechanism for that, but anything is
possible....

Try to make sense of the log messages and to understand the basic
syntax of the ipchains command.  It should only take an hour or so
and you will be in a much better position to ask more specific
questions, which are easier to answer  :)

Cheers
--
Manfred
---------------------------------------------------------------
ipchainsLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>
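Manfred's line-by-line decoding above, as an added example that is not part of the thread and not his ipchainsLogAnalyzer: a small POSIX sh/awk decoder for the ipchains "Packet log:" format, plus a counter for the pattern he points out, an output-chain REJECT (or DENY) of the ICMP destination-unreachable reply that an input REJECT just generated. The sample syslog lines and addresses are constructed (RFC 5737 documentation ranges), and the ICMP type table is an assumption covering only the common types.

```shell
#!/bin/sh
# Added example, not code from the thread: decode ipchains "Packet log:"
# syslog lines into readable form and count the pattern Manfred points at,
# an output-chain REJECT/DENY of the ICMP destination-unreachable (type 3)
# that an input REJECT generated.  Addresses are constructed RFC 5737
# documentation addresses, not the poster's.

# Constructed sample, same shape as the lines in the thread.
SAMPLE_LOG='Feb 17 03:12:44 fw kernel: Packet log: input REJECT eth1 PROTO=1 203.0.113.5:8 198.51.100.10:0 L=60 S=0x00 I=38602 F=0x0000 T=14 (#5)
Feb 17 03:12:44 fw kernel: Packet log: output REJECT eth1 PROTO=1 198.51.100.10:3 203.0.113.5:3 L=108 S=0xC0 I=518 F=0x0000 T=255 (#6)
Feb 17 03:12:51 fw kernel: Packet log: input REJECT eth1 PROTO=6 203.0.113.5:37404 198.51.100.10:80 L=64 S=0x00 I=13228 F=0x4000 T=46 SYN (#5)'

# decode_ipchains_log: stdin -> one decoded line per entry.
# Token order after "Packet log:" is
#   chain target iface PROTO=n src:sport dst:dport L= S= I= F= T= [SYN] (#rule)
# For PROTO=1 (ICMP) the "port" fields carry the ICMP type (source side)
# and code (destination side), which is why a ping shows as :8 / :0 and the
# unreachable reply as :3 / :3.
decode_ipchains_log() {
  awk '
  BEGIN {
    pname[1] = "ICMP"; pname[6] = "TCP"; pname[17] = "UDP"
    itype[0] = "echo-reply"; itype[3] = "destination-unreachable"
    itype[8] = "echo-request"; itype[11] = "time-exceeded"
  }
  /Packet log:/ {
    for (i = 1; i <= NF; i++) if ($i == "log:") break   # skip syslog prefix
    chain = $(i+1); target = $(i+2); iface = $(i+3)
    split($(i+4), pr, "="); proto = pr[2]
    split($(i+5), src, ":"); split($(i+6), dst, ":")
    rule = $NF; gsub(/[(#)]/, "", rule)
    if (proto == 1) {
      t = src[2]; c = dst[2]
      tname = (t in itype) ? itype[t] : "other"
      printf "%s %s %s ICMP type %s code %s (%s) %s -> %s rule#%s\n", chain, target, iface, t, c, tname, src[1], dst[1], rule
    } else {
      name = (proto in pname) ? pname[proto] : ("proto" proto)
      flags = ($0 ~ / SYN /) ? " SYN" : ""
      printf "%s %s %s %s %s:%s -> %s:%s%s rule#%s\n", chain, target, iface, name, src[1], src[2], dst[1], dst[2], flags, rule
    }
  }'
}

# count_blocked_icmp_unreach: stdin -> number of output-chain REJECT/DENY
# entries for ICMP type 3.  Anything above zero means the firewall rejects
# a packet and then throws away its own unreachable reply, so the sender
# sees a timeout instead of a refusal (REJECT behaving like DENY).
count_blocked_icmp_unreach() {
  awk '
  /Packet log:/ {
    for (i = 1; i <= NF; i++) if ($i == "log:") break
    if ($(i+1) == "output" && ($(i+2) == "REJECT" || $(i+2) == "DENY") && $(i+4) == "PROTO=1" && $(i+5) ~ /:3$/) n++
  }
  END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | decode_ipchains_log
# -> input REJECT eth1 ICMP type 8 code 0 (echo-request) 203.0.113.5 -> 198.51.100.10 rule#5
# -> output REJECT eth1 ICMP type 3 code 3 (destination-unreachable) 198.51.100.10 -> 203.0.113.5 rule#6
# -> input REJECT eth1 TCP 203.0.113.5:37404 -> 198.51.100.10:80 SYN rule#5
printf '%s\n' "$SAMPLE_LOG" | count_blocked_icmp_unreach   # -> 1
```

Run it as `grep 'Packet log:' /var/log/messages | sh -c '. ./decode.sh'` or paste the functions into a shell; the rule number in `(#n)` is the position in the chain that `ipchains -L -n --line-numbers` reports, which is what you compare before and after the overnight failure to see whether the chain has actually changed.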

 
 
 

IPCHAINS problem (TrinityOS firewall + Aliased IPs + RH7.0)

Post by Michael A. Mac » Sat, 17 Feb 2001 19:06:19





>> Problem:

>> I set up a Redhat Linux 7.0 box with a modified version of David
>> Ranch's TrinityOS strong IPCHAINS firewall. I modified the firewall to
>> allow for multiple aliased IPs on the same machine. Everything runs
>> fine until a few hours later (haven't pinned the time down yet, but it
>> happens overnight) the aliased IPs stop working (can't ping them,
>> etc.) and I get the following error messages in the syslog when I try
>> to ping one of the aliased boxes from an outside machine:

>What do you mean by ``an aliased box''?

I have set up the Linux Box to have 5 IP numbers on the same
interface (external). IFCONFIG shows 5 entries (IPs) for the same
interface - eth1, eth1:0, eth1:1, eth1:2, eth1:3 and eth1:4. The
culprit interfaces that stop working (from the outside only) are
the "Aliased" ones - eth1:0 etc. All five IPs work fine when accessed
from the internal network (via the inward facing interface eth0).


>> kernel: Packet log: input REJECT eth1 PROTO=1 <outside machine's IP>:8
>> <aliased IP>:0 L=60 S=0x00 I=38602 F=0x0000 T=14 (#5)

>echo request, rejected with ``destination unreachable''

>> kernel: Packet log: output REJECT eth1 PROTO=1 <aliased IP>:3 <outside
>> machine's IP>:3 L=108 S=0xC0 I=518 F=0x0000 T=255 (#6)

>destination unreachable reply, blocked

>There is no point in using REJECT if you then block the consequent,
>outgoing ICMP packet.

>> I also get these messages when I try to access a web server (on an
>> aliased IP) from an outside machine:

>> kernel: Packet log: input REJECT eth1 PROTO=6 <outside machine's
>> IP>:37404 <aliased IP>:80 L=64 S=0x00 I=13228 F=0x4000 T=46 SYN (#5)

>incoming connection to web server, rejected with ``destination unreachable''

>> kernel: Packet log: output REJECT eth1 PROTO=1 <aliased IP>:3 <outside
>> machine's IP>:3 L=112 S=0xC0 I=6124 F=0x0000 T=255 (#6)

>destination unreachable reply, blocked.  See above.

>> Note: If I restart the firewall, everything works fine again.

>> My first question is this: I'm pretty new to this and I am having a
>> hell of a time trying to figure out where to get some information on
>> decrypting these error messages. I.E. a listing of the PROTO numbers -
>> etc. Can anyone recommend a good source? Is there a HOWTO on this
>> subject that I missed?

><http://logi.cc/linux/ipchains-log-format.html>

Thanks, Manfred, this is REALLY useful.


>> Second question is: Anyone have any idea what is causing this?

>There is no way that the ipchains rules change by themselves after a
>while.  So your problem is either there all the time or something else
>is causing rules to be added or deleted (any cron jobs?).

No CRON jobs - took them out. The main reason I've singled out the
firewall code is that everything works again once I restart the
firewall.



>Or, the problem might be elsewhere altogether.

>> I also noticed that the DNS server running on the same machine's
>> main IP is logging system messages that are 8 hours ahead of the
>> local system time.

>It probably uses UTC because its TZ is not set.  US time is approx
>8h behind UTC isn't it?

>You system clock should use UTC and the TZ should be set for
>your locality.

>> This could very well be the time at which the aliased IPs stop
>> working.

>Hmm -- I can't think of a mechanism for that, but anything is
>possible....

>Try to make sense of the log messages and to understand the basic
>syntax of the ipchains command.  It should only take an hour or so
>and you will be in a much better position to ask more specific
>questions, which are easier to answer  :)

I'm going to work on this and post a more detailed question once I
spend some more time on this. The more I look at this, I think it
probably isn't a firewall problem. Thanks for your help.


>Cheers

Cheers to you.
 
 
 

IPCHAINS problem (TrinityOS firewall + Aliased IPs + RH7.0)

Post by Manfred Bart » Sat, 17 Feb 2001 19:29:44






> >> I set up a Redhat Linux 7.0 box with a modified version of David
> >> Ranch's TrinityOS strong IPCHAINS firewall. I modified the firewall to
> >> allow for multiple aliased IPs on the same machine. Everything runs
> >> fine until a few hours later (haven't pinned the time down yet, but it
> >> happens overnight) the aliased IPs stop working (can't ping them,
> >> etc.) and I get the following error messages in the syslog when I try
> >> to ping one of the aliased boxes from an outside machine:

> >What do you mean by ``an aliased box''?

> I have set up the Linux Box to have 5 IP numbers on the same
> interface (external). IFCONFIG shows 5 entries (IPs) for the same
> interface - eth1, eth1:0, eth1:1, eth1:2, eth1:3 and eth1:4. The
> culprit interfaces that stop working (from the outside only) are
> the "Aliased" ones - eth1:0 etc. All five IPs work fine when accessed
> from the internal network (via the inward facing interface eth0).

Ok, there should be no problem with that.  Just two points:

1. All 5 IP addresses will appear on your eth1.  ipchains has no
   concept of virtual interfaces.

2. You can write different ipchains-rules for the different IP
   addresses.  So point 1 should be no problem.

For example:

   ipchains -A input -i eth1 -d ipaddr4 ......

Cheers
--
Manfred
---------------------------------------------------------------
ipchainsLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>
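Manfred's two points above (ipchains sees only eth1, so each alias is selected by address with `-d`), carried through as an added example that is not part of the thread and not the TrinityOS rc.firewall script. It generates per-address rules for a list of alias IPs and also opens the ICMP destination-unreachable replies that REJECT produces, which ties back to the blocked `(#6)` entries in his first reply. The alias list and ports are assumptions; the addresses are constructed RFC 5737 examples.

```shell
#!/bin/sh
# Added example, not code from the thread or from TrinityOS: per-address
# ipchains rules for aliased IPs on one physical interface.  ipchains never
# sees eth1:0, eth1:1 ...; every alias address arrives on eth1, so each one
# is selected with -d (inbound) or -s (outbound) on its address.  The alias
# list and ports are assumptions; addresses are constructed RFC 5737 examples.

ALIASES='192.0.2.10 192.0.2.11'   # constructed stand-ins for eth1:0, eth1:1
PORTS='80 443'

# alias_rules EXT_IF "ip ..." "port ...": for every alias address, accept
# inbound TCP to the listed ports, let the ICMP destination-unreachable
# (type 3) replies that REJECT generates leave, and log-and-reject the rest.
# The command is taken from $IPCHAINS so the rules can be printed with
# IPCHAINS=echo instead of loaded into the kernel.
alias_rules() {
  ext_if=$1; addrs=$2; ports=$3
  cmd=${IPCHAINS:-ipchains}
  for a in $addrs; do
    for p in $ports; do
      $cmd -A input -i "$ext_if" -p tcp -d "$a" "$p" -j ACCEPT
    done
    # without this line the output chain blocks the reply and REJECT
    # degrades to DENY (the (#6) entries in the thread)
    $cmd -A output -i "$ext_if" -p icmp --icmp-type 3 -s "$a" -j ACCEPT
    $cmd -A input -i "$ext_if" -d "$a" -j REJECT -l
  done
}

# rule_count "ip ..." "port ...": how many rules alias_rules will load,
# (ports + 2) per address; a sanity check before touching the live chains.
rule_count() {
  ( IPCHAINS=echo; alias_rules eth1 "$1" "$2" ) | grep -c .
}

# Dry run: print the rules rather than loading them.
( IPCHAINS=echo; alias_rules eth1 "$ALIASES" "$PORTS" )
rule_count "$ALIASES" "$PORTS"   # -> 8
```

The dry run is the useful part for the problem in this thread: diff its output against `ipchains -L input -n` taken while the aliases are dead, and you know immediately whether the chain still contains the per-address ACCEPT rules or whether something has flushed or reordered them.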

 
 
 

1. ipchains firewall, problems with looking up IPs

Hey all,

I allow traffic on port 119 to my ISP's news server. However, the IPs that
are returned on a lookup are often different.

Sometimes I get x.x.x.2 and x.x.x.3, then other times I get x.x.x.5 and
x.x.x.3. Sometimes I get more than this. The problem is that when the
firewall is set up, it uses the particular IPs that were returned from the
lookup. Then when my local news server goes to fetch articles, it does a
lookup, and if the IP is different it is blocked.

I have 2 questions:

1/- Is it bad doing lookups like this because of the possibility of
spoofing the addresses?

2/- Is hard coding the range of IPs a good solution? What happens if the
IPs change?

Thanks, Matt

-- #!/usr/bin/perl
$A='A';while(print+($A.=(grep{($A=~/(...).{78}$/)[0]eq$_}"  A A A  "
=~m{(...)}g)?"A":" ")=~/([ A])$/){if(!(++$l%80)){print"\n";sleep 1}}
