Strange network problem


Postby osama » Tue Mar 31, 2009 12:30 am

I am facing a strange problem. I have this config

Eth0
Internal
192.168.3.0/24
Eth1
External
ISP dynamic IP
Eth2
External but on LAN and communicate with internal proxy
192.168.10.0/24

MASQ is done properly

Everything is fine, but for just two clients nothing is working. I logged packets and found this

Mar 31 00:21:41 office kernel: FORWARD-Firewall:IN=eth2 OUT=eth1 SRC=192.168.3.5 DST=74.54.6.3 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=10573 DF PROTO=TCP SPT=1117 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 31 00:21:45 office kernel: FORWARD-Firewall:IN=eth2 OUT=eth1 SRC=192.168.3.5 DST=74.54.6.3 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=10708 DF PROTO=TCP SPT=1119 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 31 00:21:46 office kernel: FORWARD-Firewall:IN=eth2 OUT=eth1 SRC=192.168.3.5 DST=74.54.6.3 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=10769 DF PROTO=TCP SPT=1121 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 31 00:21:54 office kernel: FORWARD-Firewall:IN=eth2 OUT=eth1 SRC=192.168.3.5 DST=74.54.6.3 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=10937 DF PROTO=TCP SPT=1123 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 31 00:21:54 office kernel: FORWARD-Firewall:IN=eth2 OUT=eth1 SRC=192.168.3.5 DST=74.54.6.3 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=10949 DF PROTO=TCP SPT=1124 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 31 00:22:01 office kernel: FORWARD-Firewall:IN=eth2 OUT=eth1 SRC=192.168.3.5 DST=74.54.6.3 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=11128 DF PROTO=TCP SPT=1128 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

These packets are entering from eth2 instead of eth0. I don't know why, and this is the problem. How do I solve this? Any suggestion?

If I change the default FORWARD/INPUT policy to ACCEPT then things start working for those clients too, as everything is accepted in the firewall.
osama
Havaldaar
Posts: 117
Joined: Fri Aug 22, 2008 9:08 am

Re: Strange network problem

Postby LinuxFreaK » Tue Mar 31, 2009 10:25 am

Dear osama,
Salam,

Post your firewall rules.

Best Regards.
Farrukh Ahmed
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi

Postby osama » Tue Mar 31, 2009 12:16 pm

Here it is

#Packets are marked like this
#$IPTABLES -t mangle -A PREROUTING -i $INTERNAL_INTERFACE -s $1 -m mac --mac-source $2 -j MARK --set-mark 101

###############################


#!/bin/bash

IPTABLES=/sbin/iptables
IP=/sbin/ip

EXTERNAL_INTERFACE="eth1"
INTERNAL_INTERFACE="eth0"
EXTERNAL_INTERFACE_SEC="eth2"

do_start() {

echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -F
$IPTABLES -t nat -F


/sbin/modprobe ip_nat_ftp

$IPTABLES -P FORWARD DROP

$IPTABLES -P INPUT DROP

$IPTABLES -t nat -A PREROUTING -p tcp --dport 135 -j DROP
$IPTABLES -t nat -A PREROUTING -p udp --dport 135 -j DROP
$IPTABLES -t nat -A PREROUTING -p tcp --dport 445 -j DROP
$IPTABLES -t nat -A PREROUTING -p tcp --dport 139 -j DROP
$IPTABLES -t nat -A PREROUTING -p udp --dport 80 -j DROP
$IPTABLES -t nat -A PREROUTING -p udp --dport 5060 -j DROP
$IPTABLES -t nat -A PREROUTING -p tcp --dport 5060 -j DROP

$IPTABLES -t nat -A PREROUTING -p icmp -m length --length 100: -j DROP

$IPTABLES -t nat -A PREROUTING -m state --state INVALID -j DROP

# All of the bits are cleared
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP

# SYN and FIN are both set
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# SYN and RST are both set
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# FIN and RST are both set
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

# FIN is set without the expected accompanying ACK
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP

# PSH is set without the expected accompanying ACK
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP

# URG is set without the expected accompanying ACK
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP

######### virus IP list START
$IPTABLES -t nat -A PREROUTING -d 62.219.197.36/32 -j DROP # virus

$IPTABLES -t nat -A PREROUTING -d 82.103.128.83/24 -j DROP # virus
######### virus IP list END

$IPTABLES -t nat -A PREROUTING -m mark --mark 101 -p tcp --dport 80 -j REDIRECT --to-port 8085

$IPTABLES -t nat -A POSTROUTING -m mark --mark 101 -o $EXTERNAL_INTERFACE -j MASQUERADE

$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE_SEC -j MASQUERADE

$IPTABLES -A INPUT -i lo -d 0/0 -j ACCEPT

$IPTABLES -A FORWARD -m limit --limit 15/minute -j LOG --log-prefix FORWARD-Firewall: --log-level 4

$IPTABLES -A FORWARD -i $INTERNAL_INTERFACE -m mark --mark 101 -j ACCEPT

$IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE_SEC -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE_SEC -m state --state ESTABLISHED,RELATED -j ACCEPT



$IPTABLES -A INPUT -i $INTERNAL_INTERFACE -m mark --mark 101 -j ACCEPT

#VNC
$IPTABLES -A INPUT -p udp --destination-port 5900 -j ACCEPT
$IPTABLES -A INPUT -p tcp --destination-port 5900 -j ACCEPT
$IPTABLES -A INPUT -p udp --destination-port 5901 -j ACCEPT
$IPTABLES -A INPUT -p tcp --destination-port 5901 -j ACCEPT

#DHCP
$IPTABLES -A INPUT -i $INTERNAL_INTERFACE -p tcp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $INTERNAL_INTERFACE -p udp --sport 68 --dport 67 -j ACCEPT

#SSH
$IPTABLES -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 22 -j ACCEPT

#TELNET
$IPTABLES -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 23 --syn -j ACCEPT

}

case "$1" in
*)
do_start
;;
esac
###############################
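An added check, not code from the thread: it parses netfilter LOG lines like those in the first post and flags packets whose SRC address belongs to a subnet that should only enter on a different interface (here 192.168.3.0/24 on eth0), which is exactly the case the mangle rule that sets mark 101 with -i $INTERNAL_INTERFACE never matches, so those SYNs fall through to the FORWARD DROP policy. The interface-to-subnet map is taken from the topology in the post; the third sample line is constructed as a well-behaved case for contrast.

```python
import ipaddress
import re

# Interface -> subnet map, taken from the topology given in the first post.
EXPECTED_SUBNETS = {
    "eth0": ipaddress.ip_network("192.168.3.0/24"),
    "eth2": ipaddress.ip_network("192.168.10.0/24"),
}

# key=value tokens of a netfilter LOG line; bare flags such as DF or SYN have no '='
_KV = re.compile(r"\b(\w+)=(\S+)")

def parse_log_line(line):
    """Return the key=value fields of one netfilter LOG line as a dict."""
    marker = "kernel: "
    idx = line.find(marker)
    body = line[idx + len(marker):] if idx >= 0 else line
    return dict(_KV.findall(body))

def expected_ingress(fields):
    """Interface the SRC address should have entered on, or None if it is
    consistent with IN= or the source is not in any mapped subnet."""
    src = ipaddress.ip_address(fields["SRC"])
    for iface, net in EXPECTED_SUBNETS.items():
        if src in net:
            return None if iface == fields["IN"] else iface
    return None

def find_mismatches(lines):
    """(SRC, actual IN, expected IN) for every line whose ingress interface is wrong."""
    hits = []
    for line in lines:
        f = parse_log_line(line)
        if "SRC" in f and "IN" in f:
            exp = expected_ingress(f)
            if exp is not None:
                hits.append((f["SRC"], f["IN"], exp))
    return hits

# Two lines from the post plus one constructed, well-behaved line for contrast.
SAMPLE_LOG = [
    "Mar 31 00:21:41 office kernel: FORWARD-Firewall:IN=eth2 OUT=eth1 SRC=192.168.3.5 DST=74.54.6.3 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=10573 DF PROTO=TCP SPT=1117 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Mar 31 00:21:45 office kernel: FORWARD-Firewall:IN=eth2 OUT=eth1 SRC=192.168.3.5 DST=74.54.6.3 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=10708 DF PROTO=TCP SPT=1119 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Mar 31 00:22:10 office kernel: FORWARD-Firewall:IN=eth0 OUT=eth1 SRC=192.168.3.7 DST=74.54.6.3 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=11200 DF PROTO=TCP SPT=1130 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for src, actual, exp in find_mismatches(SAMPLE_LOG):
        print(f"{src} arrived on {actual}, expected {exp}")
```

The same mapping can be checked on the box itself by comparing IN= against the routes `ip route` shows for each subnet, which is where a host on 192.168.3.0/24 reaching eth2 would also show up.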

Postby osama » Mon Apr 06, 2009 12:24 pm

Things are fine now by themselves :)
