I am facing a strange problem. I have this config
Eth0
Internal
192.168.3.0/24
Eth1
External
ISP dynamic IP
Eth2
External but on LAN and communicate with internal proxy
192.168.10.0/24
MASQ is done properly
Everything is fine but for just two clients nothing working. I logged packets and found this
Mar 31 00:21:41 office kernel: FORWARD-Firewall:IN=eth2 OUT=eth1 SRC=192.168.3.5 DST=74.54.6.3 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=10573 DF PROTO=TCP SPT=1117 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 31 00:21:45 office kernel: FORWARD-Firewall:IN=eth2 OUT=eth1 SRC=192.168.3.5 DST=74.54.6.3 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=10708 DF PROTO=TCP SPT=1119 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 31 00:21:46 office kernel: FORWARD-Firewall:IN=eth2 OUT=eth1 SRC=192.168.3.5 DST=74.54.6.3 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=10769 DF PROTO=TCP SPT=1121 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 31 00:21:54 office kernel: FORWARD-Firewall:IN=eth2 OUT=eth1 SRC=192.168.3.5 DST=74.54.6.3 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=10937 DF PROTO=TCP SPT=1123 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 31 00:21:54 office kernel: FORWARD-Firewall:IN=eth2 OUT=eth1 SRC=192.168.3.5 DST=74.54.6.3 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=10949 DF PROTO=TCP SPT=1124 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 31 00:22:01 office kernel: FORWARD-Firewall:IN=eth2 OUT=eth1 SRC=192.168.3.5 DST=74.54.6.3 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=11128 DF PROTO=TCP SPT=1128 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
These packets are entering from eth2 instead of eth0. I dont know why and this is the problem. How do I solve this? Any suggestion?
If a change default FORWARD/INPUT policy to ACCEPT then things start for those clients too as everything is accepted in firewall.
Strange network problem
-
- Site Admin
- Posts: 5132
- Joined: Fri May 02, 2003 10:24 am
- Location: Karachi
- Contact:
Re: Strange network problem
Dear osama,
Salam,
Post your firewall rules.
Best Regards.
Salam,
Post your firewall rules.
Best Regards.
Farrukh Ahmed
Here it is
#Packets are marked like this
#$IPTABLES -t mangle -A PREROUTING -i $INTERNAL_INTERFACE -s $1 -m mac --mac-source $2 -j MARK --set-mark 101
###############################
#!/bin/bash
IPTABLES=/sbin/iptables
IP=/sbin/ip
EXTERNAL_INTERFACE="eth1"
INTERNAL_INTERFACE="eth0"
EXTERNAL_INTERFACE_SEC="eth2"
do_start() {
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -F
$IPTABLES -t nat -F
/sbin/modprobe ip_nat_ftp
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -t nat -A PREROUTING -p tcp --dport 135 -j DROP
$IPTABLES -t nat -A PREROUTING -p udp --dport 135 -j DROP
$IPTABLES -t nat -A PREROUTING -p tcp --dport 445 -j DROP
$IPTABLES -t nat -A PREROUTING -p tcp --dport 139 -j DROP
$IPTABLES -t nat -A PREROUTING -p udp --dport 80 -j DROP
$IPTABLES -t nat -A PREROUTING -p udp --dport 5060 -j DROP
$IPTABLES -t nat -A PREROUTING -p tcp --dport 5060 -j DROP
$IPTABLES -t nat -A PREROUTING -p icmp -m length --length 100: -j DROP
$IPTABLES -t nat -A PREROUTING -m state --state INVALID -j DROP
# All of the bits are cleared
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is set without the expected accompanying ACK
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is set without the expected accompanying ACK
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is set without the expected accompanying ACK
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
#########virus ip start start
$IPTABLES -t nat -A PREROUTING -d 62.219.197.36/32 -j DROP # virus
$IPTABLES -t nat -A PREROUTING -d 82.103.128.83/24 -j DROP # virus
#########virus ip start END
$IPTABLES -t nat -A PREROUTING -m mark --mark 101 -p tcp --dport 80 -j REDIRECT --to-port 8085
$IPTABLES -t nat -A POSTROUTING -m mark --mark 101 -o $EXTERNAL_INTERFACE -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE_SEC -j MASQUERADE
$IPTABLES -A INPUT -i lo -d 0/0 -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 15/minute -j LOG --log-prefix FORWARD-Firewall: --log-level 4
$IPTABLES -A FORWARD -i $INTERNAL_INTERFACE -m mark --mark 101 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE_SEC -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE_SEC -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $INTERNAL_INTERFACE -m mark --mark 101 -j ACCEPT
#VNC
$IPTABLES -A INPUT -p udp --destination-port 5900 -j ACCEPT
$IPTABLES -A INPUT -p tcp --destination-port 5900 -j ACCEPT
$IPTABLES -A INPUT -p udp --destination-port 5901 -j ACCEPT
$IPTABLES -A INPUT -p tcp --destination-port 5901 -j ACCEPT
#DHCP
$IPTABLES -A INPUT -i $INTERNAL_INTERFACE -p tcp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $INTERNAL_INTERFACE -p udp --sport 68 --dport 67 -j ACCEPT
#SSH
$IPTABLES -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 22 -j ACCEPT
#TELNET
$IPTABLES -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 23 --syn -j ACCEPT
}
case "$1" in
*)
do_start
;;
esac
###############################
#Packets are marked like this
#$IPTABLES -t mangle -A PREROUTING -i $INTERNAL_INTERFACE -s $1 -m mac --mac-source $2 -j MARK --set-mark 101
###############################
#!/bin/bash
IPTABLES=/sbin/iptables
IP=/sbin/ip
EXTERNAL_INTERFACE="eth1"
INTERNAL_INTERFACE="eth0"
EXTERNAL_INTERFACE_SEC="eth2"
do_start() {
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -F
$IPTABLES -t nat -F
/sbin/modprobe ip_nat_ftp
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -t nat -A PREROUTING -p tcp --dport 135 -j DROP
$IPTABLES -t nat -A PREROUTING -p udp --dport 135 -j DROP
$IPTABLES -t nat -A PREROUTING -p tcp --dport 445 -j DROP
$IPTABLES -t nat -A PREROUTING -p tcp --dport 139 -j DROP
$IPTABLES -t nat -A PREROUTING -p udp --dport 80 -j DROP
$IPTABLES -t nat -A PREROUTING -p udp --dport 5060 -j DROP
$IPTABLES -t nat -A PREROUTING -p tcp --dport 5060 -j DROP
$IPTABLES -t nat -A PREROUTING -p icmp -m length --length 100: -j DROP
$IPTABLES -t nat -A PREROUTING -m state --state INVALID -j DROP
# All of the bits are cleared
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is set without the expected accompanying ACK
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is set without the expected accompanying ACK
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is set without the expected accompanying ACK
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
#########virus ip start start
$IPTABLES -t nat -A PREROUTING -d 62.219.197.36/32 -j DROP # virus
$IPTABLES -t nat -A PREROUTING -d 82.103.128.83/24 -j DROP # virus
#########virus ip start END
$IPTABLES -t nat -A PREROUTING -m mark --mark 101 -p tcp --dport 80 -j REDIRECT --to-port 8085
$IPTABLES -t nat -A POSTROUTING -m mark --mark 101 -o $EXTERNAL_INTERFACE -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE_SEC -j MASQUERADE
$IPTABLES -A INPUT -i lo -d 0/0 -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 15/minute -j LOG --log-prefix FORWARD-Firewall: --log-level 4
$IPTABLES -A FORWARD -i $INTERNAL_INTERFACE -m mark --mark 101 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE_SEC -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE_SEC -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $INTERNAL_INTERFACE -m mark --mark 101 -j ACCEPT
#VNC
$IPTABLES -A INPUT -p udp --destination-port 5900 -j ACCEPT
$IPTABLES -A INPUT -p tcp --destination-port 5900 -j ACCEPT
$IPTABLES -A INPUT -p udp --destination-port 5901 -j ACCEPT
$IPTABLES -A INPUT -p tcp --destination-port 5901 -j ACCEPT
#DHCP
$IPTABLES -A INPUT -i $INTERNAL_INTERFACE -p tcp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $INTERNAL_INTERFACE -p udp --sport 68 --dport 67 -j ACCEPT
#SSH
$IPTABLES -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 22 -j ACCEPT
#TELNET
$IPTABLES -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 23 --syn -j ACCEPT
}
case "$1" in
*)
do_start
;;
esac
###############################