| View previous topic :: View next topic |
| Author |
Message |
intgr
Apprentice
Joined: 23 Jun 2004
Posts: 225
Location: Earth, Sol, Milky Way
|
 Posted: Thu Jul 29, 2004 8:16 pm Post subject: Two weird iptables/NAT problems [KERNEL BUG!] |
 |
|
Basically I have two problems, you can find a link to the analysis/detailed report below.
- When pinging a machine on the Internet from a machine behind the router, it recieves duplicate pings: First one with little delay and the second one with the real delay. This means that when my router first recieves the ICMP echo-request packet, it instantly replies using the source IP of the target machine, and forwards the packet to the target machine, which also responds, causing the duplicate.
- When a machine behind the router starts a TCP connection to the external interface's IP of the router the connection is made, but then instantly reset. The daemon, however, which the connection was destined for, never gets reset, resulting in a stale connection.
The detailed report is located at http://www.rafb.net/paste/results/ikpusj46.html. If you think it's worthwile, I can post the description from that URL to this forum. I can also provide any additional information.
EDIT: Already did that, scroll down for the report.
Last edited by intgr on Fri Jul 30, 2004 3:12 am; edited 2 times in total |
|
| Back to top |
|
 |
think4urs11
Bodhisattva
Joined: 25 Jun 2003
Posts: 6659
Location: above the cloud
|
| Posted: Thu Jul 29, 2004 9:16 pm Post subject: |
|
|
shot into the dark - do you have proxyarp enabled?
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself |
|
| Back to top |
|
|
intgr
Apprentice
Joined: 23 Jun 2004
Posts: 225
Location: Earth, Sol, Milky Way
|
| Posted: Thu Jul 29, 2004 9:20 pm Post subject: |
|
|
| Think4UrS11 wrote: | | shot into the dark - do you have proxyarp enabled? |
No, disabled for all interfaces. |
|
| Back to top |
|
|
intgr
Apprentice
Joined: 23 Jun 2004
Posts: 225
Location: Earth, Sol, Milky Way
|
| Posted: Thu Jul 29, 2004 10:57 pm Post subject: |
|
|
Ok. here we go (I'm importing the whole report):
Problem 1
My router seems to reply to and forward ICMP echo-request packets not destined for itself, so other machines report duplicates. ark.lan (10.0.0.7) is a machine behind the router, with its gateway set to warp.lan (10.0.0.4). The gateway uses rp-pppoe for connecting to my ADSL provider.
The second ping line doesn't show a DUP because ping returns immediatelly after the last, wrong packet is recieved.
| Code: |
sipsick@ark ~]$ ping -c2 noa.linux.ee
PING noa.linux.ee (195.222.16.154) 56(84) bytes of data.
64 bytes from noa.linux.ee (195.222.16.154): icmp_seq=1 ttl=64 time=18.6 ms
64 bytes from noa.linux.ee (195.222.16.154): icmp_seq=1 ttl=59 time=64.3 ms (DUP!)
64 bytes from noa.linux.ee (195.222.16.154): icmp_seq=2 ttl=64 time=12.6 ms
--- noa.linux.ee ping statistics ---
2 packets transmitted, 2 received, +1 duplicates, 0% packet loss, time 1021ms
rtt min/avg/max/mdev = 12.646/31.890/64.358/23.089 ms
|
Pinging an inexistant IP - the host doesn't respond, but my router still does
| Code: |
[sipsick@ark ~]$ ping -c2 1.0.0.1
PING 1.0.0.1 (1.0.0.1) 56(84) bytes of data.
64 bytes from 1.0.0.1: icmp_seq=1 ttl=64 time=9.58 ms
64 bytes from 1.0.0.1: icmp_seq=2 ttl=64 time=17.5 ms
--- 1.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1026ms
rtt min/avg/max/mdev = 9.589/13.549/17.509/3.960 ms
|
Route length 1, huh? No - noa.linux.ee is located at 6 hops from the router itself.
| Code: |
[sipsick@ark ~]$ tracepath noa.linux.ee
1: ark.lan (10.0.0.7) 0.171ms pmtu 1500
1: warp.lan (10.0.0.4) 5.339ms
1: noa.linux.ee (195.222.16.154) 5.506ms reached
Resume: pmtu 1500 hops 1 back 1
|
What happened at the other end:
| Code: |
[warp ~]# tcpdump -tttt host 10.0.0.7 and icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
2004-07-29 18:56:17.041929 IP ark.lan > noa.linux.ee: icmp 64: echo request seq 1
2004-07-29 18:56:17.042289 IP noa.linux.ee > ark.lan: icmp 64: echo reply seq 1
2004-07-29 18:56:17.190847 IP noa.linux.ee > ark.lan: icmp 64: echo reply seq 1
2004-07-29 18:56:18.049750 IP ark.lan > noa.linux.ee: icmp 64: echo request seq 2
2004-07-29 18:56:18.050094 IP noa.linux.ee > ark.lan: icmp 64: echo reply seq 2
2004-07-29 18:56:18.103174 IP noa.linux.ee > ark.lan: icmp 64: echo reply seq 2
6 packets captured
6 packets received by filter
0 packets dropped by kernel
|
(I created some special LOG rules for debugging. The counters, that get increased with every ping are prefixed with an '*')
| Code: |
[warp ~]# iptables -nvL
Chain INPUT (policy DROP 34 packets, 1757 bytes)
pkts bytes target prot opt in out source destination
0 0 LOG icmp -- * * 10.0.0.7 0.0.0.0/0 LOG flags 0 level 4
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
67 4669 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
1 106 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
* 2 168 LOG icmp -- * * 10.0.0.7 0.0.0.0/0 LOG flags 0 level 4
* 2 168 LOG icmp -- * * 0.0.0.0/0 10.0.0.7 LOG flags 0 level 4
176 104K ACCEPT all -- ppp0 eth0 0.0.0.0/0 0.0.0.0/0
232 174K ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 304 packets, 14856 bytes)
pkts bytes target prot opt in out source destination
* 2 168 LOG icmp -- * * 0.0.0.0/0 10.0.0.7 LOG flags 0 level 4
|
(Irrelevant entries removed)
| Code: |
[warp ~]# tail /var/log/messages
Jul 29 18:56:17 warp IN=eth0 OUT=ppp0 SRC=10.0.0.7 DST=195.222.16.154 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=61751 SEQ=1
Jul 29 18:56:17 warp IN= OUT=eth0 SRC=195.222.16.154 DST=10.0.0.7 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=20841 PROTO=ICMP TYPE=0 CODE=0 ID=61751 SEQ=1
Jul 29 18:56:17 warp IN=ppp0 OUT=eth0 SRC=195.222.16.154 DST=10.0.0.7 LEN=84 TOS=0x00 PREC=0x00 TTL=59 ID=36374 PROTO=ICMP TYPE=0 CODE=0 ID=61751 SEQ=1
Jul 29 18:56:18 warp IN=eth0 OUT=ppp0 SRC=10.0.0.7 DST=195.222.16.154 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=61751 SEQ=2
Jul 29 18:56:18 warp IN= OUT=eth0 SRC=195.222.16.154 DST=10.0.0.7 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=35406 PROTO=ICMP TYPE=0 CODE=0 ID=61751 SEQ=2
Jul 29 18:56:18 warp IN=ppp0 OUT=eth0 SRC=195.222.16.154 DST=10.0.0.7 LEN=84 TOS=0x00 PREC=0x00 TTL=59 ID=36375 PROTO=ICMP TYPE=0 CODE=0 ID=61751 SEQ=2
|
Problem 2
My router seems to create stale TCP connections when I access the IP of my router's remote interface (warp.dyn.ee, 213.35.249.222) from a machine behind the router, while the connection gets reset from the client's end.
| Code: |
[sipsick@ark ~]$ telnet warp.dyn.ee 80
Trying 213.35.249.222...
Connected to warp.dyn.ee.
Escape character is '^]'.
Connection closed by foreign host.
|
At the router's end:
| Code: |
[warp /etc/firewall]# tcpdump -tttt host 10.0.0.7
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
2004-07-29 19:06:26.642936 IP ark.lan.2085 > warp.lan.domain: 60168+ A? warp.dyn.ee. (29)
2004-07-29 19:06:26.645905 IP warp.lan.domain > ark.lan.2085: 60168 1/2/0 A warp.dyn.ee (97)
2004-07-29 19:06:26.661455 IP ark.lan.2117 > warp.dyn.ee.www: S 778200300:778200300(0) win 5840 <mss 1460,sackOK,timestamp 19630628 0,nop,wscale 0>
2004-07-29 19:06:26.661586 IP warp.dyn.ee.www > ark.lan.2117: S 3723894989:3723894989(0) ack 778200301 win 5792 <mss 1460,sackOK,timestamp 700110390 19630628,nop,wscale 0>
2004-07-29 19:06:26.661826 IP warp.dyn.ee.www > ark.lan.2117: S 0:0(0) ack 778200301 win 16000 <mss 1460>
2004-07-29 19:06:26.680992 IP ark.lan.2117 > warp.dyn.ee.www: . ack 3723894990 win 5840 <nop,nop,timestamp 19630631 700110390>
2004-07-29 19:06:26.681259 IP warp.dyn.ee.www > ark.lan.2117: R 1:1(0) ack 1 win 16000
2004-07-29 19:06:26.696450 IP ark.lan.2117 > warp.dyn.ee.www: . ack 3723894990 win 5840 <nop,nop,timestamp 19630632 700110390>
2004-07-29 19:06:26.696644 IP warp.dyn.ee.www > ark.lan.2117: R 3723894990:3723894990(0) win 0
|
My firewall configuration
| Code: |
[sipsick@warp ~]$ uname -a
Linux warp 2.6.7-gentoo-r11 #1 Wed Jul 21 14:06:47 Local time zone must be set--see zic manu i686 Pentium II (Deschutes) GenuineIntel GNU/Linux
|
| Code: |
[warp ~]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
warp.dyn.ee * 255.255.255.255 UH 0 0 0 ppp0
net.lan * 255.255.255.0 U 0 0 0 eth0
loopback localhost 255.0.0.0 UG 0 0 0 lo
default warp.dyn.ee 0.0.0.0 UG 0 0 0 ppp0
|
I use FERM for creating my iptables rules. (grep filters out all commented lines)
| Code: |
[warp ~]# ferm --debug --noexec /etc/firewall/fw.ferm |grep '^[^#]'
iptables -F -t filter
iptables -F -t nat
iptables -F -t mangle
iptables -X -t filter
iptables -X -t nat
iptables -X -t mangle
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -A INPUT -p icmp -s 10.0.0.7 -j LOG
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -i eth0 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -d 10.0.0.7 -j LOG
iptables -t filter -A FORWARD -p icmp -s 10.0.0.7 -j LOG
iptables -t filter -A FORWARD -p icmp -d 10.0.0.7 -j LOG
iptables -t filter -A FORWARD -i ppp0 -o eth0 -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -j ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
|
| Code: |
[warp ~]# grep '^[^#]' /etc/firewall/fw.ferm
option iptables
option clearall
option createchains
option automod
table filter chain (INPUT,FORWARD) policy DROP;
table filter chain OUTPUT policy ACCEPT;
chain INPUT
{
proto icmp saddr 10.0.0.7 LOG;
if lo ACCEPT;
if eth0 ACCEPT;
proto(tcp,icmp,udp) state ESTABLISHED,RELATED ACCEPT;
}
chain OUTPUT
{
proto icmp daddr 10.0.0.7 LOG;
}
chain FORWARD
{
proto icmp saddr 10.0.0.7 LOG;
proto icmp daddr 10.0.0.7 LOG;
if ppp0 of eth0 ACCEPT;
if eth0 ACCEPT;
}
table nat chain (PREROUTING,POSTROUTING,OUTPUT) policy ACCEPT;
table nat chain POSTROUTING
{
of ppp0 MASQ;
}
table mangle chain (PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING) policy ACCEPT;
|
Last edited by intgr on Fri Jul 30, 2004 3:32 am; edited 1 time in total |
|
| Back to top |
|
|
intgr
Apprentice
Joined: 23 Jun 2004
Posts: 225
Location: Earth, Sol, Milky Way
|
| Posted: Fri Jul 30, 2004 3:12 am Post subject: |
|
|
Ok, it turned out to be a bug in the kernel. After hours of debugging with Blissex on the #iptables channel on irc.freenode.net, I decided to try rebooting my system, and everything was back to normal after the reboot.
I'll try to get somebody look into this problem tomorrow (maybe even myself). Meanwhile, the logs are available at http://www.rafb.net/paste/results/nWWlNw95.html
The same log wrapped at 120 columns: http://www.rafb.net/paste/results/RzRDoj76.html |
|
| Back to top |
|
|
To
Veteran
Joined: 12 Apr 2003
Posts: 1145
Location: Coimbra, Portugal
|
| Posted: Fri Jul 30, 2004 8:32 am Post subject: |
|
|
Kernel with smurf built in, do you want it any better? 
Tó
_________________
------------------------------------------------
Linux Gandalf 3.2.35-grsec
Gentoo Base System version 2.2
------------------------------------------------ |
|
| Back to top |
|
|
intgr
Apprentice
Joined: 23 Jun 2004
Posts: 225
Location: Earth, Sol, Milky Way
|
| Posted: Fri Jul 30, 2004 7:39 pm Post subject: |
|
|
| To wrote: | | Kernel with smurf built in, do you want it any better? |
Right, urgent things like this would better be solved at the kernel level  |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
