iptables, rt2400, only ping is routed

[sta_chu]

Hi.

I'm trying to set up my gentoo server as a router. Here how it looks like:

INTERNET -------- ISP -------- (Server)[192.168.2.29 128.0.0.1] -------- my local network (128.0.0.x]

Server is connecter do the internet via wireless NIC (rt2400 chipset). This NIC ip is 192.168.2.29. My kernel version is: 2.6.12-r10.

Here's my iptables script:

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat

iptables -A FORWARD -i eth0 -o ra0 -j ACCEPT

iptables -A FORWARD -i ra0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ra0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT

iptables -A POSTROUTING -t nat -o ra0 -j MASQUERADE

where:
- ra0 is NIC connected to internet (rt2400)
- eth0 is 100MBit NIC card

WHAT WORKS:
1. Any type of trasfer works betwen server and computers in my local network. (ping, ftp, vnc)
2. Server can access internet.
3. Computers in my local network can only ping computers in internet. Also DNS work fine for them.

WHAT DOESN'T WORK:
1. As mentioned before: Computers in my local network can only ping computers in internet BUT no other protocol is routed.

I've already set up this kind of router before. The only diference is that the previous one was connected to internet via normal 100Mbit NIC. I've set up everything exacly as in my first router, but this time only ping is routed.

Gregory Stachowiak

PS. Sorry for my poor english.

[saturas]

the rules are O.K

seems to me that there are 3 posibilities of your problems:

1. you have a routing problem on the router
2. it is something wrong with masquarade module in the kernel (trie to upgrade the kernel or reload the module)
3. you did not load the state module for iptables

i sugest to try with nat
load this modules

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state


and then this rule
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
_________________
"I can't go on. I'll go on."
S.B

[sta_chu]

Hi

Thanks for fast reply. I've added the line to my iptables. Now it looks like this:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
SNAT all -- anywhere anywhere to:192.168.2.29

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Unfortunately it didn't worked. I just got an idea. I'll try to find a program that will log package traffic. Maybe the routing is ok, maybe it's my ISP fault. Do you know any program that will do this??

Answers to other questions.
1. I already have the newest kernel.
2. I'm not using modules. The network options are compiled into the kernel. I tried modules before, but the result was identical: only ping was routed.

[saturas]

you can log with iptables and tcpdump
here is an example of logging syn packages with iptables

iptables -A INPUT -p tcp --syn -j LOG --log-prefix "SYN package: "--log-ip-options --log-tcp-options
iptables -A INPUT -p tcp --syn -j ACCEPT

the last rule can be DROP

with tcpdump you can monitor with the command

tcpdump host ip_address



another thing you said nothing about the state module (built-in). it is very important. icmp doesn't use this, but state protocol like TCP use it.

to make sure it is not the state module (builtin) try this one:

iptables -A FORWARD -i ra0 -o eth0 -j ACCEPT

PS the example above is for INPUT for you it woulf be relevant for forward. the result of iptables log is in /var/log/messages
_________________
"I can't go on. I'll go on."
S.B

[sta_chu]

Hi.

1. If by "state" you mean "Connection state match support" in kernel menuconfig, then yes, i have this option build into kernel. This command

iptables -A FORWARD -i ra0 -o eth0 -j ACCEPT

executed without any problems.

2. Tcpdump

I did not exacly understood end of your post. However I've instected eth0 and ra0 with tcpdump and here what it looks like:

First test
i've executed ping www.wp.pl on computer in my local network. I have fount logs coresponding to that ping in eth0 and ra0.

Second test
I've tried to access www.wp.pl vie net browser, and this opertaion was only loged on eth0.

So we can assume that it's my router problem.

What else is needed by tcp except "state"?

[saturas]

first let's explain my last post
i sugested you to use this command because i was not convinced that you enabled the "Connection state match support"
so this command avoids this state match

iptables -A FORWARD -i ra0 -o eth0 -j ACCEPT

the "PS" at the end of the post was refering to this set of rules
"
iptables -A INPUT -p tcp --syn -j LOG --log-prefix "SYN package: "--log-ip-options --log-tcp-options
iptables -A INPUT -p tcp --syn -j ACCEPT"

where you suposed to replace INPUT with FORWARD and observe the logs in /var/log/messages

O.K

about your last post.. hmm it is curious but you say that icmp works so i belive that you don't have any problems on routing but at tcp/udp packages.

there is another way to see if packages match each rule in your firewall (if you don't like logs )

try this command:
#iptables -L -n -v

it should display counters infront of each rule that you put in the firewall script. if you see counters other then "0 " it means that you have some matching packages. pay attention to the counters for the forwarding rules. maybe you could paste the result of this command in your last post.
_________________
"I can't go on. I'll go on."
S.B

[sta_chu]

I've checked this iptables -L -n -v command.

The FORWARD counters were set to zeros (server was restarted). First i've tried ping and both couters were set to 5. Than another test with web browser (without restarting server):

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
24 1247 ACCEPT all -- eth0 ra0 0.0.0.0/0 0.0.0.0/0
9 1262 ACCEPT all -- ra0 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Does it make any sense to you?

[sta_chu]

Mystery solved (mostly)

I phoned to my ISP and they said that they are blocking this kind of transfer. The trick is that routing works under win 2k with kerio winroute. So the routing is posible, it is prapobly a matter of configuring iptables to fool their defence. Do you have any idea how to do it.

[saturas]

they detect that you have a router because they observed the ttl. you can read more about this here http://www.sflow.org/detectNAT/. you have to make a nat that doesn't modify the ttl value. in other words you have to alter the ttl value in the header of the package. you can do this with mangle table. for this you need a patch for the kernel.

you can find it here http://dev.gentoo.org/~spock/stuff/2.6-ipt_TTL.patch
or here http://patchwork.netfilter.org/netfilter-devel/patch.pl?id=2824

the rule is like this

iptables -t mangle -A PREROUTING -j TTL --ttl-dec 2 -i eth0

maybe a proxy like squid can be an alternative
_________________
"I can't go on. I'll go on."
S.B

[sta_chu]

Hi

I'm having probles apllying this patch. I found on internet how to aplly it. I'm executing:

patch -p1 2.6-ipt_TTL.patch

in /usr/src/linux

and i'm waiting, waiting, ... After hour i gave up.

How long does it take to apply this patch?? (I'm running pentium II 400Mhz)

Maybe in gentoo there is another way of applying patch??

[sta_chu]

Ups my mistake

patch -p1 < 2.6-ipt_TTL.patch

forgot "<"

However I got error;

patching file include/linux/netfilter_ipv4/ipt_TTL.h
patching file net/ipv4/netfilter/ipt_TTL.c
patching file net/ipv4/netfilter/Kconfig
Hunk #1 succeeded at 405 (offset -82 lines).
patching file net/ipv4/netfilter/Makefile
Hunk #1 FAILED at 81.
Hunk #2 succeeded at 88 with fuzz 1 (offset -7 lines).
1 out of 2 hunks FAILED -- saving rejects to file net/ipv4/netfilter/Makefile.rej

And here is content of Makefile.rej

***************
*** 81,86 ****
obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o

# generic ARP tables
obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o
--- 81,87 ----
obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
+ obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o

# generic ARP tables
obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o


Any idea what this might be all about??

[sta_chu]

KILL ME, i'm haveing enough of this.

This patch works only on kernel 2.6.3. But I can not emerge this version. The oldest 2.6.x is 2.6.9. But i've downloaded 2.6.3 from www.kernel.org and successfully aplied patch and compiled it and....

iptables -t mangle -A PREROUTING -j TTL --ttl-dec 2 -i eth0

gives error:

iptables: No chain/target/match by that name

[sta_chu]

I've mailed guy who wrote this patch, and he gave me few tips. Howewer I won't have be able to do anything in this week. So I let you know how I'm doing in next week.

[sta_chu]

I gave up (temporarly). Wright now I'm setting poxy servers for different protocolos.

The problem with ttl was that I just couldn apply the patch. Everytime something was wrong. If you have some tutorial, that describes step by step, what todo, to make it work, i'd be wery greatfull.

And another question, I've been playing online game called "KalOnline". DO you have any idea if that kind of game can be played via proxy????