blue_calling n00b
Joined: 23 Jun 2009 Posts: 8
Posted: Tue Jun 23, 2009 4:50 pm Post subject: Resolve issue
Problem:
Applications like ping and mplayer can't resolve web addresses occasionally and "randomly". I also get a long delay when accessing the box through ssh (between login as: and password:). Although I can still access the gentoo-box from a windows installation using samba over an openvpn installation.
I'm guessing this is an iptables problem, and the log seems to indicate that. But the iptables should allow DNS lookups, and the iptables rules stay the same when ping resolving works and when it doesn't.
Can someone please help me to troubleshoot?
Here is my info:
Code: route -n
```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
83.111.116.0    0.0.0.0         255.255.252.0   U     2000   0        0 wlan0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         83.111.116.1    0.0.0.0         UG    2000   0        0 wlan0
```
Code: iptables -L
```
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1195
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1195
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:1024:65535
ACCEPT     tcp  --  dynupdate.no-ip.com  anywhere             tcp spt:8245 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:6600 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:6600 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:6600
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:6600
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:sunrpc
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:sunrpc
ACCEPT     tcp  --  localhost            anywhere             tcp spt:sunrpc state ESTABLISHED
ACCEPT     tcp  --  !clue/24             anywhere             tcp dpt:sunrpc
ACCEPT     tcp  --  !localhost           anywhere             tcp dpt:sunrpc
ACCEPT     udp  --  anywhere             anywhere             udp dpt:sunrpc
ACCEPT     udp  --  anywhere             anywhere             udp spt:sunrpc state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere             LOG level warning prefix `iptables: INPUT_debug: '

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:1195
ACCEPT     udp  --  anywhere             anywhere             udp spt:1195
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65535
ACCEPT     tcp  --  anywhere             dynupdate.no-ip.com  tcp dpt:8245
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:6600
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:6600
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:6600
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:6600
ACCEPT     tcp  --  anywhere             localhost            tcp dpt:sunrpc
ACCEPT     tcp  --  anywhere             clue/24              tcp dpt:sunrpc
ACCEPT     tcp  --  anywhere             localhost            tcp spt:sunrpc state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             clue/24              tcp spt:sunrpc state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp dpt:sunrpc
ACCEPT     udp  --  anywhere             anywhere             udp spt:sunrpc state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere             LOG level warning prefix `iptables: OUTPUT_debug: '
```
From the log file:
Code:
```
Jun 21 12:12:23 localhost iptables: OUTPUT_debug: IN= OUT=lo SRC=83.111.117.107 DST=83.111.117.107 LEN=93 TOS=0x00 PREC=0xC0 TTL=64 ID=20926 PROTO=ICMP TYPE=3 CODE=1 [SRC=83.111.117.107 DST=195.54.122.204 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=34305 DF PROTO=UDP SPT=34369 DPT=53 LEN=45 ]
Jun 21 12:12:29 localhost iptables: OUTPUT_debug: IN= OUT=lo SRC=83.111.117.107 DST=83.111.117.107 LEN=113 TOS=0x00 PREC=0xC0 TTL=64 ID=20927 PROTO=ICMP TYPE=3 CODE=1 [SRC=83.111.117.107 DST=195.54.122.199 LEN=85 TOS=0x00 PREC=0x00 TTL=64 ID=54322 DF PROTO=UDP SPT=53169 DPT=53 LEN=65 ]
Jun 21 12:12:34 localhost iptables: OUTPUT_debug: IN= OUT=lo SRC=83.111.117.107 DST=83.111.117.107 LEN=113 TOS=0x00 PREC=0xC0 TTL=64 ID=20928 PROTO=ICMP TYPE=3 CODE=1 [SRC=83.111.117.107 DST=81.26.227.3 LEN=85 TOS=0x00 PREC=0x00 TTL=64 ID=59327 DF PROTO=UDP SPT=43286 DPT=53 LEN=65 ]
Jun 21 12:12:37 localhost iptables: OUTPUT_debug: IN= OUT=lo SRC=83.111.117.107 DST=83.111.117.107 LEN=113 TOS=0x00 PREC=0xC0 TTL=64 ID=20929 PROTO=ICMP TYPE=3 CODE=1 [SRC=83.111.117.107 DST=195.54.122.204 LEN=85 TOS=0x00 PREC=0x00 TTL=64 ID=62328 DF PROTO=UDP SPT=50618 DPT=53 LEN=65 ]
Jun 21 12:12:43 localhost iptables: OUTPUT_debug: IN= OUT=lo SRC=83.111.117.107 DST=83.111.117.107 LEN=113 TOS=0x00 PREC=0xC0 TTL=64 ID=20930 PROTO=ICMP TYPE=3 CODE=1 [SRC=83.111.117.107 DST=195.54.122.199 LEN=85 TOS=0x00 PREC=0x00 TTL=64 ID=54323 DF PROTO=UDP SPT=53169 DPT=53 LEN=65 ]
Jun 21 12:12:48 localhost iptables: OUTPUT_debug: IN= OUT=lo SRC=83.111.117.107 DST=83.111.117.107 LEN=113 TOS=0x00 PREC=0xC0 TTL=64 ID=20931 PROTO=ICMP TYPE=3 CODE=1 [SRC=83.111.117.107 DST=81.26.227.3 LEN=85 TOS=0x00 PREC=0x00 TTL=64 ID=59328 DF PROTO=UDP SPT=43286 DPT=53 LEN=65 ]
Jun 21 12:12:51 localhost iptables: OUTPUT_debug: IN= OUT=lo SRC=83.111.117.107 DST=83.111.117.107 LEN=113 TOS=0x00 PREC=0xC0 TTL=64 ID=20932 PROTO=ICMP TYPE=3 CODE=1 [SRC=83.111.117.107 DST=195.54.122.204 LEN=85 TOS=0x00 PREC=0x00 TTL=64 ID=62329 DF PROTO=UDP SPT=50618 DPT=53 LEN=65 ]
```
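The OUTPUT_debug lines in the post are easier to reason about once decoded: the outer packet on each line is an ICMP type 3 code 1 (destination unreachable, host unreachable) error with SRC equal to DST and OUT=lo, i.e. the box sent it to itself, and the part in square brackets is the packet that error quotes, a UDP datagram to port 53 of one of three nameservers. The Python script below is an added example, not code from the thread: it parses the iptables LOG format into the outer packet and the quoted inner packet, labels ICMP unreachables, and counts how many DNS queries each resolver drew an error. The sample input is constructed for the example: the first three lines from the post plus one made-up INPUT_debug line (placeholder MAC, documentation-range source address) to show that lines without a quoted packet also parse.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: three OUTPUT_debug lines quoted from the post and one
# made-up INPUT_debug line (placeholder MAC and a 192.0.2.0/24 test address).
SAMPLE_LOG = """\
Jun 21 12:12:23 localhost iptables: OUTPUT_debug: IN= OUT=lo SRC=83.111.117.107 DST=83.111.117.107 LEN=93 TOS=0x00 PREC=0xC0 TTL=64 ID=20926 PROTO=ICMP TYPE=3 CODE=1 [SRC=83.111.117.107 DST=195.54.122.204 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=34305 DF PROTO=UDP SPT=34369 DPT=53 LEN=45 ]
Jun 21 12:12:29 localhost iptables: OUTPUT_debug: IN= OUT=lo SRC=83.111.117.107 DST=83.111.117.107 LEN=113 TOS=0x00 PREC=0xC0 TTL=64 ID=20927 PROTO=ICMP TYPE=3 CODE=1 [SRC=83.111.117.107 DST=195.54.122.199 LEN=85 TOS=0x00 PREC=0x00 TTL=64 ID=54322 DF PROTO=UDP SPT=53169 DPT=53 LEN=65 ]
Jun 21 12:12:34 localhost iptables: OUTPUT_debug: IN= OUT=lo SRC=83.111.117.107 DST=83.111.117.107 LEN=113 TOS=0x00 PREC=0xC0 TTL=64 ID=20928 PROTO=ICMP TYPE=3 CODE=1 [SRC=83.111.117.107 DST=81.26.227.3 LEN=85 TOS=0x00 PREC=0x00 TTL=64 ID=59327 DF PROTO=UDP SPT=43286 DPT=53 LEN=65 ]
Jun 21 12:13:02 localhost iptables: INPUT_debug: IN=wlan0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.10 DST=83.111.117.107 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# syslog timestamp, host, the "iptables:" tag, the LOG prefix, then the packet fields
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ iptables: (?P<prefix>[^:]+): (?P<rest>.*)$")
# KEY=value pairs; IN= with an empty value still matches, bare flags such as DF or SYN do not
KV_RE = re.compile(r"([A-Z]+)=([^\s\]]*)")

# ICMP type 3 codes (RFC 792 / RFC 1122) that matter when reading these lines
ICMP_UNREACHABLE = {
    "0": "net unreachable", "1": "host unreachable", "2": "protocol unreachable",
    "3": "port unreachable", "4": "fragmentation needed", "13": "administratively prohibited",
}


@dataclass
class LogEntry:
    timestamp: str
    prefix: str
    outer: dict = field(default_factory=dict)  # the packet the chain actually saw
    inner: dict = field(default_factory=dict)  # packet quoted inside an ICMP error, if any

    def is_icmp_unreachable(self) -> bool:
        return self.outer.get("PROTO") == "ICMP" and self.outer.get("TYPE") == "3"

    def is_self_addressed(self) -> bool:
        # An error the local stack generated for its own traffic shows up on lo with SRC == DST.
        return self.outer.get("OUT") == "lo" and self.outer.get("SRC") == self.outer.get("DST")

    def describe(self) -> str:
        o = self.outer
        if self.is_icmp_unreachable() and self.inner:
            reason = ICMP_UNREACHABLE.get(o.get("CODE"), "code " + o.get("CODE", "?"))
            i = self.inner
            return (f"{self.timestamp} {self.prefix}: ICMP dest-unreachable ({reason}) quoting "
                    f"{i.get('PROTO')} {i.get('SRC')}:{i.get('SPT')} -> {i.get('DST')}:{i.get('DPT')}"
                    + (" [sent by this host to itself]" if self.is_self_addressed() else ""))
        return (f"{self.timestamp} {self.prefix}: {o.get('PROTO')} {o.get('SRC')}:{o.get('SPT', '-')}"
                f" -> {o.get('DST')}:{o.get('DPT', '-')} in={o.get('IN') or '-'} out={o.get('OUT') or '-'}")


def parse_line(line: str):
    """Parse one iptables LOG line; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Everything before "[" is the outer packet; inside the brackets is the quoted packet.
    outer_text, _, inner_text = m.group("rest").partition("[")
    return LogEntry(m.group("ts"), m.group("prefix"),
                    dict(KV_RE.findall(outer_text)), dict(KV_RE.findall(inner_text)))


def parse_log(text: str):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def failed_dns_by_resolver(entries):
    """Count ICMP-unreachable errors per quoted DNS server (queries to port 53)."""
    counts = Counter()
    for e in entries:
        if e.is_icmp_unreachable() and e.inner.get("DPT") == "53":
            counts[e.inner["DST"]] += 1
    return dict(counts)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(e.describe())
    print("DNS servers that drew an unreachable error:", failed_dns_by_resolver(entries))
```

Run against the real log, the per-resolver count separates "one flaky nameserver" from "every query fails", and the self-addressed marker distinguishes errors the host generated itself from errors a router returned, which arrive on the external interface with a foreign SRC.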
palettentreter Tux's lil' helper
Joined: 06 Feb 2006 Posts: 104
Posted: Tue Jun 23, 2009 6:57 pm Post subject:
Why exactly do you need OUTPUT filtering? What untrusted stuff might go out of that machine?
I'd set the OUTPUT policy to ACCEPT for a start and then check the behaviour. You might also try `tcpdump -i $SSH_INTERFACE port ssh` on the server and then ssh in there to see which end is causing the delay.
Err... just took a closer look at your rules. What's with the `ACCEPT all -- anywhere anywhere` line in INPUT and OUTPUT? Did you put that in for debugging? Because with that in there, the LOG rule should never be reached.
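The first-match point above is easy to check by modelling a slice of the INPUT chain. The script below is an added example, not code from the thread: Rule objects with optional protocol, port and input-interface matches stand in for the real rules (conntrack state is not modelled), and the chain is walked top to bottom the way netfilter does, with LOG treated as a non-terminating target. It compares the chain as `iptables -L` printed it, where the `ACCEPT all` line carries no interface because `-L` without `-v` omits the in/out columns, with the same chain where that rule is restricted to tap0, and reports which packets reach the trailing LOG rule.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str                      # "ACCEPT", "DROP" or "LOG"
    proto: Optional[str] = None      # None = any protocol ("all" in iptables -L output)
    in_iface: Optional[str] = None   # None = any interface; "-i tap0" in the real rule
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # Every specified match must hold; unspecified matches are wildcards.
        return all(want is None or want == have for want, have in (
            (self.proto, pkt.proto), (self.in_iface, pkt.iface),
            (self.sport, pkt.sport), (self.dport, pkt.dport)))


def evaluate(chain: List[Rule], policy: str, pkt: Packet) -> Tuple[str, bool]:
    """Walk the chain top to bottom. Returns (verdict, was_logged).
    LOG records the packet and lets matching continue; ACCEPT/DROP end the walk."""
    logged = False
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            logged = True
            continue
        return rule.target, logged
    return policy, logged  # nothing terminal matched: the chain policy decides


def input_chain(accept_all_iface: Optional[str]) -> List[Rule]:
    """A slice of the poster's INPUT chain. None reproduces what 'iptables -L' printed;
    "tap0" is the interface the poster says the ACCEPT-all rule is bound to."""
    return [
        Rule("ACCEPT", proto="udp", sport=53),        # udp spt:domain
        Rule("ACCEPT", proto="tcp", sport=53),        # tcp spt:domain
        Rule("ACCEPT", proto="tcp", dport=1195),
        Rule("ACCEPT", proto="udp", dport=1195),
        Rule("ACCEPT", in_iface=accept_all_iface),    # "ACCEPT all -- anywhere anywhere"
        Rule("ACCEPT", proto="tcp", dport=22),        # tcp dpt:ssh
        Rule("LOG"),                                  # LOG ... prefix "iptables: INPUT_debug: "
    ]


POLICY = "DROP"


def compare(pkt: Packet) -> dict:
    """Verdict and logging for one packet under both readings of the ACCEPT-all rule."""
    return {
        "as_printed": evaluate(input_chain(None), POLICY, pkt),
        "restricted_to_tap0": evaluate(input_chain("tap0"), POLICY, pkt),
    }


if __name__ == "__main__":
    # Constructed packets: an unsolicited UDP datagram on wlan0 to a port no rule
    # covers, and the same datagram arriving over the VPN tap interface.
    for pkt in (Packet("wlan0", "udp", 40000, 12345), Packet("tap0", "udp", 40000, 12345)):
        print(pkt, compare(pkt))
```

With the rule as printed, every packet that survives the first four rules is accepted and the LOG rule is dead code; bound to tap0, only VPN traffic takes that shortcut and wlan0 packets fall through to LOG and the DROP policy. Listing with `iptables -L -v -n` shows the in/out columns, so the two readings can be told apart directly on the box.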
blue_calling n00b
Joined: 23 Jun 2009 Posts: 8
Posted: Tue Jun 23, 2009 8:04 pm Post subject:
I started to do output filtering to decrease the damage in case something bad reaches my pc (trojan, misconfigured email server etc). Maybe a vain idea, but that's the reason. I tried setting the policy of the iptables OUTPUT to ACCEPT, but it didn't help with my problem.
The accept all everywhere rule is on the tap0 interface, so it should be ok.
In the above log extract, it looks like the DNS queries go to the loopback interface instead of wlan0. Is that correct? I have no local DNS server, and should use my ISP nameserver.
I also noticed that dhcpcd goes down approx. once each hour and then renews the IP address (and about once a day gets a totally new IP address). Could that be an issue?
Thanks 4 the help
palettentreter Tux's lil' helper
Joined: 06 Feb 2006 Posts: 104
Posted: Tue Jun 23, 2009 8:30 pm Post subject:
Yep. So this is probably not related to iptables. The DNS query going out of lo is definitely strange. Could you post your /etc/resolv.conf and another output of `ifconfig` and `route -n`, just to be sure? thx.
Ah, and also, just to be sure, the output of `iptables -t nat -L -v`.