Scientific Linux Forum.org




LAN Allowed, WAN Blocked
venom85
 Posted: Oct 17 2011, 04:31 PM
This is probably going to end up being some stupid mistake I made, but I'm really confused right now. Without intentionally accomplishing it, I've managed to block all access to my SL 6.1 server outside my home LAN. Inside the LAN, I've got full access to any port that I've opened in iptables even using the external DNS names. The router I have uses NAT loopback and its internal port forwards to know where to route the requests.

Outside the LAN, I can't get to anything. I've got a home router running the Tomato firmware (which, for those not familiar, is an embedded Linux firmware), and it has the proper ports forwarded to the proper IP. I can see in the logs that the packets are being forwarded to the correct internal IP, but I don't see a thing in any logs for the services running on the corresponding ports. This applies to SSH, LDAP, and HTTP. Obviously, there can be a ton of different things causing it, but does anybody have any suggestions for things to look at?

To narrow it down some, my hosts.allow and hosts.deny files are empty, SELinux is disabled, and I've even tried turning off iptables entirely. I also disabled ebtables, though honestly I'm not entirely sure how that works. I just saw that it's another firewall. Have I missed any other firewalls that are either installed by default or available in the default repos that I could have accidentally ended up with? Are there any network settings that could be tripping me up that anyone is familiar with? I know it's not a lot of information to go on, but I have no idea where to look or what you might want to see. I can post configs or logs as requested. Thanks a lot in advance for any help!
tux99
 Posted: Oct 17 2011, 07:54 PM
Install tcpdump (it's in the official SL6 repo) and see if you can see any incoming packets on your server when attempting to connect from the outside.


--------------------
My personal SL6 repository, specialized in audio/video software: http://pkgrepo.linuxtech.net/el6/
(can be used together with EPEL and ELRepo repositories) - repository mirror: http://linuxsoft.cern.ch/linuxtech/el6/
venom85
 Posted: Oct 17 2011, 08:22 PM
Thanks for the suggestion. I installed it and tried to load up a couple of websites while it was running. I see packets showing up with the correct source IP heading for the correct destination IP on the correct destination port. The pages never load in the browser though, and I see no hints of problems or access attempts at all in the Apache logs. I've copied a line of tcpdump below in case I'm not reading it correctly, but I think that indicates that I'm getting the data to the server properly.

10:17:18.247390 IP (tos 0x20, ttl 45, id 345, offset 0, flags [none], proto TCP (6), length 48)
199.xxx.xxx.xxx.44395 > 10.xxx.xxx.xxx.80: Flags [S], cksum 0x42a0 (correct), seq 811201926, win 65535, options [mss 1460,sackOK,eol], length 0
helikaon
 Posted: Oct 18 2011, 04:05 AM
Hi,
from what you say, the problem is on your router. I don't know your home LAN topology (whether you have IP forwarding up on the server, a properly set up gateway, routes, NICs, etc.), but from your home server you have to be able to reach out through the router.
Check your router settings again: proper forwarding, rules.

cheers


tux99
 Posted: Oct 18 2011, 12:14 PM
QUOTE (venom85 @ Oct 17 2011, 09:22 PM)

10:17:18.247390 IP (tos 0x20, ttl 45, id 345, offset 0, flags [none], proto TCP (6), length 48)
    199.xxx.xxx.xxx.44395 > 10.xxx.xxx.xxx.80: Flags [S], cksum 0x42a0 (correct), seq 811201926, win 65535, options [mss 1460,sackOK,eol], length 0


Yes if 10.xxx is your server (on which you are running tcpdump) and 199.xxx is the remote client then your server is receiving the packets from the client. Do you see any response packets leaving the server towards 199.xxx?
Have you tried disabling the firewall on your server?

You can check to see that the firewall is really disabled by running:

CODE
iptables -n -L


With a disabled firewall the output should look like this:
CODE
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


venom85
 Posted: Oct 18 2011, 01:41 PM
Correct, 10.xxx is my server and 199.xxx is the remote client. I do not see any packets returning. The firewall is definitely off (output matches what you posted exactly), so that doesn't seem to be it.

For the router, if I point the exact same port forward to the internal IP of a different Linux server running CentOS, it works perfectly. Also, I forgot to mention before that this machine has four physical NICs, one of which (eth3) is set up with a bridge for KVM virtual machines to use. The port is being forwarded to eth0, and I've never had a problem with this setup in the past. Granted, I did switch from CentOS 5.x to SL 6.1 recently, but there was a significant gap between the OS installation and this problem showing up. Outside of the bridge, I don't believe I have any unusual network configurations, but if there's anything specific in there I should be looking at I'm all ears.
tux99
 Posted: Oct 18 2011, 03:01 PM
What applications are you trying to reach on the server from the outside client (httpd or DNS server or mail server or what else)?

Do the logs of these server apps show that they receive the requests from the outside client?

Can you post the output of netstat -rn on the server?
(posting your internal IPs here shouldn't be a problem)


venom85
 Posted: Oct 18 2011, 06:16 PM
I'm attempting to reach OpenSSH and Apache. Both are on default ports. OpenSSH has almost no default settings changed. I have no indication in any logs that the connection attempt made it to those apps. I don't see any 199.xxx references anywhere.

Here's the output of netstat:

CODE
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0
10.179.0.0      0.0.0.0         255.255.0.0     U         0 0          0 eth0
10.179.0.0      0.0.0.0         255.255.0.0     U         0 0          0 eth2
10.179.0.0      0.0.0.0         255.255.0.0     U         0 0          0 bridge3
10.179.0.0      0.0.0.0         255.255.0.0     U         0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         10.179.1.1      0.0.0.0         UG        0 0          0 eth1


Also, thanks so much for your patience and help!
tux99
 Posted: Oct 18 2011, 07:42 PM
QUOTE (venom85 @ Oct 18 2011, 07:16 PM)
I'm attempting to reach OpenSSH and Apache. Both are on default ports. OpenSSH has almost no default settings changed. I have no indication in any logs that the connection attempt made it to those apps. I don't see any 199.xxx references anywhere.

Here's the output of netstat:

CODE
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0
10.179.0.0      0.0.0.0         255.255.0.0     U         0 0          0 eth0
10.179.0.0      0.0.0.0         255.255.0.0     U         0 0          0 eth2
10.179.0.0      0.0.0.0         255.255.0.0     U         0 0          0 bridge3
10.179.0.0      0.0.0.0         255.255.0.0     U         0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         10.179.1.1      0.0.0.0         UG        0 0          0 eth1


Also, thanks so much for your patience and help!


Your routing table looks wrong to me.

I thought you said eth0 was your local network interface, instead it looks like eth0, eth1, eth2, bridge3 are all configured to route packets to your local network (which won't work unless they are all physically connected to the local network too).
Also any packets to outside destinations (default gateway / 0.0.0.0 ) are being routed via eth1.

Can you also post the output of ifconfig ?


venom85
 Posted: Oct 18 2011, 07:52 PM
All four NICs are physically connected to the local network. At one point, my plan was to set up VLANs or subnets for segmenting different network tasks, but I haven't gotten around to actually setting anything up yet. Would you suggest changing the routing somehow? And, if so, how do I do that?

I also tried forwarding the ports to eth1 instead of eth0 with the same results.

CODE
bridge3   Link encap:Ethernet  HWaddr 00:24:8C:1B:42:C1
         inet addr:10.179.2.67  Bcast:10.179.255.255  Mask:255.255.0.0
         inet6 addr: fe80::224:8cff:fe1b:42c1/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:486370 errors:0 dropped:0 overruns:0 frame:0
         TX packets:17253 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:101533052 (96.8 MiB)  TX bytes:4470272 (4.2 MiB)

eth0      Link encap:Ethernet  HWaddr 00:24:8C:1B:42:54
         inet addr:10.179.2.1  Bcast:10.179.255.255  Mask:255.255.0.0
         inet6 addr: fe80::224:8cff:fe1b:4254/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:3033379 errors:0 dropped:0 overruns:0 frame:0
         TX packets:2817040 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:2306007741 (2.1 GiB)  TX bytes:2239009518 (2.0 GiB)
         Interrupt:18 Memory:fdfa0000-fdfc0000

eth1      Link encap:Ethernet  HWaddr 00:24:8C:1B:42:55
         inet addr:10.179.2.65  Bcast:10.179.255.255  Mask:255.255.0.0
         inet6 addr: fe80::224:8cff:fe1b:4255/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:366605 errors:0 dropped:0 overruns:0 frame:0
         TX packets:42951 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:119568412 (114.0 MiB)  TX bytes:6245972 (5.9 MiB)
         Interrupt:19 Memory:fdfe0000-fe000000

eth2      Link encap:Ethernet  HWaddr 00:24:8C:1B:42:C5
         inet addr:10.179.2.66  Bcast:10.179.255.255  Mask:255.255.0.0
         inet6 addr: fe80::224:8cff:fe1b:42c5/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:312228 errors:0 dropped:0 overruns:0 frame:0
         TX packets:13750 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:38484039 (36.7 MiB)  TX bytes:4219369 (4.0 MiB)
         Interrupt:18 Memory:fdce0000-fdd00000

eth3      Link encap:Ethernet  HWaddr 00:24:8C:1B:42:C1
         inet6 addr: fe80::224:8cff:fe1b:42c1/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:981841 errors:0 dropped:0 overruns:0 frame:0
         TX packets:28225 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:298351934 (284.5 MiB)  TX bytes:4974868 (4.7 MiB)
         Interrupt:19 Memory:fdbe0000-fdc00000

lo        Link encap:Local Loopback
         inet addr:127.0.0.1  Mask:255.0.0.0
         inet6 addr: ::1/128 Scope:Host
         UP LOOPBACK RUNNING  MTU:16436  Metric:1
         RX packets:8612 errors:0 dropped:0 overruns:0 frame:0
         TX packets:8612 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:936761 (914.8 KiB)  TX bytes:936761 (914.8 KiB)

virbr0    Link encap:Ethernet  HWaddr 52:54:00:57:66:F0
         inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
tux99
 Posted: Oct 18 2011, 08:22 PM
Unfortunately you xxx'ed out the 10.xx IP address in the earlier post when you were monitoring incoming packets with tcpdump, so I can't tell for sure, but I would guess that your server is receiving the initial handshake packets on eth0 and then sending responses on eth1 (since that's the default gw).
Your NAT-router will likely ignore these responses as they are arriving from the wrong address.

I think the best way to solve this is if you disconnect all but one eth port to the local lan (and unconfigure the respective interfaces), then check if it works correctly and only then think about how to make correct use of the additional interfaces again.

Also I don't have much experience with bridges, but AFAIK bridges are layer2 devices and therefore shouldn't have an IP address assigned? Why do you have a local lan IP address on the bridge3 device?
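Added example, not code from anyone in this thread: a small Python check that implements the asymmetric-routing diagnosis above. It parses the netstat -rn table venom85 posted (embedded as the sample input) and, for a forwarded packet arriving on a given interface, computes which interface the server's reply would leave on, so a mismatch (request in on eth0, reply out on eth1) shows up directly. The client address 199.0.0.1 and the tie-break rule (first listed route wins among equal prefixes) are assumptions of the example.

```python
import ipaddress

# Routing table as posted earlier in this thread (netstat -rn), embedded as the sample input.
NETSTAT_RN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0
10.179.0.0      0.0.0.0         255.255.0.0     U         0 0          0 eth0
10.179.0.0      0.0.0.0         255.255.0.0     U         0 0          0 eth2
10.179.0.0      0.0.0.0         255.255.0.0     U         0 0          0 bridge3
10.179.0.0      0.0.0.0         255.255.0.0     U         0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         10.179.1.1      0.0.0.0         UG        0 0          0 eth1
"""

def parse_routes(text):
    """Turn `netstat -rn` output into (network, gateway, iface) tuples in table order."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the title and header rows; data rows start with a dotted-quad destination.
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[7]
        net = ipaddress.IPv4Network(f"{dest}/{mask}")
        gateway = None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw)
        routes.append((net, gateway, iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match. Among equal prefixes the first listed route wins here
    (an assumption for this example; the kernel also weighs metric and insertion order)."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for net, gateway, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return best

def reply_path(routes, ingress_iface, remote_ip):
    """Egress interface for the reply to remote_ip after a packet arrived on ingress_iface,
    plus whether the path is symmetric (reply leaves where the request came in)."""
    _net, _gateway, egress = lookup(routes, remote_ip)
    return egress, egress == ingress_iface

def audit_forward_targets(routes, candidate_ifaces, remote_ip):
    """For each interface the router could forward to, report symmetric (True) or not.
    A False entry is the case described above: SYN in on one NIC, SYN-ACK out on another."""
    return {iface: reply_path(routes, iface, remote_ip)[1] for iface in candidate_ifaces}

if __name__ == "__main__":
    table = parse_routes(NETSTAT_RN)
    # 199.0.0.1 is a constructed stand-in for the masked 199.xxx client address.
    print(audit_forward_targets(table, ["eth0", "eth1", "eth2", "bridge3"], "199.0.0.1"))
```

With this table only a forward to eth1 yields a symmetric path; forwards to eth0, eth2 or bridge3 get their replies sent out via eth1's default route.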


helikaon
 Posted: Oct 19 2011, 05:24 AM
OK, summary:
(outside IP of router)
199.bla.bla.bla --| router | --10.179.1.1 (inside IP on router)

server with httpd and sshd ports open:
--eth0 --10.179.2.1
--eth1 --10.179.2.65
--eth2 --10.179.2.66
--eth3-- no IP since bridged --bridge3-- 10.179.2.67

1. default route set to inside IP defined on router -> correct
2. ?? What is the default gateway setting on the interfaces? Check in ifcfg-eth* and on the bridge; you should have the "GATEWAY=" stanza there.
3. ?? Which card is your packet arriving on? You replaced it with 'XXX' in your posted tcpdump. Don't worry, this is an inside IP and you can post it freely (don't post the outside IP).
4. Is your NetworkManager turned off?

Tux, the bridge setting is correct this way, e.g.:
ethx:
DEVICE=eth0
TYPE=Ethernet
HWADDR=00:14:5E:C2:1E:40
ONBOOT=yes
NM_CONTROLLED=no
BRIDGE=br0

bridge:
DEVICE=br0
TYPE=Bridge
NM_CONTROLLED=no
BOOTPROTO=static
IPADDR=10.10.1.152
NETMASK=255.255.255.0
ONBOOT=yes

cheers,

This post has been edited by helikaon: Oct 19 2011, 05:27 AM


venom85
 Posted: Oct 22 2011, 05:11 PM
Sorry about the delayed response, was sick most of the week.

I tried unplugging all but eth0's cable and shutting off eth1-3. I also noticed that, despite not seeing NetworkManager installed, the configs were set to be NM_CONTROLLED = "yes". So I changed that to no. Still nothing. I'm completely stumped.
tux99
 Posted: Oct 22 2011, 05:36 PM
QUOTE (venom85 @ Oct 22 2011, 06:11 PM)
I'm completely stumped.


Me too, I don't know what else to suggest.


helikaon
 Posted: Oct 22 2011, 08:10 PM
QUOTE (venom85 @ Oct 22 2011, 05:11 PM)
Sorry about the delayed response, was sick most of the week.

I tried unplugging all but eth0's cable and shutting off eth1-3. I also noticed that, despite not seeing NetworkManager installed, the configs were set to be NM_CONTROLLED = "yes". So I changed that to no. Still nothing. I'm completely stumped.


Hi,
you didn't answer my questions, so again:

1. Is IP forwarding on the server on?
cat /etc/sysctl.conf has net.ipv4.ip_forward = 1?
2. Paste the output of
netstat -r

3. I noticed now (I overlooked it) that your default route states 10.179.1.1 while your interfaces are 10.179.2.x. Is this on purpose? Your default route points to a different network segment...
Check your IP on the router's 'inside' interface and check your default route. This seems weird to me; I'd expect your default route to point to 10.179.2.1

4. Output of
chkconfig --list | grep NetworkManager
chkconfig --list | grep network

5. What is the default gateway setting on the interfaces?
cat /etc/sysconfig/network-scripts/ifcfg-ethxx ??
gateway=??

cheers



