PopTop blues - unable to browse certain websites over the VPN

 
 
Peter
Guest

 
      08-05-2004, 10:51 PM
I have a couple of RedHat servers (8.0 and 9.0) deployed in a similar,
quite common scenario: broadband attached to the server's ethernet
card protected with an iptables firewall, and office workstations
connected to the second ethernet card of the server through which they
can access the Internet as they like.
There is also a poptop VPN installed (1.1.4 b4) on the servers
allowing me to connect my laptop on WinXP to the office network using
PPTP over the Internet.
Everything seemed to be OK until I found out that certain websites
will not open and time out for no apparent reason on the laptop when
connected through the VPN. This issue is true for both servers, and each
one even uses a different ISP.

To rule out issues with ppp, dns and routing I have dialed into one of
the servers using an analog modem (this is a backup admin line) and
could browse the Internet fine.
WinXP laptop->ppp->analog_modem->phone_network->analog_modem->ppp2->RH server->ppp0->xDSL->Internet->webserver
Hence one would assume that it is the VPN that is to blame.

Following is the configuration causing trouble:

WinXP laptop->pptp->Internet->pptp ppp1->RH server->ppp0->xDSL->Internet->webserver
Note that both ppp0 and ppp1 are going through the same physical interface eth2.


I captured packets both for a successful connection to a website and an
unsuccessful one (timeout) but can make no sense out of it.
192.168.0.242 is the laptop, web 216.239.37.147 can browse fine, web
80.188.162.193 times out.

############# This one is OK:
tcpdump: listening on ppp1
23:28:42.039971 192.168.0.241.1402 > 216.239.37.147.http: S [tcp sum ok] 2585160176:2585160176(0) win 64240 <mss 1360,nop,wscale 0,nop,nop,sackOK> (DF) (ttl 64, id 54415, len 52)
23:28:42.164905 216.239.37.147.http > 192.168.0.241.1402: S [tcp sum ok] 1379970363:1379970363(0) ack 2585160177 win 8190 <mss 1356> (ttl 244, id 50356, len 44)
23:28:42.260022 192.168.0.241.1402 > 216.239.37.147.http: . [tcp sum ok] 1:1(0) ack 1 win 64240 (DF) (ttl 64, id 54420, len 40)
23:28:42.350204 192.168.0.241.1402 > 216.239.37.147.http: P 1:542(541) ack 1 win 64240 (DF) (ttl 64, id 54421, len 581)
23:28:42.490047 216.239.37.147.http > 192.168.0.241.1402: . [tcp sum ok] 1:1(0) ack 542 win 7649 (ttl 244, id 61876, len 40)
23:28:42.492508 216.239.37.147.http > 192.168.0.241.1402: . [tcp sum ok] 1:1(0) ack 542 win 31280 (ttl 53, id 4516, len 40)
23:28:42.512877 216.239.37.147.http > 192.168.0.241.1402: P 1:1049(1048) ack 542 win 32640 (ttl 53, id 4520, len 1088)
23:28:42.517688 216.239.37.147.http > 192.168.0.241.1402: P 1049:1695(646) ack 542 win 32640 (ttl 53, id 4522, len 686)
23:28:42.902758 192.168.0.241.1402 > 216.239.37.147.http: . [tcp sum ok] 542:542(0) ack 1695 win 64240 (DF) (ttl 64, id 54433, len 40)
23:28:43.010581 216.239.37.147.http > 192.168.0.241.1402: P 1:1049(1048) ack 542 win 32640 (ttl 53, id 4920, len 1088)
23:28:43.277880 192.168.0.241.1402 > 216.239.37.147.http: . [tcp sum ok] 542:542(0) ack 1695 win 64240 (DF) (ttl 64, id 54440, len 40)

11 packets received by filter
0 packets dropped by kernel

############ The following one fails
tcpdump: listening on ppp1
23:32:26.577766 192.168.0.241.1411 > 80.188.162.193.http: S [tcp sum ok] 2641200620:2641200620(0) win 64240 <mss 1360,nop,wscale 0,nop,nop,sackOK> (DF) (ttl 64, id 54823, len 52)
23:32:26.667694 80.188.162.193.http > 192.168.0.241.1411: S [tcp sum ok] 2321164847:2321164847(0) ack 2641200621 win 65535 <mss 1356,nop,wscale 0,nop,nop,sackOK> (DF) (ttl 108, id 12305, len 52)
23:32:26.765247 192.168.0.241.1411 > 80.188.162.193.http: . [tcp sum ok] 1:1(0) ack 1 win 64240 (DF) (ttl 64, id 54826, len 40)
23:32:26.830557 192.168.0.241.1411 > 80.188.162.193.http: P 1:426(425) ack 1 win 64240 (DF) (ttl 64, id 54828, len 465)
23:32:26.935447 80.188.162.193.http > 192.168.0.241.1411: P 1:382(381) ack 426 win 65110 (DF) (ttl 108, id 12342, len 421)
23:32:27.265439 192.168.0.241.1411 > 80.188.162.193.http: . [tcp sum ok] 426:426(0) ack 382 win 63859 (DF) (ttl 64, id 54839, len 40)

6 packets received by filter
0 packets dropped by kernel

To make matters even more interesting, one of the servers has a second
VPN installed based on CIPE that exhibits the same issues, i.e. the
network behind it cannot browse certain websites.

The CIPE configuration is the following:
workstation->ethernet->auxiliary RH9.0 server->CIPE->untrusted_network->CIPE->main RH server->ppp0->xDSL->Internet->webserver

So I guess it should not be VPN related? Any idea where I should look?
DNS works without a glitch and the sites that allow it are pinged
within 60 ms, but some of them will not open in a browser. I cannot
hack it.

Firewall pasted below:
#!/bin/bash

# Flush the filter and nat tables, so re-running the script does not
# append a second copy of every rule
iptables -F
iptables -t nat -F

# eth0 is internal trusted network served by DHCP
# eth1 is untrusted private network (UN)
# eth2 is untrusted broadband Internet network (ADSL)

# Log suspicious packets (currently disabled)
#iptables -A INPUT -i eth2 -m state --state NEW,INVALID -m limit \
#    --limit 3/minute --limit-burst 3 -j LOG --log-level debug \
#    --log-prefix "ADSL packet: "

# Allow CIPE VPN traffic from the UN: UDP 4343 carries the encrypted
# tunnel, cipecb0 is the decrypted side of it
iptables -A INPUT -i eth1 -p udp --dport 4343 -j ACCEPT
iptables -A INPUT -i cipecb0 -j ACCEPT

# Nothing else from the UN may open a connection to the server
iptables -A INPUT -i eth1 -m state --state NEW,INVALID -j DROP

iptables -A OUTPUT -o cipecb0 -j ACCEPT

# No NetBIOS towards the UN, and no new inbound connections from it
iptables -t filter -A FORWARD -p udp -o eth1 --dport 137:139 -j REJECT
iptables -t filter -A FORWARD -p tcp -o eth1 --dport 137:139 -j REJECT
iptables -A FORWARD -i eth1 -m state --state NEW,INVALID -j DROP

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# PPTP server: control channel on TCP 1723, tunnelled data in GRE;
# clamp the MSS of forwarded SYNs to the path MTU of the outgoing route
iptables -A INPUT -p tcp --syn --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
    --clamp-mss-to-pmtu

# Isolate ADSL: no new inbound connections from the Internet side
iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP

iptables -t filter -A FORWARD -p udp -o ppp0 --dport 137:139 -j REJECT
iptables -t filter -A FORWARD -p tcp -o ppp0 --dport 137:139 -j REJECT
iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

If anybody has any idea where to look please let me know. Thank you.

Peter
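The following is an added example, not part of the post above and not poptop or CIPE code: a small parser for tcpdump lines in the format shown in the two captures, which pulls out the MSS each side advertised, whether the DF bit is set, and the largest data segment seen in each direction, so a working and a stalling capture over the same tunnel can be compared field by field. The packet lines embedded in it are copied from the captures in the post (with the forum's line wrapping undone); the `pmtu_check_suggested` heuristic and all function names are my own and not something the post asserts.

```python
import re
from typing import Optional

# Packet lines copied from the two captures in the post, one packet per line.
OK_CAPTURE = """\
23:28:42.039971 192.168.0.241.1402 > 216.239.37.147.http: S [tcp sum ok] 2585160176:2585160176(0) win 64240 <mss 1360,nop,wscale 0,nop,nop,sackOK> (DF) (ttl 64, id 54415, len 52)
23:28:42.164905 216.239.37.147.http > 192.168.0.241.1402: S [tcp sum ok] 1379970363:1379970363(0) ack 2585160177 win 8190 <mss 1356> (ttl 244, id 50356, len 44)
23:28:42.260022 192.168.0.241.1402 > 216.239.37.147.http: . [tcp sum ok] 1:1(0) ack 1 win 64240 (DF) (ttl 64, id 54420, len 40)
23:28:42.350204 192.168.0.241.1402 > 216.239.37.147.http: P 1:542(541) ack 1 win 64240 (DF) (ttl 64, id 54421, len 581)
23:28:42.512877 216.239.37.147.http > 192.168.0.241.1402: P 1:1049(1048) ack 542 win 32640 (ttl 53, id 4520, len 1088)
23:28:42.517688 216.239.37.147.http > 192.168.0.241.1402: P 1049:1695(646) ack 542 win 32640 (ttl 53, id 4522, len 686)
"""

FAIL_CAPTURE = """\
23:32:26.577766 192.168.0.241.1411 > 80.188.162.193.http: S [tcp sum ok] 2641200620:2641200620(0) win 64240 <mss 1360,nop,wscale 0,nop,nop,sackOK> (DF) (ttl 64, id 54823, len 52)
23:32:26.667694 80.188.162.193.http > 192.168.0.241.1411: S [tcp sum ok] 2321164847:2321164847(0) ack 2641200621 win 65535 <mss 1356,nop,wscale 0,nop,nop,sackOK> (DF) (ttl 108, id 12305, len 52)
23:32:26.765247 192.168.0.241.1411 > 80.188.162.193.http: . [tcp sum ok] 1:1(0) ack 1 win 64240 (DF) (ttl 64, id 54826, len 40)
23:32:26.830557 192.168.0.241.1411 > 80.188.162.193.http: P 1:426(425) ack 1 win 64240 (DF) (ttl 64, id 54828, len 465)
23:32:26.935447 80.188.162.193.http > 192.168.0.241.1411: P 1:382(381) ack 426 win 65110 (DF) (ttl 108, id 12342, len 421)
23:32:27.265439 192.168.0.241.1411 > 80.188.162.193.http: . [tcp sum ok] 426:426(0) ack 382 win 63859 (DF) (ttl 64, id 54839, len 40)
"""

# One TCP packet line in the tcpdump 3.x output format used in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SPFR.]+) (?:\[tcp sum ok\] )?"
    r"(?:(?P<seq>\d+):\d+\((?P<len>\d+)\) )?"
    r"(?:ack (?P<ack>\d+) )?win (?P<win>\d+)"
    r"(?: <(?P<opts>[^>]*)>)?(?P<df> \(DF\))? "
    r"\(ttl (?P<ttl>\d+), id \d+, len (?P<iplen>\d+)\)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one tcpdump TCP line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    opts = m.group("opts") or ""
    mss = re.search(r"mss (\d+)", opts)
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "flags": m.group("flags"),
        "payload": int(m.group("len") or 0),          # TCP data bytes in this segment
        "ack": int(m.group("ack")) if m.group("ack") else None,
        "mss": int(mss.group(1)) if mss else None,   # only present on SYN / SYN-ACK
        "df": m.group("df") is not None,             # IP "don't fragment" bit
        "ttl": int(m.group("ttl")),
        "iplen": int(m.group("iplen")),
    }


def summarize(capture: str) -> dict:
    """Summarize one connection: MSS negotiation, DF bits, largest segment each way."""
    pkts = [p for p in map(parse_line, capture.splitlines()) if p]
    syn = next(p for p in pkts if "S" in p["flags"] and p["ack"] is None)
    client, server = syn["src"], syn["dst"]
    synack = next(p for p in pkts if "S" in p["flags"] and p["src"] == server)
    server_data = [p for p in pkts if p["src"] == server and p["payload"] > 0]
    client_data = [p for p in pkts if p["src"] == client and p["payload"] > 0]
    s = {
        "client": client,
        "server": server,
        "client_mss": syn["mss"],
        "server_mss": synack["mss"],
        "server_ttl": synack["ttl"],
        "max_payload_from_server": max((p["payload"] for p in server_data), default=0),
        "max_payload_from_client": max((p["payload"] for p in client_data), default=0),
        "server_sets_df": any(p["df"] for p in server_data),
    }
    # Heuristic (my own, not a verdict): when the far end sets DF on its data
    # and the capture never shows a segment as large as the client allowed,
    # a sensible next check is whether ICMP "fragmentation needed" messages
    # can reach that end across the tunnel, i.e. whether path MTU discovery
    # works end to end.
    s["pmtu_check_suggested"] = bool(
        s["server_sets_df"]
        and s["client_mss"] is not None
        and s["max_payload_from_server"] < s["client_mss"]
    )
    return s


if __name__ == "__main__":
    for name, cap in (("OK", OK_CAPTURE), ("FAILS", FAIL_CAPTURE)):
        print(name, summarize(cap))
```

Run against the two captures, the summary shows the same MSS exchange (1360 from the laptop, 1356 back) in both, but only the failing server marks its data with DF, and its only data segment is far smaller than what the laptop allowed; that is the kind of side-by-side difference worth noting before ruling the tunnel in or out.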