Hi,
I used to use SuSEfirewall2 under SuSE Linux 9.1. Now I have changed to
Shorewall. Everything seems to work fine, though there are some
destinations on the Internet I am hardly able to connect to.
There are e.g. http://www.apple.com or http://www.microsoft.com which I
am not able to load in my browser. Microsoft comes up, but EXTREMELY slowly
for my connection speed. Apple won't display at all. When I do a
traceroute to www.apple.com it looks like this:
traceroute to www.apple.com (17.254.0.91), 30 hops max, 40 byte packets
1 192.168.0.1 0.425 ms 0.326 ms 0.398 ms
2 217.5.98.182 18.305 ms 24.331 ms 33.508 ms
3 217.237.154.146 34.744 ms 40.827 ms 46.910 ms
4 NYC-gw15.USA.net.DTAG.DE (62.156.131.150) 135.542 ms 141.819 ms 147.904 ms
5 dt-gw.n54ny.ip.att.net (192.205.32.57) 153.547 ms 159.630 ms 165.159 ms
6 tbr1-p010401.n54ny.ip.att.net (12.123.3.57) 172.675 ms 179.056 ms 186.475 ms
7 tbr1-cl1.cgcil.ip.att.net (12.122.10.2) 211.299 ms 217.676 ms 223.613 ms
8 tbr1-cl1.sffca.ip.att.net (12.122.10.6) 266.537 ms 273.782 ms 279.356 ms
9 gar1-p300.placa.ip.att.net (12.123.221.17) 272.279 ms 277.594 ms 283.984 ms
10 12.118.116.10 197.026 ms 201.897 ms 208.277 ms
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
I am really surprised about that. When I unload Shorewall and activate
SuSEfirewall2, it works just fine. Here's my firewall (Shorewall) config
from iptables-save:
intertux:~ # iptables-save
# Generated by iptables-save v1.2.9 on Sat Sep 18 12:13:15 2004
*mangle
:PREROUTING ACCEPT [21396:4675009]
:INPUT ACCEPT [11937:1199941]
:FORWARD ACCEPT [9409:3471851]
:OUTPUT ACCEPT [11980:2717115]
:POSTROUTING ACCEPT [21323:6173817]
:outtos - [0:0]
:pretos - [0:0]
-A PREROUTING -j pretos
-A OUTPUT -j outtos
-A outtos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
-A outtos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
-A outtos -p tcp -m tcp --dport 80 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --sport 80 -j TOS --set-tos 0x00
-A pretos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --dport 80 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --sport 80 -j TOS --set-tos 0x00
COMMIT
# Completed on Sat Sep 18 12:13:15 2004
# Generated by iptables-save v1.2.9 on Sat Sep 18 12:13:15 2004
*nat
:PREROUTING ACCEPT [1755:149562]
:POSTROUTING ACCEPT [291:23070]
:OUTPUT ACCEPT [0:0]
:ppp0_masq - [0:0]
:vpnlink_masq - [0:0]
-A POSTROUTING -o ppp0 -j ppp0_masq
-A POSTROUTING -o vpnlink -j vpnlink_masq
-A ppp0_masq -s 192.168.0.0/255.255.255.0 -j MASQUERADE
-A vpnlink_masq -s 192.168.0.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Sat Sep 18 12:13:15 2004
# Generated by iptables-save v1.2.9 on Sat Sep 18 12:13:15 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [1:48]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:DropDNSrep - [0:0]
:DropSMB - [0:0]
:DropUPnP - [0:0]
:Reject - [0:0]
:RejectAuth - [0:0]
:RejectSMB - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth0_fwd - [0:0]
:eth0_in - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:fw2vpn - [0:0]
:icmpdef - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:loc2vpn - [0:0]
:net2all - [0:0]
:ppp0_fwd - [0:0]
:ppp0_in - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
:vpn2all - [0:0]
:vpnlink_fwd - [0:0]
:vpnlink_in - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ! icmp -m state --state INVALID -j DROP
-A INPUT -i eth0 -j eth0_in
-A INPUT -i ppp0 -j ppp0_in
-A INPUT -i vpnlink -j vpnlink_in
-A INPUT -j Drop
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:DROP:" --log-level 6
-A INPUT -j DROP
-A FORWARD -p ! icmp -m state --state INVALID -j DROP
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -i ppp0 -j ppp0_fwd
-A FORWARD -i vpnlink -j vpnlink_fwd
-A FORWARD -j Drop
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:DROP:" --log-level 6
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p ! icmp -m state --state INVALID -j DROP
-A OUTPUT -o ppp0 -j fw2net
-A OUTPUT -o eth0 -j fw2loc
-A OUTPUT -o vpnlink -j fw2vpn
-A OUTPUT -j Drop
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:DROP:" --log-level 6
-A OUTPUT -j DROP
-A Drop -j RejectAuth
-A Drop -j dropBcast
-A Drop -j dropInvalid
-A Drop -j DropSMB
-A Drop -j DropUPnP
-A Drop -j dropNotSyn
-A Drop -j DropDNSrep
-A DropDNSrep -p udp -m udp --sport 53 -j DROP
-A DropSMB -p udp -m udp --dport 135 -j DROP
-A DropSMB -p udp -m udp --dport 137:139 -j DROP
-A DropSMB -p udp -m udp --dport 445 -j DROP
-A DropSMB -p tcp -m tcp --dport 135 -j DROP
-A DropSMB -p tcp -m tcp --dport 139 -j DROP
-A DropSMB -p tcp -m tcp --dport 445 -j DROP
-A DropUPnP -p udp -m udp --dport 1900 -j DROP
-A Reject -j RejectAuth
-A Reject -j dropBcast
-A Reject -j dropInvalid
-A Reject -j RejectSMB
-A Reject -j DropUPnP
-A Reject -j dropNotSyn
-A Reject -j DropDNSrep
-A RejectAuth -p tcp -m tcp --dport 113 -j reject
-A RejectSMB -p udp -m udp --dport 135 -j reject
-A RejectSMB -p udp -m udp --dport 137:139 -j reject
-A RejectSMB -p udp -m udp --dport 445 -j reject
-A RejectSMB -p tcp -m tcp --dport 135 -j reject
-A RejectSMB -p tcp -m tcp --dport 139 -j reject
-A RejectSMB -p tcp -m tcp --dport 445 -j reject
-A dropBcast -m pkttype --pkt-type broadcast -j DROP
-A dropBcast -m pkttype --pkt-type multicast -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP
-A eth0_fwd -m state --state INVALID,NEW -j dynamic
-A eth0_fwd -o ppp0 -j loc2net
-A eth0_fwd -o vpnlink -j loc2vpn
-A eth0_in -m state --state INVALID,NEW -j dynamic
-A eth0_in -j loc2fw
-A fw2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2loc -j LOG --log-prefix "Shorewall:fw2loc:ACCEPT:" --log-level 6
-A fw2loc -j ACCEPT
-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2net -j LOG --log-prefix "Shorewall:fw2net:ACCEPT:" --log-level 6
-A fw2net -j ACCEPT
-A fw2vpn -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2vpn -j LOG --log-prefix "Shorewall:fw2vpn:ACCEPT:" --log-level 6
-A fw2vpn -j ACCEPT
-A loc2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2fw -j LOG --log-prefix "Shorewall:loc2fw:ACCEPT:" --log-level 6
-A loc2fw -j ACCEPT
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -j LOG --log-prefix "Shorewall:loc2net:ACCEPT:" --log-level 6
-A loc2net -j ACCEPT
-A loc2vpn -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2vpn -j LOG --log-prefix "Shorewall:loc2vpn:ACCEPT:" --log-level 6
-A loc2vpn -j ACCEPT
-A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2all -j Drop
-A net2all -j LOG --log-prefix "Shorewall:net2all:DROP:" --log-level 6
-A net2all -j DROP
-A ppp0_fwd -m state --state INVALID,NEW -j dynamic
-A ppp0_fwd -o eth0 -j net2all
-A ppp0_fwd -o vpnlink -j net2all
-A ppp0_in -m state --state INVALID,NEW -j dynamic
-A ppp0_in -j net2all
-A reject -m pkttype --pkt-type broadcast -j DROP
-A reject -m pkttype --pkt-type multicast -j DROP
-A reject -s 192.168.0.255 -j DROP
-A reject -s 255.255.255.255 -j DROP
-A reject -s 224.0.0.0/240.0.0.0 -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A smurfs -s 192.168.0.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 192.168.0.255 -j DROP
-A smurfs -s 255.255.255.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 255.255.255.255 -j DROP
-A smurfs -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 224.0.0.0/240.0.0.0 -j DROP
-A vpn2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A vpn2all -j Drop
-A vpn2all -j LOG --log-prefix "Shorewall:vpn2all:DROP:" --log-level 6
-A vpn2all -j DROP
-A vpnlink_fwd -m state --state INVALID,NEW -j dynamic
-A vpnlink_fwd -o ppp0 -j vpn2all
-A vpnlink_fwd -o eth0 -j vpn2all
-A vpnlink_in -m state --state INVALID,NEW -j dynamic
-A vpnlink_in -j vpn2all
COMMIT
The fact that it works with SuSEfirewall2 leads me to think that my
Shorewall config is incorrect. Would someone please help me...
Thanks in advance!
Jochen Demmer
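As an added example (not part of Jochen's post and not Shorewall's own code), here is a small Python walker over an excerpt of the iptables-save dump above. It parses the rules, including the old `-p ! icmp` negation syntax the dump uses, follows a packet through the user chains the way the kernel would (descending into a user chain, falling through when it returns without a verdict, treating LOG as non-terminal) and reports the verdict, the chains visited and whether a mangle rule rewrote the TOS byte. The ruleset excerpt and the packets are constructed for the example: the filter walks show that LAN-to-Internet port 80 traffic is accepted in loc2net and that an unsolicited SYN from ppp0 is dropped in net2all after the Drop chain has returned, while the mangle walk shows that every outbound port-80 packet leaves with TOS 0x10. When the filter path looks correct but only some destinations misbehave, that mangle side effect is the kind of thing worth checking next, because it is easy to overlook in a dump that is mostly ACCEPT/DROP rules.

```python
import shlex
# Excerpt of the iptables-save output quoted in the post (constructed for this example and
# trimmed to the chains walked below; parse() creates each user chain on its first -A line).
RULESET = """\
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -j pretos
-A pretos -p tcp -m tcp --dport 80 -j TOS --set-tos 0x10
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -p ! icmp -m state --state INVALID -j DROP
-A INPUT -i ppp0 -j ppp0_in
-A FORWARD -i eth0 -j eth0_fwd
-A Drop -j dropNotSyn
-A dropNotSyn -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP
-A eth0_fwd -o ppp0 -j loc2net
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -j LOG --log-prefix "Shorewall:loc2net:ACCEPT:" --log-level 6
-A loc2net -j ACCEPT
-A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2all -j Drop
-A net2all -j LOG --log-prefix "Shorewall:net2all:DROP:" --log-level 6
-A net2all -j DROP
-A ppp0_in -j net2all
COMMIT
"""

def parse_rule(toks):
    # tokens after "-A <chain>" -> (matches, (target, target args))
    matches, i = [], 0
    while i < len(toks):
        neg = toks[i] == "!"                          # new syntax: ! --tcp-flags ...
        i += neg
        opt = toks[i]
        if i + 1 < len(toks) and toks[i + 1] == "!":  # old syntax: -p ! icmp
            neg, i = True, i + 1
        n = 2 if opt == "--tcp-flags" else 1          # --tcp-flags takes "mask comp"
        args, i = toks[i + 1:i + 1 + n], i + 1 + n
        if opt == "-j":
            return matches, (args[0], toks[i:])
        if opt != "-m":                               # "-m tcp"/"-m state" only load a module
            matches.append((opt, neg, args))
    raise ValueError("rule without -j target")

def parse(text):
    # iptables-save text -> {table: {"policy": {chain: policy}, "chains": {chain: [rules]}}}
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "chains": {}})
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            table["policy"][name] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)
            table["chains"].setdefault(toks[1], []).append(parse_rule(toks[2:]))
    return tables

def match_one(opt, args, pkt):
    # one match option against a packet dict; anything not modelled fails loudly
    if opt in ("-i", "-o", "-p"):
        return pkt.get({"-i": "in", "-o": "out", "-p": "proto"}[opt]) == args[0]
    if opt in ("--dport", "--sport"):
        lo, _, hi = args[0].partition(":")            # single port or lo:hi range
        port = pkt.get(opt[2:])
        return port is not None and int(lo) <= port <= int(hi or lo)
    if opt == "--state":
        return pkt.get("state") in args[0].split(",")
    if opt == "--tcp-flags":                          # of the mask bits, exactly comp are set
        mask, comp = (set(a.split(",")) for a in args)
        return pkt.get("flags", set()) & mask == comp
    raise ValueError(f"unsupported match {opt}")

def walk(table, chain, pkt, path):
    path.append(chain)
    for matches, (target, targs) in table["chains"].get(chain, []):
        if not all(match_one(o, a, pkt) != neg for o, neg, a in matches):
            continue
        if target in ("ACCEPT", "DROP", "REJECT", "MASQUERADE"):
            return target
        if target in table["chains"]:                 # user chain: descend, fall through on return
            verdict = walk(table, target, pkt, path)
            if verdict is not None:
                return verdict
        elif target == "TOS":                         # non-terminal, but a side effect worth noting
            pkt.setdefault("tos", []).append(targs[1])
    return None                                       # LOG and friends: keep walking the chain

def trace(tables, table, chain, pkt):
    # (verdict, chains visited in order, TOS values written) for one packet
    pkt, path = dict(pkt), []
    verdict = walk(tables[table], chain, pkt, path) or tables[table]["policy"][chain]
    return verdict, path, pkt.get("tos", [])

TABLES = parse(RULESET)
# constructed packets: a browser SYN from the LAN to a web server, and an unsolicited SYN from the Internet
LAN_SYN = {"in": "eth0", "out": "ppp0", "proto": "tcp", "dport": 80, "state": "NEW", "flags": {"SYN"}}
NET_SYN = {"in": "ppp0", "proto": "tcp", "dport": 80, "state": "NEW", "flags": {"SYN"}}

if __name__ == "__main__":
    for table, chain, pkt in (("filter", "FORWARD", LAN_SYN), ("mangle", "PREROUTING", LAN_SYN), ("filter", "INPUT", NET_SYN)):
        print(table, chain, trace(TABLES, table, chain, pkt))
```

Running it prints the three traces. To check another flow, describe the packet as a dict with the same keys (in, out, proto, sport/dport, state, flags); the `-s`, pkttype and other matches the full dump uses are deliberately not modelled, so tracing the complete dump through match_one raises ValueError on the first such rule rather than silently treating it as a match, and extending match_one is the honest way to cover them.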