How can I trace a broken port forward?

Discussion in 'Linux Networking' started by Todd, Mar 28, 2011.

  1. Todd

    Todd Guest

    Hi All,

    I have a customer with an embedded Linux device that the
    vendor wants to communicate with. It goes through my
    iptables firewall.

    I have run "iptables --list" against two other tables
    that do the same thing in my firewall. Everything
    matches, except the ports and IP's are different. For
    instance (sorry for all the redacting):

    # service iptables status | grep -i xxxx
    3 DNAT tcp -- tcp
    spts:1024:65535 dpt:xxxx flags:0x17/0x02 to:
    5 ACCEPT tcp -- tcp
    spts:1024:65535 dpt:xxxx flags:0x17/0x02
    9 ACCEPT tcp -- tcp
    spts:1024:65535 dpt:xxxx flags:0x17/0x02 state NEW,ESTABLISHED
    4 ACCEPT tcp -- tcp
    spt:xxxx dpts:1024:65535 state RELATED,ESTABLISHED

    # service iptables status | grep -i yyyy
    5 DNAT udp -- udp
    spts:1024:65535 dpt:yyyy to:
    7 ACCEPT udp -- udp
    spts:1024:65535 dpt:yyyy
    11 ACCEPT udp -- udp
    dpt:yyyy state NEW,ESTABLISHED
    6 ACCEPT udp -- udp
    spt:yyyy dpts:1024:65535 state RELATED,ESTABLISHED

    The only difference is tcp vs udp. I think the problem is the
    vendor's equipment.

    Problem: how do I go about proving it?

    Many thanks,
    Todd, Mar 28, 2011

  2. Todd

    jack Guest

    Do a tcpdump capture on both interfaces for the IP addresses involved.
    Alternatively, depending on how heavily loaded the firewall is, and how
    complex the ruleset, log all blocked traffic. But then the vendor can
    still claim 'you forgot one -j LOG'.

    jack, Mar 28, 2011

  3. Todd

    Todd Guest

    Thank you!

    I do log "everything else". It does not show up. All sorts of other
    crap does, though.

    tcpdump does not seem too hard to use (man tcpdump). I think I
    will just use either the device's IP or the port that is being
    forwarded. Do you have tips on using it?

    Todd, Mar 28, 2011
  4. Todd

    Todd Guest

    Hi Jack,

    I have what I need. I love this tcpdump! Thank you so much.

    Todd, Mar 28, 2011
  5. Todd

    Todd Guest

    And, I fixed it. The devices did not have their default
    router configured. Raspberries!

    Bad: GATEIPAddress=
    good: GATEIPAddress=

    Yippee! It took me about 7 hours to figure this out,
    but I finally did. And, the default router was not in the
    vendor's configuration directions!

    Thank you Jack. I could not have figured it out without you!

    Now, I will do my best to stop strutting. Maybe in an hour
    or so!

    P.S. Yippee!
    Todd, Mar 28, 2011
  6. Todd

    jack Guest

    Glad you sorted it out; unknown devices and finger-pointing can both be
    a pain. tcpdump can be a great help to see what is happening on the
    wire. What I often do is take a capture using tcpdump -s0 -w
    /tmp/somefile.pcap, copy the pcap files to my own machine, and use
    wireshark to go through the capture file.

    jack, Mar 29, 2011
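To make the two-interface capture jack recommends actionable, here is an added example (not code from the thread or from either poster) that reads tcpdump text output taken on the firewall's outside and inside interfaces and says where a TCP port forward is breaking. The interface names, the addresses 198.51.100.2 / 192.0.2.10 / 203.0.113.5, port 5000 and the capture lines themselves are all constructed for the example; the verdict for the constructed data is the situation Todd ended up in, where the forwarded SYN reaches the device but nothing ever comes back.

```shell
#!/bin/sh
# Added example, not code from the thread: decide where a TCP port forward breaks by
# comparing tcpdump text output captured on the firewall's outside and inside interfaces.
# Assumed layout (all made up for the example): public address 198.51.100.2, forwarded
# port 5000/tcp, device 192.0.2.10 behind the LAN interface, vendor host 203.0.113.5.
# Real captures, following jack's tip, would be taken with e.g.
#   tcpdump -s0 -ni eth0 -w /tmp/wan.pcap 'tcp port 5000'
#   tcpdump -s0 -ni eth1 -w /tmp/lan.pcap 'tcp port 5000'
# and turned into text with  tcpdump -nr /tmp/wan.pcap  before feeding them in.

# Constructed outside-interface capture: the vendor's SYNs do arrive (three retransmissions).
WAN_TXT='10:01:00.000100 IP 203.0.113.5.51234 > 198.51.100.2.5000: Flags [S], seq 1, win 65535, length 0
10:01:01.000200 IP 203.0.113.5.51234 > 198.51.100.2.5000: Flags [S], seq 1, win 65535, length 0
10:01:03.000300 IP 203.0.113.5.51234 > 198.51.100.2.5000: Flags [S], seq 1, win 65535, length 0'

# Constructed inside-interface capture: DNAT has rewritten the destination to the device,
# so the firewall did its job, but no SYN-ACK ever comes back from 192.0.2.10.
LAN_TXT='10:01:00.000150 IP 203.0.113.5.51234 > 192.0.2.10.5000: Flags [S], seq 1, win 65535, length 0
10:01:01.000250 IP 203.0.113.5.51234 > 192.0.2.10.5000: Flags [S], seq 1, win 65535, length 0
10:01:03.000350 IP 203.0.113.5.51234 > 192.0.2.10.5000: Flags [S], seq 1, win 65535, length 0'

# count_syn PORT    : SYN-only segments addressed *to* PORT   ("> host.PORT: Flags [S],")
# count_synack PORT : SYN-ACK segments sent *from* PORT       ("host.PORT > ...: Flags [S.],")
count_syn()    { awk -v p=".$1:"  'index($0, "Flags [S],")  && index($0, p) { n++ } END { print n + 0 }'; }
count_synack() { awk -v p=".$1 >" 'index($0, "Flags [S.],") && index($0, p) { n++ } END { print n + 0 }'; }

# diagnose PORT WAN_TEXT LAN_TEXT: prints one verdict keyword for the forwarded port
diagnose() {
  port=$1
  wan_syn=$(printf '%s\n' "$2" | count_syn "$port")
  lan_syn=$(printf '%s\n' "$3" | count_syn "$port")
  lan_synack=$(printf '%s\n' "$3" | count_synack "$port")
  if [ "$wan_syn" -eq 0 ]; then
    echo no-arrival      # nothing reaches the outside interface: upstream or vendor side
  elif [ "$lan_syn" -eq 0 ]; then
    echo firewall-drop   # SYN seen outside but never forwarded: DNAT/FORWARD rules (check the -j LOG output)
  elif [ "$lan_synack" -eq 0 ]; then
    echo device-silent   # forwarded SYN reaches the LAN, device never answers: device config, e.g. its default gateway
  else
    echo handshake-ok    # SYN-ACK is back on the inside; if the vendor still sees nothing, look at the return path
  fi
}

echo "port 5000 verdict: $(diagnose 5000 "$WAN_TXT" "$LAN_TXT")"   # prints device-silent for the constructed data
```

The three counts are deliberately taken from the inside capture only: a SYN that shows up there proves both that the packet got through the firewall and that the nat DNAT rewrote it, so the remaining question is purely whether the device replies. A device without a default router receives the SYN but has no route for its SYN-ACK back to the vendor's address, which is exactly the silent inside interface this example reports.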
  7. [...]
    I bet you mean 'chains'.
    What's that tcp flags stuff doing there?
    The nat table only sees packets of state NEW. And will only map on SYN
    packets automatically.
    Again tcp flags. If I read it correctly, you specify SYN packets. So why
    state ESTABLISHED? That cannot match. Better sort out bad tcp packets in
    a dedicated chain before. With a rule like:
    -A BAD_TCP_PACKETS -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP

    Design suggestions:

    - top rule: allow state ESTABLISHED(,RELATED)
    - sort out bad tcp packets
    - allow by state new in dedicated chain:
    -A NEW_CONNECTIONS --your_match_conditions ...
    --state NEW -j NEW_CONNECTIONS


    Best regards

    Mart Frauenlob, Mar 30, 2011
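As an added example, not Mart's or Todd's configuration, here is a ruleset in iptables-restore format laid out along Mart's suggestions: ESTABLISHED/RELATED accepted at the top, bad TCP flag combinations sorted out in their own chain, NEW connections allowed from a dedicated chain, and the DNAT kept in the nat table with no state or flag matches because that table only ever sees the first packet of a flow. The interface names eth0/eth1, the device address 192.0.2.10 and port 5000 are assumptions; the small checker after the generator only validates the file's shape and ordering, it does not load anything.

```shell
#!/bin/sh
# Added example (not the thread's config): generate an iptables-restore ruleset that
# follows Mart's ordering. Interface names, addresses and ports are assumptions.

# gen_ruleset WAN_IF LAN_IF DEVICE_IP PORT -> prints the ruleset on stdout
gen_ruleset() {
  wan=$1 lan=$2 dev=$3 port=$4
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# The nat table only sees the first packet of a connection (state NEW); conntrack then
# applies the same mapping to the rest of the flow, so no state/flag matches belong here.
-A PREROUTING -i $wan -p tcp --dport $port -j DNAT --to-destination $dev
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BAD_TCP_PACKETS - [0:0]
:NEW_CONNECTIONS - [0:0]
# 1. top rule: everything that belongs to a tracked connection
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# 2. sort out bad TCP packets: a NEW packet that is not a plain SYN
#    (this is why a rule with SYN-only flags AND state ESTABLISHED can never match:
#    a SYN-only segment is always NEW)
-A FORWARD -p tcp -j BAD_TCP_PACKETS
-A BAD_TCP_PACKETS -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
# 3. allow by state NEW in a dedicated chain; FORWARD already sees the post-DNAT destination
-A FORWARD -m state --state NEW -j NEW_CONNECTIONS
-A NEW_CONNECTIONS -i $wan -o $lan -p tcp -d $dev --dport $port -j ACCEPT
# whatever falls through is logged (rate limited) before the chain policy drops it
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# check_ruleset: read a ruleset on stdin; exit 0 only if every non-comment line is a
# table header, chain declaration, -A rule or COMMIT, and every table is COMMITted.
check_ruleset() {
  awk '
    /^#/ || /^$/   { next }
    /^\*/          { open++;   next }
    /^:/ || /^-A / { next }
    /^COMMIT$/     { closed++; next }
                   { bad++ }
    END { if (bad == 0 && open > 0 && open == closed) exit 0; exit 1 }'
}

# jump_line TARGET: line number of the first FORWARD rule that jumps to TARGET (for ordering checks)
jump_line() { awk -v t="-j $1" 'index($0, "-A FORWARD ") == 1 && index($0, t) { print NR; exit }'; }

# Print the ruleset; on a real firewall it would be loaded with  iptables-restore < file
gen_ruleset eth0 eth1 192.0.2.10 5000
```

Loading the generated file replaces the whole ruleset, so the LOG rule at the end of FORWARD is what makes "I log everything else" trustworthy: anything not accepted by the three rules above it is logged with the FWD-DROP prefix before the chain's DROP policy takes it, and a port that never appears in those log lines was not dropped by this firewall.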
