Problem with Linux 2.6.4 DSL Gateway using Iptables and Shorewall

Discussion in 'Linux Networking' started by Jochen Demmer, Sep 18, 2004.

  1. Hi,

    I used to use SuSeFirewall2 under Suse Linux 9.1. Now I changed to
    Shorewall. Everything seems to work fine, though there are some
    destinations on the internet I am hardly able to connect to.
    There are e.g. http://www.apple.com or http://www.microsoft.com which I
    am not able to load in my browser. Microsoft comes up, but EXTREMELY slowly
    for my connection speed. Apple won't display at all. When I do a
    traceroute to www.apple.com it looks like this:

    traceroute to www.apple.com (17.254.0.91), 30 hops max, 40 byte packets
    1 192.168.0.1 0.425 ms 0.326 ms 0.398 ms
    2 217.5.98.182 18.305 ms 24.331 ms 33.508 ms
    3 217.237.154.146 34.744 ms 40.827 ms 46.910 ms
    4 NYC-gw15.USA.net.DTAG.DE (62.156.131.150) 135.542 ms 141.819 ms 147.904 ms
    5 dt-gw.n54ny.ip.att.net (192.205.32.57) 153.547 ms 159.630 ms 165.159 ms
    6 tbr1-p010401.n54ny.ip.att.net (12.123.3.57) 172.675 ms 179.056 ms 186.475 ms
    7 tbr1-cl1.cgcil.ip.att.net (12.122.10.2) 211.299 ms 217.676 ms 223.613 ms
    8 tbr1-cl1.sffca.ip.att.net (12.122.10.6) 266.537 ms 273.782 ms 279.356 ms
    9 gar1-p300.placa.ip.att.net (12.123.221.17) 272.279 ms 277.594 ms 283.984 ms
    10 12.118.116.10 197.026 ms 201.897 ms 208.277 ms
    11 * * *
    12 * * *
    13 * * *
    14 * * *
    15 * * *
    16 * * *
    17 * * *
    18 * * *
    19 * * *
    20 * * *
    21 * * *
    22 * * *

    I am really surprised about that. When I unload shorewall and activate
    SuseFirewall2 it works just fine. Here's my Firewall (shorewall)
    config with iptables-save:

    intertux:~ # iptables-save
    # Generated by iptables-save v1.2.9 on Sat Sep 18 12:13:15 2004
    *mangle
    :PREROUTING ACCEPT [21396:4675009]
    :INPUT ACCEPT [11937:1199941]
    :FORWARD ACCEPT [9409:3471851]
    :OUTPUT ACCEPT [11980:2717115]
    :POSTROUTING ACCEPT [21323:6173817]
    :outtos - [0:0]
    :pretos - [0:0]
    -A PREROUTING -j pretos
    -A OUTPUT -j outtos
    -A outtos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
    -A outtos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
    -A outtos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
    -A outtos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10
    -A outtos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
    -A outtos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
    -A outtos -p tcp -m tcp --dport 80 -j TOS --set-tos 0x10
    -A outtos -p tcp -m tcp --sport 80 -j TOS --set-tos 0x00
    -A pretos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
    -A pretos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
    -A pretos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
    -A pretos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10
    -A pretos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
    -A pretos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
    -A pretos -p tcp -m tcp --dport 80 -j TOS --set-tos 0x10
    -A pretos -p tcp -m tcp --sport 80 -j TOS --set-tos 0x00
    COMMIT
    # Completed on Sat Sep 18 12:13:15 2004
    # Generated by iptables-save v1.2.9 on Sat Sep 18 12:13:15 2004
    *nat
    :PREROUTING ACCEPT [1755:149562]
    :POSTROUTING ACCEPT [291:23070]
    :OUTPUT ACCEPT [0:0]
    :ppp0_masq - [0:0]
    :vpnlink_masq - [0:0]
    -A POSTROUTING -o ppp0 -j ppp0_masq
    -A POSTROUTING -o vpnlink -j vpnlink_masq
    -A ppp0_masq -s 192.168.0.0/255.255.255.0 -j MASQUERADE
    -A vpnlink_masq -s 192.168.0.0/255.255.255.0 -j MASQUERADE
    COMMIT
    # Completed on Sat Sep 18 12:13:15 2004
    # Generated by iptables-save v1.2.9 on Sat Sep 18 12:13:15 2004
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [1:48]
    :OUTPUT DROP [0:0]
    :Drop - [0:0]
    :DropDNSrep - [0:0]
    :DropSMB - [0:0]
    :DropUPnP - [0:0]
    :Reject - [0:0]
    :RejectAuth - [0:0]
    :RejectSMB - [0:0]
    :dropBcast - [0:0]
    :dropInvalid - [0:0]
    :dropNotSyn - [0:0]
    :dynamic - [0:0]
    :eth0_fwd - [0:0]
    :eth0_in - [0:0]
    :fw2loc - [0:0]
    :fw2net - [0:0]
    :fw2vpn - [0:0]
    :icmpdef - [0:0]
    :loc2fw - [0:0]
    :loc2net - [0:0]
    :loc2vpn - [0:0]
    :net2all - [0:0]
    :ppp0_fwd - [0:0]
    :ppp0_in - [0:0]
    :reject - [0:0]
    :shorewall - [0:0]
    :smurfs - [0:0]
    :vpn2all - [0:0]
    :vpnlink_fwd - [0:0]
    :vpnlink_in - [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p ! icmp -m state --state INVALID -j DROP
    -A INPUT -i eth0 -j eth0_in
    -A INPUT -i ppp0 -j ppp0_in
    -A INPUT -i vpnlink -j vpnlink_in
    -A INPUT -j Drop
    -A INPUT -j LOG --log-prefix "Shorewall:INPUT:DROP:" --log-level 6
    -A INPUT -j DROP
    -A FORWARD -p ! icmp -m state --state INVALID -j DROP
    -A FORWARD -i eth0 -j eth0_fwd
    -A FORWARD -i ppp0 -j ppp0_fwd
    -A FORWARD -i vpnlink -j vpnlink_fwd
    -A FORWARD -j Drop
    -A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:DROP:" --log-level 6
    -A FORWARD -j DROP
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -p ! icmp -m state --state INVALID -j DROP
    -A OUTPUT -o ppp0 -j fw2net
    -A OUTPUT -o eth0 -j fw2loc
    -A OUTPUT -o vpnlink -j fw2vpn
    -A OUTPUT -j Drop
    -A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:DROP:" --log-level 6
    -A OUTPUT -j DROP
    -A Drop -j RejectAuth
    -A Drop -j dropBcast
    -A Drop -j dropInvalid
    -A Drop -j DropSMB
    -A Drop -j DropUPnP
    -A Drop -j dropNotSyn
    -A Drop -j DropDNSrep
    -A DropDNSrep -p udp -m udp --sport 53 -j DROP
    -A DropSMB -p udp -m udp --dport 135 -j DROP
    -A DropSMB -p udp -m udp --dport 137:139 -j DROP
    -A DropSMB -p udp -m udp --dport 445 -j DROP
    -A DropSMB -p tcp -m tcp --dport 135 -j DROP
    -A DropSMB -p tcp -m tcp --dport 139 -j DROP
    -A DropSMB -p tcp -m tcp --dport 445 -j DROP
    -A DropUPnP -p udp -m udp --dport 1900 -j DROP
    -A Reject -j RejectAuth
    -A Reject -j dropBcast
    -A Reject -j dropInvalid
    -A Reject -j RejectSMB
    -A Reject -j DropUPnP
    -A Reject -j dropNotSyn
    -A Reject -j DropDNSrep
    -A RejectAuth -p tcp -m tcp --dport 113 -j reject
    -A RejectSMB -p udp -m udp --dport 135 -j reject
    -A RejectSMB -p udp -m udp --dport 137:139 -j reject
    -A RejectSMB -p udp -m udp --dport 445 -j reject
    -A RejectSMB -p tcp -m tcp --dport 135 -j reject
    -A RejectSMB -p tcp -m tcp --dport 139 -j reject
    -A RejectSMB -p tcp -m tcp --dport 445 -j reject
    -A dropBcast -m pkttype --pkt-type broadcast -j DROP
    -A dropBcast -m pkttype --pkt-type multicast -j DROP
    -A dropInvalid -m state --state INVALID -j DROP
    -A dropNotSyn -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP
    -A eth0_fwd -m state --state INVALID,NEW -j dynamic
    -A eth0_fwd -o ppp0 -j loc2net
    -A eth0_fwd -o vpnlink -j loc2vpn
    -A eth0_in -m state --state INVALID,NEW -j dynamic
    -A eth0_in -j loc2fw
    -A fw2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A fw2loc -j LOG --log-prefix "Shorewall:fw2loc:ACCEPT:" --log-level 6
    -A fw2loc -j ACCEPT
    -A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A fw2net -j LOG --log-prefix "Shorewall:fw2net:ACCEPT:" --log-level 6
    -A fw2net -j ACCEPT
    -A fw2vpn -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A fw2vpn -j LOG --log-prefix "Shorewall:fw2vpn:ACCEPT:" --log-level 6
    -A fw2vpn -j ACCEPT
    -A loc2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A loc2fw -j LOG --log-prefix "Shorewall:loc2fw:ACCEPT:" --log-level 6
    -A loc2fw -j ACCEPT
    -A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A loc2net -j LOG --log-prefix "Shorewall:loc2net:ACCEPT:" --log-level 6
    -A loc2net -j ACCEPT
    -A loc2vpn -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A loc2vpn -j LOG --log-prefix "Shorewall:loc2vpn:ACCEPT:" --log-level 6
    -A loc2vpn -j ACCEPT
    -A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A net2all -j Drop
    -A net2all -j LOG --log-prefix "Shorewall:net2all:DROP:" --log-level 6
    -A net2all -j DROP
    -A ppp0_fwd -m state --state INVALID,NEW -j dynamic
    -A ppp0_fwd -o eth0 -j net2all
    -A ppp0_fwd -o vpnlink -j net2all
    -A ppp0_in -m state --state INVALID,NEW -j dynamic
    -A ppp0_in -j net2all
    -A reject -m pkttype --pkt-type broadcast -j DROP
    -A reject -m pkttype --pkt-type multicast -j DROP
    -A reject -s 192.168.0.255 -j DROP
    -A reject -s 255.255.255.255 -j DROP
    -A reject -s 224.0.0.0/240.0.0.0 -j DROP
    -A reject -p tcp -j REJECT --reject-with tcp-reset
    -A reject -p udp -j REJECT --reject-with icmp-port-unreachable
    -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
    -A reject -j REJECT --reject-with icmp-host-prohibited
    -A smurfs -s 192.168.0.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
    -A smurfs -s 192.168.0.255 -j DROP
    -A smurfs -s 255.255.255.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
    -A smurfs -s 255.255.255.255 -j DROP
    -A smurfs -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
    -A smurfs -s 224.0.0.0/240.0.0.0 -j DROP
    -A vpn2all -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A vpn2all -j Drop
    -A vpn2all -j LOG --log-prefix "Shorewall:vpn2all:DROP:" --log-level 6
    -A vpn2all -j DROP
    -A vpnlink_fwd -m state --state INVALID,NEW -j dynamic
    -A vpnlink_fwd -o ppp0 -j vpn2all
    -A vpnlink_fwd -o eth0 -j vpn2all
    -A vpnlink_in -m state --state INVALID,NEW -j dynamic
    -A vpnlink_in -j vpn2all
    COMMIT

    The fact that it works with SuseFirewall2 makes me think that my
    shorewall config is incorrect. Would someone please help me...
    Thanks in advance!

    Jochen Demmer
     
    Jochen Demmer, Sep 18, 2004
    #1

  2. After all, not that bad.

    [..]
    [..]

    Now it would be the easiest, if you enhance logging, keep an
    Yup, very likely. I'd double check if SuseFirewall2 does
    something in addition, i.e. modifies one or another value in /proc.

    --
    Michael Heiming (GPG-Key ID: 0xEDD27B94)
    mail: echo | perl -pe 'y/a-z/n-za-m/'
     
    Michael Heiming, Sep 18, 2004
    #2

  3. I gave it a try, but with no conclusion. The firewall says that the packet
    to DSTPORT 80 is accepted. Now I get the same problem with www.map24.de.
    Sorry, I don't know what you mean by that.

    BTW: I have three interfaces in my shorewall configuration: vpn,
    net (internet) and loc (LAN).
    Both vpn and net are MASQUERADED to my local LAN. When I start my VPN
    connection, through which I am also able to reach the internet, I can reach
    the destinations which are unreachable without the VPN,
    e.g. www.map24.de, www.apple.com, www.microsoft.com.

    Thanks in Advance,

    Jochen Demmer
     
    Jochen Demmer, Sep 19, 2004
    #3
  4. Like modifying the content (0 or 1) of:
    /proc/sys/net/ipv4/tcp_sack
    /proc/sys/net/ipv4/tcp_window_scaling
    /proc/sys/net/ipv4/tcp_ecn

    [..]

    --
    Michael Heiming (GPG-Key ID: 0xEDD27B94)
    mail: echo | perl -pe 'y/a-z/n-za-m/'
     
    Michael Heiming, Sep 19, 2004
    #4
  5. Sorry! I still don't understand. What are these files for? I opened them
    with vi and I just see e.g. a "1" in the file. Could the MTU be the reason
    for my problem? What is different between the hosts I can reach and those I
    cannot? I don't see a difference. Why should my firewall treat them in a
    different way? I don't set policies or filter rules which would explain the
    behaviour. Why am I not having the problems when going through the VPN? I
    set up the same policies for vpn and net. That's a really strange problem I
    never had before.

    Jochen Demmer
     
    Jochen Demmer, Sep 19, 2004
    #5
  6. Those are not really files, more an interface to the kernel; 'man
    proc' should have more info.

    Now the setting of those files may have to do with your problem;
    you can change settings while running simply with (as root):

    echo "0" > /proc/sys/net/ipv4/tcp_ecn

    Or use 'sysctl' (man sysctl).

    MTU might be another reason, but then you probably couldn't reach any
    host really well, not just a few while others work fine.

    --
    Michael Heiming (GPG-Key ID: 0xEDD27B94)
    mail: echo | perl -pe 'y/a-z/n-za-m/'
     
    Michael Heiming, Sep 19, 2004
    #6

  7. Fine, now how can I find out where the problem is? I typed echo "0"... in the
    shell, but unfortunately with no conclusion.

    Jochen
     
    Jochen Demmer, Sep 19, 2004
    #7
  8. As written in my first reply, "I'd double check if the
    SuseFirewall2 does something in addition." See what it does
    inside the scripts it's using and diff 'iptables -L' output with
    the output of your config.

    --
    Michael Heiming (GPG-Key ID: 0xEDD27B94)
    mail: echo | perl -pe 'y/a-z/n-za-m/'
     
    Michael Heiming, Sep 19, 2004
    #8
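    The two checks Michael suggests, comparing the /proc/sys TCP tunables and diffing the iptables output of both firewalls, as one runnable helper. This is an added example, not code from the thread, from Shorewall or from SuSEfirewall2; the function names, the file layout and the sample rules inside demo() are constructed for illustration. Raw iptables-save output carries packet counters and timestamps that differ between any two runs, so a plain diff of two captures shows noise on almost every line; stripping that first leaves only real rule differences. The proc root of snapshot_sysctls is a parameter (defaulting to /proc/sys) so the function can be exercised against a constructed directory without root.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall/SuSEfirewall2: snapshot
# the state that may differ between two firewall setups so they can be diffed.
# Captured are the iptables-save ruleset with its per-run noise (counters,
# timestamps) stripped, and the TCP tunables named in the thread under
# /proc/sys. Function names and file layout are this example's own.

# Strip the parts of iptables-save output that change on every run:
#   "# Generated by ..." / "# Completed on ..." timestamp comments,
#   the [packets:bytes] counters on chain declarations,
#   and leading whitespace (web copies of the output are often indented).
# Rule order is kept, because order matters inside a chain.
normalize_rules() {
    sed -e '/^[[:space:]]*# Generated by/d' \
        -e '/^[[:space:]]*# Completed on/d' \
        -e 's/ \[[0-9]*:[0-9]*\][[:space:]]*$//' \
        -e 's/^[[:space:]]*//'
}

# Print the three tunables as key=value lines. The proc root is a parameter
# (default /proc/sys) so the function can run against a constructed tree.
snapshot_sysctls() {
    root=${1:-/proc/sys}
    for key in net/ipv4/tcp_ecn net/ipv4/tcp_sack net/ipv4/tcp_window_scaling; do
        if [ -r "$root/$key" ]; then
            printf '%s=%s\n' "$key" "$(cat "$root/$key")"
        else
            printf '%s=<unreadable>\n' "$key"
        fi
    done
}

# Unified diff of two snapshot files; exit status 0 means no difference.
compare_snapshots() {
    diff -u "$1" "$2"
}

# Walk-through on constructed input: two captures of the same ruleset taken
# at different times, plus a fake /proc/sys tree with ECN switched on.
demo() {
    tmp=$(mktemp -d)
    cat >"$tmp/a.raw" <<'EOF'
# Generated by iptables-save v1.2.9 on Sat Sep 18 12:13:15 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [1:48]
-A INPUT -i lo -j ACCEPT
-A FORWARD -p ! icmp -m state --state INVALID -j DROP
COMMIT
# Completed on Sat Sep 18 12:13:15 2004
EOF
    cat >"$tmp/b.raw" <<'EOF'
# Generated by iptables-save v1.2.9 on Sun Sep 19 09:00:00 2004
*filter
:INPUT DROP [77:6160]
:FORWARD DROP [12:900]
-A INPUT -i lo -j ACCEPT
-A FORWARD -p ! icmp -m state --state INVALID -j DROP
COMMIT
# Completed on Sun Sep 19 09:00:00 2004
EOF
    normalize_rules <"$tmp/a.raw" >"$tmp/a.norm"
    normalize_rules <"$tmp/b.raw" >"$tmp/b.norm"
    if compare_snapshots "$tmp/a.norm" "$tmp/b.norm"; then
        echo "rulesets identical once counters and timestamps are ignored"
    fi
    mkdir -p "$tmp/sys/net/ipv4"
    echo 1 >"$tmp/sys/net/ipv4/tcp_ecn"
    echo 1 >"$tmp/sys/net/ipv4/tcp_sack"
    echo 1 >"$tmp/sys/net/ipv4/tcp_window_scaling"
    snapshot_sysctls "$tmp/sys"
    rm -rf "$tmp"
}

demo
```

    To use it on a real box, run it once while Shorewall is loaded (iptables-save | normalize_rules > shorewall.norm; snapshot_sysctls > shorewall.sysctl), then again under SuSEfirewall2 with different file names, and feed each pair to compare_snapshots. iptables-save needs root; reading the /proc/sys values does not. A difference in the sysctl pair points at a kernel setting the other firewall script changes, a difference in the rule pair at a rule or policy.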
  9. Hi,

    now I tried to find out the difference between the two
    iptables configurations, but I'm not an expert in configuring iptables.
    That's the reason why I'm using shorewall, or SuseFirewall2 in the past.
    I put the file generated by 'diff -y shorewall.txt susefw2.txt >
    unterschiede.txt' online: http://www.winteltosh.de/unterschiede.txt . I
    generated shorewall.txt when the shorewall firewall was loaded by typing
    "iptables-save > shorewall.txt", and the same with susefw.txt, but of course
    while susefw2 was loaded.
    Maybe you could have a short look to see if you spot an apparent mistake. The left
    column in the text file should be Susefw2, I think.
    BTW: I'm using Opera 7.54 as browser, and IE does display www.apple.com
    at least. But it's also not all web pages I have problems with in Opera.
    I'm really annoyed with this problem.
    Thanks for your help.
    Jochen
     
    Jochen Demmer, Sep 20, 2004
    #9
  10. Hi,

    I got it! I just reinstalled shorewall, used a configuration sample and
    edited it for my purposes. Now the firewall runs fine and I don't get problems
    any more with some pages. I don't know where the problem was, but everything
    is running fine. Thanks again for your help!

    Jochen
     
    Jochen Demmer, Sep 20, 2004
    #10
