LinuxQuestions.org
Linux - Networking
09-27-2010, 08:20 PM   #1
edsmithers
Member
 
Registered: Jul 2003
Distribution: slackware 9.1
Posts: 45

Rep: Reputation: 15
Firestarter kills OUTGOING SSH Ubuntu 10.04- rejects SYN/ACK from SSH server


Hi,

I have a LAN with the following topology:

Ubuntu Laptop <------> Dlink Wireless Router/Switch <-------> Ubuntu Gateway Server <----------> ADSL

with this addressing scheme:

Laptop (192.168.5.106) <-----> (192.168.5.1 wifi) Dlink (uplink 172.16.5.2) <----------> (eth1 172.16.5.1) GW SRV (eth0 192.168.63.202) <------------------> ADSL (ISP provides me private IP 192.168.63.201 as uplink)


1. When I try to SSH from Laptop to GW SRV, the connection times out unless I disable Firestarter (on Laptop). GW SRV accepts SSH from local net and it works from several other PCs.
2. In the logs, I can see that the SYN-ACK from the GW SRV is blocked by Firestarter.
3. I have a default iptables config generated by Firestarter which should allow all outgoing connections.

Using Wireshark I see my Laptop send out the TCP Syn packet to port 22 on the server. The server responds TCP Syn-ACK to the appropriate port, but the connection times out. It works just fine with Firestarter disabled.



Could it be something is wrong with the SYN-ACK packet returned by GW SRV which makes it invalid and therefore not considered part of an Established/Related connection?

Below are my iptables -L output and the output of conntrack while trying the SSH; as far as I can tell the SYN-ACK is received and processed correctly. Thanks in advance for your help.


Code:
[NEW] tcp      6 120 SYN_SENT src=192.168.5.106 dst=172.16.5.1 sport=41391 dport=22 [UNREPLIED] src=172.16.5.1 dst=192.168.5.106 sport=22 dport=41391
 [UPDATE] tcp      6 57 SYN_RECV src=192.168.5.106 dst=172.16.5.1 sport=41391 dport=22 src=172.16.5.1 dst=192.168.5.106 sport=22 dport=41391

.... for other TCP connections I then see [ESTABLISHED], but not here ....

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  192.168.5.1          0.0.0.0/0           tcp flags:!0x17/0x02 
ACCEPT     udp  --  192.168.5.1          0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
LSI        udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:33434 
LSI        icmp --  0.0.0.0/0            0.0.0.0/0           
NR         all  -- !192.168.5.0/24       0.0.0.0/0           
DROP       all  --  0.0.0.0/0            255.255.255.255     
DROP       all  --  0.0.0.0/0            192.168.5.255       
DROP       all  --  224.0.0.0/8          0.0.0.0/0           
DROP       all  --  0.0.0.0/0            224.0.0.0/8         
DROP       all  --  255.255.255.255      0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0             
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID 
LSI        all  -f  0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 
INBOUND    all  --  0.0.0.0/0            0.0.0.0/0           
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0           
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Input' 

Chain FORWARD (policy DROP)
target     prot opt source               destination         
LSI        udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:33434 
LSI        icmp --  0.0.0.0/0            0.0.0.0/0           
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0           
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Forward' 

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  192.168.5.106        192.168.5.1         tcp dpt:53 
ACCEPT     udp  --  192.168.5.106        192.168.5.1         udp dpt:53 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  224.0.0.0/8          0.0.0.0/0           
DROP       all  --  0.0.0.0/0            224.0.0.0/8         
DROP       all  --  255.255.255.255      0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0             
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID 
OUTBOUND   all  --  0.0.0.0/0            0.0.0.0/0           
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0           
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Output' 

Chain INBOUND (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
LSI        all  --  0.0.0.0/0            0.0.0.0/0           

Chain LOG_FILTER (5 references)
target     prot opt source               destination         

Chain LSI (54 references)
target     prot opt source               destination         
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0           
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 
DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain LSO (0 references)
target     prot opt source               destination         
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0           
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound ' 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 

Chain NR (1 references)
target     prot opt source               destination         
LSI        all  --  0.0.0.0/8            192.168.5.0/24      
LSI        all  --  1.0.0.0/8            192.168.5.0/24      
LSI        all  --  2.0.0.0/8            192.168.5.0/24      
LSI        all  --  5.0.0.0/8            192.168.5.0/24      
LSI        all  --  10.0.0.0/8           192.168.5.0/24      
LSI        all  --  14.0.0.0/8           192.168.5.0/24      
LSI        all  --  23.0.0.0/8           192.168.5.0/24      
LSI        all  --  27.0.0.0/8           192.168.5.0/24      
LSI        all  --  31.0.0.0/8           192.168.5.0/24      
LSI        all  --  36.0.0.0/8           192.168.5.0/24      
LSI        all  --  37.0.0.0/8           192.168.5.0/24      
LSI        all  --  39.0.0.0/8           192.168.5.0/24      
LSI        all  --  42.0.0.0/8           192.168.5.0/24      
LSI        all  --  46.0.0.0/8           192.168.5.0/24      
LSI        all  --  49.0.0.0/8           192.168.5.0/24      
LSI        all  --  50.0.0.0/8           192.168.5.0/24      
LSI        all  --  100.0.0.0/8          192.168.5.0/24      
LSI        all  --  101.0.0.0/8          192.168.5.0/24      
LSI        all  --  102.0.0.0/8          192.168.5.0/24      
LSI        all  --  103.0.0.0/8          192.168.5.0/24      
LSI        all  --  104.0.0.0/8          192.168.5.0/24      
LSI        all  --  105.0.0.0/8          192.168.5.0/24      
LSI        all  --  106.0.0.0/8          192.168.5.0/24      
LSI        all  --  107.0.0.0/8          192.168.5.0/24      
LSI        all  --  108.0.0.0/8          192.168.5.0/24      
LSI        all  --  109.0.0.0/8          192.168.5.0/24      
LSI        all  --  110.0.0.0/8          192.168.5.0/24      
LSI        all  --  111.0.0.0/8          192.168.5.0/24      
LSI        all  --  127.0.0.0/8          192.168.5.0/24      
LSI        all  --  169.254.0.0/16       192.168.5.0/24      
LSI        all  --  172.16.0.0/12        192.168.5.0/24      
LSI        all  --  175.0.0.0/8          192.168.5.0/24      
LSI        all  --  176.0.0.0/8          192.168.5.0/24      
LSI        all  --  177.0.0.0/8          192.168.5.0/24      
LSI        all  --  178.0.0.0/8          192.168.5.0/24      
LSI        all  --  179.0.0.0/8          192.168.5.0/24      
LSI        all  --  180.0.0.0/8          192.168.5.0/24      
LSI        all  --  181.0.0.0/8          192.168.5.0/24      
LSI        all  --  182.0.0.0/8          192.168.5.0/24      
LSI        all  --  183.0.0.0/8          192.168.5.0/24      
LSI        all  --  184.0.0.0/8          192.168.5.0/24      
LSI        all  --  185.0.0.0/8          192.168.5.0/24      
LSI        all  --  192.0.2.0/24         192.168.5.0/24      
LSI        all  --  192.168.0.0/16       192.168.5.0/24      
LSI        all  --  197.0.0.0/8          192.168.5.0/24      
LSI        all  --  198.18.0.0/15        192.168.5.0/24      
LSI        all  --  223.0.0.0/8          192.168.5.0/24      
LSI        all  --  224.0.0.0/3          192.168.5.0/24      

Chain OUTBOUND (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
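The conntrack output in the post shows the SSH flow reaching SYN_RECV (conntrack saw the SYN-ACK) but never ESTABLISHED. The script below is an added diagnostic, not code from the thread or from Firestarter: it parses conntrack event lines in the format quoted above and classifies each TCP handshake as completed, stuck with no reply seen (SYN_SENT), or stuck after the SYN-ACK was tracked (SYN_RECV). The sample input is constructed to mirror the post's two lines, with an invented port-80 flow added to show a handshake that completes; the verdict names are my own. One caveat the classification encodes: conntrack records the SYN-ACK in its PREROUTING hook, which runs before the filter table's INPUT chain, so a flow in SYN_RECV proves only that the SYN-ACK reached the host and was tracked, not that the filter accepted it.

```python
"""Classify TCP handshakes from `conntrack -E`-style event lines.

Added example, not from the thread. Sample lines are constructed to mirror the
format quoted in the post; the port-80 flow is invented so one handshake completes.
"""
import re
from collections import defaultdict

# Constructed sample input: two flows from 192.168.5.106, one stuck, one completing.
SAMPLE_EVENTS = """\
    [NEW] tcp      6 120 SYN_SENT src=192.168.5.106 dst=172.16.5.1 sport=41391 dport=22 [UNREPLIED] src=172.16.5.1 dst=192.168.5.106 sport=22 dport=41391
 [UPDATE] tcp      6 57 SYN_RECV src=192.168.5.106 dst=172.16.5.1 sport=41391 dport=22 src=172.16.5.1 dst=192.168.5.106 sport=22 dport=41391
    [NEW] tcp      6 120 SYN_SENT src=192.168.5.106 dst=192.168.5.1 sport=50000 dport=80 [UNREPLIED] src=192.168.5.1 dst=192.168.5.106 sport=80 dport=50000
 [UPDATE] tcp      6 57 SYN_RECV src=192.168.5.106 dst=192.168.5.1 sport=50000 dport=80 src=192.168.5.1 dst=192.168.5.106 sport=80 dport=50000
 [UPDATE] tcp      6 432000 ESTABLISHED src=192.168.5.106 dst=192.168.5.1 sport=50000 dport=80 src=192.168.5.1 dst=192.168.5.106 sport=80 dport=50000 [ASSURED]
"""

# One conntrack TCP event: event type, timeout, TCP state, then the original-direction tuple.
EVENT_RE = re.compile(
    r"^\s*\[(?P<event>NEW|UPDATE|DESTROY)\]\s+tcp\s+6\s+(?P<timeout>\d+)\s+(?P<state>[A-Z_]+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def parse_events(text):
    """Return one dict per recognised event line; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        for k in ("timeout", "sport", "dport"):
            e[k] = int(e[k])
        e["unreplied"] = "[UNREPLIED]" in line  # no packet seen in the reply direction yet
        events.append(e)
    return events


def flow_history(events):
    """Group state transitions by original-direction 4-tuple, in the order seen."""
    history = defaultdict(list)
    for e in events:
        history[(e["src"], e["dst"], e["sport"], e["dport"])].append(e["state"])
    return dict(history)


def diagnose(text):
    """Map each flow to a verdict (names are this example's own):
      ok                      reached ESTABLISHED
      no-reply-seen           stuck in SYN_SENT: conntrack never saw a SYN-ACK
      synack-seen-but-no-ack  stuck in SYN_RECV: the SYN-ACK was tracked but the
                              handshake never completed
    Conntrack tracks the SYN-ACK in PREROUTING, before filter INPUT runs, so the
    third verdict shows the reply arrived and was tracked, not that it was accepted.
    """
    verdicts = {}
    for key, states in flow_history(parse_events(text)).items():
        if "ESTABLISHED" in states:
            verdicts[key] = "ok"
        elif states[-1] == "SYN_SENT":
            verdicts[key] = "no-reply-seen"
        elif states[-1] == "SYN_RECV":
            verdicts[key] = "synack-seen-but-no-ack"
        else:
            verdicts[key] = "other:" + states[-1]
    return verdicts


if __name__ == "__main__":
    for (src, dst, sport, dport), verdict in diagnose(SAMPLE_EVENTS).items():
        print(f"{src}:{sport} -> {dst}:{dport}  {verdict}")
```

To use it on a live capture, feed it the output of `conntrack -E -p tcp` saved while reproducing the connection attempt; a flow that ends in `synack-seen-but-no-ack` is one to check against the filter chains, since the tracked state alone does not show where the SYN-ACK was dropped.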
 
09-27-2010, 10:28 PM   #2
frankbell
Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Mageia, Mint
Posts: 8,248

Rep: Reputation: 1558
In the Firestarter Policies, what selection do you have for the outgoing policy?

I usually choose "permissive by default" and have not had a problem with outgoing ssh on any box running Firestarter.
 
09-29-2010, 09:47 AM   #3
edsmithers
Member
 
Registered: Jul 2003
Distribution: slackware 9.1
Posts: 45

Original Poster
Rep: Reputation: 15
Thanks for the reply. Yes, I have this setting on "permissive by default". When I initiate the SSH I immediately see packets blocked in the Firestarter log, but they are from port 22 to the source TCP port on my laptop, so they shouldn't be blocked.
 
09-29-2010, 03:53 PM   #4
edsmithers
Member
 
Registered: Jul 2003
Distribution: slackware 9.1
Posts: 45

Original Poster
Rep: Reputation: 15
Does someone have any other pointers?

I think this might be because of the double NAT on the local network?
 
  


Tags
firestarter, iptables, lan, nat, ssh

