Hi,
I have a LAN with the following topology:
Ubuntu Laptop <------> Dlink Wireless Router/Switch <-------> Ubuntu Gateway Server <----------> ADSL
with this addressing scheme:
Laptop (192.168.5.106) <-----> (192.168.5.1 wifi) Dlink (uplink 172.16.5.2) <----------> (eth1 172.16.5.1) GW SRV (eth0 192.168.63.202) <------------------> ADSL (ISP provides me private IP 192.168.63.201 as uplink)
1. When I try to SSH from Laptop to GW SRV, the connection times out unless I disable Firestarter (on Laptop). GW SRV accepts SSH from local net and it works from several other PCs.
2. In the logs, I can see that the SYN-ACK from the GW SRV is blocked by Firestarter.
3. I have a default iptables config generated by Firestarter which should allow all outgoing connections.
Using Wireshark I see my Laptop send out the TCP SYN packet to port 22 on the server. The server responds with a TCP SYN-ACK to the appropriate port, but the connection times out. It works just fine with Firestarter disabled.
Could it be something is wrong with the SYN-ACK packet returned by GW SRV which makes it invalid and therefore not considered part of an Established/Related connection?
Below is my iptables -L and the output of conntrack while trying the SSH. As far as I can tell, the SYN-ACK is received and processed correctly. Thanks in advance for your help.
Code:
[NEW] tcp 6 120 SYN_SENT src=192.168.5.106 dst=172.16.5.1 sport=41391 dport=22 [UNREPLIED] src=172.16.5.1 dst=192.168.5.106 sport=22 dport=41391
[UPDATE] tcp 6 57 SYN_RECV src=192.168.5.106 dst=172.16.5.1 sport=41391 dport=22 src=172.16.5.1 dst=192.168.5.106 sport=22 dport=41391
.... for other TCP connections I then see [ESTABLISHED], but not here ....
Code:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.5.1 0.0.0.0/0 tcp flags:!0x17/0x02
ACCEPT udp -- 192.168.5.1 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
LSI udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:33434
LSI icmp -- 0.0.0.0/0 0.0.0.0/0
NR all -- !192.168.5.0/24 0.0.0.0/0
DROP all -- 0.0.0.0/0 255.255.255.255
DROP all -- 0.0.0.0/0 192.168.5.255
DROP all -- 224.0.0.0/8 0.0.0.0/0
DROP all -- 0.0.0.0/0 224.0.0.0/8
DROP all -- 255.255.255.255 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
LSI all -f 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5
INBOUND all -- 0.0.0.0/0 0.0.0.0/0
LOG_FILTER all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Input'
Chain FORWARD (policy DROP)
target prot opt source destination
LSI udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:33434
LSI icmp -- 0.0.0.0/0 0.0.0.0/0
LOG_FILTER all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Forward'
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.5.106 192.168.5.1 tcp dpt:53
ACCEPT udp -- 192.168.5.106 192.168.5.1 udp dpt:53
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 224.0.0.0/8 0.0.0.0/0
DROP all -- 0.0.0.0/0 224.0.0.0/8
DROP all -- 255.255.255.255 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
OUTBOUND all -- 0.0.0.0/0 0.0.0.0/0
LOG_FILTER all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Output'
Chain INBOUND (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
LSI all -- 0.0.0.0/0 0.0.0.0/0
Chain LOG_FILTER (5 references)
target prot opt source destination
Chain LSI (54 references)
target prot opt source destination
LOG_FILTER all -- 0.0.0.0/0 0.0.0.0/0
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain LSO (0 references)
target prot opt source destination
LOG_FILTER all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound '
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain NR (1 references)
target prot opt source destination
LSI all -- 0.0.0.0/8 192.168.5.0/24
LSI all -- 1.0.0.0/8 192.168.5.0/24
LSI all -- 2.0.0.0/8 192.168.5.0/24
LSI all -- 5.0.0.0/8 192.168.5.0/24
LSI all -- 10.0.0.0/8 192.168.5.0/24
LSI all -- 14.0.0.0/8 192.168.5.0/24
LSI all -- 23.0.0.0/8 192.168.5.0/24
LSI all -- 27.0.0.0/8 192.168.5.0/24
LSI all -- 31.0.0.0/8 192.168.5.0/24
LSI all -- 36.0.0.0/8 192.168.5.0/24
LSI all -- 37.0.0.0/8 192.168.5.0/24
LSI all -- 39.0.0.0/8 192.168.5.0/24
LSI all -- 42.0.0.0/8 192.168.5.0/24
LSI all -- 46.0.0.0/8 192.168.5.0/24
LSI all -- 49.0.0.0/8 192.168.5.0/24
LSI all -- 50.0.0.0/8 192.168.5.0/24
LSI all -- 100.0.0.0/8 192.168.5.0/24
LSI all -- 101.0.0.0/8 192.168.5.0/24
LSI all -- 102.0.0.0/8 192.168.5.0/24
LSI all -- 103.0.0.0/8 192.168.5.0/24
LSI all -- 104.0.0.0/8 192.168.5.0/24
LSI all -- 105.0.0.0/8 192.168.5.0/24
LSI all -- 106.0.0.0/8 192.168.5.0/24
LSI all -- 107.0.0.0/8 192.168.5.0/24
LSI all -- 108.0.0.0/8 192.168.5.0/24
LSI all -- 109.0.0.0/8 192.168.5.0/24
LSI all -- 110.0.0.0/8 192.168.5.0/24
LSI all -- 111.0.0.0/8 192.168.5.0/24
LSI all -- 127.0.0.0/8 192.168.5.0/24
LSI all -- 169.254.0.0/16 192.168.5.0/24
LSI all -- 172.16.0.0/12 192.168.5.0/24
LSI all -- 175.0.0.0/8 192.168.5.0/24
LSI all -- 176.0.0.0/8 192.168.5.0/24
LSI all -- 177.0.0.0/8 192.168.5.0/24
LSI all -- 178.0.0.0/8 192.168.5.0/24
LSI all -- 179.0.0.0/8 192.168.5.0/24
LSI all -- 180.0.0.0/8 192.168.5.0/24
LSI all -- 181.0.0.0/8 192.168.5.0/24
LSI all -- 182.0.0.0/8 192.168.5.0/24
LSI all -- 183.0.0.0/8 192.168.5.0/24
LSI all -- 184.0.0.0/8 192.168.5.0/24
LSI all -- 185.0.0.0/8 192.168.5.0/24
LSI all -- 192.0.2.0/24 192.168.5.0/24
LSI all -- 192.168.0.0/16 192.168.5.0/24
LSI all -- 197.0.0.0/8 192.168.5.0/24
LSI all -- 198.18.0.0/15 192.168.5.0/24
LSI all -- 223.0.0.0/8 192.168.5.0/24
LSI all -- 224.0.0.0/3 192.168.5.0/24
Chain OUTBOUND (1 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
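The laptop-side chain traversal for that SYN-ACK, as an added example that is not part of the original post or of Firestarter: a small Python model of the INPUT, NR, INBOUND and LSI chains listed above, walked for three constructed packets. It assumes the third INPUT rule ("ACCEPT all") is Firestarter's loopback rule, since `iptables -L` without `-v` hides the `-i lo` match; the interface name wlan0, the addresses 192.168.5.20 and 203.0.113.9 and the `with_state_check_first` variant are constructed for the demonstration, and the NR chain is reduced to five of its prefixes. One caveat for reading the conntrack output: conntrack classifies a packet in PREROUTING, before filter INPUT runs, so the [UPDATE] to SYN_RECV shows the kernel accepted the SYN-ACK as a valid reply, not that the filter let it through.

```python
"""Walk the Firestarter INPUT chain from the post for constructed packets.

Added example, not code from the post or from Firestarter. Only rules that can
change the verdict for the SSH reply are modelled; LOG rules are left out.
The `-i lo` on INPUT's unconditional ACCEPT is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    iface: str            # ingress interface (constructed name below)
    tcp_flags: int = 0    # SYN = 0x02, SYN|ACK = 0x12
    ctstate: str = "NEW"  # what `-m state` would report for this packet


@dataclass
class Rule:
    target: str                      # ACCEPT, DROP or a user-defined chain
    proto: str = "all"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    src_neg: bool = False            # `! -s`
    in_iface: Optional[str] = None   # `-i`
    tcp_flags: Optional[Tuple[int, int]] = None  # (mask, value) as in `--tcp-flags`
    tcp_flags_neg: bool = False
    ctstate: Optional[Set[str]] = None           # `-m state --state`

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        in_src = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
        if in_src == self.src_neg:   # a negated source matches only outside the range
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.in_iface is not None and self.in_iface != pkt.iface:
            return False
        if self.tcp_flags is not None:
            mask, value = self.tcp_flags
            if ((pkt.tcp_flags & mask) == value) == self.tcp_flags_neg:
                return False
        if self.ctstate is not None and pkt.ctstate not in self.ctstate:
            return False
        return True


# Rule order follows the `iptables -L` listing in the post.
CHAINS = {
    "INPUT": [
        Rule(ACCEPT, "tcp", src="192.168.5.1", tcp_flags=(0x17, 0x02), tcp_flags_neg=True),
        Rule(ACCEPT, "udp", src="192.168.5.1"),
        Rule(ACCEPT, in_iface="lo"),                     # assumed loopback rule
        Rule("NR", src="192.168.5.0/24", src_neg=True),  # reserved-address filter for non-LAN sources
        Rule(DROP, ctstate={"INVALID"}),
        Rule("INBOUND"),
    ],
    # Five of the ranges in the NR chain above; 172.16.0.0/12 is the one that bites.
    "NR": [Rule("LSI", src=net, dst="192.168.5.0/24") for net in (
        "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")],
    "INBOUND": [
        Rule(ACCEPT, "tcp", ctstate={"RELATED", "ESTABLISHED"}),
        Rule(ACCEPT, "udp", ctstate={"RELATED", "ESTABLISHED"}),
        Rule("LSI"),
    ],
    "LSI": [Rule(DROP)],   # log-and-drop chain: everything entering it is dropped
}
POLICY = {"INPUT": DROP}


def traverse(chains, chain: str, pkt: Packet, path: Optional[List[str]] = None):
    """First matching terminal target wins; a user chain that runs off its end
    returns to the caller, a built-in chain falls back to its policy."""
    path = [] if path is None else path
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        path.append(f"{chain}:{rule.target}")
        if rule.target in (ACCEPT, DROP):
            return rule.target, path
        verdict, path = traverse(chains, rule.target, pkt, path)
        if verdict is not None:
            return verdict, path
    if chain in POLICY:
        path.append(f"{chain}:policy {POLICY[chain]}")
        return POLICY[chain], path
    return None, path


def verdict_for(pkt: Packet, chains=CHAINS) -> Tuple[str, List[str]]:
    return traverse(chains, "INPUT", pkt)


def with_state_check_first(chains):
    """Variant with a RELATED,ESTABLISHED accept ahead of the NR jump, so the
    reserved-address list only sees packets that are not replies to our own connections."""
    fixed = dict(chains)
    fixed["INPUT"] = [Rule(ACCEPT, ctstate={"RELATED", "ESTABLISHED"})] + chains["INPUT"]
    return fixed


# Constructed packets; the interface name and the two extra addresses are made up.
SYNACK_FROM_GW = Packet("172.16.5.1", "192.168.5.106", "tcp", "wlan0", 0x12, "ESTABLISHED")
SYNACK_FROM_LAN = Packet("192.168.5.20", "192.168.5.106", "tcp", "wlan0", 0x12, "ESTABLISHED")
SYN_FROM_OUTSIDE = Packet("203.0.113.9", "192.168.5.106", "tcp", "wlan0", 0x02, "NEW")

if __name__ == "__main__":
    for label, pkt in [("SYN-ACK from GW SRV", SYNACK_FROM_GW),
                       ("SYN-ACK from LAN host", SYNACK_FROM_LAN),
                       ("unsolicited SYN from outside", SYN_FROM_OUTSIDE)]:
        for name, chains in [("as listed", CHAINS), ("state check first", with_state_check_first(CHAINS))]:
            verdict, path = verdict_for(pkt, chains)
            print(f"{label:30} {name:18} {verdict:7} {' -> '.join(path)}")
```

Run as listed, the gateway's SYN-ACK ends in INPUT:NR -> NR:LSI -> LSI:DROP: its source 172.16.5.1 is not in 192.168.5.0/24, so the NR jump fires, and 172.16.0.0/12 is on the reserved-address list, so the packet is dropped before INBOUND's RELATED,ESTABLISHED rule ever sees it. The same SYN-ACK from a 192.168.5.0/24 host skips NR and is accepted, which matches SSH working from the other PCs. With a RELATED,ESTABLISHED accept placed ahead of the NR jump (or with 172.16.0.0/12 taken out of the list, since it is a real on-path network here) the reply gets in while an unsolicited SYN from outside still ends in LSI.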