LinuxQuestions.org


scheidel21 08-20-2010 10:18 AM

IPtables&routing on an Untangle box, need some advice, traffic not being returned
 
Hi all, I have an Untangle box - which for those that don't know is a modified Debian Lenny used as a router, proxy, filter and much more - It has three physical interfaces on it: eth0 (incoming traffic), eth1 (outgoing to LAN after traffic is filtered), and eth2 (called a DMZ NIC, as Untangle can be used as a router). There is also a tun0 interface set up by Untangle for VPN (not using the OpenVPN in Untangle because I need a bridged VPN and this is not an option in Untangle's offering), a br0.eth set up by Untangle to bridge eth0 and eth1 for traffic flow-through, as it is inline from router to switch and not acting as the router itself, and a br0 interface that I have set up by a bridge script bridging eth2 and tap0 to run OpenVPN as a bridged VPN. The routes on the machine are as follows:

Code:

untangle:~# route
Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
192.168.100.0  *              255.255.255.0  U    0      0        0 br.eth0
192.168.1.0    *              255.255.255.0  U    0      0        0 br0
192.0.2.0      *              255.255.255.0  U    0      0        0 dummy0
192.0.2.0      *              255.255.255.0  U    0      0        0 utun
untangle:~#

I don't see a default route listed here; however, I do have Internet connectivity on the Untangle box itself. I also know that my script to bridge the tap0 and eth2 interfaces adds a default route through the gateway on the network that eth2 is connected to. So the lack of a default route is somewhat puzzling to me, as I do have the gateway set through the web-based admin interface Untangle offers.

The iptables rules are as follows:

Code:

untangle:~# iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N alpaca-firewall
-N alpaca-nat-firewall
-A INPUT -i ! utun -p tcp -m tcp --dport 9500:9627 -m conntrack --ctstate INVALID,NEW -j DROP
-A INPUT -p udp -m multiport --dports 68 -j RETURN
-A INPUT -p udp -m mark --mark 0x2/0x2 -m multiport --dports 67 -j RETURN
-A INPUT -j alpaca-firewall
-A INPUT -p udp -m multiport --dports 67 -j DROP
-A FORWARD -m mark --mark 0x0/0x40000000 -j alpaca-firewall
-A FORWARD -i br.eth0 -g alpaca-nat-firewall
-A alpaca-firewall -m mark --mark 0x0/0xc000000 -j RETURN
-A alpaca-firewall -m mark --mark 0x8000000/0x8000000 -j DROP
-A alpaca-firewall -p tcp -m mark --mark 0x4000000/0x4000000 -j REJECT --reject-with tcp-reset
-A alpaca-firewall -m mark --mark 0x4000000/0x4000000 -j REJECT --reject-with icmp-port-unreachable
-A alpaca-nat-firewall -m conntrack --ctstate DNAT -j RETURN
-A alpaca-nat-firewall -m mark --mark 0x80000000/0x80000000 -j RETURN
-A alpaca-nat-firewall -o tun0 -j DROP

untangle:~# iptables -L -v
Chain INPUT (policy ACCEPT 3514K packets, 534M bytes)
 pkts bytes target    prot opt in    out    source              destination
    0    0 DROP      tcp  --  !utun  any    anywhere            anywhere            tcp dpts:9500:9627 ctstate INVALID,NEW
  142 47146 RETURN    udp  --  any    any    anywhere            anywhere            multiport dports bootpc
    0    0 RETURN    udp  --  any    any    anywhere            anywhere            mark match 0x2/0x2 multiport dports bootps
1677K  254M alpaca-firewall  all  --  any    any    anywhere            anywhere
    0    0 DROP      udp  --  any    any    anywhere            anywhere            multiport dports bootps

Chain FORWARD (policy ACCEPT 1351 packets, 198K bytes)
 pkts bytes target    prot opt in    out    source              destination
    0    0 alpaca-firewall  all  --  any    any    anywhere            anywhere            mark match 0x0/0x40000000
    0    0 alpaca-nat-firewall  all  --  br.eth0 any    anywhere            anywhere            [goto]

Chain OUTPUT (policy ACCEPT 3610K packets, 711M bytes)
 pkts bytes target    prot opt in    out    source              destination

Chain alpaca-firewall (2 references)
 pkts bytes target    prot opt in    out    source              destination
1641K  248M RETURN    all  --  any    any    anywhere            anywhere            mark match 0x0/0xc000000
35363 5672K DROP      all  --  any    any    anywhere            anywhere            mark match 0x8000000/0x8000000
    0    0 REJECT    tcp  --  any    any    anywhere            anywhere            mark match 0x4000000/0x4000000 reject-with tcp-reset
    0    0 REJECT    all  --  any    any    anywhere            anywhere            mark match 0x4000000/0x4000000 reject-with icmp-port-unreachable

Chain alpaca-nat-firewall (1 references)
 pkts bytes target    prot opt in    out    source              destination
    0    0 RETURN    all  --  any    any    anywhere            anywhere            ctstate DNAT
    0    0 RETURN    all  --  any    any    anywhere            anywhere            mark match 0x80000000/0x80000000
    0    0 DROP      all  --  any    tun0    anywhere            anywhere

There was an additional output rule in the alpaca-nat-firewall chain that said DROP outgoing interface eth2; I removed that rule with no change. I can ping out from the Untangle server to the eth2 LAN, and I can access resources in the eth2 subnet. But I cannot get any reply from the server from anything, either in that subnet or not. If I run iftop I can see the incoming traffic from my ping, but the server sends out no reply. I think this is a firewall issue. Any help would be greatly appreciated. I can access the server by connecting to the IP assigned to the eth0/br0.eth interface, which is in my main LAN. Any help would be appreciated. I am also attaching a crude diagram of the previous setup and the new setup (the previous setup used a different server for my bridged VPN).

Is there a rule I can add to ensure that traffic coming in on an interface goes out the same interface? Do I have a rule blocking incoming traffic to eth2/br0? Do I have one blocking sending out on eth2/br0? Do I have a default rule that is killing the traffic on eth2/br0, so that I need to add an accept rule for traffic coming in on eth2/br0? I tried adding an accept rule for traffic coming in on br0, but it didn't work. I tried an output rule, but that didn't work either, but I may have been bungling these rules as I do not fully understand the syntax, function and body of an iptables rule.

The exact original iptables information before I modified anything can be viewed at http://www.scheidel21.com/viewpage.php?page_id=4

Again thank you in advance for any assistance.

nimnull22 08-21-2010 06:44 AM

Quote:

Is there a rule I can add to ensure that traffic coming in on an interface goes out the same interface? Do I have a rule blocking incoming traffic to eth2/br0? Do I have one blocking sending out on eth2/br0? Do I have a default rule that is killing the traffic on eth2/br0 and I need to add an accept rule for traffic coming in on eth2/br0?
You know, what you have right now is quite complicated to understand.
I can suggest you use "tcpdump -nnt -i ethX" and see for yourself what is going on on your network.
Tcpdump output will show you where the packets come from and go to.

scheidel21 08-31-2010 11:25 AM

I took a look at the output of tcpdump and the data was going into the ether, never getting sent back out. I checked the routing table and there was no default route set up. I tried a tracert to yahoo.com and it went through the normal gateway on my LAN. I added a default route to the gateway on the DMZ interface and then tried tracert again; it went through the DMZ gateway. I then tried to ping from a machine in a third subnet that was not known to the system I am having trouble with, and the ping was returned fine; if I removed that default route then the pings were not returned to the third subnet. So this is a routing issue. My possible solutions are to find a way to use the routing table to specify that data coming in on the DMZ interface be routed back out that way, which I don't think is possible without iproute2. Or the second option is to find an iptables rule to route all traffic that came in on that interface out that same interface. I think I would have to use NAT prerouting for that, but I don't have any idea how to do it. Does anyone have an idea how I can do this?

scheidel21 09-02-2010 08:57 AM

OK, this is now resolved. The issue was a combination of iptables, in that I needed to add an ACCEPT rule for traffic coming into my br0 bridge, and Linux advanced routing using the iproute2 package. I needed to use the ip tool to create a new routing table that said anything coming in on br0 gets sent out br0, then I used the ip tool to add the new table into the routing table rules. I used several sites for reference, but the one that explained exactly what I wanted to do and helped me most was http://kindlund.wordpress.com/2007/1...utes-in-linux/ Many thanks to this individual.
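The fix scheidel21 describes above (and asked for two posts earlier): a dedicated routing table with the DMZ gateway as default, selected by an ip rule so that traffic arriving on br0 is answered out br0, plus an INPUT accept for br0. This is an added example, not the poster's script or anything shipped with Untangle; it assumes a br0 address of 192.168.1.10/24, a DMZ gateway of 192.168.1.1 (the thread only shows the 192.168.1.0/24 route on br0) and spare table number 100. With DRY_RUN=1 it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread: source-based policy routing for br0.
# Replies the box generates from its br0 address get their own routing table
# with the DMZ gateway as default, so they leave via br0 instead of the
# main-LAN default route. Assumed values (the thread does not give them):
BR0_IF="br0"
BR0_ADDR="192.168.1.10"      # assumed address of this box on br0
BR0_NET="192.168.1.0/24"     # the br0 route shown in the thread
DMZ_GW="192.168.1.1"         # assumed gateway on the DMZ/eth2 segment
TABLE="100"                  # assumed spare routing table number

# With DRY_RUN=1 the commands are printed instead of executed, so the
# sequence can be reviewed without root.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

policy_route_setup() {
    # Connected route plus a DMZ-side default route in the dedicated table.
    run ip route replace "$BR0_NET" dev "$BR0_IF" src "$BR0_ADDR" table "$TABLE"
    run ip route replace default via "$DMZ_GW" dev "$BR0_IF" table "$TABLE"
    # Locally generated replies carry the br0 address as source, so the
    # "from" rule is what steers them; "iif br0" only covers forwarded packets.
    run ip rule add from "$BR0_ADDR" lookup "$TABLE" priority 100
    run ip rule add iif "$BR0_IF" lookup "$TABLE" priority 101
    # Accept br0 traffic before the mark-based alpaca-firewall chain sees it:
    # established/related flows and echo requests; add explicit rules for
    # any service that must accept new connections on br0.
    run iptables -I INPUT 1 -i "$BR0_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -I INPUT 2 -i "$BR0_IF" -p icmp --icmp-type echo-request -j ACCEPT
    run ip route flush cache
}

policy_route_teardown() {
    run ip rule del from "$BR0_ADDR" lookup "$TABLE" priority 100
    run ip rule del iif "$BR0_IF" lookup "$TABLE" priority 101
    run ip route flush table "$TABLE"
    run iptables -D INPUT -i "$BR0_IF" -p icmp --icmp-type echo-request -j ACCEPT
    run iptables -D INPUT -i "$BR0_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}
```

Run policy_route_setup as root without DRY_RUN to apply it; policy_route_teardown reverses it. Verify with "ip rule show" and "ip route show table 100", then repeat the ping from the third subnet.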

