Old 08-20-2010, 10:18 AM   #1
scheidel21
IPtables&routing on an Untangle box, need some advice, traffic not being returned


Hi all, I have an Untangle box - which, for those that don't know, is a modified Debian Lenny used as a router, proxy, filter and much more. It has three physical interfaces on it: eth0 (incoming traffic), eth1 (outgoing to LAN after traffic is filtered), and eth2 (called a DMZ NIC, as Untangle can be used as a router). There is also a tun0 interface set up by Untangle for VPN (not using the OpenVPN in Untangle because I need a bridged VPN and this is not an option in Untangle's offering), a br0.eth set up by Untangle to bridge eth0 and eth1 for traffic flow-through, as it is inline from router to switch and not acting as the router itself, and a br0 interface that I have set up by bridge script, bridging eth2 and tap0 to run OpenVPN as a bridged VPN. The routes on the machine are as follows:

Code:
untangle:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   *               255.255.255.0   U     0      0        0 br.eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
192.0.2.0       *               255.255.255.0   U     0      0        0 dummy0
192.0.2.0       *               255.255.255.0   U     0      0        0 utun
untangle:~#

I don't see a default route listed here; however, I do have Internet connectivity on the Untangle box itself. I also know that my script to bridge the tap0 and eth2 interfaces adds a default route through the gateway on the network that eth2 is connected to. So the lack of a default route is somewhat puzzling to me. I do have the gateway set through the web-based admin interface Untangle offers.

The iptables rules are as follows:

Code:
untangle:~# iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N alpaca-firewall
-N alpaca-nat-firewall
-A INPUT -i ! utun -p tcp -m tcp --dport 9500:9627 -m conntrack --ctstate INVALID,NEW -j DROP
-A INPUT -p udp -m multiport --dports 68 -j RETURN
-A INPUT -p udp -m mark --mark 0x2/0x2 -m multiport --dports 67 -j RETURN
-A INPUT -j alpaca-firewall
-A INPUT -p udp -m multiport --dports 67 -j DROP
-A FORWARD -m mark --mark 0x0/0x40000000 -j alpaca-firewall
-A FORWARD -i br.eth0 -g alpaca-nat-firewall
-A alpaca-firewall -m mark --mark 0x0/0xc000000 -j RETURN
-A alpaca-firewall -m mark --mark 0x8000000/0x8000000 -j DROP
-A alpaca-firewall -p tcp -m mark --mark 0x4000000/0x4000000 -j REJECT --reject-with tcp-reset
-A alpaca-firewall -m mark --mark 0x4000000/0x4000000 -j REJECT --reject-with icmp-port-unreachable
-A alpaca-nat-firewall -m conntrack --ctstate DNAT -j RETURN
-A alpaca-nat-firewall -m mark --mark 0x80000000/0x80000000 -j RETURN
-A alpaca-nat-firewall -o tun0 -j DROP

untangle:~# iptables -L -v
Chain INPUT (policy ACCEPT 3514K packets, 534M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  !utun  any     anywhere             anywhere            tcp dpts:9500:9627 ctstate INVALID,NEW
  142 47146 RETURN     udp  --  any    any     anywhere             anywhere            multiport dports bootpc
    0     0 RETURN     udp  --  any    any     anywhere             anywhere            mark match 0x2/0x2 multiport dports bootps
1677K  254M alpaca-firewall  all  --  any    any     anywhere             anywhere
    0     0 DROP       udp  --  any    any     anywhere             anywhere            multiport dports bootps

Chain FORWARD (policy ACCEPT 1351 packets, 198K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 alpaca-firewall  all  --  any    any     anywhere             anywhere            mark match 0x0/0x40000000
    0     0 alpaca-nat-firewall  all  --  br.eth0 any     anywhere             anywhere            [goto]

Chain OUTPUT (policy ACCEPT 3610K packets, 711M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain alpaca-firewall (2 references)
 pkts bytes target     prot opt in     out     source               destination
1641K  248M RETURN     all  --  any    any     anywhere             anywhere            mark match 0x0/0xc000000
35363 5672K DROP       all  --  any    any     anywhere             anywhere            mark match 0x8000000/0x8000000
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere            mark match 0x4000000/0x4000000 reject-with tcp-reset
    0     0 REJECT     all  --  any    any     anywhere             anywhere            mark match 0x4000000/0x4000000 reject-with icmp-port-unreachable

Chain alpaca-nat-firewall (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  any    any     anywhere             anywhere            ctstate DNAT
    0     0 RETURN     all  --  any    any     anywhere             anywhere            mark match 0x80000000/0x80000000
    0     0 DROP       all  --  any    tun0    anywhere             anywhere

There was an additional output rule in the alpaca-nat-firewall rule that said DROP outgoing interface eth2; I removed that rule with no change. I can ping out from the Untangle server to the eth2 LAN, and I can access resources in the eth2 subnet. But I cannot get any reply from the server from anything either in that subnet or not. If I run iftop I can see the incoming traffic from my ping, but the server sends out no reply. I think this is a firewall issue. Any help would be greatly appreciated. I can access the server by connecting to the IP assigned to the eth0/br0.eth interface, which is in my main LAN. Any help would be appreciated. I am also attaching a crude diagram of the previous setup and the new setup (previous setup used a different server for my bridged VPN).

Is there a rule I can add to ensure that traffic coming in on an interface goes out the same interface? Do I have a rule blocking incoming traffic to eth2/br0? Do I have one blocking sending out on eth2/br0? Do I have a default rule that is killing the traffic on eth2/br0 and I need to add an accept rule for traffic coming in on eth2/br0? I tried adding an accept rule for traffic coming in on br0, but it didn't work. I tried an output rule, but that didn't work, but I may have been bungling these rules as I do not fully understand the syntax and function and body of an iptables rule.

The exact original iptables information before I modified anything can be viewed at http://www.scheidel21.com/viewpage.php?page_id=4

Again thank you in advance for any assistance.
Attached Images
File Type: png Untangle.png (48.3 KB, 8 views)

 
Old 08-21-2010, 06:44 AM   #2
nimnull22
Quote:
Is there a rule I can add to ensure that traffic coming in on an interface goes out the same interface? Do I have a rule blocking incoming traffic to eth2/br0? Do I have one blocking sending out on eth2/br0? Do I have a default rule that is killing the traffic on eth2/br0 and I need to add an accept rule for traffic coming in on eth2/br0?

You know, what you have right now is quite complicated to understand.
I can suggest you use "tcpdump -nnt -i ethX" and see for yourself what is going on on your network.
Tcpdump output will show you where packets come from and where they go.
 
Old 08-31-2010, 11:25 AM   #3
scheidel21
I took a look at the output of tcpdump and the data was going into the ether, never getting sent back out. I checked the routing table and there was no default route set up. I tried a tracert to yahoo.com and it went through the normal gateway on my LAN. I added a default route to the gateway on the DMZ interface and then tried tracert again; it went through the DMZ gateway. I then tried to ping from a machine in a third subnet that was not known to the system I am having trouble with, and the ping was returned fine; if I removed that default route then the pings were not returned to the third subnet. So this is a routing issue. My possible solutions are to find a way to use the routing table to specify that data coming in on the DMZ interface be routed back out that way, which I don't think is possible without iproute2. Or the second option is to find an iptables rule to route all traffic that came in on that interface out that same interface. I think I would have to use NAT prerouting for that, but I don't have any idea how to do it. Does anyone have an idea how I can do this?
 
Old 09-02-2010, 08:57 AM   #4
scheidel21
OK, this is now resolved. The issue was a combination of iptables, in that I needed to add an ACCEPT rule for traffic coming into my br0 bridge, and Linux advanced routing using the iproute2 package. I needed to use the ip tool to create a new routing table that said anything coming in on br0 gets sent out br0, then I used the ip tool to add the new table into the routing table rules. I used several sites for reference, but the one that explained exactly what I wanted to do and helped me most was http://kindlund.wordpress.com/2007/1...utes-in-linux/ Many thanks to this individual.
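
One way to express the fix described in post #4, as an added example that is not the poster's actual commands: a dedicated routing table selected by source address, plus an ACCEPT inserted just before the jump to alpaca-firewall so the earlier DROP for ports 9500:9627 stays ahead of it. IFACE and NET come from the routing table in post #1; LOCAL_IP, GATEWAY and the table number are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. IFACE and NET come from the routing table
# in post #1; LOCAL_IP, GATEWAY and TABLE are placeholders/assumptions.
IFACE=br0
NET=192.168.1.0/24
LOCAL_IP=192.168.1.2   # placeholder: this box's address on br0
GATEWAY=192.168.1.1    # placeholder: gateway on the eth2/br0 network
TABLE=100              # hypothetical routing table number

# INPUT chain as listed in post #1 (used for the dry run).
SAMPLE_INPUT='-P INPUT ACCEPT
-A INPUT -i ! utun -p tcp -m tcp --dport 9500:9627 -m conntrack --ctstate INVALID,NEW -j DROP
-A INPUT -p udp -m multiport --dports 68 -j RETURN
-A INPUT -p udp -m mark --mark 0x2/0x2 -m multiport --dports 67 -j RETURN
-A INPUT -j alpaca-firewall
-A INPUT -p udp -m multiport --dports 67 -j DROP'

# Read `iptables -S INPUT` text on stdin; print the 1-based rule number of the
# jump to alpaca-firewall, so the ACCEPT lands just before it and the earlier
# DROP for ports 9500:9627 stays in front. Prints nothing if there is no jump.
accept_position() {
  awk '/^-A INPUT / { n++; if ($0 ~ /-j alpaca-firewall/) { print n; exit } }'
}

# Print the commands for a given insert position ($1), one per line.
plan() {
  cat <<EOF
ip route add $NET dev $IFACE src $LOCAL_IP table $TABLE
ip route add default via $GATEWAY dev $IFACE table $TABLE
ip rule add from $LOCAL_IP/32 lookup $TABLE priority 1000
iptables -I INPUT $1 -i $IFACE -j ACCEPT
EOF
}

if [ "${APPLY:-0}" = 1 ]; then      # needs root; stops at the first failure
  pos=$(iptables -S INPUT | accept_position)
  plan "${pos:?no alpaca-firewall jump found}" | sh -ex
  ip route get 198.51.100.1 from "$LOCAL_IP"   # should report dev br0
else
  plan "$(printf '%s\n' "$SAMPLE_INPUT" | accept_position)"   # dry run
fi
```

Run without arguments it only prints the commands; `ip rule show` and `ip route show table 100` list what was installed after a run with APPLY=1.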
 
  

