LinuxQuestions.org

What is my firewall blocking? (maybe ipsec-tools and/or nfsv4 related?) (http://www.linuxquestions.org/questions/linux-networking-3/what-is-my-firewall-blocking-maybe-ipsec-tools-and-or-nfsv4-related-4175415062/)

Artemus 07-05-2012 09:58 AM

What is my firewall blocking? (maybe ipsec-tools and/or nfsv4 related?)
 
I have two Ubuntu 12.04 LTS boxes acting as gateways that also join two LANs using an ipsec tunnel. The details are

Gateway 1:
LAN: 10.56.182.0/24
LAN IP: 10.56.182.1
WAN IP: xxx.yyy.68.11

ip route add 10.56.183.0/24 via xxx.yyy.68.11 src 10.56.182.1
is run on boot from /etc/rc.local


Gateway 2:
LAN: 10.56.183.0/24
LAN IP: 10.56.183.1
WAN IP: xxx.yyy.68.30

ip route add 10.56.182.0/24 via xxx.yyy.68.30 src 10.56.183.1
is run on boot from /etc/rc.local


Filesystems on each gateway are mounted on the other gateway using nfsv4, mounted through the tunnel. That is, the filesystem on Gateway 1 is exported to 10.56.183.1 and is mounted on Gateway 2 from 10.56.182.1. This seems to work fine for the most part. However, periodically I find the following in the UFW firewall log on Gateway 2:

Code:

Jul  5 01:01:02 calvin kernel: [230584.711633] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=106 DF PROTO=TCP SPT=722 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0
Jul  5 01:01:03 calvin kernel: [230585.710517] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=107 DF PROTO=TCP SPT=722 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0
Jul  5 01:01:05 calvin kernel: [230587.714504] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=108 DF PROTO=TCP SPT=722 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0
Jul  5 01:01:09 calvin kernel: [230591.726522] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=109 DF PROTO=TCP SPT=722 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0
Jul  5 01:01:17 calvin kernel: [230599.742525] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=110 DF PROTO=TCP SPT=722 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0
Jul  5 01:01:33 calvin kernel: [230615.774530] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=111 DF PROTO=TCP SPT=722 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0
Jul  5 01:04:20 calvin kernel: [230782.072824] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58454 DF PROTO=TCP SPT=998 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0
Jul  5 01:04:21 calvin kernel: [230783.070748] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyyy LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58455 DF PROTO=TCP SPT=998 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0 URGP=0
Jul  5 01:04:23 calvin kernel: [230785.072453] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58456 DF PROTO=TCP SPT=998 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0 URGP=0
Jul  5 01:04:27 calvin kernel: [230789.086472] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58457 DF PROTO=TCP SPT=998 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0 URGP=0
Jul  5 01:04:29 calvin kernel: [230791.452089] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55852 DF PROTO=TCP SPT=948 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0 URGP=0
Jul  5 01:04:30 calvin kernel: [230792.448800] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55853 DF PROTO=TCP SPT=948 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0 URGP=0
Jul  5 01:04:32 calvin kernel: [230794.456101] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55854 DF PROTO=TCP SPT=948 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0 URGP=0
Jul  5 01:04:35 calvin kernel: [230797.102949] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58458 DF PROTO=TCP SPT=998 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0 URGP=0
Jul  5 01:04:36 calvin kernel: [230798.460959] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55855 DF PROTO=TCP SPT=948 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0 URGP=0
Jul  5 01:04:44 calvin kernel: [230806.468807] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55856 DF PROTO=TCP SPT=948 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0 URGP=0
Jul  5 01:04:51 calvin kernel: [230813.118755] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58459 DF PROTO=TCP SPT=998 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0 URGP=0
Jul  5 01:05:00 calvin kernel: [230822.501109] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55857 DF PROTO=TCP SPT=948 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0 URGP=0
Jul  5 01:06:44 calvin kernel: [230926.082700] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23222 DF PROTO=TCP SPT=978 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0 URGP=0
Jul  5 01:09:01 calvin kernel: [231063.802816] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57878 DF PROTO=TCP SPT=1003 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0
Jul  5 01:09:02 calvin kernel: [231064.802468] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57879 DF PROTO=TCP SPT=1003 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0
Jul  5 01:09:04 calvin kernel: [231066.806477] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57880 DF PROTO=TCP SPT=1003 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0
Jul  5 01:09:32 calvin kernel: [231094.846470] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57883 DF PROTO=TCP SPT=1003 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0
Jul  5 07:30:01 calvin kernel: [253923.840688] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37181 DF PROTO=TCP SPT=844 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0
Jul  5 07:30:02 calvin kernel: [253924.838090] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37182 DF PROTO=TCP SPT=844 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0

It seems to be related to accessing one of the filesystems through nfsv4. I have all access through the tunnels opened and esp, ah, and udp port 500 open between the gateways. On Gateway 2:

$ sudo ufw status
[sudo] password for Artemus:
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       10.56.0.0/16
Anywhere                   ALLOW       xxx.yyy.68.11/esp
Anywhere                   ALLOW       xxx.yyy.68.11/ah
Anywhere                   ALLOW       xxx.yyy.68.11 500/udp



Does anyone have any idea what is being blocked by the firewall?
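A way to answer "what is being blocked" from the log itself, as an added example that is not the poster's code: group the [UFW BLOCK] lines by flow and note what the source ports say about the client. Reading the log above this way shows a single flow, TCP from Gateway 1's WAN address to Gateway 2's WAN address on port 54320, SYN only, with every source port below 1024 and the retries spaced 1, 2, 4, 8, 16 seconds apart (01:01:02, :03, :05, :09, :17, :33), which is an unanswered TCP connect being retransmitted by a root-owned or kernel client on Gateway 1 outside the tunnel. The sample lines are constructed in the same shape as the log in the post (same redacted xxx.yyy addresses), plus one unrelated line from the documentation address 198.51.100.7 to show that separate flows stay separate.

```python
"""Summarise [UFW BLOCK] kernel-log lines by flow (added example, not from the thread)."""
import re
from collections import Counter, defaultdict

# Constructed sample: same shape as the log in the post, addresses redacted the same way,
# plus one unrelated SYN from 198.51.100.7 (a documentation address) to port 22.
SAMPLE_LOG = """\
Jul  5 01:01:02 calvin kernel: [230584.711633] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=106 DF PROTO=TCP SPT=722 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0
Jul  5 01:01:03 calvin kernel: [230585.710517] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=107 DF PROTO=TCP SPT=722 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0
Jul  5 01:04:20 calvin kernel: [230782.072824] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58454 DF PROTO=TCP SPT=998 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0
Jul  5 01:04:29 calvin kernel: [230791.452089] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=xxx.yyy.68.11 DST=xxx.yyy.68.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55852 DF PROTO=TCP SPT=948 DPT=54320 WINDOW=14600 RES=0x00 SYN URGP=0
Jul  5 01:10:00 calvin kernel: [231100.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:13:20:16:69:f6:00:1f:d0:a2:21:aa:08:00 SRC=198.51.100.7 DST=xxx.yyy.68.30 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=44123 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

UFW_BLOCK = re.compile(r"\[UFW BLOCK\]\s+(?P<fields>.*)$")
FIELD = re.compile(r"(\w+)=(\S*)")
NUMERIC = ("SPT", "DPT", "TTL", "LEN", "ID")


def parse_ufw_block(line):
    """Return the KEY=VALUE fields of one [UFW BLOCK] line as a dict, or None for
    any other line. Bare tokens (DF, SYN, ACK, ...) are collected under 'flags'."""
    m = UFW_BLOCK.search(line)
    if not m:
        return None
    tail = m.group("fields")
    rec = dict(FIELD.findall(tail))          # OUT= yields an empty string, as in the log
    rec["flags"] = [tok for tok in tail.split() if "=" not in tok]
    for key in NUMERIC:
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def summarize(log_text):
    """Group blocked packets by (SRC, DST, PROTO, DPT) and collect the source ports
    seen per flow, which is what hints at the kind of client behind them."""
    flows = Counter()
    sports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_ufw_block(line)
        if rec is None:
            continue
        key = (rec["SRC"], rec["DST"], rec["PROTO"], rec.get("DPT"))
        flows[key] += 1
        if "SPT" in rec:
            sports[key].add(rec["SPT"])
    return flows, sports


def describe(key, count, sports):
    """One report line per flow with the hints an admin would look for."""
    src, dst, proto, dport = key
    hints = []
    if sports and max(sports) < 1024:
        # Reserved (<1024) source ports need root: a daemon or kernel client such as
        # the Linux NFS client (which binds reserved ports by default), not a user process.
        hints.append("reserved source ports: privileged/kernel client")
    if len(sports) > 1:
        hints.append("%d distinct source ports: repeated reconnect attempts" % len(sports))
    return "%3dx %s %s -> %s:%s  [%s]" % (count, proto, src, dst, dport,
                                           "; ".join(hints) or "no hint")


def report(log_text):
    """Report lines, busiest flow first."""
    flows, sports = summarize(log_text)
    return [describe(k, c, sports[k]) for k, c in flows.most_common()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against the real file with `python3 ufw_flows.py < /var/log/ufw.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the reserved-port hint is the one that narrows the search on this box to root-owned services, consistent with the nfsv4 suspicion in the post.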

Artemus 07-08-2012 07:57 AM

Following up my own post, I seem to have stumbled upon the problem. Looking at /etc/mtab, it seems that the NFS filesystems through the IPSEC tunnel were being mounted with clientaddr=xxx.yyy.68.30 (the WAN IP address) instead of clientaddr=10.56.183.1 (the LAN IP address). Adding the option clientaddr=10.58.183.1 to mount in /etc/fstab fixed it.
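The follow-up explains the blocks: clientaddr is the address an NFSv4 client advertises to the server for callback connections (see nfs(5)), so a mount that picked the WAN address had the server on Gateway 1 opening its callback connection to Gateway 2's WAN interface, outside the tunnel and outside the ufw allow rules. An added check for that condition, not the poster's code: scan /proc/mounts (which carries the same clientaddr= option the poster read in /etc/mtab) for NFS mounts whose clientaddr is not inside the LAN range the firewall allows, and emit the fstab line with clientaddr pinned, as the fix did. The /proc/mounts excerpt is constructed; 203.0.113.30 is a stand-in for the redacted WAN address, and the export paths and mount points are assumed.

```python
"""Find NFS mounts whose advertised callback address (clientaddr) lies outside the LAN.
Added example, not the poster's code."""
import ipaddress

# Constructed /proc/mounts excerpt: one NFSv4 mount whose clientaddr fell back to a
# stand-in WAN address (203.0.113.30 here, xxx.yyy.68.30 in the post), one pinned to
# the LAN address, and one non-NFS mount that must be ignored.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
10.56.182.1:/srv/export /mnt/gw1 nfs4 rw,relatime,vers=4,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=203.0.113.30,local_lock=none,addr=10.56.182.1 0 0
10.56.182.1:/srv/home /mnt/gw1-home nfs4 rw,relatime,vers=4,hard,proto=tcp,sec=sys,clientaddr=10.56.183.1,addr=10.56.182.1 0 0
"""


def parse_mounts(text):
    """Parse /proc/mounts (or /etc/mtab) lines; the option string becomes a dict."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        source, target, fstype, opts = parts[:4]
        options = {}
        for opt in opts.split(","):
            name, _, value = opt.partition("=")   # flag options get value ""
            options[name] = value
        mounts.append({"source": source, "target": target,
                       "fstype": fstype, "options": options})
    return mounts


def nfs_mounts_outside_lan(text, lan_cidr):
    """Return (mountpoint, clientaddr) for every NFS mount whose callback address
    is missing or not inside lan_cidr; an empty list means nothing to fix."""
    lan = ipaddress.ip_network(lan_cidr)
    findings = []
    for m in parse_mounts(text):
        if not m["fstype"].startswith("nfs"):
            continue
        clientaddr = m["options"].get("clientaddr")
        if clientaddr is None or ipaddress.ip_address(clientaddr) not in lan:
            findings.append((m["target"], clientaddr))
    return findings


def fstab_fix(mount, lan_ip):
    """The corrected /etc/fstab line: keep the mount's options except clientaddr and
    the server-side addr= that mount fills in itself, then pin clientaddr to lan_ip."""
    keep = [k if v == "" else "%s=%s" % (k, v)
            for k, v in mount["options"].items() if k not in ("clientaddr", "addr")]
    return "%s %s %s %s 0 0" % (mount["source"], mount["target"], mount["fstype"],
                                ",".join(keep + ["clientaddr=%s" % lan_ip]))


if __name__ == "__main__":
    # 10.56.0.0/16 is the range the poster's ufw rules allow; 10.56.183.1 is Gateway 2's LAN IP.
    for target, clientaddr in nfs_mounts_outside_lan(SAMPLE_MOUNTS, "10.56.0.0/16"):
        print("callback address outside LAN: %s (clientaddr=%s)" % (target, clientaddr))
    bad = [m for m in parse_mounts(SAMPLE_MOUNTS) if m["target"] == "/mnt/gw1"][0]
    print(fstab_fix(bad, "10.56.183.1"))
```

On a live box replace `SAMPLE_MOUNTS` with `open("/proc/mounts").read()`; a mount reported here is one whose server-initiated callbacks will leave by the WAN interface and show up as exactly the kind of [UFW BLOCK] lines in the first post.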

