LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 08-19-2004, 01:11 PM   #1
ariebs
LQ Newbie
 
Registered: Aug 2004
Location: Massachusetts, USA
Distribution: Debian, SuSE, Red Hat, Kubuntu, Ubuntu
Posts: 9

Rep: Reputation: 0
Avoid the firewall for outbound traffic on locally-defined virtual IP address?


The situation: We are building a cluster that implements an iptables firewall on every node. The firewall blocks all but a small number of specified ports in the well-known ports range (1-1023) on the INPUT chain of the real IP address.

To handle failover for a vendor's daemon, we allocate a virtual IP address, and correspond through that. That daemon opens a random output port in the range from 512 to 1023.

When the firewall is down, or when we assign the daemon to use the ethernet port's "real" IP address, the vendor's daemon works fine.

However, when the firewall is up and the daemon is using the virtual IP address, the connection is prevented. It appears that traffic outbound on the virtual IP address is winding up on the INPUT chain for the real IP address?

In the following except from tcpdump,
the daemon is running on .46
the daemon is using virtual IP .20
the client is running on .48
"tcpdump -ln -i eth1" (in promiscuous mode) is running on .48
----- snip ---------
11:16:58.703317 172.20.0.48.1023 > 172.20.0.20.6879: udp 16 (DF)
11:16:58.703489 172.20.0.46.6879 > 172.20.0.48.1023: udp 28 (DF)
11:16:58.703523 172.20.0.48 > 172.20.0.46: icmp: host 172.20.0.48 unreachable - admin prohibited [tos 0xc0]
11:17:03.703086 arp who-has 172.20.0.20 tell 172.20.0.48
11:17:03.703152 arp reply 172.20.0.20 is-at 0:30:6e:4a:82:b8
11:17:05.812507 172.20.0.48.35484 > 172.20.0.47.5666: S 1603799250:1603799250(0) win 5840 <mss 1460,sackOK,timestamp 8204997 0,nop,wscale 0> (DF)
11:17:05.812605 172.20.0.47.5666 > 172.20.0.48.35484: S 1615423288:1615423288(0) ack 1603799251 win 5792 <mss 1460,sackOK,timestamp 8191574 8204997,nop,wscale 0> (DF)
----- snip ---------

In any case, how can we allow unfettered outbound access on the virtual IP address while blocking unwanted inputs on the real IP address?

[This hadoriginally been erroneously posted in "Linux networking"]
 
Old 08-21-2004, 06:48 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Does the config work with the firewall down and the daemon using the vitual IP? One would think that it would be problematic that the reply is coming from an entirely different machine than the request was made to. That actually might be the problem with the firewall config. If your basing access on any kind of connection state relationships, then this likely would not match either the RELATED or ESTABLISHED states. Could you post your firewall config? (remove any routable public IPs from it beforehand)
 
Old 09-30-2004, 10:40 AM   #3
ariebs
LQ Newbie
 
Registered: Aug 2004
Location: Massachusetts, USA
Distribution: Debian, SuSE, Red Hat, Kubuntu, Ubuntu
Posts: 9

Original Poster
Rep: Reputation: 0
cockpit error

Stupid error on my part that had nothing to do with the use of a virtual IP address. Thanks for thinking about this.

/andy
 
Old 09-30-2004, 02:49 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Can you enlighten us to what the problem and solution was? Someone might have a similar problem and find your solution helpful. Thanks.
 
Old 09-30-2004, 03:37 PM   #5
ariebs
LQ Newbie
 
Registered: Aug 2004
Location: Massachusetts, USA
Distribution: Debian, SuSE, Red Hat, Kubuntu, Ubuntu
Posts: 9

Original Poster
Rep: Reputation: 0
It turns out that, in addition to the ports we knew about, the vendor's daemon was *also* opening random *outbound* ports in the range 1-1023. Our firewall was configured to disallow all outbound traffic, so the communication failed.

The solution was to persuade the vendor to provide an option to prevent the daemon from opening inappropriate outbound ports.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Logging All Incoming / Outbound Traffic technick Linux - Security 1 10-24-2005 03:32 PM
Spike in outbound traffic- where to look? htmlcoder Linux - Security 3 03-19-2005 04:13 PM
Avoid the firewall for outbound traffic on locally-defined virtual IP address? ariebs Linux - Networking 1 08-19-2004 01:05 PM
snort logging all outbound traffic as port-scan? Pcghost Linux - Security 3 04-20-2004 02:12 PM
Force outbound reply traffic to reuse inbound non-gw NIC? Jon- Linux - Networking 2 03-05-2002 05:50 PM


All times are GMT -5. The time now is 03:42 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration