
without 09-21-2004 10:34 AM

tracerouter & Tracert
 
Hi, I'm new to this forum.

I have a problem with Fedora acting as a NAT gateway: on my two XP PCs, tracert does not work,
but my other two Linux boxes behind the firewall can do a traceroute with no problems.

Has anyone seen this problem before?

chort 09-21-2004 11:13 AM

That's because *n*x traceroute uses UDP datagrams, but Win* tracert uses ICMP. Apparently your firewall is blocking all ICMP traffic.

without 09-21-2004 05:05 PM

I can ping external IP addresses from Win*; can I post my firewall script here?

chort 09-21-2004 06:45 PM

Go ahead, it's the quickest way to get an answer ;)

without 09-21-2004 06:58 PM

# Start rc.local

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

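# Mark the "local" service as started for the SysV init framework.
touch /var/lock/subsys/local

# Kernel network tuning. Each write is guarded by a test for the sysctl
# file so the script still runs on a kernel that lacks the knob.

# Size of the connection-tracking table (the stateful/NAT rules in
# rc.firewall depend on conntrack).
if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]; then
  echo "4096" > /proc/sys/net/ipv4/ip_conntrack_max
fi

# Ephemeral port range. printf instead of 'echo -e': the script runs under
# /bin/sh and 'echo -e' is not portable there.
if [ -e /proc/sys/net/ipv4/ip_local_port_range ]; then
  printf '32768\t61000\n' > /proc/sys/net/ipv4/ip_local_port_range
  # printf '0\t61000\n' > /proc/sys/net/ipv4/ip_local_port_range
fi

# Refuse source-routed packets on every interface.
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
  for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo "0" > "$i"
  done
fi

# Reverse-path filtering on every interface (drops packets whose source
# address would not be routed back out the interface they came in on).
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo "1" > "$i"
  done
fi

# Do not answer ICMP echo sent to broadcast addresses.
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
  echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi

# Turn on IPv4 routing between the interfaces. NOTE(review): this is done
# here unconditionally, so the box forwards with whatever FORWARD policy is
# in place at that moment, whether or not rc.firewall has loaded its rules.
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
  echo "1" > /proc/sys/net/ipv4/ip_forward
fi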

#end rc.local

#start of rc.firewall

#!/bin/sh
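# Paths to the tools this script drives, plus shorthands for common calls.
IPTABLES="/sbin/iptables"
ADD="$IPTABLES -A"
CREATE="$IPTABLES -N"
FLUSH="$IPTABLES -F"
MODPROBE="/sbin/modprobe"

# Netfilter modules: core tables, connection tracking and the FTP helpers
# (ip_nat_ftp / ip_conntrack_ftp let FTP data connections pass the NAT).
$MODPROBE ip_tables
$MODPROBE ip_nat_ftp
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp

# External network interface (BPA)
EXT_IF="eth0"
# First IPv4 address of EXT_IF. Anchored on "inet addr:" so the
# "inet6 addr:" line that ifconfig prints for the same interface is never
# picked up. Empty when the interface has no IPv4 address.
EXT_IP=$(/sbin/ifconfig "$EXT_IF" | awk '/inet addr:/ { sub(/.*addr:/, ""); print $1; exit }')

# Internal network interface (LAN)
INT_IF="eth1"
INT_NET="192.168.1.0/24"

ANY="0.0.0.0/0"

# Filename for incoming/outgoing byte counters
ACCF=/var/log/TRAFFIC
# Lock taken by save(). Kept under /var/lock (root-only) rather than /tmp:
# in a world-writable directory any local user could pre-create the lock
# and stop the counters from ever being saved.
LOCK=/var/lock/TRAFFIC.lck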

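#######################################
# Load the full rule set: SNAT gateway for INT_NET behind EXT_IF, stateful
# INPUT/FORWARD chains with DROP policies, byte accounting and a transparent
# HTTP proxy redirect.
# Globals:   IPTABLES, EXT_IF, EXT_IP, INT_IF, INT_NET, ANY (read);
#            X1..X4 (read, filled by getcounters); BPA_AUTH_SVR (written)
# Outputs:   progress messages on stdout, errors on stderr
# Returns:   1 if EXT_IP is empty (tables are left untouched), otherwise the
#            status of the last iptables command
#######################################
start() {
  # Fail closed: without an external address the SNAT rule below would be
  # rejected and LAN packets would leave EXT_IF with private source
  # addresses.
  if [ -z "$EXT_IP" ]; then
    echo "start: no IPv4 address found on $EXT_IF, rules not loaded" >&2
    return 1
  fi

  # Known state first (flush, ACCEPT policies, user chains gone), then close
  # INPUT/FORWARD immediately so the accept-everything window lasts only for
  # the flush rather than for the whole rule load.
  reset
  $IPTABLES -P INPUT DROP
  $IPTABLES -P FORWARD DROP
  $IPTABLES -P OUTPUT ACCEPT

  BPA_AUTH_SVR="61.9.208.13"
  #BPA_AUTH_SVR=$(host sm-server | grep address | cut -f4 -d" ")
  echo "External IP = $EXT_IP"

  # Restore the saved packet/byte counters into X1..X4
  getcounters

  # [ TRAF ] Accounting chains (no rules of their own; only their counters
  # are used)
  $IPTABLES -N TRAF-IN
  $IPTABLES -N TRAF-OUT

  #
  # [ INPUT ]
  #
  echo "Iptable Input"
  $IPTABLES -F INPUT

  # Byte counter for incoming traffic. X1..X4 hold "pkts bytes" and must
  # expand to two words, hence the unquoted expansions below.
  # shellcheck disable=SC2086
  $IPTABLES -A INPUT -i "$EXT_IF" -j TRAF-IN -c $X1

  # Allow BPA heartbeat packets
  $IPTABLES -A INPUT -s "$BPA_AUTH_SVR" -i "$EXT_IF" -p udp --dport 5050 -j ACCEPT

  # Allow all packets from localhost and internal network
  $IPTABLES -A INPUT -i lo -j ACCEPT
  $IPTABLES -A INPUT -i "$INT_IF" -j ACCEPT

  # Stateful inspection - packets belonging to connections this host opened
  $IPTABLES -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Drop invalid packets
  $IPTABLES -A INPUT -m state --state INVALID -j DROP

  # DROP packets from private / link-local sources on the outside.
  # Deliberately placed after the state rule: ICMP errors RELATED to an
  # outbound flow can legitimately arrive from an RFC1918 hop upstream
  # (e.g. an ISP bridge) and would be lost if these rules came first.
  $IPTABLES -A INPUT -i "$EXT_IF" -s 10.0.0.0/8 -j DROP
  $IPTABLES -A INPUT -i "$EXT_IF" -s 172.16.0.0/12 -j DROP
  $IPTABLES -A INPUT -i "$EXT_IF" -s 192.168.0.0/16 -j DROP
  $IPTABLES -A INPUT -i "$EXT_IF" -s 169.254.0.0/16 -j DROP

  # LOG everything else; the DROP itself comes from the chain policy.
  # There is no rate limit, so a flood on EXT_IF goes straight into syslog
  # (-m limit would cap it).
  $IPTABLES -A INPUT -i "$EXT_IF" -j LOG --log-prefix "netfilter: "

  echo "Iptable Input OK "

  ## [ FORWARD ]
  echo "Iptable FORWARD"

  $IPTABLES -F FORWARD
  # shellcheck disable=SC2086
  $IPTABLES -A FORWARD -i "$EXT_IF" -o "$INT_IF" -j TRAF-IN -c $X3
  # shellcheck disable=SC2086
  $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXT_IF" -j TRAF-OUT -c $X4
  # From outside only replies (and RELATED ICMP errors such as
  # time-exceeded) to flows the LAN opened; the LAN itself may open
  # anything (no egress filtering).
  $IPTABLES -A FORWARD -i "$EXT_IF" -o "$INT_IF" -s "$ANY" -d "$INT_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A FORWARD -i "$INT_IF" -d "$ANY" -j ACCEPT
  $IPTABLES -A FORWARD -j LOG --log-prefix "netfilter: "

  echo "Iptable FORWARD OK "

  ## [ OUTPUT ]
  echo "Iptable OUTPUT "

  # Byte counter for outgoing traffic
  # shellcheck disable=SC2086
  $IPTABLES -A OUTPUT -o "$EXT_IF" -j TRAF-OUT -c $X2

  echo "Iptable OUTPUT OK "
  echo "Iptable NAT "
  ## [ NAT ]

  $IPTABLES -F -t nat
  $IPTABLES -t nat -F POSTROUTING

  # Source NAT for the LAN to the (static) external address
  $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j SNAT --to-source "$EXT_IP"
  #$IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE

  ## Transparent proxy: LAN HTTP (port 80) is redirected to Squid on 3128.
  ## This rule is ACTIVE; comment it out if no proxy listens on 3128,
  ## otherwise web access from the LAN silently breaks.
  $IPTABLES -t nat -A PREROUTING -i "$INT_IF" -p tcp --dport 80 -j REDIRECT --to-port 3128

  echo "Iptable NAT OK "
}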

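#######################################
# Load the saved packet/byte counters into X1..X4 so the accounting rules
# can be re-created with "-c pkts bytes" and continue where they left off.
# Each Xn is the string "pkts bytes"; it is "0 0" when ACCF is missing or
# empty, or has no line for that chain.
# Globals:   ACCF (read); X1, X2, X3, X4 (written)
#######################################
getcounters() {
  X1="0 0"
  X2="0 0"
  X3="0 0"
  X4="0 0"
  [ -s "$ACCF" ] || return 0
  # ACCF is written by save() as one "<LABEL> <pkts> <bytes>" line per
  # chain. The label is matched as a whole field so FORW-IN can never pick
  # up the FORW-OUT line.
  X1=$(counter_from_file INPUT)
  X2=$(counter_from_file OUTPUT)
  X3=$(counter_from_file FORW-IN)
  X4=$(counter_from_file FORW-OUT)
}

# Print the "pkts bytes" pair stored in ACCF for the label in $1, or "0 0"
# when the label is absent.
counter_from_file() {
  local pair
  pair=$(awk -v label="$1" '$1 == label { print $2, $3; exit }' "$ACCF")
  printf '%s' "${pair:-0 0}"
}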

# Save byte counters
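#######################################
# Persist the TRAF-IN/TRAF-OUT packet and byte counters to ACCF so they
# survive a restart (getcounters reads them back). Skipped, with a message
# on stderr, when the lock cannot be taken or the filter table looks empty
# (fewer than 9 lines of `iptables -nL`, i.e. the rules are not loaded).
# Globals:   IPTABLES, ACCF, LOCK (read)
# Returns:   0 when the counters were written, 1 otherwise
#######################################
save() {
  local rules rc
  # LOCK has to sit in a directory only root can write to (not /tmp):
  # a local user who pre-creates it makes every save() give up after the
  # retries, and nothing would ever be recorded.
  if ! lockfile -l300 -r5 "$LOCK" >/dev/null 2>&1; then
    echo "save: could not take lock $LOCK, counters not saved" >&2
    return 1
  fi
  rules=$($IPTABLES -nL | wc -l | tr -d ' ')
  if [ "$rules" -gt 8 ]; then
    # One "<LABEL> <pkts> <bytes>" line per accounting rule; the group
    # redirect replaces the previous file in one go.
    {
      $IPTABLES -nvxL INPUT   | awk '/TRAF-IN/  { print "INPUT " $1 " " $2 }'
      $IPTABLES -nvxL OUTPUT  | awk '/TRAF-OUT/ { print "OUTPUT " $1 " " $2 }'
      $IPTABLES -nvxL FORWARD | awk '/TRAF-IN/  { print "FORW-IN " $1 " " $2 }'
      $IPTABLES -nvxL FORWARD | awk '/TRAF-OUT/ { print "FORW-OUT " $1 " " $2 }'
    } > "$ACCF"
    rc=0
  else
    echo "save: firewall rules not loaded, counters not saved" >&2
    rc=1
  fi
  rm -f "$LOCK"
  return "$rc"
}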

#######################################
# Return every table to its open default: ACCEPT policies on the built-in
# chains, all rules flushed and all user-defined chains deleted. Used by
# stop, and as the first step of start and lock.
# Globals:   IPTABLES (read)
#######################################
reset() {
  local chain
  # Policies first: filter, then nat, then mangle.
  for chain in INPUT FORWARD OUTPUT; do
    $IPTABLES -P "$chain" ACCEPT
  done
  for chain in PREROUTING POSTROUTING OUTPUT; do
    $IPTABLES -t nat -P "$chain" ACCEPT
  done
  for chain in PREROUTING OUTPUT; do
    $IPTABLES -t mangle -P "$chain" ACCEPT
  done

  # Then drop the rules of each table ...
  $IPTABLES -F
  $IPTABLES -t nat -F
  $IPTABLES -t mangle -F

  # ... and the user-defined chains (TRAF-IN/TRAF-OUT among them).
  $IPTABLES -X
  $IPTABLES -t nat -X
  $IPTABLES -t mangle -X
}

#######################################
# Take the firewall down: persist the counters, then open every table.
# Globals:   none directly (see save and reset)
#######################################
stop() {
  # Counters first: reset deletes the TRAF-* chains they live in.
  save
  reset
}

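#######################################
# Lockdown mode: only loopback and the LAN may reach this host; everything
# arriving on EXT_IF is counted and dropped, and nothing is forwarded.
# Globals:   IPTABLES, EXT_IF, INT_IF (read); X1 (read, set by getcounters)
#######################################
lock() {
  reset
  # reset leaves every policy at ACCEPT; close INPUT and FORWARD right
  # away. Without the FORWARD policy the LAN would still be routed to and
  # from EXT_IF (ip_forward is switched on in rc.local and nothing here
  # turns it off), which is not what "lock" promises.
  $IPTABLES -P INPUT DROP
  $IPTABLES -P FORWARD DROP
  getcounters
  $IPTABLES -N TRAF-IN
  $IPTABLES -N TRAF-OUT
  # X1 is "pkts bytes" and must expand to two words.
  # shellcheck disable=SC2086
  $IPTABLES -A INPUT -i "$EXT_IF" -j TRAF-IN -c $X1
  $IPTABLES -A INPUT -i lo -j ACCEPT
  $IPTABLES -A INPUT -i "$INT_IF" -j ACCEPT
  # Explicit catch-all kept so the chain reads the same under either policy.
  $IPTABLES -A INPUT -j DROP
}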

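# Entry point: dispatch on the first argument, init-script style.
# An unknown or missing action prints the usage line on stderr and exits
# with status 2; otherwise the exit status is that of the action.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  save)
    save
    ;;
  lock)
    lock
    ;;
  restart)
    stop
    start
    ;;
  *)
    printf 'Usage: %s {start|stop|save|lock|restart}\n' "$0" >&2
    exit 2
    ;;
esac
exit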

chort 09-21-2004 07:11 PM

Hmmm, it doesn't look like there's anything protocol-specific in there. It could be a few things, possibly that your ISP blocks the ICMP type that Windows is using (I don't think it uses ECHO REQUEST for tracert, but I could be wrong). It could also be that iptables doesn't recognize it as ESTABLISHED or RELATED traffic, but that would be odd.

What happens if you do traceroute -I on Linux (-I should make it use ICMP rather than UDP)? Also, does your Windows trace just show all stars (* * * for every hop), or do you get a response inside your network and then stars outside?

If you're familiar with tcpdump, you could run it on your internal interface while doing a tracert from Windows and see what traffic you get; then do the same with tcpdump on the external interface to see whether the datagrams are being forwarded out of it and whether the responses are coming back.

without 09-21-2004 07:35 PM

I had a look at tcpdump but could not make heads or tails of it.

With tracert, it works up to the external IPs and then replies with ** :)

[root@router root]# traceroute -s 192.168.1.254 -I www.telstra.com.au
traceroute to www.telstra.com.au (144.135.18.41) from 192.168.1.254, 30 hops max, 38 byte packets
1 10.224.16.1 (10.224.16.1) 7.197 ms 6.309 ms 6.253 ms
2 border-router.qld.bigpond.net.au (61.9.209.3) 9.398 ms 8.588 ms 8.567 ms
3 GigabitEthernet4-2.cha23.telstra.net (139.130.193.117) 12.000 ms 8.476 ms 7.529 ms

From the Windows PC

Tracing route to www.telstra.com.au [144.135.18.41]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms router.local [192.168.1.254]
2 7 ms 10 ms 7 ms 10.224.16.1
3 * * * Request timed out.
4 * * * Request timed out.

chort 09-22-2004 12:50 AM

That's pretty interesting. Are you saying that tracert from Windows worked fine prior to putting in the Linux box firewall? From the results it looks like the traffic is getting past the external interface of the firewall prior to timing out, so it seems like either the broadband router or the first router on your ISP's side is blocking the traffic. The really amusing thing is that they're specifically blocking the type of ICMP traffic that Windows tracert produces, and nothing else. That's really weird.

without 09-22-2004 02:26 AM

Would the 10.224.16.1 IP be the bridge IP between eth0 and the cable modem, because it does not reverse-lookup?

If I plug in a bridge/router device, tracert works fine, and I think from memory that there is no 10.224.16.1 in the traceroute.

chort 09-22-2004 03:27 AM

It's probably the external address of your Linux box. Use the ifconfig -a command and see what the results are.

without 09-22-2004 03:49 AM

eth0 Link encap:Ethernet HWaddr 00:D0:B7:51:BA:78
inet addr:203.45.233.67 Bcast:255.255.255.255 Mask:255.255.252.0
inet6 addr: fe80::2d0:b7ff:fe51:ba78/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8128200 errors:0 dropped:0 overruns:0 frame:0
TX packets:3404310 errors:93 dropped:0 overruns:0 carrier:93
collisions:136180 txqueuelen:1000
RX bytes:1842531721 (1757.1 Mb) TX bytes:236852432 (225.8 Mb)

eth1 Link encap:Ethernet HWaddr 00:E0:18:45:62:30
inet addr:192.168.1.254 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::2e0:18ff:fe45:6230/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3740071 errors:0 dropped:0 overruns:0 frame:0
TX packets:2508208 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:306864325 (292.6 Mb) TX bytes:1582830265 (1509.5 Mb)
Interrupt:12 Base address:0xd400

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:31558 errors:0 dropped:0 overruns:0 frame:0
TX packets:31558 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:9788618 (9.3 Mb) TX bytes:9788618 (9.3 Mb)

sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

chort 09-22-2004 12:37 PM

Ahh, you have one of those weird half-bridges. Those things are just creepy. Yes, the 10.224.16.1 IP appears to be that of your bridge, since your external NIC has a real routeable IP address.

without 09-22-2004 05:06 PM

So where to from here? :( Call Ghostbusters??

