LinuxQuestions.org forum: Linux - Security (all security related questions: questions, tips, system compromises, firewalls, etc.)
Old 09-21-2004, 10:34 AM   #1
without
LQ Newbie
 
Registered: Sep 2004
Distribution: fedora
Posts: 7

Rep: Reputation: 0
traceroute & Tracert


Hi, I'm new to this forum.

I have a problem with Fedora acting as a NAT gateway: tracert from my two XP PCs does not work,
but my other two Linux boxes behind the firewall do a traceroute with no problems.

Has anyone seen this problem before?
 
Old 09-21-2004, 11:13 AM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
That's because *n*x traceroute uses UDP datagrams, but Win* tracert uses ICMP. Apparently your firewall is blocking all ICMP traffic.
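A defender's counterpart to that point, added here as an example and not part of chort's reply or the poster's script: a default-DROP iptables gateway does not have to block all ICMP to be safe. The block below admits only the ICMP types that traceroute, ping and path-MTU discovery depend on (time-exceeded, destination-unreachable, echo-reply, and rate-limited echo-request), lets LAN hosts send both probe kinds out (ICMP echo for Windows tracert, UDP to the 33434+ range for Unix traceroute), and relies on connection tracking for the returning errors. The interface and network names are assumptions modelled on the thread's layout, `ipt` is a hypothetical wrapper, and `DRY_RUN=1` (the default) prints the rules instead of applying them, so the rule set can be reviewed on any host.

```shell
#!/bin/sh
# Added example, not the poster's rc.firewall: admit only the ICMP types a
# NAT gateway needs for traceroute/ping/PMTU instead of blocking all ICMP.
# EXT_IF, INT_IF and INT_NET are assumed names following the thread's layout.
# DRY_RUN=1 (default) echoes each rule; run as root with DRY_RUN=0 to apply.

EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
INT_NET="${INT_NET:-192.168.1.0/24}"
DRY_RUN="${DRY_RUN:-1}"

# ipt ARGS... : hypothetical wrapper that prints or applies one iptables rule
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

# ICMP types accepted from the outside without a rate limit. The error types
# carry traceroute hops (time-exceeded) and PMTU/port information
# (destination-unreachable); echo-reply answers the gateway's own pings.
icmp_in_types() {
    echo "echo-reply time-exceeded destination-unreachable"
}

traceroute_icmp_rules() {
    # Replies to LAN hosts' probes (ICMP errors for both ICMP echo and UDP
    # probes) return as RELATED; this needs ip_conntrack loaded.
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$INT_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Outbound probes: ICMP echo (Windows tracert) and UDP 33434+ (Unix traceroute)
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" \
        -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" \
        -p udp --dport 33434:33534 -j ACCEPT
    # Traffic to the gateway itself: explicit accepts do not depend on conntrack
    for t in $(icmp_in_types); do
        ipt -A INPUT -i "$EXT_IF" -p icmp --icmp-type "$t" -j ACCEPT
    done
    # Pings to the gateway are allowed but rate-limited
    ipt -A INPUT -i "$EXT_IF" -p icmp --icmp-type echo-request \
        -m limit --limit 5/second --limit-burst 10 -j ACCEPT
    # Every other ICMP type from outside is logged (rate-limited) and dropped
    ipt -A INPUT -i "$EXT_IF" -p icmp -m limit --limit 1/minute \
        -j LOG --log-prefix "icmp-drop: "
    ipt -A INPUT -i "$EXT_IF" -p icmp -j DROP
}

# Number of ICMP-specific rules in the generated set (handy when reviewing dry-run output)
count_icmp_rules() {
    traceroute_icmp_rules | grep -c -- '-p icmp'
}

traceroute_icmp_rules
```

The `-m state` match is used to stay consistent with the 2004-era script in this thread; on current kernels `-m conntrack --ctstate` is the equivalent.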
 
Old 09-21-2004, 05:05 PM   #3
without
LQ Newbie
 
Registered: Sep 2004
Distribution: fedora
Posts: 7

Original Poster
Rep: Reputation: 0
I can ping external IP addresses from Win*. Can I post my firewall script here?
 
Old 09-21-2004, 06:45 PM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Go ahead, it's the quickest way to get an answer.
 
Old 09-21-2004, 06:58 PM   #5
without
LQ Newbie
 
Registered: Sep 2004
Distribution: fedora
Posts: 7

Original Poster
Rep: Reputation: 0
# Start rc.local

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

# Kernel network settings via /proc, each guarded by an existence test
if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]; then
    # Size of the connection tracking table
    echo "4096" > /proc/sys/net/ipv4/ip_conntrack_max
fi
if [ -e /proc/sys/net/ipv4/ip_local_port_range ]; then
    # Ephemeral port range for locally originated connections
    echo -e "32768\t61000" > /proc/sys/net/ipv4/ip_local_port_range
    # echo -e "0\t61000" > /proc/sys/net/ipv4/ip_local_port_range
fi
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
    # Refuse source-routed packets on every interface
    for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo "0" > "$i"
    done
fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    # Reverse-path filtering: drop packets whose source is not routed via the receiving interface
    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo "1" > "$i"
    done
fi
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
    # Do not answer broadcast pings (smurf amplification)
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
    # Enable routing between the interfaces (required for the NAT gateway)
    echo "1" > /proc/sys/net/ipv4/ip_forward
fi

#end rc.local

#start of rc.firewall

#!/bin/sh
IPTABLES="/sbin/iptables"
ADD="$IPTABLES -A"
CREATE="$IPTABLES -N"
FLUSH="$IPTABLES -F"
MODPROBE="/sbin/modprobe"

$MODPROBE ip_tables
$MODPROBE ip_nat_ftp
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp

# External network interface (BPA)
EXT_IF="eth0"
# Match only the IPv4 "inet addr:" line; a plain "grep inet" also matches the
# "inet6 addr:" line and produces an empty extra value.
EXT_IP=`/sbin/ifconfig $EXT_IF | grep 'inet addr' | cut -d: -f2 | cut -d\  -f1`

# Internal network interface (LAN)
INT_IF="eth1"
INT_NET="192.168.1.0/24"

ANY="0.0.0.0/0"

# Filename for incoming/outgoing byte counters
ACCF=/var/log/TRAFFIC
LOCK=/tmp/TRAFFIC.lck

start() {
    # Start firewall rules
    # Set to default values
    reset

    BPA_AUTH_SVR="61.9.208.13"
    #BPA_AUTH_SVR=`host sm-server | grep address | cut -f4 -d" "`
    echo "External IP = $EXT_IP"

    # Get byte counters
    getcounters

    # Set default policy
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # [ TRAF ] Accounting chains (empty: packets fall through back to the caller)
    $IPTABLES -N TRAF-IN
    $IPTABLES -N TRAF-OUT
    #
    # [ INPUT ]
    #
    echo "Iptable Input"
    $IPTABLES -F INPUT

    # Byte counter for incoming traffic
    # $X1..$X4 are deliberately unquoted: each expands to the two words "PKTS BYTES" that -c expects
    $IPTABLES -A INPUT -i $EXT_IF -j TRAF-IN -c $X1

    # Allow BPA heartbeat packets
    $IPTABLES -A INPUT -s $BPA_AUTH_SVR -i $EXT_IF -p udp --dport 5050 -j ACCEPT

    # Allow all packets from localhost and internal network
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -i $INT_IF -j ACCEPT

    # Stateful inspection - Allow packets in from connections already established
    $IPTABLES -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Drop invalid packets
    $ADD INPUT -m state --state INVALID -j DROP

    # DROP packets from invalid (private / link-local) sources on the external interface
    $IPTABLES -A INPUT -i $EXT_IF -s 10.0.0.0/8 -j DROP
    $IPTABLES -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
    $IPTABLES -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
    $IPTABLES -A INPUT -i $EXT_IF -s 169.254.0.0/16 -j DROP

    # LOG everything else; the INPUT policy (DROP) then denies it
    $IPTABLES -A INPUT -i $EXT_IF -j LOG --log-prefix "netfilter: "

    echo "Iptable Input OK "

    ## [ FORWARD ]
    echo "Iptable FORWARD"

    $IPTABLES -F FORWARD
    $IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -j TRAF-IN -c $X3
    $IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -j TRAF-OUT -c $X4
    # Replies to LAN connections come back in; everything from the LAN may go out
    $IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -s $ANY -d $INT_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $INT_IF -d $ANY -j ACCEPT
    # LOG everything else; the FORWARD policy (DROP) then denies it
    $IPTABLES -A FORWARD -j LOG --log-prefix "netfilter: "

    echo "Iptable FORWARD OK "

    ## [ OUTPUT ]
    echo "Iptable OUTPUT "

    # Byte counter for outgoing traffic
    $IPTABLES -A OUTPUT -o $EXT_IF -j TRAF-OUT -c $X2

    echo "Iptable OUTPUT OK "
    echo "Iptable NAT "
    ## [ NAT ]

    $IPTABLES -F -t nat
    $IPTABLES -t nat -F POSTROUTING

    # Source NAT for the LAN to the (static) external address
    $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j SNAT --to-source $EXT_IP
    #$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE

    ## Transparent proxy - Uncomment this to forward HTTP traffic on port 80 to Squid
    $IPTABLES -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-port 3128

    echo "Iptable NAT OK "
}

getcounters() {
    # Restore saved "PKTS BYTES" pairs, or start from zero
    X1="0 0"
    X2="0 0"
    X3="0 0"
    X4="0 0"
    if [ -s $ACCF ]; then
        X1=`grep INPUT $ACCF | cut -d" " -f2,3`
        X2=`grep OUTPUT $ACCF | cut -d" " -f2,3`
        X3=`grep FORW-IN $ACCF | cut -d" " -f2,3`
        X4=`grep FORW-OUT $ACCF | cut -d" " -f2,3`
    fi
}

# Save byte counters
save() {
    # Save iptables rules and accounting information (lockfile comes from procmail)
    lockfile -l300 -r5 $LOCK >/dev/null 2>&1
    if [ $? -eq 0 ]; then
        # Only save when a rule set is actually loaded (more than the bare chain headers)
        X=`$IPTABLES -nL | wc -l | sed "s/ //g"`
        if [ $X -gt "8" ]; then
            $IPTABLES -nvxL INPUT | grep TRAF-IN | awk '{print "INPUT " $1" "$2}' > $ACCF
            $IPTABLES -nvxL OUTPUT | grep TRAF-OUT | awk '{print "OUTPUT " $1" "$2}' >>$ACCF
            $IPTABLES -nvxL FORWARD | grep TRAF-IN | awk '{print "FORW-IN " $1" "$2}' >>$ACCF
            $IPTABLES -nvxL FORWARD | grep TRAF-OUT | awk '{print "FORW-OUT "$1" "$2}' >>$ACCF
        fi
        rm -f $LOCK
    fi
}

reset() {
    # Reset to default values: open policies, then flush and delete all chains
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT

    $IPTABLES -t nat -P PREROUTING ACCEPT
    $IPTABLES -t nat -P POSTROUTING ACCEPT
    $IPTABLES -t nat -P OUTPUT ACCEPT

    $IPTABLES -t mangle -P PREROUTING ACCEPT
    $IPTABLES -t mangle -P OUTPUT ACCEPT

    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -t mangle -F

    $IPTABLES -X
    $IPTABLES -t nat -X
    $IPTABLES -t mangle -X
}

stop() {
    save
    reset
}

# DROP all packets from external interface, allow from internal network
lock() {
    reset
    getcounters
    $IPTABLES -N TRAF-IN
    $IPTABLES -N TRAF-OUT
    $IPTABLES -A INPUT -i $EXT_IF -j TRAF-IN -c $X1
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -i $INT_IF -j ACCEPT
    $IPTABLES -A INPUT -j DROP
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    save)
        save
        ;;
    lock)
        lock
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo "Usage: $0 {start|stop|save|lock|restart}"
esac
exit
 
Old 09-21-2004, 07:11 PM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Hmmm, it doesn't look like there's anything protocol-specific in there. It could be a few things, possibly that your ISP blocks the ICMP type that Windows is using (I don't think it uses ECHO REQUEST for tracert, but I could be wrong). It could also be that iptables doesn't recognize it as ESTABLISHED or RELATED traffic, but that would be odd.

What happens if you do traceroute -I on Linux (-I should make it use ICMP rather than UDP)? Also, does your Windows trace just show all stars (* * * for every hop), or do you get a response inside your network and then stars outside?

If you're familiar with tcpdump, you could run that on your internal interface when trying to do a tracert from Windows and see what traffic you get, then do the same thing only run the tcpdump on the external interface and see if the datagrams are being forwarded by the external interface and see if the responses are coming back.
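The two-interface tcpdump comparison chort describes, worked through as an added example that is not code from the thread: capture ICMP and UDP on the LAN and external interfaces, count probes and replies on each side, and let the difference say whether the gateway is failing to forward probes, failing to pass replies back in, or whether nothing is coming back from upstream at all. The capture lines are constructed in the `tcpdump -n` output format and cover both probe kinds from post #2 (ICMP echo for Windows tracert, UDP for Unix traceroute); the addresses follow the thread's layout. `probes`, `replies` and `triage` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): compare captures from the internal
# and external interface of a NAT gateway and localise where traceroute
# probes or their replies go missing.
# Probes counted: ICMP echo request (Windows tracert) and UDP to 33434+
# (Unix traceroute). Replies counted: time exceeded, echo reply, udp port
# unreachable. Lines are constructed in "tcpdump -n -i <if>" format.

# Constructed LAN-side capture (eth1): three tracert probes and one UDP probe,
# only the first hop answered each.
INT_CAP='19:05:01.100 IP 192.168.1.10 > 144.135.18.41: ICMP echo request, id 512, seq 1, length 40
19:05:01.108 IP 10.224.16.1 > 192.168.1.10: ICMP time exceeded in-transit, length 36
19:05:02.100 IP 192.168.1.10 > 144.135.18.41: ICMP echo request, id 512, seq 2, length 40
19:05:03.100 IP 192.168.1.10 > 144.135.18.41: ICMP echo request, id 512, seq 3, length 40
19:05:04.100 IP 192.168.1.20.40000 > 144.135.18.41.33434: UDP, length 32
19:05:04.109 IP 10.224.16.1 > 192.168.1.20: ICMP time exceeded in-transit, length 36'

# Constructed external-side capture (eth0): the same packets after SNAT.
EXT_CAP='19:05:01.101 IP 203.45.233.67 > 144.135.18.41: ICMP echo request, id 512, seq 1, length 40
19:05:01.107 IP 10.224.16.1 > 203.45.233.67: ICMP time exceeded in-transit, length 36
19:05:02.101 IP 203.45.233.67 > 144.135.18.41: ICMP echo request, id 512, seq 2, length 40
19:05:03.101 IP 203.45.233.67 > 144.135.18.41: ICMP echo request, id 512, seq 3, length 40
19:05:04.101 IP 203.45.233.67.40000 > 144.135.18.41.33434: UDP, length 32
19:05:04.108 IP 10.224.16.1 > 203.45.233.67: ICMP time exceeded in-transit, length 36'

# count_lines TEXT REGEX -> number of matching lines (prints 0, never fails, when none match)
count_lines() {
    printf '%s\n' "$1" | grep -c -E "$2" || true
}

# Outbound probes of either tracer
probes() {
    count_lines "$1" 'ICMP echo request|\.3[3-9][0-9]{3}: UDP'
}

# Replies a tracer would accept as a hop answer
replies() {
    count_lines "$1" 'ICMP (time exceeded|echo reply|.*udp port [0-9]+ unreachable)'
}

# triage INT_CAPTURE EXT_CAPTURE -> one verdict word
triage() {
    pi=$(probes "$1");  pe=$(probes "$2")
    ri=$(replies "$1"); re=$(replies "$2")
    if [ "$pe" -lt "$pi" ]; then
        # Probes seen on the LAN side never left: dropped in FORWARD or by NAT
        echo "probes-not-forwarded"
    elif [ "$ri" -lt "$re" ]; then
        # Errors arrived on the outside but were not passed back to the LAN host
        echo "replies-dropped-by-gateway"
    elif [ "$re" -lt "$pe" ]; then
        # Probes left, nothing answered them: filtered beyond the gateway
        echo "missing-upstream-replies"
    else
        echo "ok"
    fi
}

triage "$INT_CAP" "$EXT_CAP"
```

To use it on a live gateway, run `tcpdump -n -i eth1 'icmp or udp'` and `tcpdump -n -i eth0 'icmp or udp'` while a tracert is in progress, save each output to a file, and pass the two texts to `triage`. The verdict only localises the loss; with the thread's captures it would point past the gateway, which is where chort's next post also looks.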
 
Old 09-21-2004, 07:35 PM   #7
without
LQ Newbie
 
Registered: Sep 2004
Distribution: fedora
Posts: 7

Original Poster
Rep: Reputation: 0
Had a look at tcpdump, could not make heads or tails of it.

With tracert, it works up to the external IPs and then replies with * *.

[root@router root]# traceroute -s 192.168.1.254 -I www.telstra.com.au
traceroute to www.telstra.com.au (144.135.18.41) from 192.168.1.254, 30 hops max, 38 byte packets
1 10.224.16.1 (10.224.16.1) 7.197 ms 6.309 ms 6.253 ms
2 border-router.qld.bigpond.net.au (61.9.209.3) 9.398 ms 8.588 ms 8.567 ms
3 GigabitEthernet4-2.cha23.telstra.net (139.130.193.117) 12.000 ms 8.476 ms 7.529 ms

From the Windows PC

Tracing route to www.telstra.com.au [144.135.18.41]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms router.local [192.168.1.254]
2 7 ms 10 ms 7 ms 10.224.16.1
3 * * * Request timed out.
4 * * * Request timed out.
 
Old 09-22-2004, 12:50 AM   #8
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
That's pretty interesting. Are you saying that tracert from Windows worked fine prior to putting in the Linux box firewall? From the results it looks like the traffic is getting past the external interface of the firewall prior to timing out, so it seems like either the broadband router or the first router on your ISP's side is blocking the traffic. The really amusing thing is that they're specifically blocking the type of ICMP traffic that Windows tracert produces, and nothing else. That's really weird.
 
Old 09-22-2004, 02:26 AM   #9
without
LQ Newbie
 
Registered: Sep 2004
Distribution: fedora
Posts: 7

Original Poster
Rep: Reputation: 0
Would the 10.224.16.1 IP be the bridge IP between eth0 and the cable modem, because it does not reverse-lookup?

When I plug in a bridge/router device, tracert works fine, and I think from memory that there is no 10.224.16.1 in the traceroute.
 
Old 09-22-2004, 03:27 AM   #10
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
It's probably the external address of your Linux box. Use the ifconfig -a command and see what the results are.
 
Old 09-22-2004, 03:49 AM   #11
without
LQ Newbie
 
Registered: Sep 2004
Distribution: fedora
Posts: 7

Original Poster
Rep: Reputation: 0
eth0 Link encap:Ethernet HWaddr 000:B7:51:BA:78
inet addr:203.45.233.67 Bcast:255.255.255.255 Mask:255.255.252.0
inet6 addr: fe80::2d0:b7ff:fe51:ba78/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8128200 errors:0 dropped:0 overruns:0 frame:0
TX packets:3404310 errors:93 dropped:0 overruns:0 carrier:93
collisions:136180 txqueuelen:1000
RX bytes:1842531721 (1757.1 Mb) TX bytes:236852432 (225.8 Mb)

eth1 Link encap:Ethernet HWaddr 00:E0:18:45:62:30
inet addr:192.168.1.254 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::2e0:18ff:fe45:6230/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3740071 errors:0 dropped:0 overruns:0 frame:0
TX packets:2508208 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:306864325 (292.6 Mb) TX bytes:1582830265 (1509.5 Mb)
Interrupt:12 Base address:0xd400

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:31558 errors:0 dropped:0 overruns:0 frame:0
TX packets:31558 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:9788618 (9.3 Mb) TX bytes:9788618 (9.3 Mb)

sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
 
Old 09-22-2004, 12:37 PM   #12
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Ahh, you have one of those weird half-bridges. Those things are just creepy. Yes, the 10.224.16.1 IP appears to be that of your bridge, since your external NIC has a real routable IP address.
 
Old 09-22-2004, 05:06 PM   #13
without
LQ Newbie
 
Registered: Sep 2004
Distribution: fedora
Posts: 7

Original Poster
Rep: Reputation: 0
So where to from here? Call Ghostbusters??