LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (http://www.linuxquestions.org/questions/slackware-14/)
-   -   Slackware 12.2, VPN/PPTP problem: Cannot view certain sites (http://www.linuxquestions.org/questions/slackware-14/slackware-12-2-vpn-pptp-problem-cannot-view-certain-sites-777022/)

SigTerm 12-20-2009 05:07 AM

[Abandoned] Slackware 12.2, VPN/PPTP problem: Cannot view certain sites
 
Hello.

I'm using Slackware 12.2 and I'm connected to the internet via VPN/PPTP.
For some weird reason I cannot access certain sites when I'm working under the Slackware system - they respond to ping, but I cannot get any pages (page starts loading, then hangs forever). I can't figure out the pattern, but those sites include help.com, experts-exchange.com, and few others. Sites are online, and can be accessed via anonymous proxy servers. The problem doesn't happen on same machine, when it is running WinXP. This slackware machine has 2 NICs and is used as gateway by another Ubuntu 8.04 machine. Both slackware and ubuntu machines cannot access same range of sites. Problem affects firefox, opera, and wget.

Details:
  • 2.6.27.7 kernel, custom built
  • Problem affects wget, firefox, and opera.
  • Machine has Squid-3.0Stable11 installed, but problem is not related to squid - sites cannot be accessed even if proxy is bypassed (wget --no-proxy).
  • Machine uses pptp-1.7.2-i486-3ga (with pppd) to connect the internet, downloaded from linuxpackages.
  • I'm being regularly portscanned - someone desperately tries to access ports 135, 137, 138 and 445 up to 700 times per day.
  • Machine has custom firewall rules in /etc/rc.d/rc.firewall:
    Code:

    #!/bin/sh
    #firewall script

    FRANKENSTEIN="192.168.0.2/32"
    FIFACE="eth0" #FRANKENSTEIN INTERFACE
    EXTIFACE="ppp0" #EXTERNAL INTERFACE

    LOCAL="127.0.0.1/32"

    iptables --flush
    iptables -X

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    makeDropChain(){
        iptables -N $1
        iptables -A $1 -j LOG --log-prefix "$1: "
        iptables -A $1 -j DROP
    }

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    makeDropChain "input-drop"
    makeDropChain "forward-drop"
    makeDropChain "portscan-drop"
    makeDropChain "xmas-drop"
    makeDropChain "nullscan-drop"
    makeDropChain "badsyn-drop"
    makeDropChain "fragment-drop"
    makeDropChain "ssh-drop"

    iptables -A INPUT -s $LOCAL -d $LOCAL -i lo -j ACCEPT
    iptables -A INPUT -s $FRANKENSTEIN -i eth0 -j ACCEPT

    #frankenstein routing
    echo "1" > /proc/sys/net/ipv4/ip_forward
    iptables -A FORWARD -o $FIFACE -i $EXTIFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i $FIFACE -o $EXTIFACE -j ACCEPT
    iptables -t nat -A POSTROUTING -o $EXTIFACE -j MASQUERADE


    #fragments
    iptables -A INPUT -f -j fragment-drop
    #bad syn
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j badsyn-drop
    #xmas
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j xmas-drop
    #nullscan
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j nullscan-drop

    iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports 32240 -j ACCEPT
    iptables -A INPUT -p udp -m state --state NEW -m multiport --dports 32240 -j ACCEPT

    #port-scan
    iptables -N portscan
    iptables -A portscan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
    iptables -A portscan -j portscan-drop

    iptables -A INPUT -j portscan

    iptables -A INPUT -s $FRANKENSTEIN -p tcp -m state --state NEW -m multiport --dports ssh,3128 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh: "

    iptables -N syn-drop
    iptables -A syn-drop -j LOG --log-prefix syn-drop
    iptables -A syn-drop -j DROP

    iptables -A INPUT -p tcp --syn -j syn-drop

    iptables -A INPUT -g input-drop

    iptables -A FORWARD -g forward-drop


I think problem may be related to firewall, but I can't figure out what is wrong. I've tried dumping iptable counters (iptables -vnL) to see if incoming connection gets blocked or rejected, but I haven't noticed anything unusual. ISP doesn't provide support for linux computers.

Ideas?

ozanbaba 12-21-2009 07:33 AM

did you run thraceroute? maybe that sites2 connection loops somewhere weird.

SigTerm 12-21-2009 08:45 AM

Quote:

Originally Posted by ozanbaba (Post 3799836)
did you run thraceroute? maybe that sites2 connection loops somewhere weird.

Yes, and there are no obvious problems. In case of help.com traceroute lists all hops, site responds to ping, but I'm not getting any pages from there - pages start loading, but then progress get stuck at 18% (in opera). In case of experts-exchange I do not see all hops (only first 19), site responds to ping, but I have zero loading progress in browser, and eventually I get "connection reset by peer".

Also I can telnet both sites at port 80, but can't get pages from them.
Here is what I get with wget:
Code:

wget --no-proxy www.help.com
--2009-12-21 17:39:18--  http://www.help.com/
Resolving www.help.com... 216.239.116.121
Connecting to www.help.com|216.239.116.121|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://help.com/ [following]
--2009-12-21 17:39:19--  http://help.com/
Resolving help.com... 216.239.116.121
Reusing existing connection to www.help.com:80.
HTTP request sent, awaiting response...

And
Code:

bash-3.1$ wget --no-proxy www.experts-exchange.com
--2009-12-21 17:40:27--  http://www.experts-exchange.com/
Resolving www.experts-exchange.com... 64.156.132.140
Connecting to www.experts-exchange.com|64.156.132.140|:80... connected.
HTTP request sent, awaiting response... ^C

As you can see, it keeps awaiting response (forever, or after a few minutes it may return "connection reset by peer") until I terminate it.

There are few more websites that misbehave in the same way, but don't remember all of them. Everything works under WinXP, on the same machine, with same ISP, so this should be configuration problem.

ozanbaba 12-24-2009 06:45 AM

some more thinking:

connection reset by peer points that other side did not like your packages, and killed the connection. it could happen because of faulty hardware, bug in the network stack, or problems between you and the server.

after looking at the diagnoses you did, it's at high probality firewall problem. maybe it drops things it should not or modifyes something it should not.

did you checked the bug lists?

SigTerm 12-24-2009 09:47 AM

Quote:

Originally Posted by ozanbaba (Post 3803465)
some more thinking:

connection reset by peer points that other side did not like your packages, and killed the connection. it could happen because of faulty hardware, bug in the network stack, or problems between you and the server.

I typically receive "reset by peer" after long period of waiting, so I think I do not receive first reply, server waits for some time, then cuts my connection.

Quote:

Originally Posted by ozanbaba (Post 3803465)
did you checked the bug lists?

Which ones? iptables, kernel, pptpclient or some others?

Quote:

Originally Posted by ozanbaba (Post 3803465)
after looking at the diagnoses you did, it's at high probality firewall problem. maybe it drops things it should not or modifyes something it should not.

I do not have hardware firewall. There is no router between me and ISP - I'm directly plugged into one huge LAN, with pptp server. Are you talking about iptables rules? As you can see, all traffic that is being cut by firewall rules is being logged, and aside from hundreds of daily attempts to connect to ports 135, 137, 138, and 445(?) (which are reported as "portscan-drop"), I do not see any other strange reports in dmesg. The attempts to connect to those ports are legit, I get similar reports in firewall I use on windows (on the same machine).

Also I do not remember having such problems with my ADSL modem, so it doesn't look like some kind of kernel bug. I think that purchasing a router with VPN support would solve my problem, but I cannot do that at the moment.

ozanbaba 12-24-2009 09:54 AM

Quote:

Originally Posted by SigTerm (Post 3803593)
I typically receive "reset by peer" after long period of waiting, so I think I do not receive first reply, server waits for some time, then cuts my connection.


Which ones? iptables, kernel, pptpclient or some others?

i'd start with iptables. for VPN, you may try OpenVPN as it's works on top of tcp/ip.

SigTerm 12-24-2009 10:52 AM

Quote:

Originally Posted by ozanbaba (Post 3803599)
i'd start with iptables.

I'll check it out, then post the result.

Quote:

Originally Posted by ozanbaba (Post 3803599)
may try OpenVPN as it's works on top of tcp/ip.

Unfortunately, OpenVPN doesn't support PPTP or L2TP. Those protocols are the only available options to connect to my ISP's vpn server.

ozanbaba 12-28-2009 04:38 AM

i have an idea about debugging. use wireshark and do time capture for the protocol. maybe you can catch something

SigTerm 12-28-2009 10:14 AM

Quote:

Originally Posted by SigTerm (Post 3803624)
I'll check it out, then post the result.

I was unable to find anything relevant in iptables 1.4.2, pptpclient 1.7.2 and kernel 2.6.27.7 bug lists. PPTPCLient doesn't even have visible buglist.

ozanbaba 01-14-2010 04:57 AM

another possiblity (finally talked to İTÜ sysadmin) is that router acts wrong and drops/damages packeges. then remote web site kills the connection.

debugging this is vrey pain in the ass. only thing comes to mind is that watch packeges in bpth end (client and after the router).

SigTerm 01-14-2010 05:18 AM

Quote:

Originally Posted by ozanbaba (Post 3826145)
another possiblity (finally talked to İTÜ sysadmin) is that router acts wrong and drops/damages packeges. then remote web site kills the connection.

Thanks for the suggestion, but there is no router (no obviously visible router), and as I said, this problem doesn't happen when machine runs windows.
Which might indicate, that problem is somehow related to linux-windows difference. I.e. packets sent by linux system are somehow different from the packets sent by windows system, and the difference triggers a bug somewhere along the way. Or perhaps there is a bug in pptpclient (which is possible, and in this case there won't be a solution - because there is no alternative to pptpclient for linux.


Quote:

Originally Posted by ozanbaba (Post 3826145)
debugging this is vrey pain in the ass. only thing comes to mind is that watch packeges in bpth end (client and after the router).

It would be nice if there was a howto about that, or keywords.

Anyway, I give up.

I'm sure that it is possible to debug|fix this, but I do not have enough time for that, and my computer/programming knowledge isn't related to monitoring packets.

If I ever find the solution/cause, I'll try to post it here.

Question abandoned.

mhzokaii 09-06-2010 08:24 AM

I just figured out the solution after a very long night!

The default maximum transmission unit (MTU) is set to be 1396, while in XP it is 1400.

ppp0 Link encap:Point-to-Point Protocol
inet addr:192.168.5.1 P-t-P:192.168.5.234 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1396 Metric:1

use this to change that:
ifconfig ppp0 mtu 1400

:)


All times are GMT -5. The time now is 11:58 AM.