[Abandoned] Slackware 12.2, VPN/PPTP problem: Cannot view certain sites
 

Hello.

I'm using Slackware 12.2 and I'm connected to the internet via VPN/PPTP.
For some weird reason I cannot access certain sites when I'm working under the Slackware system - they respond to ping, but I cannot get any pages (page starts loading, then hangs forever). I can't figure out the pattern, but those sites include help.com, experts-exchange.com, and few others. Sites are online, and can be accessed via anonymous proxy servers. The problem doesn't happen on same machine, when it is running WinXP. This slackware machine has 2 NICs and is used as gateway by another Ubuntu 8.04 machine. Both slackware and ubuntu machines cannot access same range of sites. Problem affects firefox, opera, and wget.

Details:

• 2.6.27.7 kernel, custom built
• Problem affects wget, firefox, and opera.
• Machine has Squid-3.0Stable11 installed, but problem is not related to squid - sites cannot be accessed even if proxy is bypassed (wget --no-proxy).
• Machine uses pptp-1.7.2-i486-3ga (with pppd) to connect the internet, downloaded from linuxpackages.
• I'm being regularly portscanned - someone desperately tries to access ports 135, 137, 138 and 445 up to 700 times per day.
• Machine has custom firewall rules in /etc/rc.d/rc.firewall:
  
  Code:

  ---

  #!/bin/sh
#firewall script

FRANKENSTEIN="192.168.0.2/32"
FIFACE="eth0" #FRANKENSTEIN INTERFACE
EXTIFACE="ppp0" #EXTERNAL INTERFACE

LOCAL="127.0.0.1/32"

iptables --flush
iptables -X

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

makeDropChain(){
    iptables -N $1
    iptables -A $1 -j LOG --log-prefix "$1: "
    iptables -A $1 -j DROP
}

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

makeDropChain "input-drop"
makeDropChain "forward-drop"
makeDropChain "portscan-drop"
makeDropChain "xmas-drop"
makeDropChain "nullscan-drop"
makeDropChain "badsyn-drop"
makeDropChain "fragment-drop"
makeDropChain "ssh-drop"

iptables -A INPUT -s $LOCAL -d $LOCAL -i lo -j ACCEPT
iptables -A INPUT -s $FRANKENSTEIN -i eth0 -j ACCEPT

#frankenstein routing
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -o $FIFACE -i $EXTIFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $FIFACE -o $EXTIFACE -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXTIFACE -j MASQUERADE


#fragments
iptables -A INPUT -f -j fragment-drop
#bad syn
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j badsyn-drop
#xmas
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j xmas-drop
#nullscan
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j nullscan-drop

iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports 32240 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m multiport --dports 32240 -j ACCEPT

#port-scan
iptables -N portscan
iptables -A portscan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
iptables -A portscan -j portscan-drop

iptables -A INPUT -j portscan

iptables -A INPUT -s $FRANKENSTEIN -p tcp -m state --state NEW -m multiport --dports ssh,3128 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh: "

iptables -N syn-drop
iptables -A syn-drop -j LOG --log-prefix syn-drop
iptables -A syn-drop -j DROP

iptables -A INPUT -p tcp --syn -j syn-drop

iptables -A INPUT -g input-drop

iptables -A FORWARD -g forward-drop

  ---

I think problem may be related to firewall, but I can't figure out what is wrong. I've tried dumping iptable counters (iptables -vnL) to see if incoming connection gets blocked or rejected, but I haven't noticed anything unusual. ISP doesn't provide support for linux computers.

Ideas?

did you run thraceroute? maybe that sites2 connection loops somewhere weird.

Yes, and there are no obvious problems. In case of help.com traceroute lists all hops, site responds to ping, but I'm not getting any pages from there - pages start loading, but then progress get stuck at 18% (in opera). In case of experts-exchange I do not see all hops (only first 19), site responds to ping, but I have zero loading progress in browser, and eventually I get "connection reset by peer".

Also I can telnet both sites at port 80, but can't get pages from them.
Here is what I get with wget:
And
As you can see, it keeps awaiting response (forever, or after a few minutes it may return "connection reset by peer") until I terminate it.

There are few more websites that misbehave in the same way, but don't remember all of them. Everything works under WinXP, on the same machine, with same ISP, so this should be configuration problem.

some more thinking:

connection reset by peer points that other side did not like your packages, and killed the connection. it could happen because of faulty hardware, bug in the network stack, or problems between you and the server.

after looking at the diagnoses you did, it's at high probality firewall problem. maybe it drops things it should not or modifyes something it should not.

did you checked the bug lists?

I typically receive "reset by peer" after long period of waiting, so I think I do not receive first reply, server waits for some time, then cuts my connection.

Which ones? iptables, kernel, pptpclient or some others?

I do not have hardware firewall. There is no router between me and ISP - I'm directly plugged into one huge LAN, with pptp server. Are you talking about iptables rules? As you can see, all traffic that is being cut by firewall rules is being logged, and aside from hundreds of daily attempts to connect to ports 135, 137, 138, and 445(?) (which are reported as "portscan-drop"), I do not see any other strange reports in dmesg. The attempts to connect to those ports are legit, I get similar reports in firewall I use on windows (on the same machine).

Also I do not remember having such problems with my ADSL modem, so it doesn't look like some kind of kernel bug. I think that purchasing a router with VPN support would solve my problem, but I cannot do that at the moment.

i'd start with iptables. for VPN, you may try OpenVPN as it's works on top of tcp/ip.

I'll check it out, then post the result.

Unfortunately, OpenVPN doesn't support PPTP or L2TP. Those protocols are the only available options to connect to my ISP's vpn server.

i have an idea about debugging. use wireshark and do time capture for the protocol. maybe you can catch something

I was unable to find anything relevant in iptables 1.4.2, pptpclient 1.7.2 and kernel 2.6.27.7 bug lists. PPTPCLient doesn't even have visible buglist.

another possiblity (finally talked to İTÜ sysadmin) is that router acts wrong and drops/damages packeges. then remote web site kills the connection.

debugging this is vrey pain in the ass. only thing comes to mind is that watch packeges in bpth end (client and after the router).

Thanks for the suggestion, but there is no router (no obviously visible router), and as I said, this problem doesn't happen when machine runs windows.
Which might indicate, that problem is somehow related to linux-windows difference. I.e. packets sent by linux system are somehow different from the packets sent by windows system, and the difference triggers a bug somewhere along the way. Or perhaps there is a bug in pptpclient (which is possible, and in this case there won't be a solution - because there is no alternative to pptpclient for linux.


It would be nice if there was a howto about that, or keywords.

Anyway, I give up.

I'm sure that it is possible to debug|fix this, but I do not have enough time for that, and my computer/programming knowledge isn't related to monitoring packets.

If I ever find the solution/cause, I'll try to post it here.

Question abandoned.

I just figured out the solution after a very long night!

The default maximum transmission unit (MTU) is set to be 1396, while in XP it is 1400.

ppp0 Link encap:Point-to-Point Protocol
inet addr:192.168.5.1 P-t-P:192.168.5.234 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1396 Metric:1

use this to change that:
ifconfig ppp0 mtu 1400

:)