SuSEfirewall2 (?) and advanced routing problem.
Hi All...

1 - problem 1-st:

I have the following problem that I can not solve under SuSE 7.3 with SuSEfirewall2 - kernel 2.4.16, iptables 1.2.2. Problem is that I have 2 public interfaces (eth1 - default and eth2) with 2 public IP addresses and 1 internal interface (eth0) with 192.168.0.x private class. On that last interface I have a small private network which is MASQUERADED on my Linux box. Problem is that I would like to forward part of the traffic (let's say all squid proxy requests to my external server) via my 2-nd public interface (eth2). At the moment all traffic goes via the default gateway (eth1). I have tried the example I could find in the Adv-routing HOWTO - routing all SQUID packets to be forwarded via eth2:

    iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 3128 -j MARK --set-mark 1

My rule table looks like:

    # ip rule ls
    0:      from all lookup local
    32765:  from all fwmark 1 lookup ic.out
    32766:  from all lookup main
    32767:  from all lookup 253

    # ip route ls table ic.out
    default via y.y.y.97 dev eth2

- but it does not work. What is strange, I have had SuSE 6.3 before and under ipchains it worked perfectly! What I have realized is that during testing this connection packets try to go via eth2 - I could see it on tcpdump - but only packets with the S (SYN ?) flag set appear there... And nothing else. What I have also realized is that I could see some (strange for me) lines in the firewall log file like:

    Jan 21 11:24:01 linux kernel: martian source 192.168.0.22 from z.z.z.z, on dev eth2
    Jan 21 11:24:01 linux kernel: ll header: 00:00:c0:6a:65:d3:00:c0:df:b0:c2:a8:08:00

192.168.0.22 - is my comp in my private net., z.z.z.z is my proxy server IP address (what in fact I've just realized after the whole day yesterday looking at it). Is there anybody who can help me with that? What should I turn on or off in the firewall settings (or maybe somewhere else) to make it run (at the bottom there are more details about my system).

As I mentioned before I have had it working perfectly on the 6.3 box with ipchains. Anyway - this does not look like a firewall problem as I could not force it to run also with SuSEfirewall2 stopped.

2. problem 2-nd.

I think it is more for the SuSEfirewall2 developers. I was just looking at the settings made by the SuSEfirewall2 scripts based on my settings and I could see that there is quite a big section for dmz, when I have no DMZ set in the SuSEfirewall2 rc.config at all. And also it is shown in iptables -L that there are no references to the forward_dmz and input_dmz sections at all. So the question is what is it for. I think it is quite easy to check if there is any DMZ set up or not and not set up all these not needed chains in iptables in the "no" case. Just a small tip...

Thanx in advance for any help..

Best regards
Marcin Gryszczuk

Some info about my settings:

ifconfig:

    eth0  Link encap:Ethernet  HWaddr ...
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          ...
    eth1  Link encap:Ethernet  HWaddr ...
          inet addr:x.x.x.x  Bcast:x.x.x.191  Mask:255.255.255.192
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          ...
    eth2  Link encap:Ethernet  HWaddr ...
          inet addr:y.y.y.y  Bcast:y.y.y.127  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          ...
    lo    Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          ...

    # ip rule ls
    0:      from all lookup local
    32765:  from all fwmark 1 lookup ic.out
    32766:  from all lookup main
    32767:  from all lookup 253

    # ip route ls table ic.out
    default via y.y.y.97 dev eth2

    # ip route ls table main
    y.y.y.96/27 dev eth2  proto kernel  scope link  src y.y.y.y
    x.x.x.128/26 dev eth1  proto kernel  scope link  src x.x.x.x
    192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.100.100
    default via x.x.x.129 dev eth1

SuSEfirewall2 settings:

    FW_DEV_EXT="eth1 eth2"
    FW_DEV_INT="eth0"
    FW_DEV_DMZ=""
    FW_ROUTE="yes"
    FW_MASQUERADE="yes"
    FW_MASQ_DEV="$FW_DEV_EXT"
    FW_MASQ_NETS="192.168.0.0/24"
    FW_PROTECT_FROM_INTERNAL="yes"
    FW_AUTOPROTECT_SERVICES="yes"
    FW_SERVICES_EXT_TCP="smtp domain www ntp https"
    FW_SERVICES_EXT_UDP="domain ntp" # Common: domain
    FW_SERVICES_EXT_IP=""
    FW_SERVICES_DMZ_TCP=""
    FW_SERVICES_DMZ_UDP=""
    FW_SERVICES_DMZ_IP=""
    FW_SERVICES_INT_TCP="ftp-data:telnet smtp domain www pop3 ntp 139 https"
    FW_SERVICES_INT_UDP="domain syslog ntp"
    FW_SERVICES_INT_IP=""
    FW_TRUSTED_NETS="192.168.0.0/24"
    FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
    FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
    FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting
    FW_SERVICE_DNS="yes"
    FW_SERVICE_DHCLIENT="no"
    FW_SERVICE_DHCPD="no"
    FW_SERVICE_SQUID="yes"
    FW_SERVICE_SAMBA="yes"
    FW_FORWARD="" # Beware to use this!
    FW_FORWARD_MASQ="" # Beware to use this!
    FW_REDIRECT=""
    FW_LOG_DROP_CRIT="yes"
    FW_LOG_DROP_ALL="yes"
    FW_LOG_ACCEPT_CRIT="no"
    FW_LOG_ACCEPT_ALL="no"
    FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
    FW_KERNEL_SECURITY="yes"
    FW_STOP_KEEP_ROUTING_STATE="no"
    FW_ALLOW_PING_FW="yes"
    FW_ALLOW_PING_DMZ="no"
    FW_ALLOW_PING_EXT="yes"
    FW_ALLOW_FW_TRACEROUTE="yes"
    FW_ALLOW_FW_SOURCEQUENCH="yes"
    FW_ALLOW_FW_BROADCAST="no"
    FW_IGNORE_FW_BROADCAST="yes"
    FW_ALLOW_CLASS_ROUTING="yes"
    #FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"

SuSE 7.3, kernel 2.4.16, iptables 1.2.2

If anything else is needed to help me - please let me know...
On Tuesday, 22 January 2002 11:58, Marcin Gryszczuk wrote:
1 - problem 1-st: I have the following problem that I can not solve under SuSE 7.3 with SuSEfirewall2 - kernel 2.4.16, iptables 1.2.2. Problem is that I have 2 public interfaces (eth1 - default and eth2) with 2 public IP addresses and 1 internal interface (eth0) with 192.168.0.x private class. On that last interface I have a small private network which is MASQUERADED on my Linux box.
What I have also realized is that I could see some (strange for me) lines in the firewall log file like:

    Jan 21 11:24:01 linux kernel: martian source 192.168.0.22 from z.z.z.z, on dev eth2
    Jan 21 11:24:01 linux kernel: ll header: 00:00:c0:6a:65:d3:00:c0:df:b0:c2:a8:08:00

This contains the MAC address of the offending network interface card. You'll be able to see that under "Hardware address" in ifconfig's output. Is this card in the proxy?
192.168.0.22 - is my comp in my private net., z.z.z.z is my proxy server IP address (what in fact I've just realized after the whole day yesterday looking at it).
This is your kernel which tells you that you have made a mistake. It says: I got an IP packet from eth2 which could not originate from there if I look it up in my routing table. Check if your network connection is functional. It seems your proxy is not only able to talk to you via eth0, but also (and falsely) talking to you via eth2.
Problem is that I would like to forward part of the traffic (let's say all squid proxy requests to my external server) via my 2-nd public interface (eth2). At the moment all traffic goes via the default gateway (eth1). I have tried the example I could find in the Adv-routing HOWTO - routing all SQUID packets to be forwarded via eth2:
iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 3128 -j MARK --set-mark 1
My rule table looks like:

    # ip rule ls
    0:      from all lookup local
    32765:  from all fwmark 1 lookup ic.out
    32766:  from all lookup main
    32767:  from all lookup 253

    # ip route ls table ic.out
    default via y.y.y.97 dev eth2

- but it does not work. What is strange, I have had SuSE 6.3 before and under ipchains it worked perfectly!
What I have realized is that during testing this connection packets try to go via eth2 - I could see it on tcpdump - but only packets with the S (SYN ?) flag set appear there... And nothing else.

1) What was your ipchains line which enabled you to make your setup functional?
2) Are you sure that your proxy host has the right routing table?
3) Have you tried a host route to your proxy via eth0?

Peter

-------------------------------------------------------
My scheme for your network:

    /---------\ --eth1 +---------+
    | INTERNET |       | router  | eth0 --- Internal LAN
    \---------/ --eth2 +---------+                    |
         |                                            |
       Proxy                                          |
         \--------<---------<-------------<-----------/

(From what you told me and from what your kernel told me and, of course, my own conclusions.)
Hi...
On Tuesday, 22 January 2002 11:58, Marcin Gryszczuk wrote:
1 - problem 1-st: I have the following problem that I can not solve under SuSE 7.3 with SuSEfirewall2 - kernel 2.4.16, iptables 1.2.2. Problem is that I have 2 public interfaces (eth1 - default and eth2) with 2 public IP addresses and 1 internal interface (eth0) with 192.168.0.x private class. On that last interface I have a small private network which is MASQUERADED on my Linux box.
What I have also realized is that I could see some (strange for me) lines in the firewall log file like:

    Jan 21 11:24:01 linux kernel: martian source 192.168.0.22 from z.z.z.z, on dev eth2
    Jan 21 11:24:01 linux kernel: ll header: 00:00:c0:6a:65:d3:00:c0:df:b0:c2:a8:08:00

This contains the MAC address of the offending network interface card. You'll be able to see that under "Hardware address" in ifconfig's output. Is this card in the proxy?
00:00:c0:6a:65:d3 is my eth2 card HAddr. Clear... Proxy card HAddr is: 00:d0:b7:9a:38:00 - so it is not visible here (in that log)
192.168.0.22 - is my comp in my private net., z.z.z.z is my proxy server IP address (what in fact I've just realized after the whole day yesterday looking at it).
This is your kernel which tells you that you have made a mistake. It says: I got an IP packet from eth2 which could not originate from there if I look it up in my routing table.
That sounds OK - but is that message concerning IP 192.168.0.22 (private - this one is configured on my other pc connected to eth0 !) or z.z.z.z (which is PUBLIC IP of my proxy server staying in different city! even)
Check if your network connection is functional. It seems your proxy is not only able to talk to you via eth0, but also (and falsely) talking to you via eth2.
Misunderstanding, I think. My proxy server is z.z.z.z which is a PUBLIC IP - the server is even in a different city.. It can not send any packet directly to eth0 as eth0 is for the private net only (192.160.0.1)
Problem is that I would like to forward part of the traffic (let's say all squid proxy requests to my external server) via my 2-nd public interface (eth2). At the moment all traffic goes via the default gateway (eth1). I have tried the example I could find in the Adv-routing HOWTO - routing all SQUID packets to be forwarded via eth2:
iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 3128 -j MARK --set-mark 1
My rule table looks like:

    # ip rule ls
    0:      from all lookup local
    32765:  from all fwmark 1 lookup ic.out
    32766:  from all lookup main
    32767:  from all lookup 253

    # ip route ls table ic.out
    default via y.y.y.97 dev eth2

- but it does not work. What is strange, I have had SuSE 6.3 before and under ipchains it worked perfectly!
What I have realized is that during testing this connection packets try to go via eth2 - I could see it on tcpdump - but only packets with the S (SYN ?) flag set appear there... And nothing else.
1) What was your ipchains line which enabled you to make your setup functional?
Oh - very similar in fact to the example one for iptables:

    ipchains -A input -i eth0 --dport 3128 -p tcp -j ACCEPT -m 1

(making packets coming from eth0 and destined to any addr to 3128 (SQUID proxy server standard port) to be marked with 1)
2) Are you sure that your proxy host has the right routing table?
Of course - everything was working 3 days ago (before I made the change to 7.3 on my box). The proxy server is just another Linux box.
3) Have you tried a host route to your proxy via eth0?
As I mentioned above I can not route to my proxy server via eth0 - this is only for private net use. I can reach the proxy via eth1 and eth2 if I configure the default gateway to be on eth1 or eth2. My problem is that I can not force SuSE 7.3 to send part of the packets with a non-standard gateway (so if the standard one is on eth1 then I want to send part of the traffic on eth2 with marked packets).

The scheme is a little different - shame on me that I did not make it earlier:

                  /---------\ --eth1 +---------+
        /-----\   |         |        |         |
        |Proxy|---| INTERNET|        | SuSE 7.3| eth0 --- Internal LAN
        \-----/   |         |        |         |
                  \---------/ --eth2 +---------+

Maybe now it will be more clear... to help me...

Regards
Marcin
On Tuesday, 22 January 2002 17:11, Marcin Gryszczuk wrote:
Peter Wiersig:
On Tuesday, 22 January 2002 11:58, Marcin Gryszczuk wrote:
Problem is that I would like to forward part of the traffic (let's say all squid proxy requests to my external server) via my 2-nd public interface (eth2). At the moment all traffic goes via the default gateway (eth1). I have tried the example I could find in the Adv-routing HOWTO - routing all SQUID packets to be forwarded via eth2:
iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 3128 -j MARK --set-mark 1
My rule table looks like:

    # ip rule ls
    0:      from all lookup local
    32765:  from all fwmark 1 lookup ic.out
    32766:  from all lookup main
    32767:  from all lookup 253

    # ip route ls table ic.out
    default via y.y.y.97 dev eth2

- but it does not work. What is strange, I have had SuSE 6.3 before and under ipchains it worked perfectly!
1) What was your ipchains line which enabled you to make your setup functional?
Oh - very similar in fact to the example one for iptables:

    ipchains -A input -i eth0 --dport 3128 -p tcp -j ACCEPT -m 1

(making packets coming from eth0 and destined to any addr to 3128 (SQUID proxy server standard port) to be marked with 1)
2) Are you sure that your proxy host has the right routing table?
Of course - everything was working 3 days ago (before I made the change to 7.3 on my box). The proxy server is just another Linux box.

I have another suspicion: Your setup works for the first time ever. But now you have the problem that your mangleling (or mangling?) strikes before the masquerading works. You seem to send out packets with source address 192.168.0.22 and the proxy responds to this IP, but your kernel thinks that someone attacks your network with spoofed IP addresses and logs them as martian sources. Like I said, this is my suspicion and I cannot confirm that. It's my idea of how your networking problem
My problem is that I can not force SuSE 7.3 to send part of the packets with a non-standard gateway (so if the standard one is on eth1 then I want to send part of the traffic on eth2 with marked packets).
The scheme is a little different - shame on me that I did not make it earlier:

                  /---------\ --eth1 +---------+
        /-----\   |         |        |         |
        |Proxy|---| INTERNET|        | SuSE 7.3| eth0 --- Internal LAN
        \-----/   |         |        |         |
                  \---------/ --eth2 +---------+

I would recommend that you don't mangle your packets, but that you masquerade your packets the right way:

    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0/0 -j MASQUERADE

and add a host route to the proxy (z.z.z.z) via eth2 with metric 2 and change the default route's metric to 10.

    route add -net 0.0.0.0 gw (IP <eth1>) metric 10
    route del -net 0.0.0.0 gw (IP <eth1>) metric 0
    route add -host z.z.z.z gw (IP <eth2>) metric 2

The goal is to have now the default gw pointing to the end of eth1 but with an increased metric and another route to the proxy with a cheaper metric. Please try this. I tried it and it seemed to work. The difference between this setup and your setup is that all packets to z.z.z.z will traverse eth2.

Peter
Hi
I have another suspicion: Your setup works for the first time ever.
But now you have the problem that your mangleling (or mangling?) strikes before the masquerading works.
That was it. I suspected it since yesterday. All I had to do to get my configuration working was:

    echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter

I did not even turn SuSEfirewall2 off. And now:
1. Marked packets go via eth2.
2. No more logs in the firewall about martian sources.

The strangest thing now is:
1. First I checked what was in /proc/sys/net/ipv4/conf/eth2/rp_filter. Was 1 !
2. I set up the mark rule as:
       iptables -I PREROUTING 1 -i eth0 -t mangle -p tcp --dport 3128 -j MARK --set-mark 1
   The rest of PREROUTING was set up by the SuSEfirewall2 script.... And there were a lot of rules anyway.
3. I set /proc/sys/net/ipv4/conf/eth2/rp_filter to 0 with
       echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter
4. I checked with tcpdump -i eth2 if the connection to my proxy server is working. It was!! - Super.. but:
5. Then I changed /proc/sys/net/ipv4/conf/eth2/rp_filter to 2 (it is mentioned in that way in the Adv-routing HOWTO).
6. My connection via eth2 to the proxy server still works !! Rather strange, but maybe... I checked before that all connections that were established while rp_filter was set to 0 had ended, of course...
7. Then I changed /proc/sys/net/ipv4/conf/eth2/rp_filter back to 1 (as it was before I changed it to 0). Also waited long enough that all connections to my proxy server established when rp_filter = 2 had ended...
8. My connection to the proxy server still works !!

This is VERY STRANGE in my opinion. At the beginning it did not work - and now after setting rp_filter to 0 and back to 1 it does. Nothing else was done differently from how I did it on Monday. All other /proc/sys/net/ipv4/conf/*/rp_filter were set to 1 all the time. And what is interesting, I can see in the firewall log some other martian-source logs with eth2. With this eth2 I am connected to a local ISP (in my building) which has a lot of mess in his net. But at the end it is working. Maybe somebody from SuSE or rather the Linux kernel team can answer it..

As is mentioned in the Adv-routing HOWTO, it is a kernel thing.

Best regards to all..
Marcin.
You seem to send out packets with source address 192.168.0.22 and the proxy responds to this IP, but your kernel thinks that someone attacks your network with spoofed IP addresses and logs them as martian sources.
Like I said, this is my suspicion and I cannot confirm that. It's my idea of how your networking problem
My problem is that I can not force SuSE 7.3 to send part of the packets with a non-standard gateway (so if the standard one is on eth1 then I want to send part of the traffic on eth2 with marked packets).
The scheme is a little different - shame on me that I did not make it earlier:

                  /---------\ --eth1 +---------+
        /-----\   |         |        |         |
        |Proxy|---| INTERNET|        | SuSE 7.3| eth0 --- Internal LAN
        \-----/   |         |        |         |
                  \---------/ --eth2 +---------+

I would recommend that you don't mangle your packets, but that you masquerade your packets the right way:

    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0/0 -j MASQUERADE

and add a host route to the proxy (z.z.z.z) via eth2 with metric 2 and change the default route's metric to 10.

    route add -net 0.0.0.0 gw (IP <eth1>) metric 10
    route del -net 0.0.0.0 gw (IP <eth1>) metric 0
    route add -host z.z.z.z gw (IP <eth2>) metric 2

The goal is to have now the default gw pointing to the end of eth1 but with an increased metric and another route to the proxy with a cheaper metric.
Please try this. I tried it and it seemed to work. The difference between this setup and your setup is that all packets to z.z.z.z will traverse eth2.
Peter
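Added illustration, not part of the thread: a small Python model of the two lookups at play on Marcin's router. The forward lookup honours the fwmark set in mangle PREROUTING and so picks table ic.out (eth2), while the reverse-path check done by rp_filter=1 on the proxy's reply sees no mark and consults only table main, where z.z.z.z falls under the default route on eth1. Addresses are constructed documentation-range stand-ins for x.x.x.x, y.y.y.y and z.z.z.z; the model is simplified (no local table, no metrics) and shows why both fixes discussed, rp_filter=0 on eth2 or Peter's host route to the proxy via eth2, make the log lines stop.

```python
"""Policy routing vs. strict reverse-path filtering, modelled on the thread's tables."""
import ipaddress

# Constructed stand-ins for the masked addresses in the thread.
ETH1_NET = "198.51.100.128/26"  # x.x.x.128/26: the default gateway x.x.x.129 lives here (eth1)
ETH2_NET = "203.0.113.96/27"    # y.y.y.96/27: the ic.out gateway y.y.y.97 lives here (eth2)
PROXY = "192.0.2.10"            # z.z.z.z, the remote squid host
CLIENT = "192.168.0.22"         # the LAN host named in the martian-source log line

# Routing tables as (prefix, outgoing device), mirroring `ip route ls table main`
# and `ip route ls table ic.out` from the thread.
TABLES = {
    "main": [(ETH2_NET, "eth2"), (ETH1_NET, "eth1"),
             ("192.168.0.0/24", "eth0"), ("0.0.0.0/0", "eth1")],
    "ic.out": [("0.0.0.0/0", "eth2")],
}

def select_table(fwmark):
    """`ip rule ls`: fwmark 1 -> ic.out, everything else -> main."""
    return "ic.out" if fwmark == 1 else "main"

def lookup(tables, table, dst):
    """Longest-prefix match in one table; returns the outgoing device or None."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, dev in tables[table]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def egress_device(dst, fwmark=0, tables=TABLES):
    """Forward path: the mangle MARK decides which table is consulted."""
    return lookup(tables, select_table(fwmark), dst)

def rp_filter_verdict(saddr, iif, rp_filter_on=True, tables=TABLES):
    """Ingress check.  Strict rp_filter accepts a packet only if the route back to
    its source leaves via the interface it arrived on.  The proxy's reply carries
    no fwmark (it never matched `-i eth0 --dport 3128`), so the reverse lookup
    uses `main`, where z.z.z.z is reached via the default route on eth1."""
    if not rp_filter_on:
        return "accept"
    return "accept" if egress_device(saddr, 0, tables) == iif else "martian source"

def with_host_route(tables, host, dev):
    """Peter's alternative: a /32 route to the proxy via eth2 in `main`, so forward
    and reverse paths agree and rp_filter can stay on.  Returns a patched copy."""
    patched = {name: list(routes) for name, routes in tables.items()}
    patched["main"].insert(0, (host + "/32", dev))
    return patched

if __name__ == "__main__":
    print("client -> proxy:3128 with fwmark 1 leaves via", egress_device(PROXY, fwmark=1))
    print("proxy reply on eth2, rp_filter=1:", rp_filter_verdict(PROXY, "eth2"))
    print("proxy reply on eth2, rp_filter=0:", rp_filter_verdict(PROXY, "eth2", False))
    print("proxy reply on eth2, host route :",
          rp_filter_verdict(PROXY, "eth2", True, with_host_route(TABLES, PROXY, "eth2")))
```

The same check is what makes rp_filter useful against spoofed private sources arriving on a public interface, which is why relaxing it only on eth2, as Marcin did, is the narrower change.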
participants (2)
- Marcin Gryszczuk
- Peter Wiersig