Mailinglist Archive: opensuse-security (334 mails)

Re: [suse-security] packets still seem to be dropped not routed despite rp_filter=0
  • From: Philipp Rusch <Philipp.Rusch@xxxxxxxxxxxx>
  • Date: Thu, 11 Sep 2003 23:54:02 +0200
  • Message-id: <3F60EEF9.C2F2D385@xxxxxxxxxxxx>
JJ, now I found my info-links to VPN resources again:

have a look at:

http://www.nadmm.com/show.php?story=articles/vpn.inc

(the author also states that ipsec0 has to be added to the EXT interface)

and a very good source for SuSE-specific FreeS/WAN infos:

http://www.suse.de/~garloff/linux/FreeSWAN/

with specific rpm packages for the various SuSE versions.

HTH, Philipp

J J schrieb:

> Are you sure?
>
> According to the /etc/protocols file there is no protocol 500 - the IP
> protocols go no higher than 255.
>
> That makes sense really seeing as the protocol field in IPV4 is only 8 bits
> long!
> (http://www.ietf.org/rfc/rfc0791.txt)
>
> This is an extract from my current /etc/sysconfig/SuSEfirewall2...
>
> FW_QUICKMODE="no"
> FW_DEV_EXT="ppp0"
> FW_DEV_INT="eth0 ipsec0"
> FW_DEV_DMZ=""
> FW_ROUTE="no"
> FW_MASQUERADE="no"
> FW_MASQ_DEV="$FW_DEV_EXT"
> FW_MASQ_NETS=""
> FW_PROTECT_FROM_INTERNAL="no"
> FW_AUTOPROTECT_SERVICES="yes"
> FW_SERVICES_EXT_TCP="smtp ssh"
> FW_SERVICES_EXT_UDP="isakmp"
> FW_SERVICES_EXT_IP="esp ah"
>
> Anyway I made a small amount of extra progress, at least in the way of
> ruling out problems. I decided to try connecting from the "jellybean"
> gateway itself to the "Bookman" LAN by creating adjusted entries in
> ipsec.conf and succeeded. Basically it worked right out of the box, I just
> removed the leftsubnet declarations on both sides - now the gateway can ping
> all the servers on the "Bookman" LAN and vice versa. This isn't the long
> term solution but does at least show that the boxes will talk to each other
> and send ipsec traffic correctly.
>
> Plus I toyed with the latest rdesktop and maybe I can persuade people to use
> that instead of Win 2k boxes with MSTSC client anyway! :) (ha!)
>
> But I'm still not sure why the SuSE 8.2 box is misbehaving and dropping my
> packets. Do you have any idea how I switch on debugging on the kernel
> routing code??
>
> >From: Philipp Rusch <Philipp.Rusch@xxxxxxxxxxxx>
> >To: J J <c_peto@xxxxxxxxxxx>
> >CC: "suse-security@xxxxxxxx" <suse-security@xxxxxxxx>
> >Subject: Re: [suse-security] packets still seem to be dropped not routed despite rp_filter=0
> >Date: Thu, 11 Sep 2003 20:05:34 +0200
> >
> >Hi Carl,
> >You are a victim of a very common misunderstanding concerning IPSEC
> >and the setup of the firewall .... ;-)
> >
> >Not PORT 500 is needed to set up the tunnel (after negotiation of SA has been
> >done), but PROTOCOL (!!!) 500, which you have to put in the firewall
> >to be allowed through interface ipsec0 (add this to FW_DEV_EXT).
> >Since I do not use SuSE firewall anymore (there are better scripts for iptables)
> >I am not a 100% sure, but I remember that you have to set this in
> >SuSEfirewall2-file as variable FW_SERVICES_EXT_IP = 500.
> >
> >HTH, Philipp
> >
> >J J schrieb:
> >
> > > I'm trying to set up a VPN from "home" LAN to "bookman" LAN.
> > > I've set up Freeswan successfully and it *appears* to be doing its job but
> > > still packets aren't getting through. I suspect that routing isn't working for
> > > some reason and I've reached the limit of my security knowledge.
> > >
> > > Can anyone help?
> > >
> > > The set up is this:
> > > "Bookman" LAN is subnet 192.168.0.0/24 with Ipsec gateway "flanger" on
> > > IP address 192.168.0.127. "Bookman" LAN connects to internet via ADSL ("Vigor")
> > > router that has "Ipsec passthru". In terms of configuration this means that
> > > I've switched off the "Vigor" router's built-in Ipsec processing and set UDP
> > > on port 500 to forward direct to "flanger" on 192.168.0.127. The router's
> > > software is set to recognize this combination as a signal to switch on Ipsec
> > > passthru so that protocols 50 and 51 are also forwarded to the same internal
> > > box.
> > >
> > > (We've successfully set up and used an SA to a "Fortigate" router based on this
> > > through to another company "SGPM" and we use that VPN for production purposes.
> > > It's fast and stable and has impressed management!)
> > >
> > > "Home" LAN is subnet 192.168.10.0/24 with Ipsec gateway "jellybean" on external
> > > IP address 217.... (hidden for privacy - if that's me being silly I'm happy to
> > > reveal it!). The "home" gateway has an ethernet card on 192.168.10.1 with a
> > > hub connected to that and (at present) one test laptop connected to the hub
> > > running Win 2k.
> > >
> > > Ipsec gateway on "Bookman" LAN ("flanger") is running SuSE 7.2 and our gateway
> > > here ("jellybean") is running SuSE 8.2 (these seem to be Freeswan 1.91 and 1.99
> > > respectively).
> > >
> > > The idea is to have a VPN connecting PCs and laptops on the "home" LAN to the
> > > servers on the "Bookman" LAN in production.
> > >
> > > Progress so far:
> > > With a small amount of tinkering I managed to get the two pluto daemons to talk
> > > and agree an SA but was unable to ping servers on the "Bookman" LAN from
> > > either our gateway or our test laptop. After help from Rob Maurizzi on this
> > > mailing list I managed to get KLIPS debugging and found that, rather boringly,
> > > the gateway was unable to ping Bookman servers because packets were being seen
> > > by KLIPS as coming from the WAN address of the router (217....) and so had no
> > > eroute and were dropped - this was clearly visible in the stats on ifconfig,
> > > which helped.
> > >
> > > Problem:
> > > However this didn't explain why the laptop couldn't reach the Bookman LAN. My
> > > initial thought was that routing needed to be switched on. The box is
> > > configured as a firewall with a SQUID proxy so the "home" LAN can access the
> > > www. SuSEfirewall2 is running to prevent malicious attacks but allow Ipsec
> > > traffic. Config is basically - allow external TCP service "ssh" plus external
> > > UDP service "isakmp" plus external IP protocols "ah" and "esp", do not protect
> > > from internal network, reject rather than drop packets (temporary for debug)
> > > and log all dropped packets (temporary for debug).
> > >
> > > When I ping from the Win 2k laptop to a Bookman server I see nothing in the
> > > firewall logs, nothing in KLIPS debug. I see packets arriving on eth0 but
> > > nothing on ipsec0 or ppp0 (the WAN interface).
> > >
> > > echo "1" > /proc/sys/net/ipv4/ip_forward makes no difference
> > >
> > > cat /proc/sys/net/ipv4/conf/*/forwarding gives "1"s for all devices and worse
> > >
> > > cat /proc/sys/net/ipv4/conf/*/rp_filter gives "0"s for all devices!
> > >
> > > Outputs:
> > > jellybean:~ # rcipsec start
> > > ipsec_setup: Starting FreeS/WAN IPsec 1.99...
> > > ipsec_setup: ipsec
> > > ipsec_setup:
> > > done
> > > jellybean:~ # ipsec auto --up jellybean-bookman
> > > 104 "jellybean-bookman" #1: STATE_MAIN_I1: initiate
> > > 106 "jellybean-bookman" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> > > 108 "jellybean-bookman" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> > > 004 "jellybean-bookman" #1: STATE_MAIN_I4: ISAKMP SA established
> > > 112 "jellybean-bookman" #2: STATE_QUICK_I1: initiate
> > > 004 "jellybean-bookman" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
> > > jellybean:~ # ip route ls
> > > 213.123.101.97 dev ppp0 proto kernel scope link src 217.24.128.146
> > > 213.123.101.97 dev ipsec0 proto kernel scope link src 217.24.128.146
> > > 192.168.0.0/24 via 213.123.101.97 dev ipsec0
> > > 192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.1
> > > default via 213.123.101.97 dev ppp0
> > > jellybean:~ # ip rule ls
> > > 0: from all lookup local
> > > 32766: from all lookup main
> > > 32767: from all lookup default
> > > jellybean:~ # route -n
> > > Kernel IP routing table
> > > Destination     Gateway         Genmask         Flags Metric Ref Use Iface
> > > 213.123.101.97  0.0.0.0         255.255.255.255 UH    0      0   0   ppp0
> > > 213.123.101.97  0.0.0.0         255.255.255.255 UH    0      0   0   ipsec0
> > > 192.168.0.0     213.123.101.97  255.255.255.0   UG    0      0   0   ipsec0
> > > 192.168.10.0    0.0.0.0         255.255.255.0   U     0      0   0   eth0
> > > 0.0.0.0         213.123.101.97  0.0.0.0         UG    0      0   0   ppp0
> > > jellybean:~ #
> > > jellybean:~ # ifconfig
> > > eth0      Link encap:Ethernet  HWaddr 00:40:95:30:5C:79
> > >           inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
> > >           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> > >           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> > >           TX packets:53 errors:0 dropped:0 overruns:0 carrier:0
> > >           collisions:0 txqueuelen:100
> > >           RX bytes:0 (0.0 b)  TX bytes:8692 (8.4 Kb)
> > >           Interrupt:5 Base address:0xc000
> > >
> > > ipsec0    Link encap:IPIP Tunnel  HWaddr
> > >           inet addr:217.24.128.146  Mask:255.255.255.255
> > >           UP RUNNING NOARP  MTU:16260  Metric:1
> > >           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> > >           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> > >           collisions:0 txqueuelen:10
> > >           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
> > >
> > > lo        Link encap:Local Loopback
> > >           inet addr:127.0.0.1  Mask:255.0.0.0
> > >           UP LOOPBACK RUNNING  MTU:16436  Metric:1
> > >           RX packets:32 errors:0 dropped:0 overruns:0 frame:0
> > >           TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
> > >           collisions:0 txqueuelen:0
> > >           RX bytes:2056 (2.0 Kb)  TX bytes:2056 (2.0 Kb)
> > >
> > > ppp0      Link encap:Point-to-Point Protocol
> > >           inet addr:217.24.128.146  P-t-P:213.123.101.97  Mask:255.255.255.255
> > >           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
> > >           RX packets:886 errors:0 dropped:0 overruns:0 frame:0
> > >           TX packets:957 errors:0 dropped:0 overruns:0 carrier:0
> > >           collisions:0 txqueuelen:3
> > >           RX bytes:375562 (366.7 Kb)  TX bytes:107243 (104.7 Kb)
> > >
> > > jellybean:~ #
> > >
> > > (OK so I capitulated - u can see my wan address - hey, I trust SuSEfirewall2
> > > !! :) )
> > > (Note eth0 stats aren't accurate at the moment, I just created this quickly
> > > before rushing to a meeting.)
> > >
> > > Does anyone know what happened to my packets?!?
> > >
> > > Regards,
> > > Carl
> > >
> > >
> > > --
> > > Check the headers for your unsubscription address
> > > For additional commands, e-mail: suse-security-help@xxxxxxxx
> > > Security-related bug reports go to security@xxxxxxx, not here
> >
>
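The thread turns on three points: IKE uses UDP port 500 (service name isakmp), the tunnel itself uses IP protocols 50 (esp) and 51 (ah), and "protocol 500" cannot exist because the IPv4 Protocol field is 8 bits wide; the other open question is whether the gateway forwards LAN traffic into the tunnel at all. The script below is an added example written for this page, not code from the thread or from SuSEfirewall2: it lints those settings in a SuSEfirewall2 sysconfig file. It assumes `VAR="value"` lines exactly as in J J's extract, and the sample configs it writes are constructed (J J's values, plus one variant with Philipp's suggested "500" and one with forwarding turned on). Its reading of FW_ROUTE follows SuSEfirewall2's documented meaning: with "no", the script sets up no forwarding between interfaces.

```shell
#!/bin/sh
# Added example (not code from the thread or from SuSEfirewall2): lint the
# IPsec-related settings in a SuSEfirewall2 sysconfig file for the mistakes
# discussed in the thread. Assumes VAR="value" lines as in J J's extract.

# make_sample FW_ROUTE FW_SERVICES_EXT_IP: write a constructed config file
# (the other values copied from J J's extract) and print its path.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<EOF
FW_QUICKMODE="no"
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth0 ipsec0"
FW_ROUTE="$1"
FW_SERVICES_EXT_TCP="smtp ssh"
FW_SERVICES_EXT_UDP="isakmp"
FW_SERVICES_EXT_IP="$2"
EOF
    echo "$f"
}

# cfg_get FILE VAR: print the value of the last VAR="..." line, or nothing.
cfg_get() {
    sed -n "s/^$2=\"\([^\"]*\)\"[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# has_word LIST WORD: succeed if WORD is one of the space-separated items in LIST.
has_word() {
    for w in $1; do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# proto_ok TOKEN: succeed if TOKEN is a protocol name FreeS/WAN needs (esp = 50,
# ah = 51 in /etc/protocols) or a number that fits the 8-bit Protocol field of
# the IPv4 header (RFC 791), i.e. 0..255. "500" is the IKE UDP port, not a protocol.
proto_ok() {
    case "$1" in
        esp|ah) return 0 ;;
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 255 ]
}

# check_ipsec_fw FILE: print one finding per line; no output means nothing found.
check_ipsec_fw() {
    udp=$(cfg_get "$1" FW_SERVICES_EXT_UDP)
    ip=$(cfg_get "$1" FW_SERVICES_EXT_IP)
    ext=$(cfg_get "$1" FW_DEV_EXT)
    int=$(cfg_get "$1" FW_DEV_INT)
    route=$(cfg_get "$1" FW_ROUTE)

    has_word "$udp" isakmp || has_word "$udp" 500 \
        || echo "IKE blocked: add isakmp (UDP 500) to FW_SERVICES_EXT_UDP"
    has_word "$ip" esp || has_word "$ip" 50 \
        || echo "ESP blocked: add esp (IP protocol 50) to FW_SERVICES_EXT_IP"
    has_word "$ip" ah || has_word "$ip" 51 \
        || echo "AH blocked: add ah (IP protocol 51) to FW_SERVICES_EXT_IP"
    for tok in $ip; do
        proto_ok "$tok" \
            || echo "FW_SERVICES_EXT_IP: '$tok' is not an IP protocol number (max 255)"
    done
    has_word "$ext" ipsec0 || has_word "$int" ipsec0 \
        || echo "ipsec0 is in neither FW_DEV_EXT nor FW_DEV_INT: tunnel traffic gets the default policy"
    [ "$route" = yes ] \
        || echo "FW_ROUTE=\"$route\": SuSEfirewall2 sets up no forwarding, so LAN hosts cannot reach the tunnel"
}

# count_findings FILE: number of finding lines (0 when the config is clean).
count_findings() {
    check_ipsec_fw "$1" | wc -l | tr -d ' '
}

# Three constructed configs: what J J posted, what Philipp's "protocol 500"
# advice would give, and the posted one with forwarding switched on.
POSTED_CFG=$(make_sample no "esp ah")
ADVISED_CFG=$(make_sample no "500")
FIXED_CFG=$(make_sample yes "esp ah")

for cfg in "$POSTED_CFG" "$ADVISED_CFG" "$FIXED_CFG"; do
    echo "== $cfg: $(count_findings "$cfg") finding(s)"
    check_ipsec_fw "$cfg"
done
```

Run against J J's posted values the only finding is FW_ROUTE="no", which matches his symptom of packets arriving on eth0 and never appearing on ipsec0 or ppp0; the "500" variant additionally loses ESP and AH and flags the impossible protocol number, so the check catches the misunderstanding J J corrected by reading /etc/protocols.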

