Mailinglist Archive: opensuse-security (334 mails)

RES: [suse-security] packets still seem to be dropped not routed despite rp_filter=0
  • From: "Valter Rehn" <valter@xxxxxxxxxxxx>
  • Date: Thu, 11 Sep 2003 17:36:40 -0300
  • Message-id: <0D086E7B59DF094499DC97A31891C7AE99D102@xxxxxxxxxxxxxxxxx>
Just my 2 cents...

IPSEC uses
UDP port 500 AND ( PROTOCOL 50 OR PROTOCOL 51 )

Cheers,
Valter Rehn

-----Original Message-----
From: J J [mailto:c_peto@xxxxxxxxxxx]
Sent: Thursday, September 11, 2003 17:26
To: Philipp.Rusch@xxxxxxxxxxxx
Cc: suse-security@xxxxxxxx
Subject: Re: [suse-security] packets still seem to be dropped not routed
despite rp_filter=0


Are you sure?

According to the /etc/protocols file there is no protocol 500 - the IP
protocols go no higher than 255.

That makes sense really seeing as the protocol field in IPV4 is only 8 bits
long!
(http://www.ietf.org/rfc/rfc0791.txt)

This is an extract from my current /etc/sysconfig/SuSEfirewall2...

FW_QUICKMODE="no"
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth0 ipsec0"
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS=""
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="smtp ssh"
FW_SERVICES_EXT_UDP="isakmp"
FW_SERVICES_EXT_IP="esp ah"

Anyway I made a small amount of extra progress, at least in the way of
ruling out problems. I decided to try connecting from the "jellybean"
gateway itself to the "Bookman" LAN by creating adjusted entries in
ipsec.conf and succeeded. Basically it worked right out of the box; I just
removed the leftsubnet declarations on both sides - now the gateway can ping
all the servers on the "Bookman" LAN and vice versa. This isn't the long-term
solution but does at least show that the boxes will talk to each other
and send ipsec traffic correctly.

Plus I toyed with the latest rdesktop and maybe I can persuade people to use
that instead of Win 2k boxes with MSTSC client anyway! :) (ha!)

But I'm still not sure why the SuSE 8.2 box is misbehaving and dropping my
packets. Do you have any idea how I switch on debugging on the kernel
routing code?

>From: Philipp Rusch <Philipp.Rusch@xxxxxxxxxxxx>
>To: J J <c_peto@xxxxxxxxxxx>
>CC: "suse-security@xxxxxxxx" <suse-security@xxxxxxxx>
>Subject: Re: [suse-security] packets still seem to be dropped not routed
>despite rp_filter=0
>Date: Thu, 11 Sep 2003 20:05:34 +0200
>
>Hi Carl,
>You are the victim of a very common misunderstanding concerning IPSEC
>and the setup of the firewall .... ;-)
>
>Not PORT 500 is needed to set up the tunnel (after negotiation of SA has
>been done), but PROTOCOL (!!!) 500, which you have to put in the firewall
>to be allowed through interface ipsec0 (add this to FW_DEV_EXT).
>Since I do not use SuSE firewall anymore (there are better scripts for
>iptables) I am not 100% sure, but I remember that you have to set this in
>SuSEfirewall2-file as variable FW_SERVICES_EXT_IP = 500.
>
>HTH, Philipp
>
>J J schrieb:
>
> > I'm trying to set up a VPN from "home" LAN to "bookman" LAN.
> > I've set up Freeswan successfully and it *appears* to be doing its job but
> > still packets aren't getting through. I suspect that routing isn't working
> > for some reason and I've reached the limit of my security knowledge.
> >
> > Can anyone help?
> >
> > The set up is this:
> > "Bookman" LAN is subnet 192.168.0.0/24 with Ipsec gateway "flanger" on
> > IP address 192.168.0.127. "Bookman" LAN connects to internet via ADSL ("Vigor")
> > router that has "Ipsec passthru". In terms of configuration this means that
> > I've switched off the "Vigor" router's built-in Ipsec processing and set UDP
> > on port 500 to forward direct to "flanger" on 192.168.0.127. The router's
> > software is set to recognize this combination as a signal to switch on Ipsec
> > passthru so that protocols 50 and 51 are also forwarded to the same internal
> > box.
> >
> > (We've successfully set up and used an SA to a "Fortigate" router based on
> > this through to another company "SGPM" and we use that VPN for production
> > purposes. It's fast and stable and has impressed management!)
> >
> > "Home" LAN is subnet 192.168.10.0/24 with Ipsec gateway "jellybean" on external
> > IP address 217.... (hidden for privacy - if that's me being silly I'm happy
> > to reveal it!). The "home" gateway has an ethernet card on 192.168.10.1 with a
> > hub connected to that and (at present) one test laptop connected to the hub
> > running Win 2k.
> >
> > Ipsec gateway on "Bookman" LAN ("flanger") is running SuSE 7.2 and our gateway
> > here ("jellybean") is running SuSE 8.2 (these seem to be Freeswan 1.91 and
> > 1.99 respectively).
> >
> > The idea is to have a VPN connecting PCs and laptops on the "home" LAN to
> > the servers on the "Bookman" LAN in production.
> >
> > Progress so far:
> > With a small amount of tinkering I managed to get the two pluto daemons to
> > talk and agree an SA but was unable to ping servers on the "Bookman" LAN from
> > either our gateway or our test laptop. After help from Rob Maurizzi on this
> > mailing list I managed to get KLIPS debugging and found that, rather boringly,
> > the gateway was unable to ping Bookman servers because packets were being
> > seen by KLIPS as coming from the WAN address of the router (217....) and so had
> > no eroute and were dropped - this was clearly visible in the stats on ifconfig,
> > which helped.
> >
> > Problem:
> > However this didn't explain why the laptop couldn't reach the Bookman LAN.
> > My initial thought was that routing needed to be switched on. The box is
> > configured as a firewall with a SQUID proxy so the "home" LAN can access the
> > www. SuSEfirewall2 is running to prevent malicious attacks but allow Ipsec
> > traffic. Config is basically - allow external TCP service "ssh" plus external
> > UDP service "isakmp" plus external IP protocols "ah" and "esp", do not protect
> > from internal network, reject rather than drop packets (temporary for debug)
> > and log all dropped packets (temporary for debug).
> >
> > When I ping from the Win 2k laptop to a Bookman server I see nothing in the
> > firewall logs, nothing in KLIPS debug. I see packets arriving on eth0 but
> > nothing on ipsec0 or ppp0 (the WAN interface).
> >
> > echo "1" > /proc/sys/net/ipv4/ip_forward makes no difference
> >
> > cat /proc/sys/net/ipv4/conf/*/forwarding gives "1"s for all devices and worse
> >
> > cat /proc/sys/net/ipv4/conf/*/rp_filter gives "0"s for all devices!
> > Outputs:
> > jellybean:~ # rcipsec start
> > ipsec_setup: Starting FreeS/WAN IPsec 1.99...
> > ipsec_setup: ipsec
> > ipsec_setup:
> > done
> > jellybean:~ # ipsec auto --up jellybean-bookman
> > 104 "jellybean-bookman" #1: STATE_MAIN_I1: initiate
> > 106 "jellybean-bookman" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> > 108 "jellybean-bookman" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> > 004 "jellybean-bookman" #1: STATE_MAIN_I4: ISAKMP SA established
> > 112 "jellybean-bookman" #2: STATE_QUICK_I1: initiate
> > 004 "jellybean-bookman" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
> > jellybean:~ # ip route ls
> > 213.123.101.97 dev ppp0 proto kernel scope link src 217.24.128.146
> > 213.123.101.97 dev ipsec0 proto kernel scope link src 217.24.128.146
> > 192.168.0.0/24 via 213.123.101.97 dev ipsec0
> > 192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.1
> > default via 213.123.101.97 dev ppp0
> > jellybean:~ # ip rule ls
> > 0: from all lookup local
> > 32766: from all lookup main
> > 32767: from all lookup default
> > jellybean:~ # route -n
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 213.123.101.97  0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> > 213.123.101.97  0.0.0.0         255.255.255.255 UH    0      0        0 ipsec0
> > 192.168.0.0     213.123.101.97  255.255.255.0   UG    0      0        0 ipsec0
> > 192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
> > 0.0.0.0         213.123.101.97  0.0.0.0         UG    0      0        0 ppp0
> > jellybean:~ #
> > jellybean:~ # ifconfig
> > eth0      Link encap:Ethernet  HWaddr 00:40:95:30:5C:79
> >           inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
> >           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:53 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:100
> >           RX bytes:0 (0.0 b)  TX bytes:8692 (8.4 Kb)
> >           Interrupt:5 Base address:0xc000
> >
> > ipsec0    Link encap:IPIP Tunnel  HWaddr
> >           inet addr:217.24.128.146  Mask:255.255.255.255
> >           UP RUNNING NOARP  MTU:16260  Metric:1
> >           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:10
> >           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
> >
> > lo        Link encap:Local Loopback
> >           inet addr:127.0.0.1  Mask:255.0.0.0
> >           UP LOOPBACK RUNNING  MTU:16436  Metric:1
> >           RX packets:32 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:0
> >           RX bytes:2056 (2.0 Kb)  TX bytes:2056 (2.0 Kb)
> >
> > ppp0      Link encap:Point-to-Point Protocol
> >           inet addr:217.24.128.146  P-t-P:213.123.101.97  Mask:255.255.255.255
> >           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
> >           RX packets:886 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:957 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:3
> >           RX bytes:375562 (366.7 Kb)  TX bytes:107243 (104.7 Kb)
> >
> > jellybean:~ #
> >
> > (OK so I capitulated - you can see my WAN address - hey, I trust SuSEfirewall2
> > !! :) )
> > (Note eth0 stats aren't accurate at the moment, I just created this quickly
> > before rushing to a meeting.)
> >
> > Does anyone know what happened to my packets?!?
> >
> > Regards,
> > Carl
> >
> >
> > --
> > Check the headers for your unsubscription address
> > For additional commands, e-mail: suse-security-help@xxxxxxxx
> > Security-related bug reports go to security@xxxxxxx, not here
>

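The point the two corrections in this thread make (IKE is UDP port 500; ESP and AH are IP protocols 50 and 51, and "protocol 500" cannot exist because the IPv4 protocol field is 8 bits) is easy to get wrong in a firewall config, so here is an added example that is not code from the thread, from SuSEfirewall2 or from FreeS/WAN. It parses the FW_* lines Carl posted, resolves service and protocol names the way /etc/services and /etc/protocols would, rejects a protocol number above 255 with a hint that a port was probably meant, and prints the iptables rules the config amounts to. The lookup tables are a constructed subset of those two files, embedded so the script runs offline; the rule form (one ACCEPT per entry in the INPUT chain on FW_DEV_EXT) is an assumption for illustration, not SuSEfirewall2's actual rule layout.

```python
import re

# Constructed subset of /etc/protocols (name -> IP protocol number) and
# /etc/services ((name, transport) -> port), embedded so this runs offline.
PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}
SERVICES = {("ssh", "tcp"): 22, ("smtp", "tcp"): 25, ("isakmp", "udp"): 500}
MAX_PROTO = 255    # the IPv4 'protocol' field is 8 bits (RFC 791)
MAX_PORT = 65535   # TCP/UDP ports are 16 bits

# Constructed sample: the FW_* lines posted in the thread.
CARL_CONFIG = """
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth0 ipsec0"
FW_SERVICES_EXT_TCP="smtp ssh"
FW_SERVICES_EXT_UDP="isakmp"
FW_SERVICES_EXT_IP="esp ah"
"""
# Constructed sample: the same box with "protocol 500" written into FW_SERVICES_EXT_IP.
BAD_CONFIG = """
FW_DEV_EXT="ppp0"
FW_SERVICES_EXT_UDP="isakmp"
FW_SERVICES_EXT_IP="500"
"""

def parse_config(text):
    """Return {VAR: value} for every line of the form FW_VAR="value"."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'^\s*(FW_[A-Z_]+)="([^"]*)"\s*$', line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def resolve_protocol(token):
    """FW_SERVICES_*_IP token -> IP protocol number; ValueError if it is not one."""
    if token.isdigit():
        if int(token) > MAX_PROTO:
            raise ValueError(f"{token!r}: IP protocol numbers are 0..{MAX_PROTO}; "
                             f"a port (UDP {token}?) belongs in FW_SERVICES_EXT_UDP")
        return int(token)
    if token.lower() in PROTOCOLS:
        return PROTOCOLS[token.lower()]
    raise ValueError(f"{token!r}: unknown protocol name")

def resolve_port(token, transport):
    """FW_SERVICES_*_TCP/UDP token -> port number; ValueError if it is not one."""
    if token.isdigit():
        if int(token) > MAX_PORT:
            raise ValueError(f"{token!r}: ports are 0..{MAX_PORT}")
        return int(token)
    if (token.lower(), transport) in SERVICES:
        return SERVICES[(token.lower(), transport)]
    raise ValueError(f"{token!r}: unknown {transport} service name")

def ipsec_rules(cfg):
    """Turn the external-interface allowances into iptables INPUT rules.
    Returns (rules, errors): a token that does not resolve yields an error
    rather than a rule, so a bad entry never silently opens or closes anything."""
    rules, errors = [], []
    for dev in cfg.get("FW_DEV_EXT", "").split():
        for transport in ("tcp", "udp"):
            for tok in cfg.get(f"FW_SERVICES_EXT_{transport.upper()}", "").split():
                try:
                    port = resolve_port(tok, transport)
                    rules.append(f"iptables -A INPUT -i {dev} -p {transport} --dport {port} -j ACCEPT")
                except ValueError as exc:
                    errors.append(str(exc))
        for tok in cfg.get("FW_SERVICES_EXT_IP", "").split():
            try:
                rules.append(f"iptables -A INPUT -i {dev} -p {resolve_protocol(tok)} -j ACCEPT")
            except ValueError as exc:
                errors.append(str(exc))
    return rules, errors

def allows_ipsec(cfg):
    """True when IKE (UDP 500) and ESP (50) or AH (51) are all let in from outside."""
    udp_ports, protos = set(), set()
    for tok in cfg.get("FW_SERVICES_EXT_UDP", "").split():
        try:
            udp_ports.add(resolve_port(tok, "udp"))
        except ValueError:
            pass
    for tok in cfg.get("FW_SERVICES_EXT_IP", "").split():
        try:
            protos.add(resolve_protocol(tok))
        except ValueError:
            pass
    return 500 in udp_ports and bool(protos & {50, 51})

if __name__ == "__main__":
    for name, text in (("posted config", CARL_CONFIG), ("'protocol 500' config", BAD_CONFIG)):
        cfg = parse_config(text)
        rules, errors = ipsec_rules(cfg)
        print(f"== {name}: IPsec allowed = {allows_ipsec(cfg)}")
        print("\n".join(rules))
        for err in errors:
            print("ERROR:", err)
```

Run against the posted extract it reports IPsec as allowed and emits five rules (UDP 500, protocols 50 and 51, TCP 22 and 25 on ppp0); against the "500" variant it emits only the IKE rule and an error, which is the outcome a validator should give rather than a rule that iptables would reject or, worse, misread. Note that on a real box the tables would be read from /etc/protocols and /etc/services and, with a NAT router in front of the gateway as in the thread, the router's own port-forwarding must pass the same three things through.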

