Re: [opensuse-security] SFW2-IN-ILL-TARGET IN=vmnet1 prevents my RDP Nat from working
  • From: peter.burkard@xxxxxxxxxx
  • Date: Thu, 3 Jul 2008 10:38:19 +0200
  • Message-id: <OFC14B0082.7C3D61C5-ONC125747B.002CD207-C125747B.002F741A@xxxxxxxxxx>
Hi again!

Philippe Vogel <filiaap@xxxxxxxxxx> wrote on 07/02/2008 06:32:50 PM:


Hi!

peter.burkard@xxxxxxxxxx schrieb:
| Hi there.
|
| My environment:
|
| * SLES 10.1 with patches
|
| * VMWare Server 1.05
|
| * some virtual XP's
|
| * SuseFirewall2 with iptables/nat for rdp session
|
|
| My config:
|
| # ifconfig
|
| eth0 Link encap:Ethernet HWaddr 00:E0:81:44:89:82
| inet addr:10.193.28.1 Bcast:10.193.28.127 Mask:255.255.255.128
| UP BROADCAST MULTICAST MTU:1500 Metric:1
| RX packets:0 errors:0 dropped:0 overruns:0 frame:0
| TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
| collisions:0 txqueuelen:1000
| RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
| Interrupt:169
|
| eth1 Link encap:Ethernet HWaddr 00:E0:81:44:89:83
| inet addr:192.168.73.1 Bcast:192.168.73.255 Mask:255.255.255.0
| UP BROADCAST MULTICAST MTU:1500 Metric:1
| RX packets:0 errors:0 dropped:0 overruns:0 frame:0
| TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
| collisions:0 txqueuelen:1000
| RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
| Interrupt:169
|
| eth2 Link encap:Ethernet HWaddr 00:0E:0C:AA:AC:32
| inet addr:10.49.26.82 Bcast:10.49.27.255 Mask:255.255.252.0
| UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
| RX packets:82197 errors:0 dropped:0 overruns:0 frame:0
| TX packets:8840 errors:0 dropped:0 overruns:0 carrier:0
| collisions:0 txqueuelen:1000
| RX bytes:6646116 (6.3 Mb) TX bytes:10600143 (10.1 Mb)
|
| lo Link encap:Local Loopback
| inet addr:127.0.0.1 Mask:255.0.0.0
| UP LOOPBACK RUNNING MTU:16436 Metric:1
| RX packets:15972 errors:0 dropped:0 overruns:0 frame:0
| TX packets:15972 errors:0 dropped:0 overruns:0 carrier:0
| collisions:0 txqueuelen:0
| RX bytes:8837810 (8.4 Mb) TX bytes:8837810 (8.4 Mb)
|
| vmnet1 Link encap:Ethernet HWaddr 00:50:56:C0:00:01
| inet addr:192.168.74.1 Bcast:192.168.74.255 Mask:255.255.255.0
| UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
| RX packets:0 errors:0 dropped:0 overruns:0 frame:0
| TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
| collisions:0 txqueuelen:1000
| RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
|
| # iptables -L -t nat
|
| Chain PREROUTING (policy ACCEPT)
| target prot opt source destination
| DNAT tcp -- anywhere baust-vmsrv01.uta.de.abb.com tcp dpt:mrt
| to:192.168.74.100:3389
| DNAT tcp -- anywhere baust-vmsrv01.uta.de.abb.com tcp dpt:50001
| to:192.168.74.101:3389
| DNAT tcp -- anywhere baust-vmsrv01.uta.de.abb.com tcp dpt:50002
| to:192.168.74.102:3389
| DNAT tcp -- anywhere baust-vmsrv01.uta.de.abb.com tcp dpt:50003
| to:192.168.74.103:3389
| DNAT tcp -- anywhere baust-vmsrv01.uta.de.abb.com tcp dpt:50004
| to:192.168.74.104:3389
|
| Chain POSTROUTING (policy ACCEPT)
| target prot opt source destination
| MASQUERADE all -- anywhere anywhere
|
| Chain OUTPUT (policy ACCEPT)
| target prot opt source destination
|
| Some settings of my firewall:
|
| * FW_DEV_EXT="eth2"
| * FW_DEV_INT="vmnet1"
| * FW_ROUTE="yes"
| * FW_MASQUERADE="yes"
| * FW_MASQ_DEV="$FW_DEV_EXT"
| * FW_MASQ_NETS="0/0"
| * FW_PROTECT_FROM_INT="no"
| * FW_SERVICES_REJECT_EXT="0/0,tcp,113"
| * FW_SERVICES_EXT_TCP="8080 8222 8333 904 5801 5901 http https ssh"
| * FW_FORWARD_MASQ="0/0,192.168.74.100,tcp,50000,3389,10.49.26.181
| 0/0,192.168.74.101,tcp,50001,3389,10.49.26.181
| 0/0,192.168.74.102,tcp,50002,3389,10.49.26.181
| 0/0,192.168.74.103,tcp,50003,3389,10.49.26.181
| 0/0,192.168.74.104,tcp,50004,3389,10.49.26.181"
|
| My problem:
|
| Can't connect to the vXP's via RDP over NAT because of this error message
| from SuseFirewall:
|
| Jul 2 11:08:24 baust-vmsrv01 kernel: SFW2-IN-ILL-TARGET IN=vmnet1 OUT=
| MAC=ff:ff:ff:ff:ff:ff:00:0c:29:1f:32:b3:08:00 SRC=192.168.74.100
| DST=192.168.74.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=130 PROTO=UDP
| SPT=138 DPT=138 LEN=209
BTW: The "SFW2-IN-ILL-TARGET" is a broadcast to the network (.255) from
your server on DEV_INT.
|
| Any ideas out there to fix this?!
Don't underestimate the power of Google! The search words "remote desktop
iptables" give me as the 3rd result:

http://www.linuxforums.org/forum/linux-networking/51774-remote-desktop-ip-tables-problem.html

This will hopefully be a solution for you.

The following command, maybe with additional greps, will help find the
other problems:

less /var/log/SuSEfirewall2.log | grep DROP

Hi Philippe.

I'm just a little confused :-(

My NAT rules are as above and my FORWARD chain looks like:
LOG tcp -- anywhere 192.168.74.100 limit: avg 3/min burst 5 tcp dpt:ms-wbt-server state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDext-ACC-REVMASQ '
ACCEPT tcp -- anywhere 192.168.74.100 tcp dpt:ms-wbt-server
ACCEPT tcp -- 192.168.74.100 anywhere state RELATED,ESTABLISHED
LOG tcp -- anywhere 192.168.74.101 limit: avg 3/min burst 5 tcp dpt:ms-wbt-server state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDext-ACC-REVMASQ '
ACCEPT tcp -- anywhere 192.168.74.101 tcp dpt:ms-wbt-server
ACCEPT tcp -- 192.168.74.101 anywhere state RELATED,ESTABLISHED
LOG tcp -- anywhere 192.168.74.102 limit: avg 3/min burst 5 tcp dpt:ms-wbt-server state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDext-ACC-REVMASQ '
ACCEPT tcp -- anywhere 192.168.74.102 tcp dpt:ms-wbt-server
ACCEPT tcp -- 192.168.74.102 anywhere state RELATED,ESTABLISHED
LOG tcp -- anywhere 192.168.74.103 limit: avg 3/min burst 5 tcp dpt:ms-wbt-server state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDext-ACC-REVMASQ '
ACCEPT tcp -- anywhere 192.168.74.103 tcp dpt:ms-wbt-server
ACCEPT tcp -- 192.168.74.103 anywhere state RELATED,ESTABLISHED
LOG tcp -- anywhere 192.168.74.104 limit: avg 3/min burst 5 tcp dpt:ms-wbt-server state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDext-ACC-REVMASQ '
ACCEPT tcp -- anywhere 192.168.74.104 tcp dpt:ms-wbt-server
ACCEPT tcp -- 192.168.74.104 anywhere state RELATED,ESTABLISHED

But SFW2 told me the following:

Jul 3 09:29:31 baust-vmsrv01 kernel: SFW2-INext-DROP-DEFLT IN=eth2 OUT= MAC=00:0e:0c:aa:ac:32:00:03:e3:8d:d1:20:08:00 SRC=10.49.82.141 DST=10.49.26.82 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=27042 DF PROTO=TCP SPT=1284 DPT=50000 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204056401010402)

- IN and OUT are the same (huh..), the SRC is my desktop, DST the external
IP of my VMWare host.

I don't know why my RDP requests are redirected from eth2 to eth2 and
then dropped?

HELP!

Thanks in advance
Peter

If you wanna have a log or something else use COMMAND > outputfile to
write it to a file.

Best regards

Philippe

- --
This message is digitally signed and contains neither seal nor
signature!

Unsolicited sending of advertising e-mail to private individuals violates
§1 UWG and 823 I BGB (decision of the Landgericht Berlin of 2 Aug 1998, Az:
16 O 201/98). Any commercial use of the transmitted personal data and
its passing on to third parties is expressly prohibited!

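A small triage helper for the two SFW2 kernel log lines quoted in this thread, added here as an example; it is not code from either poster or from SuSEfirewall2. It splits the log prefix and KEY=VALUE fields, then checks a dropped packet against the FW_FORWARD_MASQ entries from the thread. It assumes (as in the format described in /etc/sysconfig/SuSEfirewall2, but an assumption here) that the optional sixth field names the external address the forward rule applies to, so a packet arriving for a different address on the external interface would not be matched by that rule.

```python
import re

# The two kernel log lines copied from the thread.
SFW2_LOGS = [
    "Jul 2 11:08:24 baust-vmsrv01 kernel: SFW2-IN-ILL-TARGET IN=vmnet1 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:0c:29:1f:32:b3:08:00 SRC=192.168.74.100 "
    "DST=192.168.74.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=130 PROTO=UDP "
    "SPT=138 DPT=138 LEN=209",
    "Jul 3 09:29:31 baust-vmsrv01 kernel: SFW2-INext-DROP-DEFLT IN=eth2 OUT= "
    "MAC=00:0e:0c:aa:ac:32:00:03:e3:8d:d1:20:08:00 SRC=10.49.82.141 "
    "DST=10.49.26.82 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=27042 DF PROTO=TCP "
    "SPT=1284 DPT=50000 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204056401010402)",
]

# First two FW_FORWARD_MASQ entries from the thread:
# <source net>,<forward-to ip>,<proto>,<ext port>[,<int port>[,<ext ip>]]
FW_FORWARD_MASQ = ("0/0,192.168.74.100,tcp,50000,3389,10.49.26.181 "
                   "0/0,192.168.74.101,tcp,50001,3389,10.49.26.181")


def parse_sfw2(line):
    """Return {'prefix': ..., 'IN': ..., 'SRC': ..., ...} for an SFW2 log line."""
    m = re.search(r"kernel: (SFW2-\S+) (.*)", line)
    if not m:
        return None
    entry = {"prefix": m.group(1)}
    for key, value in re.findall(r"\b([A-Z]+)=(\S*)", m.group(2)):
        entry.setdefault(key, value)  # keep the first LEN (IP total length)
    return entry


def parse_forward_masq(value):
    """Split the space separated FW_FORWARD_MASQ string into rule dicts."""
    rules = []
    for item in value.split():
        f = item.split(",")
        rules.append({"src": f[0], "to": f[1], "proto": f[2].upper(), "port": f[3],
                      "toport": f[4] if len(f) > 4 else f[3],
                      "ext_ip": f[5] if len(f) > 5 else None})  # assumption: sixth field = external ip
    return rules


def classify(entry, rules):
    """Name the most likely reason an SFW2 line was logged."""
    if entry["prefix"] == "SFW2-IN-ILL-TARGET" and entry["DST"].endswith(".255"):
        return "broadcast-noise"          # e.g. NetBIOS UDP/138 to the subnet broadcast
    if "DROP" in entry["prefix"]:
        for r in rules:
            if r["proto"] == entry.get("PROTO") and r["port"] == entry.get("DPT"):
                if r["ext_ip"] and r["ext_ip"] != entry["DST"]:
                    return "ext-ip-mismatch"  # rule bound to another external address
                return "rule-matches-still-dropped"
        return "no-forward-rule"
    return "other"
```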
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security+help@xxxxxxxxxxxx
