HowtoForge Forums > Linux Forums > Installation/Configuration

#1
26th August 2008, 00:33
chillifire (HowtoForge Supporter)

How to analyse an IPTables firewall issue?

Dear All,

I have a firewall related question:
I did install a passthrough kind of setup, as described in this other thread in this forum. It all worked well until I wanted to extend the facility to some more ports. I extended the script below, restarted the firewall, and now nothing works anymore. No access to any of the routers, even the ones that previously worked fine. VPN access works fine though, so my best guess is that there were some manual configurations outside of Bastille, which were wiped by the Bastille firewall restart. But which one?

Here is my problem: I do not know how to analyse the IPTables firewall (Bastille driven or otherwise). I can see with tcpdump that some packets reach my server; they have the correct IP address and port and are TCP packets. All good. And then what? How can I analyse what is going wrong, and why the packets are being blocked from further processing and prevented from passing through to my external routers, which are connected to my server via a VPN connection? It is the analysis process I am struggling with. IPTables seems like a black box and I cannot find where the packets get dropped and why.

Any hints as to how to analyse the IPTables firewall?

Any hints welcome.

Cheers

PS: Attached are the config file /etc/Bastille/firewall.d/pre-chain-split.sh and the output of IPTables.

Code:
#vi /etc/Bastille/firewall.d/pre-chain-split.sh
#!/bin/sh
# Let the kernel forward packets out through any OpenVPN tunnel interface
/sbin/iptables -A FORWARD -o tun+ -j ACCEPT

# Start from an empty nat table, then add one DNAT rule per router:
# traffic arriving for the public address on port 80xx is redirected
# to that router's VPN address on port 8080
/sbin/iptables -t nat -F
#requires one for every router you want to connect to
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8004 -j DNAT --to-destination 10.8.0.4:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8005 -j DNAT --to-destination 10.8.0.5:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8006 -j DNAT --to-destination 10.8.0.6:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8007 -j DNAT --to-destination 10.8.0.7:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8008 -j DNAT --to-destination 10.8.0.8:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8009 -j DNAT --to-destination 10.8.0.9:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8010 -j DNAT --to-destination 10.8.0.10:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8011 -j DNAT --to-destination 10.8.0.11:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8012 -j DNAT --to-destination 10.8.0.12:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8013 -j DNAT --to-destination 10.8.0.13:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8014 -j DNAT --to-destination 10.8.0.14:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8015 -j DNAT --to-destination 10.8.0.15:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8016 -j DNAT --to-destination 10.8.0.16:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8017 -j DNAT --to-destination 10.8.0.17:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8018 -j DNAT --to-destination 10.8.0.18:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8019 -j DNAT --to-destination 10.8.0.19:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8020 -j DNAT --to-destination 10.8.0.20:8080


# Same mapping for connections originating on the server itself
# (locally generated traffic passes the nat OUTPUT chain, not PREROUTING)
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8004 -j DNAT --to-destination 10.8.0.4:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8005 -j DNAT --to-destination 10.8.0.5:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8006 -j DNAT --to-destination 10.8.0.6:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8007 -j DNAT --to-destination 10.8.0.7:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8008 -j DNAT --to-destination 10.8.0.8:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8009 -j DNAT --to-destination 10.8.0.9:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8010 -j DNAT --to-destination 10.8.0.10:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8011 -j DNAT --to-destination 10.8.0.11:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8012 -j DNAT --to-destination 10.8.0.12:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8013 -j DNAT --to-destination 10.8.0.13:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8014 -j DNAT --to-destination 10.8.0.14:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8015 -j DNAT --to-destination 10.8.0.15:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8016 -j DNAT --to-destination 10.8.0.16:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8017 -j DNAT --to-destination 10.8.0.17:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8018 -j DNAT --to-destination 10.8.0.18:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8019 -j DNAT --to-destination 10.8.0.19:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8020 -j DNAT --to-destination 10.8.0.20:8080

# Rewrite the source address of forwarded packets to the tunnel address so
# the routers send their replies back through the VPN
/sbin/iptables -A POSTROUTING --table nat -o tun+ -j MASQUERADE
Code:
#iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 632K packets, 31M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     anywhere             server.chillifire.net tcp dpt:8004 to:10.8.0.4:8080
    0     0 DNAT       tcp  --  any    any     anywhere             server.chillifire.net tcp dpt:8005 to:10.8.0.5:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8006 to:10.8.0.6:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8007 to:10.8.0.7:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8008 to:10.8.0.8:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8009 to:10.8.0.9:8080
    3   144 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8010 to:10.8.0.10:8080
   12   576 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8011 to:10.8.0.11:8080
    3   144 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8012 to:10.8.0.12:8080
    3   144 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8013 to:10.8.0.13:8080
    6   288 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8014 to:10.8.0.14:8080
    3   144 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8015 to:10.8.0.15:8080
    3   144 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8016 to:10.8.0.16:8080
   12   576 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8017 to:10.8.0.17:8080
    6   288 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8018 to:10.8.0.18:8080
    3   144 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8019 to:10.8.0.19:8080
    3   144 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8020 to:10.8.0.20:8080

Chain POSTROUTING (policy ACCEPT 40397 packets, 2575K bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   252 MASQUERADE  all  --  any    tun+    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 40440 packets, 2578K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8004 to:10.8.0.4:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8005 to:10.8.0.5:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8006 to:10.8.0.6:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8007 to:10.8.0.7:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8008 to:10.8.0.8:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8009 to:10.8.0.9:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8010 to:10.8.0.10:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8011 to:10.8.0.11:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8012 to:10.8.0.12:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8013 to:10.8.0.13:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8014 to:10.8.0.14:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8015 to:10.8.0.15:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8016 to:10.8.0.16:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8017 to:10.8.0.17:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8018 to:10.8.0.18:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8019 to:10.8.0.19:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8020 to:10.8.0.20:8080
Code:
# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   21  2560 DROP       all  --  any    any     189.51.255.168.static.nqt.com.br  anywhere
    0     0 DROP       tcp  --  !lo    any     anywhere             127.0.0.0/8
 346K   46M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
 7447  405K ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 DROP       all  --  any    any     BASE-ADDRESS.MCAST.NET/4  anywhere
    0     0 PUB_IN     all  --  tun+   any     anywhere             anywhere
 8641  543K PUB_IN     all  --  eth+   any     anywhere             anywhere
    0     0 PUB_IN     all  --  ppp+   any     anywhere             anywhere
    0     0 PUB_IN     all  --  slip+  any     anywhere             anywhere
    0     0 PUB_IN     all  --  venet+ any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     189.51.255.168.static.nqt.com.br  anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  any    tun+    anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 57197 packets, 5912K bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   252 PUB_OUT    all  --  any    tun+    anywhere             anywhere
 418K   97M PUB_OUT    all  --  any    eth+    anywhere             anywhere
    0     0 PUB_OUT    all  --  any    ppp+    anywhere             anywhere
    0     0 PUB_OUT    all  --  any    slip+   anywhere             anywhere
    0     0 PUB_OUT    all  --  any    venet+  anywhere             anywhere

Chain INT_IN (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain INT_OUT (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain PAROLE (17 references)
 pkts bytes target     prot opt in     out     source               destination
 6111  320K ACCEPT     all  --  any    any     anywhere             anywhere

Chain PUB_IN (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp time-exceeded
   78  4758 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-request
   45  2724 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:ftp
   46  3324 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
    7   420 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:smtp
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:domain
 4717  246K PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:www
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:81
   66  3168 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:pop3
  838 41116 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:https
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:webmin
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:radius
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:radius-acct
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:mysql
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:openvpn
  392 23520 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:munin
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:2812
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:4960
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpts:8000:8199
  626 49136 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:domain
 1068 83219 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:openvpn
  339 17628 DROP       icmp --  any    any     anywhere             anywhere
  419 68552 DROP       all  --  any    any     anywhere             anywhere

Chain PUB_OUT (5 references)
 pkts bytes target     prot opt in     out     source               destination
 418K   97M ACCEPT     all  --  any    any     anywhere             anywhere
  #2  
26th August 2008, 18:56
chipsafts (Senior Member)

I think you are going to need to explicitly log for each section you need to inspect.
Pseudo example from our iptables:
Code:
-A droplist -s 1.0.0.0 -j LOG --log-prefix "DROP Block"
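As an added illustration of the logging approach chipsafts describes (this is not code from the thread or from Bastille): once a LOG rule sits in front of the rules you suspect, the kernel writes one syslog line per matching packet, and the useful step is to summarise those lines rather than read them one by one. The POSIX shell script below does that offline. The LOG rule placements in the comments, the prefixes `FWD-IN: ` and `PUB_IN: `, and the sample syslog lines are constructed for this example (documentation-range source addresses; `1.2.3.4` is the thread's own placeholder).

```shell
#!/bin/sh
# Added example (not from the thread): summarise kernel LOG output offline.
# Hypothetical placement of the LOG rules on the firewall (run as root), each
# inserted ahead of the rules you suspect, with a distinct prefix per chain:
#   iptables -I FORWARD 1 -j LOG --log-prefix "FWD-IN: "
#   iptables -I PUB_IN 1 -j LOG --log-prefix "PUB_IN: "
# The trailing space in the prefix keeps it separate from the "IN=" that the
# kernel prints right after it.

# Summarise the LOG lines in FILE: one row per prefix, in/out interface,
# protocol and destination port, sorted by packet count (tab-separated).
summarise_log() {
    awk '
        /kernel:/ {
            line = $0
            sub(/^.*kernel: /, "", line)          # drop syslog timestamp/host
            sub(/^\[[0-9. ]*\] */, "", line)      # drop "[12345.678]" uptime stamp
            sub(/ *IN=.*$/, "", line)             # what is left is the prefix
            prefix = line
            in_if = out_if = proto = dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^IN=/)    { v = substr($i, 4); if (v != "") in_if = v }
                if ($i ~ /^OUT=/)   { v = substr($i, 5); if (v != "") out_if = v }
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            }
            count[prefix "|" in_if "|" out_if "|" proto "|" dpt]++
        }
        END { for (k in count) print count[k] "\t" k }
    ' "$1" | sort -rn
}

# Number of logged packets for one exact PREFIX and destination PORT in FILE.
packets_for() {
    summarise_log "$3" | awk -F'\t' -v p="$1" -v d="$2" '
        { split($2, f, "|"); if (f[1] == p && f[5] == d) s += $1 }
        END { print s + 0 }'
}

# Constructed sample syslog lines (documentation-range source addresses).
write_sample_log() {
    cat > "$1" <<'EOF'
Aug 27 07:10:01 server kernel: FWD-IN: IN=eth0 OUT=tun0 SRC=203.0.113.7 DST=10.8.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=51234 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 27 07:10:02 server kernel: [84212.114] FWD-IN: IN=eth0 OUT=tun0 SRC=203.0.113.7 DST=10.8.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4322 DF PROTO=TCP SPT=51235 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 27 07:10:05 server kernel: PUB_IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=1.2.3.4 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=17 PROTO=UDP SPT=40000 DPT=1194 LEN=64
Aug 27 07:10:09 server kernel: DROP Block IN=eth0 OUT= SRC=192.0.2.5 DST=1.2.3.4 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=99 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
EOF
}

log=$(mktemp)
write_sample_log "$log"
summarise_log "$log"
rm -f "$log"
```

On a live box, point `summarise_log` at whichever file syslog sends kernel messages to on your distribution. A line carrying the FORWARD-chain prefix shows the post-DNAT destination (10.8.0.x:8080 here), so if PREROUTING counters rise but no FORWARD-prefixed line ever appears, the packet is being lost between NAT and forwarding rather than by a filter rule. Remove the LOG rules again once you are done; they write one line per packet and can fill the log quickly.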
  #3  
27th August 2008, 07:23
chillifire (HowtoForge Supporter)

Mystery resolved: the reboot caused the loss of a fundamental setting in a Linux configuration file. Entering the following command into the command line resolves the issue - until the next reboot, so better work it into your start-up scripts if you want to use port forwarding.

Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
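An added example (not code from the thread, from Bastille, or from iptables itself) that ties the opening question to this resolution: the listings chillifire posted already contain the answer, because the nat PREROUTING DNAT counters are climbing while every rule in the filter FORWARD chain, and its DROP policy, still reads 0 packets. Packets are being rewritten but never routed, which is exactly what a cleared ip_forward looks like. The POSIX shell script below reads saved `iptables -L -v` and `iptables -t nat -L -v` listings, expands the K/M counter suffixes iptables prints, and combines the chain totals with the sysctl value into one verdict. The sample listings are abridged from the ones in the first post; the file names and verdict strings are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): read saved `iptables -L -v` and
# `iptables -t nat -L -v` listings offline and find the chain where packets
# stop being counted. File layout and verdict strings are this example's own.

# Sum the pkts column of every rule in CHAIN ($2) of a saved listing FILE ($1).
# iptables abbreviates large counters (346K, 46M); num() expands them.
chain_hits() {
    awk -v chain="$2" '
        function num(s,   n) {
            n = s + 0                       # awk keeps the leading digits
            if (s ~ /K$/) n *= 1000
            else if (s ~ /M$/) n *= 1000000
            else if (s ~ /G$/) n *= 1000000000
            return n
        }
        /^Chain / { inchain = ($2 == chain); next }
        inchain && $1 ~ /^[0-9]+[KMG]?$/ { total += num($1) }
        END { printf "%d\n", total + 0 }
    ' "$1"
}

# True when the sysctl file (normally /proc/sys/net/ipv4/ip_forward) holds 1.
ip_forward_enabled() {
    [ "$(head -n 1 "$1" 2>/dev/null)" = 1 ]
}

# Combine the three observations into one verdict string.
diagnose() {
    nat_file=$1; filter_file=$2; sysctl_file=$3
    dnat=$(chain_hits "$nat_file" PREROUTING)
    fwd=$(chain_hits "$filter_file" FORWARD)
    if [ "$fwd" -gt 0 ]; then
        echo "forwarding-seen"              # FORWARD rules match: find the one that drops
    elif [ "$dnat" -eq 0 ]; then
        echo "no-dnat-hits"                 # nothing reaches nat PREROUTING: wrong address/port upstream
    elif ip_forward_enabled "$sysctl_file"; then
        echo "dnat-but-not-forwarded"       # routing is on, so check routes to 10.8.0.x / the tunnel
    else
        echo "ip_forward-disabled"          # DNAT applied but the kernel is not routing at all
    fi
}

# Constructed sample data, abridged from the listings posted in the thread.
write_samples() {
    cat > "$1/nat.txt" <<'EOF'
Chain PREROUTING (policy ACCEPT 632K packets, 31M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8004 to:10.8.0.4:8080
    3   144 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8010 to:10.8.0.10:8080
   12   576 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net tcp dpt:8011 to:10.8.0.11:8080

Chain POSTROUTING (policy ACCEPT 40397 packets, 2575K bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   252 MASQUERADE  all  --  any    tun+    anywhere             anywhere
EOF
    cat > "$1/filter.txt" <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 346K   46M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  any    tun+    anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere
EOF
    echo 0 > "$1/ip_forward"                # the state the thread describes
}

dir=$(mktemp -d)
write_samples "$dir"
echo "nat PREROUTING hits: $(chain_hits "$dir/nat.txt" PREROUTING)"
echo "filter FORWARD hits: $(chain_hits "$dir/filter.txt" FORWARD)"
echo "verdict: $(diagnose "$dir/nat.txt" "$dir/filter.txt" "$dir/ip_forward")"
rm -rf "$dir"
```

On the live box, capture the listings with `iptables -t nat -L -v -n > nat.txt` and `iptables -L -v -n > filter.txt` (`-n` skips the reverse DNS lookups that turned 1.2.3.4 into hostnames in the posted output; the parser only reads the first column, so both forms work). Zeroing the counters with `iptables -Z` and `iptables -t nat -Z`, making one test connection, and capturing again gives a clean before/after instead of counts accumulated since the last restart. To make the fix survive a reboot, set `net.ipv4.ip_forward = 1` in /etc/sysctl.conf rather than relying on a start-up script alone.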
All times are GMT +2.

