Solved

Unable to traceroute behind and from server running Linux Firewall

Posted on 2006-06-26
8
492 Views
Last Modified: 2012-08-13
Cheers,

 Ok here is my setup. I am running a CentOS 4 server with 3 Nics:

eth0      Link encap:Ethernet  HWaddr 00:13:20:EC:9A:21
          inet addr:192.168.1.62  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::213:20ff:feec:9a21/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:60413 errors:0 dropped:0 overruns:0 frame:0
          TX packets:94747 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:26805419 (25.5 MiB)  TX bytes:9087449 (8.6 MiB)

eth1      Link encap:Ethernet  HWaddr 00:08:54:D8:39:D0
          inet addr:192.168.200.1  Bcast:192.168.200.255  Mask:255.255.255.0
          inet6 addr: fe80::208:54ff:fed8:39d0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:136158 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129352 errors:0 dropped:0 overruns:1 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:12276407 (11.7 MiB)  TX bytes:131825811 (125.7 MiB)
          Interrupt:193 Base address:0x1100

eth2      Link encap:Ethernet  HWaddr 00:08:54:DE:22:10
          inet addr:192.168.44.1  Bcast:192.168.44.255  Mask:255.255.255.0
          inet6 addr: fe80::208:54ff:fede:2210/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:201 Base address:0x1000

eth0 is hooked to a wireless and is our incoming Internet connection. I run 2 subnets off the box the .200 and .44 The box is running DHCP for both nets. I have no problems pinging any address from behind the firewall, When I  run traceroute from the server:
[user@psd ~]# traceroute www.experts-exchange.com
traceroute to experts-exchange.com (64.156.132.140), 30 hops max, 38 byte packets
 1  * * *
 2  * * *
 3  * * *
 when I run traceroute from a machine behind the server:

C:\Documents and Settings\user\tracert www.experts-exchange.com

traceing route  to experts-exchange.com (64.156.132.140)
over a maximum of  30 hops:
 1  <1 ms   <1 ms   < 1ms
 2  * * *
 3  * * *
 4  * * *
 |
 |
13 707 ms    930 ms   741 mx    www-level13.experts-exchange.com  [64.156.132.140]

Trace complete.

I have the firewall filtering connections by MAC address on eth2

here is my iptables from /etc/sysconfig/

 Generated by iptables-save v1.2.11 on Fri Jun  2 10:56:49 2006
*nat
:PREROUTING DROP [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -j ACCEPT
-A PREROUTING -m mac -i eth2 --mac-source 00:11:09:21:B0:2F -j ACCEPT
-A PREROUTING -m mac -i eth2 --mac-source 00:11:F5:17:01:10 -j ACCEPT
--------------------**  8<       cut out a lot of other MAC accept lines for Brevity       >8  **------------------------------------------------A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -i eth1 -j ACCEPT
-A POSTROUTING -o eth1 -j ACCEPT
COMMIT
# Completed on Fri Jun  2 10:56:49 2006
# Generated by iptables-save v1.2.11 on Fri Jun  2 10:56:49 2006
*mangle
:PREROUTING ACCEPT [78:8830]
:INPUT ACCEPT [56:7598]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [45:6368]
:POSTROUTING ACCEPT [45:6368]
COMMIT
# Completed on Fri Jun  2 10:56:49 2006
# Generated by iptables-save v1.2.11 on Fri Jun  2 10:56:49 2006
*filter
:INPUT ACCEPT [56:7598]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [45:6368]
COMMIT
# Completed on Fri Jun  2 10:56:49 2006


I am using Webmin 1.250 to set things up. I am by no means a guru, learning as I go reading as much as I can. I was unable to get things to work by setting eth0 to a static IP so I settled for using DHCP on eth0. I'll worry about that one after I fix this one. Thanks in advance.

Steve


0
Comment
Question by:psd_steve
  • 4
  • 3
8 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16983513
M$'s tracert uses SMB not ICMP. Don't know if it can be tweaked to use a reliable protocol, I guess it cannot ...
0
 

Author Comment

by:psd_steve
ID: 16987123
I suppose this is a bit harder than I thought.  I can log onto the actual server that is connected and am unable to traceroute. If I plug directly into the line that is coming in with a laptop or any machine, I can traceroute. I have some setting somewhere int he firewall frametsed and am unsure of what to change. I understand what your saying that a M$ and Linux machine use different protocals to retrive the information, however neither of the OSes can trace route when routed thru the firewall server machine.

Thanks

Steve
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16987266
does the firewall allow inbound and forwarded ICMP ?
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 

Author Comment

by:psd_steve
ID: 16987785
I have added this:
-A PREROUTING -p icmp -m icmp --icmp-type any -j ACCEPT
-A POSTROUTING -p icmp -m icmp --icmp-type any -j ACCEPT

to my iptables

Dosn't seem to have any effect. Hints?

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16987878
the PREROUTING and POSTROUTING chains are useless for your aproach, you need rules for FORWARD  chain (INPUT/OUTPUT if your want to detect your firewall too)
0
 

Author Comment

by:psd_steve
ID: 16988056
-A PREROUTING -p icmp -m icmp -i eth1 --icmp-type any -j REDIRECT
-A POSTROUTING -p icmp -m icmp -o eth0 --icmp-type any -j ACCEPT

Not sure about the forwarding rules, let me see if I can find an example. I have forward defaulted to accept"

*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p icmp -m icmp -i eth1 -o eth0 --icmp-type any -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
COMMIT

Tried this no results. Hint?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16988204
> -A FORWARD -p icmp -m icmp -i eth1 -o eth0 --icmp-type any -j ACCEPT
this allows ICMP in one direction only (not sure if iptables is statefull for such ICMP too)
try:
-A FORWARD -p icmp  -j ACCEPT

then use tcpdump on eth1 to see if the packets even arrive
0
 
LVL 40

Accepted Solution

by:
noci earned 500 total points
ID: 17085438
There are several flavours of traceroute:
ICMP based (used by windows), or unix on request
UDP based (used by unix) it starts out at UDP port 33400 and increments the port number for every packet,
    with 3 attempts per HOP.

tcptraceroute uses tcp SYN packet to do a traceroute, it uses port 80 by default, but it can be specified.

To allow access to the fire wall you need to allow packets on INPUT/OUTPUT  rules of the firewall,
to allow access through a firewall you need to FORWARD packets.

AFAICT from your example you have no firewall in a sense, you just allow everything (in filter).
You don't filter packets, you allow routing through a NAT rule from a few systems named by MAC address.
Do you include a rules in PREROUTING for your own server???.

IMHO a better approach would be to restrict the nat rules to just a MASQUERADE (better would be a SNAT rule),
and allow access through your system by filtering in either forward and/or input & output.

Filtering on MAC address has limited value as most ethernet cards can spoof the MAX address if needed.


0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
OpenLDAP set password to expire 7 629
snort EXTERNAL_NET variable not working 4 413
IPA - change main server? 3 130
bad ownership or modes for chroot directory 6 110
Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question