?
Solved

Unable to traceroute behind and from server running Linux Firewall

Posted on 2006-06-26
8
Medium Priority
?
499 Views
Last Modified: 2012-08-13
Cheers,

 Ok here is my setup. I am running a CentOS 4 server with 3 Nics:

eth0      Link encap:Ethernet  HWaddr 00:13:20:EC:9A:21
          inet addr:192.168.1.62  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::213:20ff:feec:9a21/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:60413 errors:0 dropped:0 overruns:0 frame:0
          TX packets:94747 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:26805419 (25.5 MiB)  TX bytes:9087449 (8.6 MiB)

eth1      Link encap:Ethernet  HWaddr 00:08:54:D8:39:D0
          inet addr:192.168.200.1  Bcast:192.168.200.255  Mask:255.255.255.0
          inet6 addr: fe80::208:54ff:fed8:39d0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:136158 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129352 errors:0 dropped:0 overruns:1 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:12276407 (11.7 MiB)  TX bytes:131825811 (125.7 MiB)
          Interrupt:193 Base address:0x1100

eth2      Link encap:Ethernet  HWaddr 00:08:54:DE:22:10
          inet addr:192.168.44.1  Bcast:192.168.44.255  Mask:255.255.255.0
          inet6 addr: fe80::208:54ff:fede:2210/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:201 Base address:0x1000

eth0 is hooked to a wireless and is our incoming Internet connection. I run 2 subnets off the box the .200 and .44 The box is running DHCP for both nets. I have no problems pinging any address from behind the firewall, When I  run traceroute from the server:
[user@psd ~]# traceroute www.experts-exchange.com
traceroute to experts-exchange.com (64.156.132.140), 30 hops max, 38 byte packets
 1  * * *
 2  * * *
 3  * * *
 when I run traceroute from a machine behind the server:

C:\Documents and Settings\user\tracert www.experts-exchange.com

traceing route  to experts-exchange.com (64.156.132.140)
over a maximum of  30 hops:
 1  <1 ms   <1 ms   < 1ms
 2  * * *
 3  * * *
 4  * * *
 |
 |
13 707 ms    930 ms   741 mx    www-level13.experts-exchange.com  [64.156.132.140]

Trace complete.

I have the firewall filtering connections by MAC address on eth2

here is my iptables from /etc/sysconfig/

 Generated by iptables-save v1.2.11 on Fri Jun  2 10:56:49 2006
*nat
:PREROUTING DROP [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -j ACCEPT
-A PREROUTING -m mac -i eth2 --mac-source 00:11:09:21:B0:2F -j ACCEPT
-A PREROUTING -m mac -i eth2 --mac-source 00:11:F5:17:01:10 -j ACCEPT
--------------------**  8<       cut out a lot of other MAC accept lines for Brevity       >8  **------------------------------------------------A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -i eth1 -j ACCEPT
-A POSTROUTING -o eth1 -j ACCEPT
COMMIT
# Completed on Fri Jun  2 10:56:49 2006
# Generated by iptables-save v1.2.11 on Fri Jun  2 10:56:49 2006
*mangle
:PREROUTING ACCEPT [78:8830]
:INPUT ACCEPT [56:7598]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [45:6368]
:POSTROUTING ACCEPT [45:6368]
COMMIT
# Completed on Fri Jun  2 10:56:49 2006
# Generated by iptables-save v1.2.11 on Fri Jun  2 10:56:49 2006
*filter
:INPUT ACCEPT [56:7598]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [45:6368]
COMMIT
# Completed on Fri Jun  2 10:56:49 2006


I am using Webmin 1.250 to set things up. I am by no means a guru, learning as I go reading as much as I can. I was unable to get things to work by setting eth0 to a static IP so I settled for using DHCP on eth0. I'll worry about that one after I fix this one. Thanks in advance.

Steve


0
Comment
Question by:psd_steve
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16983513
M$'s tracert uses SMB not ICMP. Don't know if it can be tweaked to use a reliable protocol, I guess it cannot ...
0
 

Author Comment

by:psd_steve
ID: 16987123
I suppose this is a bit harder than I thought.  I can log onto the actual server that is connected and am unable to traceroute. If I plug directly into the line that is coming in with a laptop or any machine, I can traceroute. I have some setting somewhere int he firewall frametsed and am unsure of what to change. I understand what your saying that a M$ and Linux machine use different protocals to retrive the information, however neither of the OSes can trace route when routed thru the firewall server machine.

Thanks

Steve
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16987266
does the firewall allow inbound and forwarded ICMP ?
0
Quiz: What Do These Organizations Have In Common?

Hint: Their teams ended up taking quizzes, too.

 

Author Comment

by:psd_steve
ID: 16987785
I have added this:
-A PREROUTING -p icmp -m icmp --icmp-type any -j ACCEPT
-A POSTROUTING -p icmp -m icmp --icmp-type any -j ACCEPT

to my iptables

Dosn't seem to have any effect. Hints?

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16987878
the PREROUTING and POSTROUTING chains are useless for your aproach, you need rules for FORWARD  chain (INPUT/OUTPUT if your want to detect your firewall too)
0
 

Author Comment

by:psd_steve
ID: 16988056
-A PREROUTING -p icmp -m icmp -i eth1 --icmp-type any -j REDIRECT
-A POSTROUTING -p icmp -m icmp -o eth0 --icmp-type any -j ACCEPT

Not sure about the forwarding rules, let me see if I can find an example. I have forward defaulted to accept"

*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p icmp -m icmp -i eth1 -o eth0 --icmp-type any -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
COMMIT

Tried this no results. Hint?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16988204
> -A FORWARD -p icmp -m icmp -i eth1 -o eth0 --icmp-type any -j ACCEPT
this allows ICMP in one direction only (not sure if iptables is statefull for such ICMP too)
try:
-A FORWARD -p icmp  -j ACCEPT

then use tcpdump on eth1 to see if the packets even arrive
0
 
LVL 40

Accepted Solution

by:
noci earned 2000 total points
ID: 17085438
There are several flavours of traceroute:
ICMP based (used by windows), or unix on request
UDP based (used by unix) it starts out at UDP port 33400 and increments the port number for every packet,
    with 3 attempts per HOP.

tcptraceroute uses tcp SYN packet to do a traceroute, it uses port 80 by default, but it can be specified.

To allow access to the fire wall you need to allow packets on INPUT/OUTPUT  rules of the firewall,
to allow access through a firewall you need to FORWARD packets.

AFAICT from your example you have no firewall in a sense, you just allow everything (in filter).
You don't filter packets, you allow routing through a NAT rule from a few systems named by MAC address.
Do you include a rules in PREROUTING for your own server???.

IMHO a better approach would be to restrict the nat rules to just a MASQUERADE (better would be a SNAT rule),
and allow access through your system by filtering in either forward and/or input & output.

Filtering on MAC address has limited value as most ethernet cards can spoof the MAX address if needed.


0

Featured Post

Four New Appliances. Same Industry-leading Speeds.

But don't take it from us.  The Firebox M370 is Miercom tested and Miercom approved, outperforming its competitors for stateless and stateful traffic throughput scenarios.  Learn more about the M370, M470, M570 and M670 and find the right solution for your organization today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Fine Tune your automatic Updates for Ubuntu / Debian
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
Suggested Courses
Course of the Month9 days, 13 hours left to enroll

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question