Solved

Unable to traceroute behind and from server running Linux Firewall

Posted on 2006-06-26
8
490 Views
Last Modified: 2012-08-13
Cheers,

 Ok here is my setup. I am running a CentOS 4 server with 3 Nics:

eth0      Link encap:Ethernet  HWaddr 00:13:20:EC:9A:21
          inet addr:192.168.1.62  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::213:20ff:feec:9a21/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:60413 errors:0 dropped:0 overruns:0 frame:0
          TX packets:94747 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:26805419 (25.5 MiB)  TX bytes:9087449 (8.6 MiB)

eth1      Link encap:Ethernet  HWaddr 00:08:54:D8:39:D0
          inet addr:192.168.200.1  Bcast:192.168.200.255  Mask:255.255.255.0
          inet6 addr: fe80::208:54ff:fed8:39d0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:136158 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129352 errors:0 dropped:0 overruns:1 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:12276407 (11.7 MiB)  TX bytes:131825811 (125.7 MiB)
          Interrupt:193 Base address:0x1100

eth2      Link encap:Ethernet  HWaddr 00:08:54:DE:22:10
          inet addr:192.168.44.1  Bcast:192.168.44.255  Mask:255.255.255.0
          inet6 addr: fe80::208:54ff:fede:2210/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:201 Base address:0x1000

eth0 is hooked to a wireless and is our incoming Internet connection. I run 2 subnets off the box the .200 and .44 The box is running DHCP for both nets. I have no problems pinging any address from behind the firewall, When I  run traceroute from the server:
[user@psd ~]# traceroute www.experts-exchange.com
traceroute to experts-exchange.com (64.156.132.140), 30 hops max, 38 byte packets
 1  * * *
 2  * * *
 3  * * *
 when I run traceroute from a machine behind the server:

C:\Documents and Settings\user\tracert www.experts-exchange.com

traceing route  to experts-exchange.com (64.156.132.140)
over a maximum of  30 hops:
 1  <1 ms   <1 ms   < 1ms
 2  * * *
 3  * * *
 4  * * *
 |
 |
13 707 ms    930 ms   741 mx    www-level13.experts-exchange.com  [64.156.132.140]

Trace complete.

I have the firewall filtering connections by MAC address on eth2

here is my iptables from /etc/sysconfig/

 Generated by iptables-save v1.2.11 on Fri Jun  2 10:56:49 2006
*nat
:PREROUTING DROP [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -j ACCEPT
-A PREROUTING -m mac -i eth2 --mac-source 00:11:09:21:B0:2F -j ACCEPT
-A PREROUTING -m mac -i eth2 --mac-source 00:11:F5:17:01:10 -j ACCEPT
--------------------**  8<       cut out a lot of other MAC accept lines for Brevity       >8  **------------------------------------------------A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -i eth1 -j ACCEPT
-A POSTROUTING -o eth1 -j ACCEPT
COMMIT
# Completed on Fri Jun  2 10:56:49 2006
# Generated by iptables-save v1.2.11 on Fri Jun  2 10:56:49 2006
*mangle
:PREROUTING ACCEPT [78:8830]
:INPUT ACCEPT [56:7598]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [45:6368]
:POSTROUTING ACCEPT [45:6368]
COMMIT
# Completed on Fri Jun  2 10:56:49 2006
# Generated by iptables-save v1.2.11 on Fri Jun  2 10:56:49 2006
*filter
:INPUT ACCEPT [56:7598]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [45:6368]
COMMIT
# Completed on Fri Jun  2 10:56:49 2006


I am using Webmin 1.250 to set things up. I am by no means a guru, learning as I go reading as much as I can. I was unable to get things to work by setting eth0 to a static IP so I settled for using DHCP on eth0. I'll worry about that one after I fix this one. Thanks in advance.

Steve


0
Comment
Question by:psd_steve
  • 4
  • 3
8 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16983513
M$'s tracert uses SMB not ICMP. Don't know if it can be tweaked to use a reliable protocol, I guess it cannot ...
0
 

Author Comment

by:psd_steve
ID: 16987123
I suppose this is a bit harder than I thought.  I can log onto the actual server that is connected and am unable to traceroute. If I plug directly into the line that is coming in with a laptop or any machine, I can traceroute. I have some setting somewhere int he firewall frametsed and am unsure of what to change. I understand what your saying that a M$ and Linux machine use different protocals to retrive the information, however neither of the OSes can trace route when routed thru the firewall server machine.

Thanks

Steve
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16987266
does the firewall allow inbound and forwarded ICMP ?
0
 

Author Comment

by:psd_steve
ID: 16987785
I have added this:
-A PREROUTING -p icmp -m icmp --icmp-type any -j ACCEPT
-A POSTROUTING -p icmp -m icmp --icmp-type any -j ACCEPT

to my iptables

Dosn't seem to have any effect. Hints?

0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 51

Expert Comment

by:ahoffmann
ID: 16987878
the PREROUTING and POSTROUTING chains are useless for your aproach, you need rules for FORWARD  chain (INPUT/OUTPUT if your want to detect your firewall too)
0
 

Author Comment

by:psd_steve
ID: 16988056
-A PREROUTING -p icmp -m icmp -i eth1 --icmp-type any -j REDIRECT
-A POSTROUTING -p icmp -m icmp -o eth0 --icmp-type any -j ACCEPT

Not sure about the forwarding rules, let me see if I can find an example. I have forward defaulted to accept"

*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p icmp -m icmp -i eth1 -o eth0 --icmp-type any -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
COMMIT

Tried this no results. Hint?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16988204
> -A FORWARD -p icmp -m icmp -i eth1 -o eth0 --icmp-type any -j ACCEPT
this allows ICMP in one direction only (not sure if iptables is statefull for such ICMP too)
try:
-A FORWARD -p icmp  -j ACCEPT

then use tcpdump on eth1 to see if the packets even arrive
0
 
LVL 39

Accepted Solution

by:
noci earned 500 total points
ID: 17085438
There are several flavours of traceroute:
ICMP based (used by windows), or unix on request
UDP based (used by unix) it starts out at UDP port 33400 and increments the port number for every packet,
    with 3 attempts per HOP.

tcptraceroute uses tcp SYN packet to do a traceroute, it uses port 80 by default, but it can be specified.

To allow access to the fire wall you need to allow packets on INPUT/OUTPUT  rules of the firewall,
to allow access through a firewall you need to FORWARD packets.

AFAICT from your example you have no firewall in a sense, you just allow everything (in filter).
You don't filter packets, you allow routing through a NAT rule from a few systems named by MAC address.
Do you include a rules in PREROUTING for your own server???.

IMHO a better approach would be to restrict the nat rules to just a MASQUERADE (better would be a SNAT rule),
and allow access through your system by filtering in either forward and/or input & output.

Filtering on MAC address has limited value as most ethernet cards can spoof the MAX address if needed.


0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now