• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 506
  • Last Modified:

Unable to traceroute behind and from server running Linux Firewall

Cheers,

 Ok here is my setup. I am running a CentOS 4 server with 3 Nics:

eth0      Link encap:Ethernet  HWaddr 00:13:20:EC:9A:21
          inet addr:192.168.1.62  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::213:20ff:feec:9a21/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:60413 errors:0 dropped:0 overruns:0 frame:0
          TX packets:94747 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:26805419 (25.5 MiB)  TX bytes:9087449 (8.6 MiB)

eth1      Link encap:Ethernet  HWaddr 00:08:54:D8:39:D0
          inet addr:192.168.200.1  Bcast:192.168.200.255  Mask:255.255.255.0
          inet6 addr: fe80::208:54ff:fed8:39d0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:136158 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129352 errors:0 dropped:0 overruns:1 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:12276407 (11.7 MiB)  TX bytes:131825811 (125.7 MiB)
          Interrupt:193 Base address:0x1100

eth2      Link encap:Ethernet  HWaddr 00:08:54:DE:22:10
          inet addr:192.168.44.1  Bcast:192.168.44.255  Mask:255.255.255.0
          inet6 addr: fe80::208:54ff:fede:2210/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:201 Base address:0x1000

eth0 is hooked to a wireless and is our incoming Internet connection. I run 2 subnets off the box the .200 and .44 The box is running DHCP for both nets. I have no problems pinging any address from behind the firewall, When I  run traceroute from the server:
[user@psd ~]# traceroute www.experts-exchange.com
traceroute to experts-exchange.com (64.156.132.140), 30 hops max, 38 byte packets
 1  * * *
 2  * * *
 3  * * *
 when I run traceroute from a machine behind the server:

C:\Documents and Settings\user\tracert www.experts-exchange.com

traceing route  to experts-exchange.com (64.156.132.140)
over a maximum of  30 hops:
 1  <1 ms   <1 ms   < 1ms
 2  * * *
 3  * * *
 4  * * *
 |
 |
13 707 ms    930 ms   741 mx    www-level13.experts-exchange.com  [64.156.132.140]

Trace complete.

I have the firewall filtering connections by MAC address on eth2

here is my iptables from /etc/sysconfig/

 Generated by iptables-save v1.2.11 on Fri Jun  2 10:56:49 2006
*nat
:PREROUTING DROP [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -j ACCEPT
-A PREROUTING -m mac -i eth2 --mac-source 00:11:09:21:B0:2F -j ACCEPT
-A PREROUTING -m mac -i eth2 --mac-source 00:11:F5:17:01:10 -j ACCEPT
--------------------**  8<       cut out a lot of other MAC accept lines for Brevity       >8  **------------------------------------------------A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -i eth1 -j ACCEPT
-A POSTROUTING -o eth1 -j ACCEPT
COMMIT
# Completed on Fri Jun  2 10:56:49 2006
# Generated by iptables-save v1.2.11 on Fri Jun  2 10:56:49 2006
*mangle
:PREROUTING ACCEPT [78:8830]
:INPUT ACCEPT [56:7598]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [45:6368]
:POSTROUTING ACCEPT [45:6368]
COMMIT
# Completed on Fri Jun  2 10:56:49 2006
# Generated by iptables-save v1.2.11 on Fri Jun  2 10:56:49 2006
*filter
:INPUT ACCEPT [56:7598]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [45:6368]
COMMIT
# Completed on Fri Jun  2 10:56:49 2006


I am using Webmin 1.250 to set things up. I am by no means a guru, learning as I go reading as much as I can. I was unable to get things to work by setting eth0 to a static IP so I settled for using DHCP on eth0. I'll worry about that one after I fix this one. Thanks in advance.

Steve


0
psd_steve
Asked:
psd_steve
  • 4
  • 3
1 Solution
 
ahoffmannCommented:
M$'s tracert uses SMB not ICMP. Don't know if it can be tweaked to use a reliable protocol, I guess it cannot ...
0
 
psd_steveAuthor Commented:
I suppose this is a bit harder than I thought.  I can log onto the actual server that is connected and am unable to traceroute. If I plug directly into the line that is coming in with a laptop or any machine, I can traceroute. I have some setting somewhere int he firewall frametsed and am unsure of what to change. I understand what your saying that a M$ and Linux machine use different protocals to retrive the information, however neither of the OSes can trace route when routed thru the firewall server machine.

Thanks

Steve
0
 
ahoffmannCommented:
does the firewall allow inbound and forwarded ICMP ?
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
psd_steveAuthor Commented:
I have added this:
-A PREROUTING -p icmp -m icmp --icmp-type any -j ACCEPT
-A POSTROUTING -p icmp -m icmp --icmp-type any -j ACCEPT

to my iptables

Dosn't seem to have any effect. Hints?

0
 
ahoffmannCommented:
the PREROUTING and POSTROUTING chains are useless for your aproach, you need rules for FORWARD  chain (INPUT/OUTPUT if your want to detect your firewall too)
0
 
psd_steveAuthor Commented:
-A PREROUTING -p icmp -m icmp -i eth1 --icmp-type any -j REDIRECT
-A POSTROUTING -p icmp -m icmp -o eth0 --icmp-type any -j ACCEPT

Not sure about the forwarding rules, let me see if I can find an example. I have forward defaulted to accept"

*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p icmp -m icmp -i eth1 -o eth0 --icmp-type any -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
COMMIT

Tried this no results. Hint?
0
 
ahoffmannCommented:
> -A FORWARD -p icmp -m icmp -i eth1 -o eth0 --icmp-type any -j ACCEPT
this allows ICMP in one direction only (not sure if iptables is statefull for such ICMP too)
try:
-A FORWARD -p icmp  -j ACCEPT

then use tcpdump on eth1 to see if the packets even arrive
0
 
nociSoftware EngineerCommented:
There are several flavours of traceroute:
ICMP based (used by windows), or unix on request
UDP based (used by unix) it starts out at UDP port 33400 and increments the port number for every packet,
    with 3 attempts per HOP.

tcptraceroute uses tcp SYN packet to do a traceroute, it uses port 80 by default, but it can be specified.

To allow access to the fire wall you need to allow packets on INPUT/OUTPUT  rules of the firewall,
to allow access through a firewall you need to FORWARD packets.

AFAICT from your example you have no firewall in a sense, you just allow everything (in filter).
You don't filter packets, you allow routing through a NAT rule from a few systems named by MAC address.
Do you include a rules in PREROUTING for your own server???.

IMHO a better approach would be to restrict the nat rules to just a MASQUERADE (better would be a SNAT rule),
and allow access through your system by filtering in either forward and/or input & output.

Filtering on MAC address has limited value as most ethernet cards can spoof the MAX address if needed.


0

Featured Post

SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now