[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Unable to traceroute behind and from server running Linux Firewall

Posted on 2006-06-26
8
Medium Priority
?
503 Views
Last Modified: 2012-08-13
Cheers,

 Ok here is my setup. I am running a CentOS 4 server with 3 Nics:

eth0      Link encap:Ethernet  HWaddr 00:13:20:EC:9A:21
          inet addr:192.168.1.62  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::213:20ff:feec:9a21/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:60413 errors:0 dropped:0 overruns:0 frame:0
          TX packets:94747 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:26805419 (25.5 MiB)  TX bytes:9087449 (8.6 MiB)

eth1      Link encap:Ethernet  HWaddr 00:08:54:D8:39:D0
          inet addr:192.168.200.1  Bcast:192.168.200.255  Mask:255.255.255.0
          inet6 addr: fe80::208:54ff:fed8:39d0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:136158 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129352 errors:0 dropped:0 overruns:1 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:12276407 (11.7 MiB)  TX bytes:131825811 (125.7 MiB)
          Interrupt:193 Base address:0x1100

eth2      Link encap:Ethernet  HWaddr 00:08:54:DE:22:10
          inet addr:192.168.44.1  Bcast:192.168.44.255  Mask:255.255.255.0
          inet6 addr: fe80::208:54ff:fede:2210/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:201 Base address:0x1000

eth0 is hooked to a wireless and is our incoming Internet connection. I run 2 subnets off the box the .200 and .44 The box is running DHCP for both nets. I have no problems pinging any address from behind the firewall, When I  run traceroute from the server:
[user@psd ~]# traceroute www.experts-exchange.com
traceroute to experts-exchange.com (64.156.132.140), 30 hops max, 38 byte packets
 1  * * *
 2  * * *
 3  * * *
 when I run traceroute from a machine behind the server:

C:\Documents and Settings\user\tracert www.experts-exchange.com

traceing route  to experts-exchange.com (64.156.132.140)
over a maximum of  30 hops:
 1  <1 ms   <1 ms   < 1ms
 2  * * *
 3  * * *
 4  * * *
 |
 |
13 707 ms    930 ms   741 mx    www-level13.experts-exchange.com  [64.156.132.140]

Trace complete.

I have the firewall filtering connections by MAC address on eth2

here is my iptables from /etc/sysconfig/

 Generated by iptables-save v1.2.11 on Fri Jun  2 10:56:49 2006
*nat
:PREROUTING DROP [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -j ACCEPT
-A PREROUTING -m mac -i eth2 --mac-source 00:11:09:21:B0:2F -j ACCEPT
-A PREROUTING -m mac -i eth2 --mac-source 00:11:F5:17:01:10 -j ACCEPT
--------------------**  8<       cut out a lot of other MAC accept lines for Brevity       >8  **------------------------------------------------A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -i eth1 -j ACCEPT
-A POSTROUTING -o eth1 -j ACCEPT
COMMIT
# Completed on Fri Jun  2 10:56:49 2006
# Generated by iptables-save v1.2.11 on Fri Jun  2 10:56:49 2006
*mangle
:PREROUTING ACCEPT [78:8830]
:INPUT ACCEPT [56:7598]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [45:6368]
:POSTROUTING ACCEPT [45:6368]
COMMIT
# Completed on Fri Jun  2 10:56:49 2006
# Generated by iptables-save v1.2.11 on Fri Jun  2 10:56:49 2006
*filter
:INPUT ACCEPT [56:7598]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [45:6368]
COMMIT
# Completed on Fri Jun  2 10:56:49 2006


I am using Webmin 1.250 to set things up. I am by no means a guru, learning as I go reading as much as I can. I was unable to get things to work by setting eth0 to a static IP so I settled for using DHCP on eth0. I'll worry about that one after I fix this one. Thanks in advance.

Steve


0
Comment
Question by:psd_steve
  • 4
  • 3
8 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16983513
M$'s tracert uses SMB not ICMP. Don't know if it can be tweaked to use a reliable protocol, I guess it cannot ...
0
 

Author Comment

by:psd_steve
ID: 16987123
I suppose this is a bit harder than I thought.  I can log onto the actual server that is connected and am unable to traceroute. If I plug directly into the line that is coming in with a laptop or any machine, I can traceroute. I have some setting somewhere int he firewall frametsed and am unsure of what to change. I understand what your saying that a M$ and Linux machine use different protocals to retrive the information, however neither of the OSes can trace route when routed thru the firewall server machine.

Thanks

Steve
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16987266
does the firewall allow inbound and forwarded ICMP ?
0
Transaction-level recovery for Oracle database

Veeam Explore for Oracle delivers low RTOs and RPOs with agentless transaction log backup and transaction-level recovery of Oracle databases. You can restore the database to a precise point in time, even to a specific transaction.

 

Author Comment

by:psd_steve
ID: 16987785
I have added this:
-A PREROUTING -p icmp -m icmp --icmp-type any -j ACCEPT
-A POSTROUTING -p icmp -m icmp --icmp-type any -j ACCEPT

to my iptables

Dosn't seem to have any effect. Hints?

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16987878
the PREROUTING and POSTROUTING chains are useless for your aproach, you need rules for FORWARD  chain (INPUT/OUTPUT if your want to detect your firewall too)
0
 

Author Comment

by:psd_steve
ID: 16988056
-A PREROUTING -p icmp -m icmp -i eth1 --icmp-type any -j REDIRECT
-A POSTROUTING -p icmp -m icmp -o eth0 --icmp-type any -j ACCEPT

Not sure about the forwarding rules, let me see if I can find an example. I have forward defaulted to accept"

*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p icmp -m icmp -i eth1 -o eth0 --icmp-type any -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
COMMIT

Tried this no results. Hint?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16988204
> -A FORWARD -p icmp -m icmp -i eth1 -o eth0 --icmp-type any -j ACCEPT
this allows ICMP in one direction only (not sure if iptables is statefull for such ICMP too)
try:
-A FORWARD -p icmp  -j ACCEPT

then use tcpdump on eth1 to see if the packets even arrive
0
 
LVL 41

Accepted Solution

by:
noci earned 2000 total points
ID: 17085438
There are several flavours of traceroute:
ICMP based (used by windows), or unix on request
UDP based (used by unix) it starts out at UDP port 33400 and increments the port number for every packet,
    with 3 attempts per HOP.

tcptraceroute uses tcp SYN packet to do a traceroute, it uses port 80 by default, but it can be specified.

To allow access to the fire wall you need to allow packets on INPUT/OUTPUT  rules of the firewall,
to allow access through a firewall you need to FORWARD packets.

AFAICT from your example you have no firewall in a sense, you just allow everything (in filter).
You don't filter packets, you allow routing through a NAT rule from a few systems named by MAC address.
Do you include a rules in PREROUTING for your own server???.

IMHO a better approach would be to restrict the nat rules to just a MASQUERADE (better would be a SNAT rule),
and allow access through your system by filtering in either forward and/or input & output.

Filtering on MAC address has limited value as most ethernet cards can spoof the MAX address if needed.


0

Featured Post

Vote for the Most Valuable Expert

It’s time to recognize experts that go above and beyond with helpful solutions and engagement on site. Choose from the top experts in the Hall of Fame or on the right rail of your favorite topic page. Look for the blue “Nominate” button on their profile to vote.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
Fine Tune your automatic Updates for Ubuntu / Debian
Are you ready to place your question in front of subject-matter experts for more timely responses? With the release of Priority Question, Premium Members, Team Accounts and Qualified Experts can now identify the emergent level of their issue, signal…
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …
Suggested Courses
Course of the Month19 days, 9 hours left to enroll

873 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question