* Problems with connection
@ 2004-09-13 21:01 Giancarlo Boaron
  2004-09-13 21:16 ` Aleksandar Milivojevic
  2004-09-13 21:18 ` Jason Opperisano
  0 siblings, 2 replies; 4+ messages in thread
From: Giancarlo Boaron @ 2004-09-13 21:01 UTC (permalink / raw)
  To: netfilter

Hello!

I have a client in my LAN that must access a server on
the Internet listening for requests on 3456 port.

Using the FORWARD chain (default policy = DROP) I have
the following lines:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

<... my rules ...>

iptables -A FORWARD -d X.Y.0.0/16 -p tcp --dport 3456 -j ACCEPT

(the IP_server is inside the X.Y.0.0/16 IP range)

However, my client application can access the server
on Internet but it can't send the desired data, since
the application returns some error messages.

I logged the traffic with "tcpdump -i eth1 src or dst
IP_client" (where eth1 is my LAN interface) and that
was the result:

11:22:09.252058 IP_client.2611 > IP_server.3456: S 9014409:9014409(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
11:22:09.327363 IP_server.3456 > IP_client.2611: S 1138155720:1138155720(0) ack 9014410 win 65535 <mss 1460,nop,nop,sackOK> (DF)
11:22:09.327650 IP_client.2611 > IP_server.3456: . ack 1 win 8760 (DF)
11:22:09.410734 IP_server.3456 > IP_client.2611: P 1:140(139) ack 1 win 65535 (DF)
11:22:09.559431 IP_client.2611 > IP_server.3456: . ack 140 win 8621 (DF)
11:22:09.565804 IP_client.2611 > IP_server.3456: P 1:140(139) ack 140 win 8621 (DF)
11:22:09.656090 IP_server.3456 > IP_client.2611: P 140:154(14) ack 140 win 65396 (DF)
11:22:09.656516 IP_client.2611 > IP_server.3456: F 140:140(0) ack 154 win 8607 (DF)
11:22:09.737150 IP_server.3456 > IP_client.2611: . ack 141 win 65396 (DF)
11:22:09.737357 IP_server.3456 > IP_client.2611: F 154:154(0) ack 141 win 65396 (DF)
11:22:09.737471 IP_client.2611 > IP_server.3456: . ack 155 win 8607 (DF)

It means that my client can reach the server, a
connection is established, they send some data but
they close the connection very fast.
Besides, it repeats this traffic about 10 times, with
the client application changing its source port
number, and then it returns the error messages.

Does it mean that the server is trying to start a new
back connection to the client and my DROP policy is
applied? (since I don't permit new incoming
connections?)

I read the application documents and it only says that
I must allow outgoing traffic to and from
X.Y.0.0/16:3456 using TCP protocol.

So, what do you think about some HELP!!!!!!!! :)

See ya 
Giancarlo
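The two questions the post raises (does the server ever open a connection back, and who hangs up first) can be answered mechanically from the tcpdump text above. The following Python is an added example, not code from the poster or the netfilter project: it parses the 2004-era tcpdump line format quoted in the message (re-joined onto one line per packet, with the poster's IP_client / IP_server placeholders kept), groups packets by the client-side port and reports who opened each connection, the payload bytes each way, who sent FIN first, and any bare SYN arriving from the server side.

```python
import re

# Constructed from the tcpdump output quoted in the post (tcpdump text format of
# that era, re-joined onto one line per packet). IP_client and IP_server are the
# placeholders the poster used in place of the real addresses.
TRACE = """\
11:22:09.252058 IP_client.2611 > IP_server.3456: S 9014409:9014409(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
11:22:09.327363 IP_server.3456 > IP_client.2611: S 1138155720:1138155720(0) ack 9014410 win 65535 <mss 1460,nop,nop,sackOK> (DF)
11:22:09.327650 IP_client.2611 > IP_server.3456: . ack 1 win 8760 (DF)
11:22:09.410734 IP_server.3456 > IP_client.2611: P 1:140(139) ack 1 win 65535 (DF)
11:22:09.559431 IP_client.2611 > IP_server.3456: . ack 140 win 8621 (DF)
11:22:09.565804 IP_client.2611 > IP_server.3456: P 1:140(139) ack 140 win 8621 (DF)
11:22:09.656090 IP_server.3456 > IP_client.2611: P 140:154(14) ack 140 win 65396 (DF)
11:22:09.656516 IP_client.2611 > IP_server.3456: F 140:140(0) ack 154 win 8607 (DF)
11:22:09.737150 IP_server.3456 > IP_client.2611: . ack 141 win 65396 (DF)
11:22:09.737357 IP_server.3456 > IP_client.2611: F 154:154(0) ack 141 win 65396 (DF)
11:22:09.737471 IP_client.2611 > IP_server.3456: . ack 155 win 8607 (DF)
"""

# One packet per line: "<ts> <src>.<sport> > <dst>.<dport>: <flags> [seq:end(len)] [ack N] ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFPR.]+)(?: \d+:\d+\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))?"
)


def parse_trace(text):
    """Turn tcpdump text lines into dicts; lines that do not parse are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pkts.append({
            "ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"],
            "len": int(m["len"] or 0), "has_ack": m["ack"] is not None,
        })
    return pkts


def analyze(pkts, client):
    """Group packets by the client-side port and record, per connection, who sent
    the opening SYN, payload bytes in each direction and who sent FIN first.
    A bare SYN (no ACK) coming from the far side is a callback attempt."""
    conns, callbacks = {}, []
    for p in pkts:
        from_client = p["src"] == client
        key = p["sport"] if from_client else p["dport"]
        c = conns.setdefault(key, {"opened_by": None, "bytes_out": 0,
                                   "bytes_in": 0, "fin_first": None})
        if "S" in p["flags"] and not p["has_ack"]:
            c["opened_by"] = "client" if from_client else "server"
            if not from_client:
                callbacks.append(p)
        c["bytes_out" if from_client else "bytes_in"] += p["len"]
        if "F" in p["flags"] and c["fin_first"] is None:
            c["fin_first"] = "client" if from_client else "server"
    return conns, callbacks


if __name__ == "__main__":
    conns, callbacks = analyze(parse_trace(TRACE), "IP_client")
    for port, c in sorted(conns.items()):
        print(f"client port {port}: opened by {c['opened_by']}, "
              f"{c['bytes_out']} B out / {c['bytes_in']} B in, "
              f"FIN first from {c['fin_first']}")
    print(f"callback SYNs seen on this interface: {len(callbacks)}")
```

On this trace the script reports one connection, opened and closed by the client, with 139 bytes sent and 153 received, and no callback SYN. That is all a capture on the LAN interface can say: a SYN from the server that the FORWARD policy drops on the outside interface never reaches eth1, so its absence here does not rule out the callback theory.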


	
	
		



* Re: Problems with connection
  2004-09-13 21:01 Problems with connection Giancarlo Boaron
@ 2004-09-13 21:16 ` Aleksandar Milivojevic
  2004-09-13 21:18 ` Jason Opperisano
  1 sibling, 0 replies; 4+ messages in thread
From: Aleksandar Milivojevic @ 2004-09-13 21:16 UTC (permalink / raw)
  To: Giancarlo Boaron; +Cc: netfilter

Giancarlo Boaron wrote:
> Hello!
> 
> I have a client in my LAN that must access a server on
> the Internet listening for requests on 3456 port.
> 
> Using the FORWARD chain (default policy = DROP) I have
> the following lines:
> 
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> <... my rules ...>
> 
> iptables -A FORWARD -d X.Y.0.0/16 -p tcp --dport 3456 -j ACCEPT

[snip]

> Does it mean that the server is trying to start a new
> back connection to the client and my DROP policy is
> applied? (since I don't permit new incoming
> connections?)
> 
> I read the application documents and it only says that
> I must allow outgoing traffic to and from
> X.Y.0.0/16:3456 using TCP protocol.

The easiest way to see if your firewall is dropping anything is to add 
something like this to the end of your firewall rules (provided you 
don't have any DROP targets beforehand):

iptables -A FORWARD -s X.Y.0.0/16 -j LOG --log-prefix "FWD_FRM_X_Y "
iptables -A FORWARD -d X.Y.0.0/16 -j LOG --log-prefix "FWD_TO_X_Y "

If there is any callback connection, it will show in the kernel log (on Red 
Hatish systems /var/log/messages).  It will also show if your firewall 
is blocking any other packets between your network and X.Y.0.0/16.

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7



* Re: Problems with connection
  2004-09-13 21:01 Problems with connection Giancarlo Boaron
  2004-09-13 21:16 ` Aleksandar Milivojevic
@ 2004-09-13 21:18 ` Jason Opperisano
  2004-09-13 21:30   ` Aleksandar Milivojevic
  1 sibling, 1 reply; 4+ messages in thread
From: Jason Opperisano @ 2004-09-13 21:18 UTC (permalink / raw)
  To: netfilter

On Mon, 2004-09-13 at 17:01, Giancarlo Boaron wrote:
> 11:22:09.252058 IP_client.2611 > IP_server.3456: S 9014409:9014409(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
> 11:22:09.327363 IP_server.3456 > IP_client.2611: S 1138155720:1138155720(0) ack 9014410 win 65535 <mss 1460,nop,nop,sackOK> (DF)
> 11:22:09.327650 IP_client.2611 > IP_server.3456: . ack 1 win 8760 (DF)
> 11:22:09.410734 IP_server.3456 > IP_client.2611: P 1:140(139) ack 1 win 65535 (DF)
> 11:22:09.559431 IP_client.2611 > IP_server.3456: . ack 140 win 8621 (DF)
> 11:22:09.565804 IP_client.2611 > IP_server.3456: P 1:140(139) ack 140 win 8621 (DF)
> 11:22:09.656090 IP_server.3456 > IP_client.2611: P 140:154(14) ack 140 win 65396 (DF)
> 11:22:09.656516 IP_client.2611 > IP_server.3456: F 140:140(0) ack 154 win 8607 (DF)

note:  the client machine is the one initiating the closing of the
connection here.

> 11:22:09.737150 IP_server.3456 > IP_client.2611: . ack 141 win 65396 (DF)
> 11:22:09.737357 IP_server.3456 > IP_client.2611: F 154:154(0) ack 141 win 65396 (DF)
> 11:22:09.737471 IP_client.2611 > IP_server.3456: . ack 155 win 8607 (DF)
> 
> It means that my client can reach the server, a
> connection is established, they send some data but
> they close the connection very fast.
> Besides, it repeats this traffic about 10 times, with
> the client application changing its source port
> number, and then it returns the error messages.
> 
> Does it mean that the server is trying to start a new
> back connection to the client and my DROP policy is
> applied? (since I don't permit new incoming
> connections?)

well--if you're logging those DROP-ed packets--the logs will tell the
tale...

  iptables -A INPUT -j LOG --log-prefix "FW DROP IN: "
  iptables -A OUTPUT -j LOG --log-prefix "FW DROP OUT: "
  iptables -A FORWARD -j LOG --log-prefix "FW DROP FWD: "

(make sure those are the *last* rules in each chain)

> I read the application documents and it only says that
> I must allow outgoing traffic to and from
> X.Y.0.0/16:3456 using TCP protocol.
> 
> So, what do you think about some HELP!!!!!!!! :)

1)  log the packets you drop--it's the only way to know if you are the
problem...

2)  try doing a tcpdump on the outside interface and capture the packet
data as well:

  tcpdump -i $OUTSIDE -s 1500 -w output.cap host $SERVER_MACHINE

then open that capture file (output.cap) in something (ethereal is
nice), and if the protocol exchanges data in clear text--you may gain a
better grasp of what's going on...

-j

-- 
Jason Opperisano <opie@817west.com>
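Both replies come down to the same diagnostic: put LOG rules at the end of the chains (Aleksandar's FWD_FRM_X_Y / FWD_TO_X_Y rules, Jason's FW DROP IN/OUT/FWD rules) and read what the kernel logs. The Python below is an added example, not code from either poster: it parses lines in the netfilter LOG format as they appear in syslog, counts what each prefix catches, shows which flows recur, and picks out bare SYNs arriving on the outside interface from the server's network, which is what a callback connection killed by the DROP policy would look like. The sample lines are constructed (with the prefixes from the thread, documentation address ranges, and assumed interface names eth0 = outside, eth1 = LAN and an assumed "fw kernel:" syslog wrapper).

```python
import re
import ipaddress
from collections import Counter

# Constructed sample syslog lines in the netfilter LOG format, using the log
# prefixes suggested in the replies. Addresses are documentation ranges:
# 192.0.2.0/24 plays the LAN, 198.51.100.0/24 stands in for X.Y.0.0/16 and
# 203.0.113.0/24 for the rest of the Internet (203.0.113.1 is the firewall).
SAMPLE_LOG = """\
Sep 13 18:22:10 fw kernel: FWD_FRM_X_Y IN=eth0 OUT=eth1 SRC=198.51.100.20 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=7 DF PROTO=TCP SPT=41000 DPT=2612 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 13 18:22:13 fw kernel: FWD_FRM_X_Y IN=eth0 OUT=eth1 SRC=198.51.100.20 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=8 DF PROTO=TCP SPT=41000 DPT=2612 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 13 18:22:14 fw kernel: FWD_TO_X_Y IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4102 PROTO=UDP SPT=2611 DPT=3456 LEN=40
Sep 13 18:22:15 fw kernel: FW DROP IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=203.0.113.1 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=5 PROTO=TCP SPT=1234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Everything between "kernel: " and the first "IN=" is the --log-prefix text.
ENTRY_RE = re.compile(r"kernel: (?P<prefix>.*?)(?P<rest>IN=.*)$")


def parse_log(text):
    """Split each LOG line into its prefix, its KEY=value fields and the bare
    tokens (SYN, ACK, FIN, RST, DF ...) that the LOG target emits as flags."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        rest = m["rest"]
        fields = dict(re.findall(r"(\w+)=(\S*)", rest))
        flags = {tok for tok in rest.split() if "=" not in tok}
        entries.append({"prefix": m["prefix"].strip(), "fields": fields, "flags": flags})
    return entries


def count_by_prefix(entries):
    """How many packets each LOG rule (prefix) caught."""
    return Counter(e["prefix"] for e in entries)


def count_by_flow(entries):
    """Which (prefix, proto, src, dst, dport) combinations recur; a retried
    attempt against the same closed port shows up as a count above one."""
    return Counter((e["prefix"], e["fields"].get("PROTO"), e["fields"]["SRC"],
                    e["fields"]["DST"], e["fields"].get("DPT")) for e in entries)


def inbound_new_connections(entries, outside_if, server_net):
    """Logged TCP packets that are a bare SYN (a connection attempt, not a
    reply) arriving on the outside interface from the server's network."""
    net = ipaddress.ip_network(server_net)
    return [e for e in entries
            if e["fields"].get("IN") == outside_if
            and e["fields"].get("PROTO") == "TCP"
            and "SYN" in e["flags"] and "ACK" not in e["flags"]
            and ipaddress.ip_address(e["fields"]["SRC"]) in net]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for prefix, n in count_by_prefix(entries).items():
        print(f"{prefix:14} {n} packet(s)")
    for flow, n in count_by_flow(entries).most_common():
        print(f"  {n}x {flow}")
    for e in inbound_new_connections(entries, "eth0", "198.51.100.0/24"):
        f = e["fields"]
        print(f"callback attempt: {f['SRC']}:{f['SPT']} -> {f['DST']}:{f['DPT']}")
```

Run against real /var/log/messages output the prefixes and interface names are the only things to change. If the callback list stays empty while the application still fails, the firewall is probably not the problem, which is Jason's point in suggesting a full-payload capture on the outside interface next.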




* Re: Problems with connection
  2004-09-13 21:18 ` Jason Opperisano
@ 2004-09-13 21:30   ` Aleksandar Milivojevic
  0 siblings, 0 replies; 4+ messages in thread
From: Aleksandar Milivojevic @ 2004-09-13 21:30 UTC (permalink / raw)
  To: netfilter

Jason Opperisano wrote:
> 2)  try doing a tcpdump on the outside interface and capture the packet
> data as well:
> 
>   tcpdump -i $OUTSIDE -s 1500 -w output.cap host $SERVER_MACHINE
> 
> then open that capture file (output.cap) in something (ethereal is
> nice), and if the protocol exchanges data in clear text--you may gain a
> better grasp of what's going on...

I second that one.  Looking only at the inside interface tells only one 
half of the story.  Ethereal also has a nice feature: if one packet of 
the connection is selected (say the first), and then Analyze -> Follow TCP 
Stream, you'll get the complete data exchange (coloured as input and output).

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7


