* Tracking down the source of proxy problem
@ 2006-05-01  9:13 David Leangen
  2006-05-01 10:41 ` Rob Sterenborg
  0 siblings, 1 reply; 5+ messages in thread
From: David Leangen @ 2006-05-01  9:13 UTC (permalink / raw)
  To: netfilter


Hello!

I have a network with an iptables-based firewall/proxy. Behind the proxy is
a machine running Postgres. Recently, many changes were made to the
installation.

Connecting to the Postgres DB works from within the network, but not from
without. I've run out of ideas for tracking down the error...

Could anybody kindly pass on some wise advice?


firewall iptables (in port number edited):

  *nat
  :PREROUTING ACCEPT [0:0]
  :POSTROUTING ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  -A PREROUTING -p tcp --dport ##INPORT## -j DNAT --to 192.168.2.10:5432
  -A PREROUTING -p udp --dport ##INPORT## -j DNAT --to 192.168.2.10:5432
  -A POSTROUTING -o ppp0 -j MASQUERADE
  COMMIT


db machine iptables:

  *filter
  :INPUT DROP [1:242]
  :FORWARD DROP [0:0]
  :OUTPUT ACCEPT [0:0]
  :LOG_DROP - [0:0]
  :LOG_ACCEPT - [0:0]
  :icmp_packets - [0:0]
  -A INPUT -p tcp -s 192.168.0.0/16 -m tcp --dport 5432 -j ACCEPT
  -A INPUT -j DROP


Thank you!!




* RE: Tracking down the source of proxy problem
  2006-05-01  9:13 Tracking down the source of proxy problem David Leangen
@ 2006-05-01 10:41 ` Rob Sterenborg
  2006-05-01 11:33   ` David Leangen
  0 siblings, 1 reply; 5+ messages in thread
From: Rob Sterenborg @ 2006-05-01 10:41 UTC (permalink / raw)
  To: netfilter

> Hello!
> 
> I have a network with an iptables-based firewall/proxy.
> Behind the proxy is a machine running Postgres. Recently, many
> changes were made to the installation. 
> 
> Connecting to the Postgres DB works from within the network, but not
> from without.

From "the outside", I guess... Without a network it'll be hard to get it
working. ;-)

> I've run out of ideas for tracking down the error...
> 
> Could anybody kindly pass on some wise advice?
> 
> 
> firewall iptables (in port number edited):
> 
>   *nat
>   :PREROUTING ACCEPT [0:0]
>   :POSTROUTING ACCEPT [0:0]
>   :OUTPUT ACCEPT [0:0]
>   -A PREROUTING -p tcp --dport ##INPORT## -j DNAT --to
> 192.168.2.10:5432 
>   -A PREROUTING -p udp --dport ##INPORT## -j DNAT --to
> 192.168.2.10:5432 
>   -A POSTROUTING -o ppp0 -j MASQUERADE
>   COMMIT

These are only NAT rules. What about the FORWARD rules ?

> db machine iptables:
> 
>   *filter
>   :INPUT DROP [1:242]
>   :FORWARD DROP [0:0]
>   :OUTPUT ACCEPT [0:0]
>   :LOG_DROP - [0:0]
>   :LOG_ACCEPT - [0:0]
>   :icmp_packets - [0:0]
>   -A INPUT -p tcp -s 192.168.0.0/16 -m tcp --dport 5432 -j ACCEPT
>   -A INPUT -j DROP

This looks okay to me: the machine should accept packets.


Gr,
Rob




* RE: Tracking down the source of proxy problem
  2006-05-01 10:41 ` Rob Sterenborg
@ 2006-05-01 11:33   ` David Leangen
  2006-05-01 12:21     ` Rob Sterenborg
  0 siblings, 1 reply; 5+ messages in thread
From: David Leangen @ 2006-05-01 11:33 UTC (permalink / raw)
  To: netfilter


Hello, Rob,

> > firewall iptables (in port number edited):
> >
> >   *nat
> >   :PREROUTING ACCEPT [0:0]
> >   :POSTROUTING ACCEPT [0:0]
> >   :OUTPUT ACCEPT [0:0]
> >   -A PREROUTING -p tcp --dport ##INPORT## -j DNAT --to
> > 192.168.2.10:5432
> >   -A PREROUTING -p udp --dport ##INPORT## -j DNAT --to
> > 192.168.2.10:5432
> >   -A POSTROUTING -o ppp0 -j MASQUERADE
> >   COMMIT
>
> These are only NAT rules. What about the FORWARD rules ?

Sorry, left them out because I didn't think they were relevant... here they
are (SOME_PORT means that there are similar lines for various ports... but
none are 5432 or related to Postgres, since this proxy machine does not host
the DB):

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BLACKLIST - [0:0]
:LOG_ACCEPT - [0:0]
:LOG_DROP - [0:0]
:icmp_packets - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport ##SOME_PORT## -j LOG_ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j LOG_DROP
-A LOG_ACCEPT -j LOG --log-prefix "[IPTABLES ACCEPT] : " --log-tcp-options --log-ip-options
-A LOG_ACCEPT -j ACCEPT
-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-tcp-options --log-ip-options
-A LOG_DROP -j DROP
COMMIT

Thanks!
Dave





* RE: Tracking down the source of proxy problem
  2006-05-01 11:33   ` David Leangen
@ 2006-05-01 12:21     ` Rob Sterenborg
  2006-05-01 12:52       ` David Leangen
  0 siblings, 1 reply; 5+ messages in thread
From: Rob Sterenborg @ 2006-05-01 12:21 UTC (permalink / raw)
  To: netfilter

>>> firewall iptables (in port number edited):
>>> 
>>>   *nat
>>>   :PREROUTING ACCEPT [0:0]
>>>   :POSTROUTING ACCEPT [0:0]
>>>   :OUTPUT ACCEPT [0:0]
>>>   -A PREROUTING -p tcp --dport ##INPORT## -j DNAT --to
>>> 192.168.2.10:5432 
>>>   -A PREROUTING -p udp --dport ##INPORT## -j DNAT --to
>>> 192.168.2.10:5432 
>>>   -A POSTROUTING -o ppp0 -j MASQUERADE
>>>   COMMIT
>> 
>> These are only NAT rules. What about the FORWARD rules ?
> 
> Sorry, left them out because I didn't think they were relevant...
> here they are (SOME_PORT means that there are similar lines for
> various ports... but none are 5432 or related to Postgres, since this
> proxy machine does not host the DB):
> 
> *filter
> :INPUT DROP [0:0]
> :FORWARD ACCEPT [0:0]

So you have policy ACCEPT and no rules in the FORWARD chain. The
Postgres box should be receiving the NAT-ed packets.
- Have you enabled forwarding ?
  (echo 1 > /proc/sys/net/ipv4/ip_forward)
- Did you check routing on both boxes ?
  (Are packets routed to the Postgres box and are reply packets routed
back to the firewall.)
- Maybe you can add some LOG rules on both boxes to see something in
syslog.
  (Firewall: FORWARD chain, Postgres: INPUT chain)
- Check with tcpdump (et al) on the Postgres box if any packets that you
expect actually arrive.


Gr,
Rob



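A worked trace of the rulesets quoted in this thread, added here as an example; it is not code from the thread, and the thread never says what the actual cause turned out to be. It transcribes the firewall's nat PREROUTING DNAT, its FORWARD chain (policy ACCEPT, no rules) and the DB box's INPUT filter from the mails, and walks Rob's checklist in order: is forwarding enabled, does the packet get forwarded, and what does the Postgres box actually see when it arrives. One thing the trace makes visible that a practitioner would want to check: DNAT rewrites only the destination, so the DB box's INPUT rule, which accepts port 5432 only from 192.168.0.0/16, is matched against the external client's real source address. Everything not in the mails is assumed: INPORT = 15432 (redacted as ##INPORT## in the thread), a firewall ppp0 address of 203.0.113.5 and LAN address of 192.168.2.1, an external client 198.51.100.7 and an internal client 192.168.2.50 (all documentation ranges), and a hypothetical POSTROUTING SNAT rule shown only for comparison.

```python
"""Trace a client SYN through the rulesets quoted in this thread.

Added example, not code from the thread.  The nat PREROUTING DNAT, the
FORWARD chain (policy ACCEPT, no rules) and the DB box's INPUT filter are
transcribed from the mails; INPORT, the firewall's addresses, the client
addresses and the SNAT variant are assumptions for illustration.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

INPORT = 15432            # assumed stand-in for ##INPORT##
FW_WAN = "203.0.113.5"    # assumed ppp0 address of the firewall
FW_LAN = "192.168.2.1"    # assumed inside address of the firewall
DB_HOST = "192.168.2.10"  # DNAT target, from the thread
DB_PORT = 5432


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def firewall_prerouting(pkt: Packet) -> Packet:
    """nat PREROUTING from the thread:
    -A PREROUTING -p tcp --dport INPORT -j DNAT --to 192.168.2.10:5432
    (and the same line for udp).  DNAT rewrites the destination only;
    the client's source address is carried through unchanged."""
    if pkt.proto in ("tcp", "udp") and pkt.dport == INPORT:
        return replace(pkt, dst=DB_HOST, dport=DB_PORT)
    return pkt


def firewall_forward(pkt: Packet) -> str:
    """filter FORWARD from Dave's second mail: policy ACCEPT, no rules."""
    return "ACCEPT"


def firewall_postrouting_snat(pkt: Packet) -> Packet:
    """Hypothetical extra rule, NOT in the thread, shown for comparison:
    -A POSTROUTING -d 192.168.2.10 -p tcp --dport 5432 -j SNAT --to 192.168.2.1
    Forwarded connections then appear to come from the firewall's LAN
    address, at the cost of hiding the real client IP from the DB box."""
    if pkt.dst == DB_HOST and pkt.dport == DB_PORT:
        return replace(pkt, src=FW_LAN)
    return pkt


def db_input(pkt: Packet) -> str:
    """filter INPUT on the DB box, from the first mail:
    -A INPUT -p tcp -s 192.168.0.0/16 -m tcp --dport 5432 -j ACCEPT
    -A INPUT -j DROP"""
    if (pkt.proto == "tcp"
            and ip_address(pkt.src) in ip_network("192.168.0.0/16")
            and pkt.dport == DB_PORT):
        return "ACCEPT"
    return "DROP"


def trace_via_firewall(pkt: Packet, ip_forward: bool = True,
                       snat_to_lan: bool = False):
    """Follow a packet arriving on the firewall's ppp0 interface.
    Returns (verdict, packet as the DB box would see it)."""
    natted = firewall_prerouting(pkt)
    if natted == pkt:
        return "LOCAL", natted          # not DNATed: addressed to the firewall itself
    if not ip_forward:
        return "NOT_FORWARDED", natted  # /proc/sys/net/ipv4/ip_forward is 0
    if firewall_forward(natted) != "ACCEPT":
        return "FORWARD_DROP", natted
    if snat_to_lan:
        natted = firewall_postrouting_snat(natted)
    return db_input(natted), natted


if __name__ == "__main__":
    inside = Packet("192.168.2.50", 40001, DB_HOST, DB_PORT)
    outside = Packet("198.51.100.7", 40002, FW_WAN, INPORT)
    print("internal client, direct:", db_input(inside))
    print("external client, ip_forward=0:",
          trace_via_firewall(outside, ip_forward=False)[0])
    verdict, seen = trace_via_firewall(outside)
    print(f"external client, rules as posted: {verdict} (DB box sees src {seen.src})")
    verdict, seen = trace_via_firewall(outside, snat_to_lan=True)
    print(f"external client, with SNAT variant: {verdict} (DB box sees src {seen.src})")
```

On real hosts the same question is answered the way Rob suggests: a LOG rule in the firewall's FORWARD chain and one in the DB box's INPUT chain, or `tcpdump -ni <iface> tcp port 5432` on the DB box, which shows the source address the INPUT rule is actually matching. If the source turns out to be the external client, the choices are to accept port 5432 from the addresses that are really expected, or to SNAT as in the variant above; the SNAT variant loses the client IP for pg_hba.conf and the Postgres logs, so widening the source match is usually the better trade-off.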

* RE: Tracking down the source of proxy problem
  2006-05-01 12:21     ` Rob Sterenborg
@ 2006-05-01 12:52       ` David Leangen
  0 siblings, 0 replies; 5+ messages in thread
From: David Leangen @ 2006-05-01 12:52 UTC (permalink / raw)
  To: netfilter


Rob,

Thank you!

Your ideas helped me find the source of the problem.

Many, many thanks!!
Dave


