* MASQUERADE: Route sent us somewhere else.
From: Tim Evans @ 2005-04-03 13:39 UTC (permalink / raw)
To: netfilter
Since upgrading to RedHat Enterprise Version 4, I've been having goofy routing
problems and iptables has been logging this message regularly:
Apr 3 04:15:01 kestrel kernel: MASQUERADE: Route sent us somewhere else.
My immediate ISP is Comcast, but my main domain is hosted at another ISP.
By "goofy routing problems," I mean I have trouble accessing my *own domain* at
my ISP for POP-ing down e-mail and *all* other connections. There are periods
of anywhere from a few minutes to an hour or longer where all connections to the
domain simply time out. At the same time, I *can* connect to other domains,
including others that belong to me on the same ISP.
During these incidents, traceroutes to my main domain hang at the very first hop
(Comcast's first router); if I run a traceroute to any other site in a different
window at the very same time, it proceeds all the way to its destination
virtually instantly.
The above error consistently corresponds with a cron job that runs fetchmail to
POP my e-mail down from the ISP.
I have the following lines in my iptables script that reference masquerading:
/sbin/modprobe ipt_MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
I have not changed the iptables script since upgrading to RHEL 4; I did not see
any such problems with RHEL 3.
What's doubly goofy about these problems is they're intermittent. After a spell
of being unable to connect (again, ranging from just a few minutes to an hour or
more), it'll suddenly begin working.
And, to repeat, this only affects my primary domain; no other connections to any
other domain I try see these failures.
--
Tim Evans, TKEvans.com, Inc. | 5 Chestnut Court
tkevans@tkevans.com | Owings Mills, MD 21117
http://www.tkevans.com/ | 443-394-3864
http://www.come-here.com/News/ |
* IPTables & HTTPD Conflict
From: J A @ 2005-04-04 2:11 UTC (permalink / raw)
To: netfilter
Hello All,
We're using Red Hat 9.
We've been running a Web Server (Apache & Tomcat), and were told to
run a firewall, in this case IPTables. When we enabled IPTables, many
of our web sites (BUT not all) could no longer be browsed from the
Internet.
Could you tell us which specific IPTables parameter is doing this, so
we could disable only the specific parameter?
Or is it not advisable to run IPTables side-by-side with Web services?
Thanks, appreciate your ideas.
---jake
* Re: IPTables & HTTPD Conflict
From: Askar @ 2005-04-04 9:40 UTC (permalink / raw)
To: J A; +Cc: netfilter
How should we suggest something without watching your iptables rule set?
regards
--
I love deadlines. I like the whooshing sound they make as they fly by.
Douglas Adams
* Re: IPTables & HTTPD Conflict
From: J A @ 2005-04-04 9:59 UTC (permalink / raw)
To: Askar; +Cc: netfilter
Sorry, when I replied to the thread, I seem to have copied only
Guido; here's a re-send:
Here are our rules (please refer to the thread for the problem
description); hope you could share your valuable insight with us.
--------------------------------------------------------------------------
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT
--------------------------------------------------------------------------
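A small evaluator, added here as an example and not part of the thread, that walks Jake's posted RH-Lokkit chain the way netfilter does (first match wins, a user chain with no match returns to its caller, a built-in chain ends at its policy) and reports the verdict for a given protocol, port and inbound interface. It shows that 80/tcp is accepted while 443/tcp falls inside the 0:1023 REJECT range, and that only SYN segments are filtered at all; the interface name eth0 is an assumption.

```python
RULES = """
:INPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
"""  # The INPUT-side lines of Jake's rule set, as posted in the thread (iptables-save format)

def parse(text):  # -> (policy per chain, None for user chains), ordered rules per chain
    policies, chains = {}, {}
    for line in text.splitlines():
        tok = line.split()
        if line.startswith(":"):                      # chain declaration with policy
            policies[tok[0][1:]] = None if tok[1] == "-" else tok[1]
            chains[tok[0][1:]] = []
        elif line.startswith("-A "):                  # rule appended to a chain
            opt = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1) if tok[i].startswith("-")}
            opt["--syn"] = "--syn" in tok             # flag that takes no argument
            chains[tok[1]].append(opt)
    return policies, chains

def verdict(policies, chains, chain, proto, dport, syn=True, iface="eth0"):
    """First match wins; a user chain with no match returns to its caller; a built-in ends at its policy."""
    for r in chains[chain]:
        if r.get("-p", proto) != proto or r.get("-i", iface) != iface or (r["--syn"] and not syn):
            continue                                  # protocol, interface or --syn did not match
        lo, _, hi = r.get("--dport", "0:65535").partition(":")
        if not int(lo) <= dport <= int(hi or lo):
            continue                                  # port outside the rule's range
        if r["-j"] in chains:                         # jump into a user-defined chain
            v = verdict(policies, chains, r["-j"], proto, dport, syn, iface)
            if v is not None:
                return v
            continue                                  # user chain fell through: keep walking
        return r["-j"]
    return policies[chain]                            # None means RETURN to the caller

if __name__ == "__main__":
    print({p: verdict(*parse(RULES), "INPUT", "tcp", p) for p in (80, 443, 8080)})
```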
* Re: IPTables & HTTPD Conflict
From: Askar @ 2005-04-04 11:32 UTC (permalink / raw)
To: J A; +Cc: netfilter
Okay, try these iptables rules as a starting point:

#!/bin/sh
# Load the FTP connection tracking helper module (ip_conntrack_ftp on the
# 2.4 kernels Red Hat 9 ships; nf_conntrack_ftp on 2.6 and later).
modprobe ip_conntrack_ftp
# Clear / flush all the rules from the different chains and tables
for table in mangle nat filter; do
    iptables -t $table -F
    iptables -t $table -X
done
# Set the default filter table policy
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD DROP
# Always allow loopback traffic, or local services cannot talk to each other
iptables -A INPUT -i lo -j ACCEPT
# Using connection state to bypass rule checking
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 25,80,21,22,23 \
    -m state --state NEW -j ACCEPT

Note: save these rules to a file, then chmod +x the file and then
execute it with ./filename :)
regards
* Re: IPTables & HTTPD Conflict
From: J A @ 2005-04-05 6:41 UTC (permalink / raw)
To: Askar; +Cc: netfilter
Hello Askar/A.Dreyer,
Thank you very much for your insights; now I see how badly our
IPTables is set up. Will re-configure along your recommended settings
and see how the system goes.
I will post whatever our final rules will look like.
Best regards!
---jake