* Re: n00b question..... How to get details on active connections
[not found] <1064120968.782.626.camel@shaolin.gridlocksecurity.com>
@ 2003-09-23 14:40 ` Stack Buffer
2003-09-23 15:59 ` Nox
0 siblings, 1 reply; 4+ messages in thread
From: Stack Buffer @ 2003-09-23 14:40 UTC (permalink / raw)
To: Nox; +Cc: netfilter
Hi Nox
Well I did manage to get the kernel compiled (Redhat 9.0) kernel 2.4.20-8, and it booted the system fine, although I think it is pretty large.
I was not sure of the following though and I hope you can help clarify things for me:
1) IP:Multicasting.
2) IP:Policy Routing.
3) IP:Use netfilter mark value as router.
4) IP:TCP syncookie support.
Plus also I compiled in everything under the netfilter configuration and also everything under QoS and/or Fair queueing. Is that overkill to compile all those options in? What are the trade-offs of compiling (netfilter stuff) things as modules, rather than directly into the kernel? Will I lose any functionality?
I will be very thankful for any help.
Thanks
Cheers
* Re: n00b question..... How to get details on active connections
2003-09-23 14:40 ` n00b question..... How to get details on active connections Stack Buffer
@ 2003-09-23 15:59 ` Nox
0 siblings, 0 replies; 4+ messages in thread
From: Nox @ 2003-09-23 15:59 UTC (permalink / raw)
To: Stack Buffer; +Cc: netfilter
Good morning Stack.
1 - 4 of those modules, I don't have installed into my filter, but I am not doing the same as you, so I'm not sure if you'll need them or not.
The best way would be to compile them as modules, the reason being that they are loaded during boot up, rather than directly into your kernel, making things boot faster.
I don't have anything from under QoS either, so you may not need that.
Item 1 & 2,
> 1) IP:Multicasting.
> 2) IP:Policy Routing.
those you may need, but the others I think you can get rid of.
The file that contains the modules is: /etc/modules & /etc/modules.conf
I think adding all those is a little bit overkill; I don't think you'll ever use most of the QoS and/or Fair queueing stuff, so try it without that.
IP Multicast is for one host sending a packet to all nodes on a multicast network. (I've never used it.) The reason for this is to save bandwidth. Instead of sending one single packet to 10 machines, which results in 10 packets on the network, you send one packet to 10 hosts at once.
Policy Routing is exactly what it sounds like: instead of having routes in your routing table, you can create rules in your iptables for routing connections. Much more control of where those routes go, logging on the routing of those connections, etc. I think you should leave this, as it comes in handy.
Use netfilter as mark (from manpage):
The MARK target is used to set Netfilter mark values that are associated with specific packets. This target is only valid in the mangle table, and will not work outside there. The MARK values may be used in conjunction with the advanced routing capabilities in Linux to send different packets through different routes and to tell them to use different queue disciplines (qdisc), etc. For more information on advanced routing, check out the Linux Advanced Routing and Traffic Control HOW-TO. Note that the mark value is not set within the actual package, but is a value that is associated within the kernel with the packet. In other words, you can not set a MARK for a packet and then expect the MARK still to be there on another host. If this is what you want, you will be better off with the TOS target which will mangle the TOS value in the IP header.
TCP_syncookies: Send out syncookies when the syn backlog queue of a socket overflows. This is to prevent against the common 'syn flood attack'. Could come in handy.
Good job with your first Kernel compile. Let me know how the rest goes.
Nox
GenMicro Systems
On Tue, 2003-09-23 at 10:40, Stack Buffer wrote:
> Hi Nox
>
> Well I did manage to get the kernel compiled (Redhat 9.0) kernel 2.4.20-8,
> and it booted the system fine, although I think it is pretty large.
> I was not sure of the following though and I hope you can help clarify
> things for me:
>
> 1) IP:Multicasting.
>
> 2) IP:Policy Routing.
>
> 3) IP:Use netfilter mark value as router.
>
> 4) IP:TCP syncookie support.
>
> Plus also I compiled in everything under the netfilter configuration and
> also everything under QoS and/or Fair queueing. Is that overkill to compile
> all those options in? What are the trade-offs of compiling (netfilter stuff)
> things as modules, rather than directly into the kernel? Will I lose any
> functionality?
> I will be very thankful for any help.
> Thanks
> Cheers
* NAT and MTU issues
@ 2003-09-19 15:28 Nigel Metheringham
2003-09-20 9:15 ` n00b question..... How to get details on active connections Paul Gibson
0 siblings, 1 reply; 4+ messages in thread
From: Nigel Metheringham @ 2003-09-19 15:28 UTC (permalink / raw)
To: netfilter
I have a somewhat complex setup where I am using a box running both
source and destination NAT as a demarcation point between 2 disparately
addressed networks [specifically this allows a customer to access a
service on our network, even though other customers that we connect to
may have networks with overlapping address spaces - not always
"private" space]
So from the customer's point of view, they connect to 192.168.50.119
port 1500.
Our kit wants to see a connection from 10.0.1.0/24 to 10.0.2.2 port
2502.
In theory this works fine... but there's a wrinkle. Our box is remote
from our data centre and connects to it using an IPSec link using
FreeSWAN. The ipsec0 interface has an MTU on it of 1450 - this prevents
us fragmenting 1500 byte packets when they hit the ipsec engine (which
expands the packets up). A 1450 MTU has historically worked well for
us.
What appears to be happening is that everything works while packets are
short, however when long packets come in they bounce off the lower MTU
interface, and the returned ICMP packet is not getting back to the
originator in a sane form. So the connection freezes.
Having looked closer at this I find there is an ICMP dest unreach packet
emitted from my box back to the originator. However inside the packet
the SNAT has been undone, but the DNAT is still in place.
Any ideas how I can fix this...?
This is all on a 2.4.21 kernel.
NAT rules I have in place are:-
[root@t003 admin]# /sbin/iptables -t nat -n -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 192.168.50.119 tcp dpt:1500 to:10.0.2.2:2502
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- 0.0.0.0/0 10.0.2.2 tcp dpt:2502 to:10.0.1.239-10.0.1.254
The ICMP packet I get back looks like this:-
Frame 229 (590 bytes on wire, 590 bytes captured)
Arrival Time: Sep 19, 2003 15:21:31.728906000
Time delta from previous packet: 0.000019000 seconds
Time relative to first packet: 70.396568000 seconds
Frame Number: 229
Packet Length: 590 bytes
Capture Length: 590 bytes
Ethernet II, Src: 00:02:a5:da:5f:7b, Dst: 00:10:db:ff:20:70
Destination: 00:10:db:ff:20:70 (00:10:db:ff:20:70)
Source: 00:02:a5:da:5f:7b (00:02:a5:da:5f:7b)
Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.50.119 (192.168.50.119), Dst Addr: 172.16.28.5 (172.16.28.5)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; ECN: 0x00)
1100 00.. = Differentiated Services Codepoint: Class Selector 6 (0x30)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 576
Identification: 0x8d00 (36096)
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: ICMP (0x01)
Header checksum: 0x2fc8 (correct)
Source: 192.168.50.119 (192.168.50.119)
Destination: 172.16.28.5 (172.16.28.5)
Internet Control Message Protocol
Type: 3 (Destination unreachable)
Code: 4 (Fragmentation needed)
Checksum: 0x8479 (correct)
MTU of next hop: 1450
Internet Protocol, Src Addr: 172.16.28.5 (172.16.28.5), Dst Addr: 10.0.2.2 (10.0.2.2)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 1500
Identification: 0x7749 (30537)
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 62
Protocol: TCP (0x06)
Header checksum: 0xcda0 (correct)
Source: 172.16.28.5 (172.16.28.5)
Destination: 10.0.2.2 (10.0.2.2)
Transmission Control Protocol, Src Port: 50794 (50794), Dst Port: 2502 (2502), Seq: 3025715234, Ack: 3268150508
Source port: 50794 (50794)
Destination port: 2502 (2502)
Sequence number: 3025715234
Acknowledgement number: 3268150508
Header length: 32 bytes
Flags: 0x0010 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 6432
Checksum: 0xb25c (incorrect, should be 0x4b3b)
Options: (12 bytes)
NOP
NOP
Time stamp: tsval 19647219, tsecr 1709539721
Data (496 bytes)
Cheers
Nigel.
--
[ Nigel Metheringham Nigel.Metheringham@InTechnology.co.uk ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
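The diagnosis in Nigel's post (an ICMP type 3 code 4 whose embedded header shows the SNAT reversed but the DNAT still applied) can be checked mechanically. The script below is an added example, not code from the thread: it builds a frame from the addresses, ports and MTU in the capture above (the bytes themselves are constructed, not the real capture), parses the error the way the originating host's stack would, and reports which translations are still visible. The function names, the DNAT map and the "originator view" dictionary are this example's own assumptions.

```python
"""Parse an ICMP 'fragmentation needed' error and check whether the embedded
header still carries NAT translations.

Constructed example modelled on the capture in the thread: the bytes are built
here from the addresses and ports in the post, not taken from the wire."""
import struct
from ipaddress import IPv4Address

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; odd-length data is zero padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, total_len, ident, df, ttl) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                      0x4000 if df else 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_sample_frame() -> bytes:
    """Outer: NAT box -> originator, ICMP type 3 code 4, next-hop MTU 1450.
    Inner (the packet that bounced off ipsec0): source already mapped back to
    the originator, destination still the DNAT'd 10.0.2.2:2502."""
    tcp = struct.pack("!HHIIBBHHH", 50794, 2502, 3025715234, 3268150508,
                      8 << 4, 0x10, 6432, 0, 0)          # 20-byte TCP header
    tcp += b"\x01\x01" + struct.pack("!BBII", 8, 10, 19647219, 1709539721)  # NOP NOP timestamp
    inner_ip = build_ipv4_header("172.16.28.5", "10.0.2.2", 6, 1500, 0x7749, True, 62)
    body = inner_ip + tcp
    icmp_hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, 1450)
    icmp = (icmp_hdr[:2] + struct.pack("!H", checksum(icmp_hdr + body))
            + icmp_hdr[4:] + body)
    outer_ip = build_ipv4_header("192.168.50.119", "172.16.28.5", 1,
                                 20 + len(icmp), 0x8d00, False, 64)
    return outer_ip + icmp


def parse_ipv4(buf: bytes) -> dict:
    """Decode the fixed part of an IPv4 header; csum_ok verifies the header."""
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ihl": ihl, "total_len": total_len, "df": bool(flags_frag & 0x4000),
            "ttl": ttl, "proto": proto, "src": str(IPv4Address(src)),
            "dst": str(IPv4Address(dst)), "csum_ok": checksum(buf[:ihl]) == 0}


def parse_frag_needed(frame: bytes) -> dict:
    """Extract the next-hop MTU and the embedded (inner) IP/TCP tuple."""
    outer = parse_ipv4(frame)
    if outer["proto"] != 1:
        raise ValueError("not an ICMP packet")
    icmp = frame[outer["ihl"]:outer["total_len"]]
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        raise ValueError("not a fragmentation-needed error")
    inner = parse_ipv4(icmp[8:])
    off = 8 + inner["ihl"]
    sport, dport = struct.unpack("!HH", icmp[off:off + 4])
    return {"outer_src": outer["src"], "outer_dst": outer["dst"], "mtu": mtu,
            "icmp_csum_ok": checksum(icmp) == 0, "inner_csum_ok": inner["csum_ok"],
            "inner_src": (inner["src"], sport), "inner_dst": (inner["dst"], dport),
            "inner_df": inner["df"], "inner_len": inner["total_len"]}


def nat_diagnosis(err: dict, originator_view: dict, dnat: dict) -> dict:
    """Compare the embedded tuple with what the originator actually sent.
    originator_view: {"src": (ip, port), "dst": (ip, port)} on the customer side;
    dnat: {public (ip, port): internal (ip, port)}.  The originator's stack can
    only match the error to its socket when both tuples equal its own view."""
    snat_reversed = err["inner_src"] == originator_view["src"]
    dnat_reversed = err["inner_dst"] == originator_view["dst"]
    dnat_still_applied = err["inner_dst"] == dnat.get(originator_view["dst"])
    return {"snat_reversed": snat_reversed, "dnat_reversed": dnat_reversed,
            "dnat_still_applied": dnat_still_applied,
            "originator_can_match": snat_reversed and dnat_reversed}


SAMPLE_FRAME = build_sample_frame()                       # constructed, see above
ORIGINATOR_VIEW = {"src": ("172.16.28.5", 50794), "dst": ("192.168.50.119", 1500)}
DNAT = {("192.168.50.119", 1500): ("10.0.2.2", 2502)}     # from the PREROUTING rule

if __name__ == "__main__":
    error = parse_frag_needed(SAMPLE_FRAME)
    print(error)
    print(nat_diagnosis(error, ORIGINATOR_VIEW, DNAT))
```

The point the diagnosis makes explicit is that path MTU discovery only works if the host at 172.16.28.5 can find the socket the embedded header belongs to; with the destination still reading 10.0.2.2:2502 instead of 192.168.50.119:1500 it has no such socket, silently discards the error, keeps sending 1500-byte DF packets, and the connection stalls exactly as described. Independently of the kernel-side fix, a common way to keep TCP flows alive across a lower-MTU tunnel is to clamp the MSS on SYN packets with the iptables TCPMSS target (a general workaround, not something the thread itself proposes).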
* n00b question..... How to get details on active connections
2003-09-19 15:28 NAT and MTU issues Nigel Metheringham
@ 2003-09-20 9:15 ` Paul Gibson
2003-09-20 16:09 ` Nox
0 siblings, 1 reply; 4+ messages in thread
From: Paul Gibson @ 2003-09-20 9:15 UTC (permalink / raw)
To: netfilter
Hello,
I know this is a n00b question but how can I get details of active connections, e.g. what inside address/pc is connected to what outside address?
TIA
* Re: n00b question..... How to get details on active connections
2003-09-20 9:15 ` n00b question..... How to get details on active connections Paul Gibson
@ 2003-09-20 16:09 ` Nox
0 siblings, 0 replies; 4+ messages in thread
From: Nox @ 2003-09-20 16:09 UTC (permalink / raw)
To: paul.gibson; +Cc: netfilter
On Sat, 2003-09-20 at 05:15, Paul Gibson wrote:
> Hello,
>
> I know this is a n00b question but how can I get details of active
> connections, e.g. what inside address/pc is connected to what outside
> address?
Do you mean connections through the Firewall? Something like /proc/net/ip_conntrack will tell you the active connections. (might be /proc/net/ipv4/ip_conntrack on your box)
If you mean just the box you're on, something like a netstat will do that.
Hope that helps
Nox
GenMicro Systems
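To turn the /proc/net/ip_conntrack listing Nox points at into the "inside host -> outside host" view Paul asked for, the two tuples on each line have to be compared: the first is the packet as it arrived, the second is the reply the box expects, and any difference beyond a simple reversal is NAT. The parser below is an added example, not from the thread. The four entries are constructed in the 2.4-era ip_conntrack text format (the exact columns vary by kernel version, so the parser keys on the src=/dst=/sport=/dport= pairs rather than on positions); the addresses and the function names are this example's own.

```python
"""Summarise NAT'd flows from /proc/net/ip_conntrack text.

Added example; the SAMPLE_CONNTRACK lines are constructed, not captured."""
import re
import sys

# Four constructed entries: outbound SNAT (tcp, udp), inbound DNAT, and a
# connection made by the firewall itself (no NAT).
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.10 sport=33412 dport=80 src=203.0.113.10 dst=198.51.100.1 sport=80 dport=33412 [ASSURED] use=1
udp      17 29 src=192.168.1.21 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=198.51.100.1 sport=53 dport=5353 use=1
tcp      6 117 SYN_SENT src=203.0.113.77 dst=198.51.100.1 sport=50000 dport=22 [UNREPLIED] src=192.168.1.30 dst=203.0.113.77 sport=22 dport=50000 use=1
tcp      6 300 TIME_WAIT src=198.51.100.1 dst=203.0.113.10 sport=40001 dport=443 src=203.0.113.10 dst=198.51.100.1 sport=443 dport=40001 [ASSURED] use=1
"""

# One conntrack tuple: "src=A dst=B sport=N dport=M"; a line carries two of them
# (original direction, then expected reply direction).
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(text: str) -> list:
    """Return one dict per TCP/UDP entry.  ICMP entries (type=/code= instead of
    ports) are skipped, as are malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        tuples = TUPLE_RE.findall(line)
        if len(fields) < 3 or len(tuples) != 2:
            continue
        (osrc, odst, osport, odport), (rsrc, rdst, rsport, rdport) = tuples
        entry = {
            "proto": fields[0],
            "timeout": int(fields[2]),
            "state": fields[3] if fields[0] == "tcp" else None,  # only TCP has a state column
            "orig": ((osrc, int(osport)), (odst, int(odport))),
            "reply": ((rsrc, int(rsport)), (rdst, int(rdport))),
            "assured": "[ASSURED]" in line,
            "unreplied": "[UNREPLIED]" in line,
        }
        # Without NAT the reply tuple is exactly the original tuple reversed.
        # SNAT: replies come back to an address other than the original source.
        entry["snat"] = entry["reply"][1] != entry["orig"][0]
        # DNAT: replies originate from an address other than the original destination.
        entry["dnat"] = entry["reply"][0] != entry["orig"][1]
        entries.append(entry)
    return entries


def describe(entry: dict) -> str:
    """One line in the form 'inside -> outside (how it appears after NAT)'."""
    (osrc, osport), (odst, odport) = entry["orig"]
    (rsrc, rsport), (rdst, rdport) = entry["reply"]
    if entry["snat"]:
        return f"{osrc}:{osport} -> {odst}:{odport} (appears outside as {rdst}:{rdport})"
    if entry["dnat"]:
        return f"{osrc}:{osport} -> {odst}:{odport} (forwarded to {rsrc}:{rsport})"
    return f"{osrc}:{osport} -> {odst}:{odport} (no NAT)"


if __name__ == "__main__":
    # Pass a path such as /proc/net/ip_conntrack to read a live table;
    # with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONNTRACK
    for e in parse_conntrack(text):
        flags = "".join(f for f, on in (("A", e["assured"]), ("U", e["unreplied"])) if on)
        print(f"{e['proto']:<4} {e['state'] or '-':<12} {flags:<2} {describe(e)}")
```

The [UNREPLIED] entry is worth noticing on a real box: it is a connection the firewall has forwarded but never seen a reply for, which is the state a stalled DNAT'd flow like the one in Nigel's post would sit in until its timeout expires.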