Help me... please

Help me... please

[linuxmc]

Hi to all,
i'm a problem with an iptables firewall working on OpenSuse 10.3 - Kernel 2.6.22. I have created the firewall using FirewallBuilder 2.0.13.
The problem is this. On my firewall i have these two rules

echo "Rule 9 (global)"
# 
# 
# 
$IPTABLES -N RULE_9
$IPTABLES -A INPUT -m mac --mac-source 00:1B:38:B1:9A:57 -m state --state NEW -j RULE_9 
$IPTABLES -A INPUT -m mac --mac-source 00:0E:A6:C1:4E:18 -m state --state NEW -j RULE_9 
$IPTABLES -A FORWARD -m mac --mac-source 00:1B:38:B1:9A:57 -m state --state NEW -j RULE_9 
$IPTABLES -A FORWARD -m mac --mac-source 00:0E:A6:C1:4E:18 -m state --state NEW -j RULE_9 
$IPTABLES -A RULE_9 -j LOG --log-level info --log-prefix "RULE 9 -- ACCEPT "
$IPTABLES -A RULE_9 -j ACCEPT 

...that allow to go everywhere for the hosts with mac-address
00:1B:38:B1:9A:57 and 00:0E:A6:C1:4E:18....

and this rule (the last rule on the firewall)

# Rule 39 (global)
# 
echo "Rule 39 (global)"
# 
# 
# 
$IPTABLES -N RULE_39
$IPTABLES -A OUTPUT -j RULE_39 
$IPTABLES -A INPUT -j RULE_39 
$IPTABLES -A FORWARD -j RULE_39 
$IPTABLES -A RULE_39 -j LOG --log-level info --log-prefix "RULE 39 -- DENY "
$IPTABLES -A RULE_39 -j DROP 
#
that block all packet don't match the rule before.

When i try to navigate with these two host i experience very sloow speed and when i have investigated the log file of firewall i have discovered that some time the packets destinated to any web server (http://.... port 80) match the rule 9 (CORRECTLY).... and some time match rule 39 ( :(((( )

All the other hosts /networks defined in the firewall with ip-address instead mac-address works fine with internet.

Some ideas :))) Thank's to all.

Marco

Re: Help me... please

[Anatoly Muliarski]

Hi,

You should remove -m state --state NEW statements because they track
only START of connections.

2008/8/1, linuxmc@libero.it <linuxmc@libero.it>:
> echo "Rule 9 (global)"
> $IPTABLES -N RULE_9
> $IPTABLES -A INPUT -m mac --mac-source 00:1B:38:B1:9A:57 -m state --state NEW -j RULE_9
> $IPTABLES -A INPUT -m mac --mac-source 00:0E:A6:C1:4E:18 -m state --state NEW -j RULE_9
> $IPTABLES -A FORWARD -m mac --mac-source 00:1B:38:B1:9A:57 -m state --state NEW -j RULE_9
> $IPTABLES -A FORWARD -m mac --mac-source 00:0E:A6:C1:4E:18 -m state --state NEW -j RULE_9
> $IPTABLES -A RULE_9 -j LOG --log-level info --log-prefix "RULE 9 -- ACCEPT "
> $IPTABLES -A RULE_9 -j ACCEPT


-- 
Best regards
Anatoly Muliarski

Re: Help me... please

[Michele Petrazzo - Unipex srl]

Anatoly Muliarski wrote:
> Hi,
> 
> You should remove -m state --state NEW statements because they track 
> only START of connections.
> 


Or you can accept the established and related _before_ to the other rules.

$IPTABLES -I INPUT 1 [FORWARD] -m state --state RELATED,ESTABLISHED -j 
ACCEPT

However, can you send us the log that drop the traffic on the rule_39 ?

Michele

Re: Help me... please

[linuxmc]

[-- Attachment #1: Type: text/plain, Size: 1113 bytes --]

I have tried to remove de "-m state --state" but nothing change.
I have attached the section of the firewall log file with the defect. Look to the first and to the last line.....


thank. Marco


---------- Initial Header -----------

From      : netfilter-owner@vger.kernel.org
To          : "Anatoly Muliarski" x86ever@gmail.com
Cc          : "netfilter" netfilter@vger.kernel.org
Date      : Sat, 02 Aug 2008 10:10:45 +0200
Subject : Re: Help me... please







> Anatoly Muliarski wrote:
> > Hi,
> >
> > You should remove -m state --state NEW statements because they track 
> > only START of connections.
> >
>
>
> Or you can accept the established and related _before_ to the other rules.
>
> $IPTABLES -I INPUT 1 [FORWARD] -m state --state RELATED,ESTABLISHED -j 
> ACCEPT
>
> However, can you send us the log that drop the traffic on the rule_39 ?
>
> Michele
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

[-- Attachment #2: firewall log file --]
[-- Type: text/plain, Size: 3657 bytes --]

Aug  2 10:54:01 fwlbsede kernel: RULE 39 -- DENY IN=eth1 OUT=eth0 SRC=192.168.1.54 DST=209.62.179.57 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=21164 DF PROTO=TCP SPT=1617 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Aug  2 10:54:01 fwlbsede kernel: RULE 39 -- DENY IN=eth1 OUT=eth0 SRC=192.168.2.25 DST=151.99.125.3 LEN=72 TOS=0x00 PREC=0x00 TTL=124 ID=54181 PROTO=UDP SPT=1076 DPT=53 LEN=52
Aug  2 10:54:03 fwlbsede kernel: RULE 39 -- DENY IN=eth1 OUT=eth0 SRC=192.168.2.25 DST=151.99.125.2 LEN=72 TOS=0x00 PREC=0x00 TTL=124 ID=54182 PROTO=UDP SPT=1076 DPT=53 LEN=52
Aug  2 10:54:03 fwlbsede kernel: RULE 39 -- DENY IN=eth1 OUT=eth0 SRC=192.168.2.25 DST=151.99.125.3 LEN=72 TOS=0x00 PREC=0x00 TTL=124 ID=54183 PROTO=UDP SPT=1076 DPT=53 LEN=52
Aug  2 10:54:04 fwlbsede kernel: RULE 39 -- DENY IN=eth1 OUT=eth0 SRC=192.168.2.30 DST=151.99.125.2 LEN=62 TOS=0x00 PREC=0x00 TTL=124 ID=6672 PROTO=UDP SPT=1026 DPT=53 LEN=42
Aug  2 10:54:04 fwlbsede kernel: RULE 39 -- DENY IN=eth1 OUT=eth0 SRC=192.168.1.54 DST=209.62.179.57 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=21230 DF PROTO=TCP SPT=1617 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Aug  2 10:54:04 fwlbsede kernel: RULE 39 -- DENY IN=eth1 OUT=eth0 SRC=192.168.2.100 DST=151.99.125.2 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=65453 PROTO=ICMP TYPE=8 CODE=0 ID=456 SEQ=0
Aug  2 10:54:05 fwlbsede kernel: RULE 39 -- DENY IN=eth1 OUT=eth0 SRC=192.168.2.30 DST=151.99.125.3 LEN=62 TOS=0x00 PREC=0x00 TTL=124 ID=6673 PROTO=UDP SPT=1026 DPT=53 LEN=42
Aug  2 10:54:05 fwlbsede kernel: RULE 39 -- DENY IN=eth1 OUT=eth0 SRC=192.168.2.100 DST=151.99.125.2 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=65458 PROTO=ICMP TYPE=8 CODE=0 ID=456 SEQ=1
Aug  2 10:54:06 fwlbsede kernel: RULE 39 -- DENY IN=eth1 OUT=eth0 SRC=192.168.2.30 DST=151.99.125.2 LEN=62 TOS=0x00 PREC=0x00 TTL=124 ID=6687 PROTO=UDP SPT=1026 DPT=53 LEN=42
Aug  2 10:54:06 fwlbsede kernel: RULE 39 -- DENY IN=eth1 OUT=eth0 SRC=192.168.2.100 DST=151.99.125.3 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=65463 PROTO=ICMP TYPE=8 CODE=0 ID=456 SEQ=0
Aug  2 10:54:07 fwlbsede kernel: RULE 39 -- DENY IN=eth1 OUT=eth0 SRC=192.168.2.100 DST=151.99.125.3 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=65468 PROTO=ICMP TYPE=8 CODE=0 ID=456 SEQ=1
Aug  2 10:54:07 fwlbsede kernel: RULE 39 -- DENY IN=eth1 OUT=eth0 SRC=192.168.2.25 DST=151.99.125.2 LEN=72 TOS=0x00 PREC=0x00 TTL=124 ID=54184 PROTO=UDP SPT=1076 DPT=53 LEN=52
Aug  2 10:54:07 fwlbsede kernel: RULE 39 -- DENY IN=eth1 OUT=eth0 SRC=192.168.2.25 DST=151.99.125.3 LEN=72 TOS=0x00 PREC=0x00 TTL=124 ID=54185 PROTO=UDP SPT=1076 DPT=53 LEN=52
Aug  2 10:54:08 fwlbsede kernel: RULE 39 -- DENY IN=eth1 OUT=eth0 SRC=192.168.2.30 DST=151.99.125.2 LEN=62 TOS=0x00 PREC=0x00 TTL=124 ID=6688 PROTO=UDP SPT=1026 DPT=53 LEN=42
Aug  2 10:54:08 fwlbsede kernel: RULE 39 -- DENY IN=eth1 OUT=eth0 SRC=192.168.2.30 DST=151.99.125.3 LEN=62 TOS=0x00 PREC=0x00 TTL=124 ID=6689 PROTO=UDP SPT=1026 DPT=53 LEN=42
Aug  2 10:54:09 fwlbsede kernel: RULE 39 -- DENY IN=eth1 OUT=eth0 SRC=192.168.2.34 DST=151.99.125.3 LEN=62 TOS=0x00 PREC=0x00 TTL=124 ID=9984 PROTO=UDP SPT=4911 DPT=53 LEN=42
Aug  2 10:54:10 fwlbsede kernel: RULE 39 -- DENY IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:20:1a:21:a2:21:08:00 SRC=192.168.1.65 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=7895 PROTO=2
Aug  2 10:54:10 fwlbsede kernel: RULE 39 -- DENY IN=eth1 OUT=eth0 SRC=192.168.2.34 DST=151.99.125.3 LEN=62 TOS=0x00 PREC=0x00 TTL=124 ID=9999 PROTO=UDP SPT=4911 DPT=53 LEN=42
Aug  2 10:54:10 fwlbsede kernel: RULE 8 -- ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.54 DST=209.62.179.57 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=21338 DF PROTO=TCP SPT=1617 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

Re: Help me... please

[Michele Petrazzo - Unipex srl]

linuxmc@libero.it wrote:
> I have tried to remove de "-m state --state" but nothing change. I 
> have attached the section of the firewall log file with the defect. 
> Look to the first and to the last line.....
> 
> 

Would be better if you say us your ethernet flow: incoming ports and
outgoing, ip, etc...
Little suggestion (seem the same problem that happen to me): are you
trying to filter also the incoming data (the return one? If yes and if
that is dropped, pay attention that you cannot filter by mac address
since the firewall don't know which is the mac client to forward to the
data on the forward state, but only on the postrouting one. (but there is no
mac-destination on the mac match target!)

Michele

Re: Help me... please

[linuxmc]

I have verified but the mac address is the same.


---------- Initial Header -----------

From      : "Anatoly Muliarski" x86ever@gmail.com
To          : "linuxmc@libero.it" linuxmc@libero.it
Cc          : 
Date      : Sun, 3 Aug 2008 10:19:38 +0300
Subject : Re: Help me... please







> 2008/8/2, linuxmc@libero.it <linuxmc@libero.it>:
> > I have tried to remove de "-m state --state" but nothing change.
> > I have attached the section of the firewall log file with the defect. Look to the first and to the last line.....
> >
> 
> Try to check the correspondence between ARP addresses stated in your
> RULE_9 and the desired IPs to pass through. Hint: arp -a -n on the
> router. Possibly 192.168.1.54's MAC is DIFFERENT than those in your
> RULE_9.
> 
> -- 
> Best regards
> Anatoly Muliarski
> 

Re: Help me... please

[linuxmc]

The strange thing is that this problem occurs only with the rule where hosts are defined with mac address.... the hosts defined with ip address works correctly.
And another very strange thing is that until few days ago, works correctly also the rules defined with mac address. 
Next, i have installed squid proxy server and modified the firewall script in order to grant direct access to outgoing http connection only for 3 hosts (those defined with mac address)...... and boom.... i have this problem.





---------- Initial Header -----------

From      : netfilter-owner@vger.kernel.org
To          : "x86ever" x86ever@gmail.com
Cc          : "netfilter" netfilter@vger.kernel.org
Date      : Sun,  3 Aug 2008 13:55:49 +0200
Subject : Re: Help me... please







> I have verified but the mac address is the same.
> 
> 
> ---------- Initial Header -----------
> 
> From      : "Anatoly Muliarski" x86ever@gmail.com
> To          : "linuxmc@libero.it" linuxmc@libero.it
> Cc          : 
> Date      : Sun, 3 Aug 2008 10:19:38 +0300
> Subject : Re: Help me... please
> 
> 
> 
> 
> 
> 
> 
> > 2008/8/2, linuxmc@libero.it <linuxmc@libero.it>:
> > > I have tried to remove de "-m state --state" but nothing change.
> > > I have attached the section of the firewall log file with the defect. Look to the first and to the last line.....
> > >
> > 
> > Try to check the correspondence between ARP addresses stated in your
> > RULE_9 and the desired IPs to pass through. Hint: arp -a -n on the
> > router. Possibly 192.168.1.54's MAC is DIFFERENT than those in your
> > RULE_9.
> > 
> > -- 
> > Best regards
> > Anatoly Muliarski
> > 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Re: Help me... please

[Anatoly Muliarski]

2008/8/3, linuxmc@libero.it <linuxmc@libero.it>:
> The strange thing is that this problem occurs only with the rule where hosts are defined with mac address.... the hosts defined with ip address works correctly.
> And another very strange thing is that until few days ago, works correctly also the rules defined with mac address.
> Next, i have installed squid proxy server and modified the firewall script in order to grant direct access to outgoing http connection only for 3 hosts (those defined with mac address)...... and boom.... i have this problem.
>

The problem must be in order of your firewall rules.
Send iptables -L -n output.


-- 
Best regards
Anatoly Muliarski