/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
/* ALSO: Don't quote this header. It makes you look lame :-) */
Hello all,
Since I upgraded to kernel 2.2.18 (no fancy stuff except firewall and
masquerading included) I've noticed the following behaviour/bug with
ipchains/ipmasq.
After the system has been rebooted there is no problem. After having run
for about a day, and depending on how much data has been transferred from the
inside, I get lots of denied packets where it says that both src and dst
port are 65535.
Here's what a typical message looks like (reconstructed as I do not have
access to my exact logs):
messages:Jan 3 16:16:21 server kernel: Packet log: output DENY eth0 PROTO=6 x.x.x.x:65535 x.x.x.x:65535 L=48 S=0x00 I=38264 F=0x40B2 T=127 SYN (#?)
I also get these messages on my input chain, which are also being denied.
Depending on the direction either source or destination ip is my external ip
which is a ppp interface, connection via pppoe(adsl). The other ip is the
server ip which can be a webserver, ftp server ...
It's normal that these packets are denied as I do not allow access on those
ports, but I do not understand who is sending these packets. I assume they
are masq packets from inside, but when ipmasq reaches the highest port and
has to start using the first available ports again it does not seem to do so
very well.
Has anybody seen the same behaviour or can give me any insight on what the
problem could be?
Here is the important part of my rules (reconstructed as I do not have
access to my exact rules):
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_always_defrag
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose
# Enable anti-spoof protection
echo "1" > /proc/sys/net/ipv4/conf/ppp0/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/eth1/rp_filter
EXTERNAL="ppp+"
INTERNAL="eth1"
LOCALNET="10.0.1.0/24"
ANY="0.0.0.0/0"
# Default DENY on everything
/sbin/ipchains -P input DENY
/sbin/ipchains -P forward DENY
/sbin/ipchains -P output DENY
/sbin/ipchains -F
# Allow all packets not going into the external interface
/sbin/ipchains -A input -s $ANY -d $ANY -i ! $EXTERNAL -j ACCEPT
# Disallow incoming ICMP type 5 (redirect), 8 (echo-request) and 13 (timestamp request)
/sbin/ipchains -A input -p icmp -s $ANY 5 -d $ANY -i $EXTERNAL -j DENY -l
/sbin/ipchains -A input -p icmp -s $ANY 8 -d $ANY -i $EXTERNAL -j DENY -l
/sbin/ipchains -A input -p icmp -s $ANY 13 -d $ANY -i $EXTERNAL -j DENY -l
# But allow other types of ICMP
/sbin/ipchains -A input -p icmp -s $ANY -d $ANY -i $EXTERNAL -j ACCEPT
# Allow UDP
/sbin/ipchains -A output -p udp -s $ANY -d $ANY -i $EXTERNAL -j ACCEPT
# Allow IRC on port 113 in
/sbin/ipchains -A input -p tcp -s $ANY -d $ANY 113 -i $EXTERNAL -j ACCEPT
# Allow all packets without syn
/sbin/ipchains -A input -p tcp -s $ANY -d $ANY -i $EXTERNAL -j ACCEPT ! -y
# Deny the rest
/sbin/ipchains -A input -s $ANY -d $ANY -i $EXTERNAL -j DENY -l
echo "input ok"
################
# output rules #
################
# Allow all packets not going out the external interface
/sbin/ipchains -A output -s $ANY -d $ANY -i ! $EXTERNAL -j ACCEPT
# Allow UDP
/sbin/ipchains -A output -p udp -s $ANY -d $ANY 27000:28000 -i $EXTERNAL -j ACCEPT
# Allow basic services
/sbin/ipchains -A output -p tcp -s $ANY -d $ANY 80 -i $EXTERNAL -j ACCEPT
/sbin/ipchains -A output -p tcp -s $ANY -d $ANY 8080 -i $EXTERNAL -j ACCEPT
/sbin/ipchains -A output -p tcp -s $ANY -d $ANY 6667 -i $EXTERNAL -j ACCEPT
/sbin/ipchains -A output -p tcp -s $ANY -d $ANY 119 -i $EXTERNAL -j ACCEPT
# MASQ timeouts
/sbin/ipchains -M -S 7200 10 160
echo "output ok"
#################
# Forward rules #
#################
# Masquerade everything coming from 10.0.1.0 network
/sbin/ipchains -A forward -i $EXTERNAL -s 10.0.1.0/24 -j MASQ
echo "forward ok"
Regards,
Werner Brockhoven
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
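A small log triage script for the symptom described in the post above, as an added example that is not part of the original message. It parses 2.2-era ipchains "Packet log:" lines into their fields and flags the entries where both the source and destination port are 65535, grouped by chain, so the pattern can be counted rather than eyeballed. The sample log lines, addresses and rule numbers are constructed for the example; the masquerade port window (PORT_MASQ_BEGIN/PORT_MASQ_END, 61000 to 65096) is the assumed 2.2 kernel default.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Field layout of an ipchains "Packet log:" line: chain, target, interface,
# PROTO=, src:port, dst:port, L= length, S= TOS, I= IP id, F= fragment word,
# T= TTL, an optional " SYN" marker for TCP, then "(#n)" with the rule number.
# For ICMP the two "port" fields carry the ICMP type and code instead.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) "
    r"I=(?P<ipid>\d+) F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?P<syn>(?: SYN)?)"
)

# Assumed 2.2 kernel defaults for the masquerade port window (ip_masq.h).
PORT_MASQ_BEGIN = 61000
PORT_MASQ_END = 65096


@dataclass
class LogEntry:
    chain: str
    target: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool


def parse_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry for an ipchains packet log line, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return LogEntry(
        chain=m["chain"], target=m["target"], iface=m["iface"],
        proto=int(m["proto"]), src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), syn=bool(m["syn"]),
    )


def is_port_65535_anomaly(e: LogEntry) -> bool:
    """The symptom from the post: TCP with both ports equal to 65535."""
    return e.proto == 6 and e.sport == 65535 and e.dport == 65535


def outside_masq_range(port: int) -> bool:
    """True if a port cannot have been handed out by the 2.2 masq allocator
    under the assumed default window (65535 is outside it)."""
    return not (PORT_MASQ_BEGIN <= port < PORT_MASQ_END)


def summarize(lines: List[str]) -> dict:
    """Parse the lines and count the 65535:65535 entries per chain."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    anomalies = [e for e in entries if is_port_65535_anomaly(e)]
    return {
        "parsed": len(entries),
        "anomalous": len(anomalies),
        "by_chain": dict(Counter(e.chain for e in anomalies)),
    }


# Constructed sample lines in the same layout as the post's log message.
SAMPLE_LOG = [
    "Jan  3 16:16:21 server kernel: Packet log: output DENY eth0 PROTO=6 "
    "192.0.2.10:65535 198.51.100.80:65535 L=48 S=0x00 I=38264 F=0x40B2 T=127 SYN (#1)",
    "Jan  3 16:16:22 server kernel: Packet log: input DENY ppp0 PROTO=6 "
    "198.51.100.21:65535 192.0.2.10:65535 L=48 S=0x00 I=38265 F=0x4000 T=55 SYN (#7)",
    "Jan  3 16:16:30 server kernel: Packet log: input DENY ppp0 PROTO=1 "
    "203.0.113.5:8 192.0.2.10:0 L=84 S=0x00 I=1 F=0x0000 T=64 (#2)",
    "Jan  3 16:16:31 server kernel: eth0: link up",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        entry = parse_line(line)
        if entry and is_port_65535_anomaly(entry):
            print(f"65535:65535 on chain {entry.chain} via {entry.iface}: "
                  f"{entry.src} -> {entry.dst}")
    print(summarize(SAMPLE_LOG))
```

Feed it the matching lines from /var/log/messages (for example the output of grep "Packet log" messages) to see whether the 65535 entries cluster on one chain or interface; the outside_masq_range check makes the point that 65535 is not a port the masq allocator would normally hand out, which is worth knowing before blaming the wrap-around.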