Unofficial empeg BBS


#269059 - 08/11/2005 14:04 Help: Is my site accessible?
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14496
Loc: Canada
Hi,

I'm in the process of shifting DSL providers, and the IP address of rtr.ca. is changing (will take a few days..).

So.. is my webserver accessible today?

I just need a couple of people to point their browsers at the Home Docks page, and then post back here as to whether or not it worked.

Thanks.

#269060 - 08/11/2005 14:08 Re: Help: Is my site accessible? [Re: mlord]
cushman
veteran

Registered: 21/01/2002
Posts: 1380
Loc: Erie, CO
Not from here, DNS returns:

Name: rtr.ca
Address: 207.236.110.166
_________________________
Mark Cushman

#269061 - 08/11/2005 14:08 Re: Help: Is my site accessible? [Re: mlord]
BartDG
carpal tunnel

Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Not working at the moment for me. Connection is timing out.
Using Scarlet ISP in Belgium.

I'll try again in a few hours.
_________________________
Riocar 80gig S/N : 010101580 red
Riocar 80gig (010102106) - backup

#269062 - 08/11/2005 14:09 Re: Help: Is my site accessible? [Re: mlord]
robricc
carpal tunnel

Registered: 30/10/2000
Posts: 4931
Loc: New Jersey, USA
Not working for me.

I'm on Verizon DSL in NY.
_________________________
-Rob Riccardelli
80GB 16MB MK2 090000736

#269063 - 08/11/2005 14:13 Re: Help: Is my site accessible? [Re: mlord]
Roger
carpal tunnel

Registered: 18/01/2000
Posts: 5683
Loc: London, UK
Quote:
So.. is my webserver accessible today?


Not from here. nslookup gives:

Non-authoritative answer:
Name: rtr.ca
Address: 207.236.110.166
_________________________
-- roger

#269064 - 08/11/2005 14:18 Re: Help: Is my site accessible? [Re: mlord]
petteri
addict

Registered: 02/08/2004
Posts: 434
Loc: Helsinki, Finland
Not working from Miami, FL via Earthlink DSL. Timed out.

#269065 - 08/11/2005 14:24 Re: Help: Is my site accessible? [Re: Roger]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14496
Loc: Canada
Quote:
Quote:
So.. is my webserver accessible today?


Non-authoritative answer:
Name: rtr.ca
Address: 207.236.110.166


Yeah, that's the original IP address, and it is still connected, but I see no incoming traffic on it now. I can still use it to connect to the outside no problem, though. Weird.

Still broken now?

#269066 - 08/11/2005 14:28 Re: Help: Is my site accessible? [Re: mlord]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
Still broken, Mark.

Trying to connect from Rome. ISP: Fastweb.
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

#269067 - 08/11/2005 14:32 Re: Help: Is my site accessible? [Re: Taym]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14496
Loc: Canada
This is just too weird.

I can see the incoming connection attempts with "tcpdump". But my machine never replies.

Looking at my hand crafted firewall rules, they are supposed to LOG any TCP syn packets, before filtering stuff. NO logs. ARrrrrG!

Just for fun, try hitting my new IP address:

http://64.26.128.89/docks/

That probably works, or at least gets a reply from apache.

Mmm..

#269068 - 08/11/2005 14:35 Re: Help: Is my site accessible? [Re: mlord]
Attack
addict

Registered: 01/03/2002
Posts: 599
Loc: Florida
Not from here (FL)

DNS Stuff reports some DNS errors: some servers are timing out, others don't have an A record.
http://www.dnsstuff.com/tools/dnstime.ch?name=rtr.ca&type=A
_________________________
Chad

#269069 - 08/11/2005 14:35 Re: Help: Is my site accessible? [Re: mlord]
BartDG
carpal tunnel

Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Nope, that doesn't work either for me.
_________________________
Riocar 80gig S/N : 010101580 red
Riocar 80gig (010102106) - backup

#269070 - 08/11/2005 14:39 Re: Help: Is my site accessible? [Re: mlord]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
Mark, new IP address works, but

the requested URL /docks/ was not found on it.

http://64.26.128.89, instead, returns access denied. Both clearly mean the server is there, anyway.
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

#269071 - 08/11/2005 14:41 Re: Help: Is my site accessible? [Re: Taym]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14496
Loc: Canada
Yeah, thanks.

Some kind of dumb routing issue.

For now, I've turned off the new IP, so it's probably all working again.

-ml

#269072 - 08/11/2005 14:43 Re: Help: Is my site accessible? [Re: mlord]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
It is
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

#269073 - 08/11/2005 15:02 Re: Help: Is my site accessible? [Re: mlord]
Cybjorg
addict

Registered: 23/12/2002
Posts: 652
Loc: Winston Salem, NC
It's working from the Middle East.

#269074 - 08/11/2005 15:12 Re: Help: Is my site accessible? [Re: mlord]
crazymelki
enthusiast

Registered: 16/02/2001
Posts: 373
Loc: Switzerland
It works from Switzerland!

bye
_________________________
crazymelki.com

#269075 - 08/11/2005 15:27 Re: Help: Is my site accessible? [Re: crazymelki]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14496
Loc: Canada
Okay, thanks.

I've undone my changes from last night, so things are fine for the moment.

But I'll ask for more help in a bit, once I read up some on routing with multiple upstream links.

Thanks.

#269076 - 08/11/2005 16:23 Re: Help: Is my site accessible? [Re: mlord]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14496
Loc: Canada
How about now: what does this do:

http://rtr.ca/ <-- probably is fine

and what does this do:

http://64.26.128.89/ <--- probably not fine, but does it timeout, or give an error back instead?

thanks

#269077 - 08/11/2005 16:27 Re: Help: Is my site accessible? [Re: mlord]
Attack
addict

Registered: 01/03/2002
Posts: 599
Loc: Florida
Quote:
How about now: what does this do:

http://rtr.ca/ <-- probably is fine



This is fine

Quote:

and what does this do:

http://64.26.128.89/ <--- probably not fine, but does it timeout, or give an error back instead?

thanks


Access Denied
You don't have permission to access the requested object. It is either read-protected or not readable by the server.
_________________________
Chad

#269078 - 08/11/2005 16:28 Re: Help: Is my site accessible? [Re: Attack]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14496
Loc: Canada
Quote:

Access Denied
You don't have permission to access the requested object. It is either read-protected or not readable by the server.


Oh, good! That might mean I've actually fixed things (apart from apache itself).

Thanks.

#269079 - 08/11/2005 19:34 Re: Help: Is my site accessible? [Re: mlord]
petteri
addict

Registered: 02/08/2004
Posts: 434
Loc: Helsinki, Finland
Quote:
How about now: what does this do:

http://rtr.ca/ <-- probably is fine

and what does this do:

http://64.26.128.89/ <--- probably not fine, but does it timeout, or give an error back instead?

thanks


I'm getting

"Access Denied
You don't have permission to access the requested object. It is either read-protected or not readable by the server."

to both of the above links.

#269080 - 08/11/2005 19:49 Re: Help: Is my site accessible? [Re: petteri]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14496
Loc: Canada
Okay, one more time: DNS is updated now, and my site *should* be responding to pings to both addresses: 207.236.110.166 (old), and 64.26.128.89 (new).

Web access direct to either address should give an apache error ("access denied"), rather than a simple timeout..

Web access directly to rtr.ca, via a nameserver that knows about it, should work. But that will take a day or so to propagate. Meanwhile, I might try to fix my apache config to work regardless..

Can you folks ping me? What does a hostname lookup resolve to for "rtr.ca" ?

Thanks again!

#269081 - 08/11/2005 20:02 Re: Help: Is my site accessible? [Re: mlord]
ricin
veteran

Registered: 19/06/2000
Posts: 1495
Loc: US: CA
Code:

# host rtr.ca 206.13.31.12
Using domain server:
Name: 206.13.31.12
Address: 206.13.31.12#53
Aliases:

rtr.ca has address 64.26.128.89

# host rtr.ca 206.13.28.12
Using domain server:
Name: 206.13.28.12
Address: 206.13.28.12#53
Aliases:

rtr.ca has address 64.26.128.89

# host rtr.ca 4.2.2.1
Using domain server:
Name: 4.2.2.1
Address: 4.2.2.1#53
Aliases:

rtr.ca has address 64.26.128.89

# host rtr.ca 216.231.41.2
Using domain server:
Name: 216.231.41.2
Address: 216.231.41.2#53
Aliases:

rtr.ca has address 64.26.128.89

# host rtr.ca 64.81.79.2
Using domain server:
Name: 64.81.79.2
Address: 64.81.79.2#53
Aliases:

rtr.ca has address 207.236.110.166

_________________________
Donato
MkII/080000565
MkIIa/010101253
ricin.us

#269082 - 08/11/2005 20:19 Re: Help: Is my site accessible? [Re: ricin]
JBjorgen
carpal tunnel

Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
I get access denied when I visit rtr.ca. My nameserver is pointing to 207.236.110.166.
_________________________
~ John

#269083 - 08/11/2005 20:28 Re: Help: Is my site accessible? [Re: JBjorgen]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14496
Loc: Canada
Quote:
I get access denied when I visit rtr.ca. My nameserver is pointing to 207.236.110.166.


Cool. Does it work now?

Thanks

#269084 - 08/11/2005 20:49 Re: Help: Is my site accessible? [Re: mlord]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14496
Loc: Canada
Here's a question for Bitt, or anyone else versed in ip routing..

So my new setup is temporarily using BOTH xDSL lines. One of the lines hosts my domain at the new address, the other still responds to the old address for the time being.

The same firewall machine provides NAT for the internal network, and hosts a webserver (rtr.ca).

None of my internal machines can even ping (let alone surf) the webserver using either external address. This means that I get NOTHING when I click on the "Home Docks" link at the top of this page. Pinging/surfing the internal address (third NIC) works okay. This is not a firewall config issue (no logs), but rather a routing issue of some kind.

What must I do to make this work?

Current routing table is below, where 10.0.0.2 is the firewall machine, eth1 (10.0.0.2) is the internal NIC, and eth0 and ppp0 are the external interfaces:
Code:
[zippy:/] ip route

64.26.128.1 dev ppp0  scope link  src 64.26.128.89
207.236.110.0/24 dev eth0  scope link  src 207.236.110.166
10.0.0.0/8 dev eth1  scope link  src 10.0.0.2
default
	nexthop via 207.236.110.1  dev eth0 weight 1
	nexthop via 64.26.128.1  dev ppp0 weight 1



Edited by mlord (08/11/2005 20:53)

#269085 - 08/11/2005 20:56 Re: Help: Is my site accessible? [Re: mlord]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
So, to be clear, you're trying to use your internal machines to connect to an external IP address that's actually a NATted address for an internal machine, right?

Yeah, that's not going to work.

There's no good reason for it not to work beyond "people who write NATs don't bother to implement that case". You'll need to run two DNS servers, one for your internal clients so that they can get the internal IP addresses for your hostnames and one for the rest of the world.

Alternately, you could look for NAT software that implements that case properly, but they're few and far between, if they exist at all, and if they do, I don't know which they are.

Or is the firewall and the webserver the same machine? If that's the case, it should work, but you may be hitting on the problem above. If so, you should be able to reconfigure your firewall to not NAT when going to the globally routed addresses that are on the NAT machine.


Edited by wfaulk (08/11/2005 21:00)
_________________________
Bitt Faulk

#269086 - 08/11/2005 20:58 Re: Help: Is my site accessible? [Re: mlord]
Mataglap
enthusiast

Registered: 11/06/2003
Posts: 384
Many, possibly it's even fair to say most, NAT implementations behave the way you describe: traffic from behind the NAT to a public IP address in the same subnet as the NAT address simply doesn't work.

It's almost always not a routing issue but rather a limitation of the firewall implementation that really should have been addressed a long time ago, but many implementations -- even "enterprise" class gear -- still don't work around it.

--Nathan

#269087 - 08/11/2005 21:05 Re: Help: Is my site accessible? [Re: mlord]
Mataglap
enthusiast

Registered: 11/06/2003
Posts: 384
Quote:
Okay, one more time: DNS is updated now, and my site *should* be responding to pings to both addresses: 207.236.110.166 (old), and 64.26.128.89 (new).


Code:
[nathan@heorot nathan]$ dig rtr.ca

; <<>> DiG 9.2.1 <<>> rtr.ca
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28501
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2

;; QUESTION SECTION:
;rtr.ca. IN A

;; ANSWER SECTION:
rtr.ca. 23604 IN A 207.236.110.166

;; AUTHORITY SECTION:
rtr.ca. 23604 IN NS ns2.granitecanyon.com.
rtr.ca. 23604 IN NS ns1.rtr.ca.
rtr.ca. 23604 IN NS ns1.granitecanyon.com.

;; ADDITIONAL SECTION:
ns1.granitecanyon.com. 153208 IN A 205.166.226.38
ns2.granitecanyon.com. 153208 IN A 69.67.108.10

;; Query time: 27 msec
;; SERVER: 192.168.168.2#53(192.168.168.2)
;; WHEN: Tue Nov 8 15:00:37 2005
;; MSG SIZE rcvd: 143

[nathan@heorot nathan]$



So the new address is out there, but because of the TTL for the record anyone who did a lookup and got the old address is going to have to wait ~23604 seconds before that lookup expires from their local cache. (Or get their DNS server flushed, but most operators won't do that.)

So the folks who have been helpful before aren't going to be able to be of much help until that TTL expires.

--Nathan

#269088 - 08/11/2005 21:23 Re: Help: Is my site accessible? [Re: wfaulk]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14496
Loc: Canada
Quote:
So, to be clear, you're trying to use your internal machines to connect to an external IP address that's actually a NATted address for an internal machine, right?


My gateway machine has 2 external addresses, and one internal address. The internal address connects to our internal LAN. Clients on the internal LAN would like to be able to access the external IP addresses of the gateway machine.

This actually worked, until I modified the routing tables to accept traffic from both external interfaces, but now it does not work. It had been working for years.

Once the nameservers finally update and everyone stops using the old external address, I can disconnect that link, restore the original very simple routing table, and my inside clients should again be able to access the external IP addresses of the gateway. But I'd like to have it working regardless, in case I decide to keep both external IP connections..

Cheers

#269089 - 08/11/2005 21:31 Re: Help: Is my site accessible? [Re: mlord]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
To be honest, you're not providing quite enough information. The important thing here is whether the external IP addresses are doing incoming NAT for a web server that exists on the private network or if the web server is actually on the machine that has those external IP addresses.

I think my initial assumption was incorrect (that it was NATting the web server), but I added another possibility with an edit. Maybe you read my post before I finished the edit. Go back and see if it makes any sense to you: the unintentional and unneeded NAT of the internal machines to the web server addresses.


Edited by wfaulk (08/11/2005 21:32)
_________________________
Bitt Faulk

#269090 - 08/11/2005 21:45 Re: Help: Is my site accessible? [Re: wfaulk]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14496
Loc: Canada
Quote:
To be honest, you're not providing quite enough information. The important thing here is whether the external IP addresses are doing incoming NAT for a web server that exists on the private network or if the web server is actually on the machine that has those external IP addresses.


The web server is actually on the machine that has those external IP addresses, and normally responds to requests from any addresses.

This is different from how "the masses" do it, because "the masses" would be using a little internet gateway/router to do it all, and they would have no choice but to DNAT their servers. Here, we have a full fledged Linux box, so it can self-host whatever.

Thanks Bitt!

#269091 - 08/11/2005 23:40 Re: Help: Is my site accessible? [Re: mlord]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Did that help? Nothing else pops into my head about why it wouldn't work, but the fact that the only thing you did to make it break was add an interface doesn't really help my hypothesis.

If that's not it, you could try a network snoop and see what packets happen. The router might be getting confused and sending it out of the wrong interface for some reason, or maybe it doesn't want to generate traffic from external addresses pointed to the internal interface, despite that being a perfectly valid thing to do.
_________________________
Bitt Faulk

#269092 - 08/11/2005 23:54 Re: Help: Is my site accessible? [Re: wfaulk]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14496
Loc: Canada
It's pretty weird.

The same firewall rules work when I deconfigure the second external interface. So I think the firewall is okay.

tcpdump shows the packets arriving at the gateway on the LAN interface, but they appear to die there, even before the Linux iptables firewall gets to see them (it NEVER sees them).

So, a routing problem.

Cheers

#269093 - 09/11/2005 00:17 Re: Help: Is my site accessible? [Re: mlord]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Huh? You see the packets enter the machine that's intended to receive the packets, but no one answers them? That's not a routing problem. If the packet reaches the machine that it's destined for, routing is done.

Reasons the packet is not being processed could be that the IP stack doesn't think it's destined for that machine or the firewall could be dropping the packet. Sometimes there are rules that drop packets that come in on the "wrong" interface in order to prevent an attacker from sending a packet to your public interface with a private address on it. You might want to look into that.
_________________________
Bitt Faulk

#269094 - 09/11/2005 00:45 Re: Help: Is my site accessible? [Re: wfaulk]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14496
Loc: Canada
Quote:
Huh? You see the packets enter the machine that's intended to receive the packets, but no one answers them? That's not a routing problem. If the packet reaches the machine that it's destined for, routing is done.


Not quite. The packet arrives on the LAN interface of the gateway machine, but is not targeted to the LAN IP address, rather it is destined for one of the external IP addresses. As a result, the kernel might think it needs to forward it, or it might be killing it off due to low-level IP filtering. Or at least I think so.

When I first set up the twin interfaces, I had the same issue with packets coming in from the outside --> all incoming connection attempts were being dropped on the floor, and the firewall could NOT see them arriving, even though tcpdump could see them.

I fixed the routing tables (left the firewall config as-was), and that problem went away.

I really don't understand routing, or perhaps it just doesn't happen the way I think it should.

Cheers


Edited by mlord (09/11/2005 00:47)

#269095 - 09/11/2005 01:25 Re: Help: Is my site accessible? [Re: mlord]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Well, I think you're including kernel IP stack filtering in with routing. I'm not really all that familiar with the Linux IP stack, and whatever they're calling the NAT/firewall module these days changes it a lot anyway. On most OSes I know of, the kernel doesn't care what interface a packet came in on when it receives it; it either deals with it if it's an IP it has, forwards it if not and forwarding is enabled, and otherwise it drops it. Firewalls change that a lot, and not knowing the ins and outs of the firewall you're using, I can't tell you exactly what. Of course, firewalls also modify the OS's normal routing, and it's certainly possible that modifying the firewall routing also modifies other parts of the stack, too. Basically what I'm saying at this point is that all normal, established IP knowhow is thrown out of the window when you're dealing with a firewall and you have to know the ins and outs of the firewall itself.

Nothing you've described is wrong. It's just that the Linux firewall doesn't like it for some reason. I've had virtually the same setup with OpenBSD and not had this problem at all. It's just quirky.
_________________________
Bitt Faulk

#269096 - 09/11/2005 10:39 Re: Help: Is my site accessible? [Re: wfaulk]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14496
Loc: Canada
Okay, this is WAAAAYYYY too weird now.

It all works today, after a mere good night's sleep, with no changes made.

Cheers

#269097 - 09/11/2005 10:53 Re: Help: Is my site accessible? [Re: mlord]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
Quote:

It all works today, after a mere good night's sleep, with no changes made.



That would be the Routing Fairy at work. You did leave a cross-over cable under your pillow as payment didn't you ?
_________________________
Remind me to change my signature to something more interesting someday

#269098 - 09/11/2005 11:04 Re: Help: Is my site accessible? [Re: andy]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14496
Loc: Canada
I guess "ip route flush" doesn't do what I thought it should do, eh! Now I really don't understand routing..

Quote:
That would be the Routing Fairy at work. You did leave a cross-over cable under your pillow as payment didn't you ?

Yes, of course! One of my super special cross-over cables, too!



Attachment: 269114-xover.jpg



Edited by mlord (09/11/2005 11:08)

#269099 - 09/11/2005 11:19 Re: Help: Is my site accessible? [Re: mlord]
JBjorgen
carpal tunnel

Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
Quote:
Cool. Does it work now?


Yes.
_________________________
~ John

#269100 - 11/11/2005 02:29 Re: Help: Is my site accessible? [Re: mlord]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14496
Loc: Canada
Okay, today I rebooted the server (kernel upgrade), and rebooted my notebook computer too (also a kernel change).

Now, my notebook can no longer ping/access rtr.ca again!

Maybe it will cure itself overnight again.. ?

#269101 - 11/11/2005 05:41 Re: Help: Is my site accessible? [Re: mlord]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
Quote:

Maybe it will cure itself overnight again.. ?


Now your Routing Fairy has its own cross-over cable you will need to leave out an alternative offering...
_________________________
Remind me to change my signature to something more interesting someday

#269102 - 11/11/2005 05:57 Re: Help: Is my site accessible? [Re: mlord]
bonzi
pooh-bah

Registered: 13/09/1999
Posts: 2401
Loc: Croatia
Works for me...
_________________________
Dragi "Bonzi" Raos Q#5196 MkII #080000376, 18GB green MkIIa #040103247, 60GB blue

#269103 - 11/11/2005 14:47 Re: Help: Is my site accessible? [Re: andy]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14496
Loc: Canada
Hehh

Okay, my education in routing continues.. I just discovered the multiple "OUTPUT" chains in the kernel firewall, and found my missing packets getting DROPed on one of them.

The routing tables were trying to send replies from my "external IPs" out the external NICs, as they normally should do. But when my internal LAN clients connect to my external IPs, the replies have to be sent back via the internal NIC, not the external NICs.

A routing nightmare for a novice such as myself.

So I patched in the ipt_ROUTE target module to my kernel, and then did this:
Code:

iptables -A OUTPUT -t mangle -s $EXT_IP1 -d $LAN_SUBNET -j ROUTE --oif $LAN_NIC
iptables -A OUTPUT -t mangle -s $EXT_IP2 -d $LAN_SUBNET -j ROUTE --oif $LAN_NIC


And all is well again. I just wish I understood the "ip route/rule" syntax well enough to do it properly that way, rather than via mangle rules in the firewall script.

Cheers

#269104 - 11/11/2005 15:29 Re: Help: Is my site accessible? [Re: mlord]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
The reason you can't do that, as I've said many times, is that it's the firewall (or probably, more precisely, the NATting) that's causing the problem, not the routing. If you didn't have the firewall/NAT in place, it would all work fine as you configured it. Since it's the firewall/NAT that's causing the problem, you have to fix the firewall/NAT to fix the problem.
_________________________
Bitt Faulk

#269105 - 11/11/2005 15:42 Re: Help: Is my site accessible? [Re: wfaulk]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14496
Loc: Canada
Quote:
The reason you can't do that, as I've said many times, is that it's the firewall (or probably, more precisely, the NATting) that's causing the problem, not the routing. If you didn't have the firewall/NAT in place, it would all work fine as you configured it. Since it's the firewall/NAT that's causing the problem, you have to fix the firewall/NAT to fix the problem.


That's not consistent with observed behaviour.

The reason I'm having this problem is that my site has TWO external NICs, with individual external IP addresses. To make that work, I had to add source routing rules, to ensure that connections initiated on one of those external NICs, would have their entire connection happen on that same NIC. Otherwise, clients from the internet were unable to visit my servers.

But a consequence of using those routing entries was that it cut off access to my external IP addresses from within our internal LAN. Even with all firewall rules removed, and the policies set to ACCEPT, internal clients were still unable to access the external IP addresses. EDIT: there is no NAT happening for LAN access to servers running on my external IP addresses.

When I only had one external NIC, the routing table was much simpler, with no source based routing entries. So my internal LAN clients had no issues accessing the external IPs.

So, I've fixed it with a firewall rule kludge, simply because that's the hammer I (mostly) understand. But a routing table fix would be far better.

Cheers


Edited by mlord (11/11/2005 15:50)

#269106 - 11/11/2005 15:47 Re: Help: Is my site accessible? [Re: mlord]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14496
Loc: Canada
Oh, and just to add to the confusion:

I also have anti-IP-address-spoofing enabled in the kernel. This was also getting in the way, because my PPPoE DSL modem (the new external IP connection) loops internally to eth2. If I turn on the spoofing filter for eth2, this then prevents the LAN clients from talking with the external IPs of the firewall machine.

This led to the following kernel settings:
Code:

# Enable(1) IP spoofing filters
for nic in /proc/sys/net/ipv4/conf/* ; do
    echo 0 > $nic/accept_source_route   # disabled source routed packets
    echo 1 > $nic/rp_filter             # prevent IP spoofing
done
# Note: how conf/all/rp_filter combines with the per-interface value depends on
# kernel version (older kernels AND the two together, newer ones take the larger).
echo 0 >/proc/sys/net/ipv4/conf/all/rp_filter          # The DSL nic *must* allow spoofing
echo 0 >/proc/sys/net/ipv4/conf/${DSL_NIC}/rp_filter   # The DSL nic *must* allow spoofing


Note that the last two lines were only necessary because I have a non-zero IP address assigned to the ${DSL_NIC} (eth2), so that I can access the management interface of the DSL modem itself. If instead I used 0.0.0.0 as the IP address (etc..), then I don't think the spoofing filter would have cared.

Whew!


Edited by mlord (11/11/2005 15:48)

#269107 - 11/11/2005 15:56 Re: Help: Is my site accessible? [Re: mlord]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Oh, that's the part I was missing. Source-based routing is not a normal part of any standard IP stack. I'm not even sure if it's available on commercial-grade routers by default. It goes against the IP specification. If it's not part of the NAT module for Linux, it's another addition beyond the normal IP stack. That said, I suppose if you have it set up to route all packets from an IP address out of the external interface, of course it's going to go out of the external interface. You need a rule that would take precedence. I don't know how the source-based routing works under Linux, but see if you can get it to apply only for the default destination route so that any static routes you have (like your directly-connected 10.whatever network) will take precedence in the routing table. It's bound to interact with the normal priority routing system in some way.

In fact, you shouldn't have to do that source-based routing except for that your ISPs (or theirs) have intentionally broken open routing by denying packets whose source addresses aren't in their whitelist.

I suppose it's hard to say which of these things is the most broken.
_________________________
Bitt Faulk

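A policy-routing version of what mlord did with ipt_ROUTE mangle rules (and the "ip route/rule" approach he said he'd prefer), shaped the way Bitt suggests: a destination rule for the LAN that takes precedence over the per-uplink source rules. This is an added example, not code posted by anyone in the thread; it reuses the addresses and interfaces from mlord's routing table, while the table numbers 101/102, the rule priorities, the sample LAN client 10.0.0.5 and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Dual-uplink policy routing for a Linux gateway that hosts services on
# both external IPs and must still answer LAN clients via the LAN NIC.
# Addresses/interfaces are from the thread; table numbers, priorities,
# the sample client and DRY_RUN are assumptions of this example.

EXT_IP1=207.236.110.166; GW1=207.236.110.1; NIC1=eth0; NET1=207.236.110.0/24
EXT_IP2=64.26.128.89;    GW2=64.26.128.1;   NIC2=ppp0
LAN_SUBNET=10.0.0.0/8;   LAN_NIC=eth1

# DRY_RUN=1 (the default here) prints each command instead of running it;
# run as root with DRY_RUN=0 to apply on the gateway.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# One routing table per uplink: the link route plus that link's default.
# The main table keeps the connected routes, including 10.0.0.0/8 on eth1.
setup_uplink_tables() {
    run ip route add "$NET1" dev "$NIC1" src "$EXT_IP1" table 101
    run ip route add default via "$GW1" dev "$NIC1" table 101
    run ip route add "$GW2" dev "$NIC2" src "$EXT_IP2" table 102
    run ip route add default via "$GW2" dev "$NIC2" table 102
}

# Rules are tried in ascending priority. Priority 100 sends anything
# addressed to the LAN through the main table BEFORE the source-based
# rules, so a reply from an external IP to a LAN client leaves via eth1
# instead of being forced out eth0/ppp0 by the source match. The same
# rule set is used for rp_filter's reverse-path lookup, so the LAN
# client's packet arriving on eth1 also passes the anti-spoofing check.
setup_rules() {
    run ip rule add to "$LAN_SUBNET" lookup main priority 100
    run ip rule add from "$EXT_IP1" lookup 101 priority 200
    run ip rule add from "$EXT_IP2" lookup 102 priority 201
    run ip route flush cache
}

# Ask the kernel which interface a reply from each external IP to a LAN
# client would take; the answer must name $LAN_NIC, not eth0 or ppp0.
check_reply_path() {
    client=${1:-10.0.0.5}    # assumed sample LAN client
    run ip route get "$client" from "$EXT_IP1" iif "$LAN_NIC"
    run ip route get "$client" from "$EXT_IP2" iif "$LAN_NIC"
}

setup_uplink_tables
setup_rules
check_reply_path
```

After applying with DRY_RUN=0, `ip rule show` and `ip route show table 101` (or 102) confirm the result, and the two `ip route get` lines should each report `dev eth1`.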
#269108 - 11/11/2005 18:25 Re: Help: Is my site accessible? [Re: wfaulk]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
Quote:

In fact, you shouldn't have to do that source-based routing except for that your ISPs (or theirs) have intentionally broken open routing by denying packets whose source addresses aren't in their whitelist.



In the UK this applies to pretty much all broadband users. British Telecom, who supply the lion's share of ADSLs in the UK, decided some time ago to add source filtering to much of their core network, thereby breaking the setup for a whole load of people bonding two lines.
_________________________
Remind me to change my signature to something more interesting someday

#269109 - 11/11/2005 18:36 Re: Help: Is my site accessible? [Re: andy]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Yeah, I'd be surprised if there were any residential providers over here who don't block that way. It'd certainly be better to assume that that's the way they do it. That doesn't mean that they haven't intentionally broken standards-based routing on the Internet, though.
_________________________
Bitt Faulk
