Firewall Problem

zamrg, Senior Member (joined Oct 19, 2005, Cape Town)
I'm having problems with a firewall running on my server PC. It's quite a weird setup, so bear with me :)

I have an Ubuntu Hardy server pc with a single network card (eth0) that dials up 2 pppoe connections, ppp0 (international) and ppp1 (local), and then splits the traffic over the 2 connections. I managed to get it to split local and int traffic by adapting the rt script for ipcop which I found on the forum.

I'm using shorewall to configure my firewall and am using this pc as a gateway/firewall/router to allow all other pcs on my network to access the internet. The pppoe connections are established using an old router in bridge mode which is also a wireless access point for the network.

I have the following configuration in shorewall:

zones
Code:
#ZONE	TYPE		OPTIONS		IN			OUT
#					OPTIONS			OPTIONS
fw	firewall
net	ipv4
loc	ipv4

interfaces
Code:
#ZONE	INTERFACE	BROADCAST	OPTIONS
net	ppp0		-
net	ppp1		-
loc	eth0	detect	tcpflags

policy
Code:
#SOURCE		DEST		POLICY		LOG		LIMIT:BURST
#						LEVEL
fw		net		ACCEPT
fw		loc		ACCEPT
loc		net		ACCEPT
net	all	DROP
all		all		REJECT		info

masq
Code:
#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
ppp0			eth0		$PPP0_IP
ppp1			eth0		$PPP1_IP
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

params
Code:
PPP0_IP=$(find_first_interface_address ppp0)
PPP1_IP=$(find_first_interface_address ppp1)

rules
Code:
#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
#							PORT	PORT(S)		DEST		LIMIT		GROUP
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION NEW
COMMENT allow green to ping fw
Ping/ACCEPT	all		fw
COMMENT allow green to access local services on fw
DNS/ACCEPT	loc		fw
HTTP/ACCEPT	all	fw
HTTPS/ACCEPT	all	fw
SSH/ACCEPT	all		fw
NTP/ACCEPT	loc		fw
SMB/ACCEPT	loc		fw
Webmin/ACCEPT	all		fw
ACCEPT	all	fw	tcp	6667
COMMENT sabnzbd web interface
ACCEPT	all	fw	tcp	8080
COMMENT dhcp server
ACCEPT	loc	fw	udp	67:68
COMMENT ntop web interface
ACCEPT	all	fw	tcp	3000
COMMENT znc irc bouncer
ACCEPT	loc	fw	tcp	1337
ACCEPT	loc	fw	tcp	1338
COMMENT route green through transparent proxy on fw
HTTP/REDIRECT	loc		8081		tcp	www	-		!192.168.1.100

I know this is really weird setup having the server pc effectively use eth0 as a red and green interface but it's just a test environment.

I am able to access the machine remotely using the ppp1 (local) IP and ping it on this IP; however, if I try to use the ppp0 (international) IP, no packets are logged and I get no response.

I'm definitely no network and linux expert but would really appreciate some help here.
 
I have included a copy of my ifconfig...

Code:
eth0      Link encap:Ethernet  HWaddr 00:1d:7d:70:d6:04  
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21d:7dff:fe70:d604/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7316507 errors:0 dropped:1223802159 overruns:0 frame:0
          TX packets:11236517 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3061488713 (2.8 GB)  TX bytes:1263545923 (1.1 GB)
          Interrupt:221 Base address:0x8000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1826605 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1826605 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:393799050 (375.5 MB)  TX bytes:393799050 (375.5 MB)

ppp0      Link encap:Point-to-Point Protocol  
          inet addr:41.240.30.XXX  P-t-P:41.240.64.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:18828 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18703 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:13238035 (12.6 MB)  TX bytes:3655975 (3.4 MB)

ppp1      Link encap:Point-to-Point Protocol  
          inet addr:165.146.240.XXX  P-t-P:165.146.180.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:143614 errors:0 dropped:0 overruns:0 frame:0
          TX packets:138943 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:104129085 (99.3 MB)  TX bytes:31871599 (30.3 MB)
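The `rules` file above is worth reading for what it exposes, not only for what fails. The COMMENT lines say "allow green to ...", but several rules use `all` as the source, which in Shorewall matches every zone, including `net`. The following is an added example, not from the post or from Shorewall itself: it parses the posted rules (embedded as sample input) and lists the services the firewall accepts from the Internet. The macro-to-port table is an assumption for the example; Shorewall's real macro definitions live in its `macro.*` files. Note also that the `net all DROP` policy has no LOG LEVEL, so packets dropped by that policy will never appear in the log.

```python
"""Audit which services a Shorewall 'rules' file exposes to which zones.

Added illustration, not from the original post.  It parses the rules the
poster listed (embedded below as sample input, COMMENT lines included) and
reports every service the firewall ('fw') accepts from 'all', i.e. from the
'net' zone as well as 'loc'.  Macro names such as SSH/ACCEPT are mapped to
ports with a small table that is an assumption of this example, not
Shorewall's real macro files.
"""
from collections import defaultdict

# Ports the common Shorewall macros open.  Assumed values for illustration;
# the real definitions live in /usr/share/shorewall/macro.*.
MACRO_PORTS = {
    "Ping": "icmp/echo-request",
    "DNS": "udp,tcp/53",
    "HTTP": "tcp/80",
    "HTTPS": "tcp/443",
    "SSH": "tcp/22",
    "NTP": "udp/123",
    "SMB": "udp/137-139,tcp/139,445",
    "Webmin": "tcp/10000",
}

# The rules as posted in the thread (sample input for this example).
RULES = """\
#ACTION SOURCE DEST PROTO DEST
#SECTION NEW
COMMENT allow green to ping fw
Ping/ACCEPT all fw
COMMENT allow green to access local services on fw
DNS/ACCEPT loc fw
HTTP/ACCEPT all fw
HTTPS/ACCEPT all fw
SSH/ACCEPT all fw
NTP/ACCEPT loc fw
SMB/ACCEPT loc fw
Webmin/ACCEPT all fw
ACCEPT all fw tcp 6667
COMMENT sabnzbd web interface
ACCEPT all fw tcp 8080
COMMENT dhcp server
ACCEPT loc fw udp 67:68
COMMENT ntop web interface
ACCEPT all fw tcp 3000
COMMENT znc irc bouncer
ACCEPT loc fw tcp 1337
ACCEPT loc fw tcp 1338
COMMENT route green through transparent proxy on fw
HTTP/REDIRECT loc 8081 tcp www - !192.168.1.100
"""


def parse_rules(text):
    """Return (source, dest, service) for each ACCEPT rule.

    Shorewall rule lines are whitespace separated; '#' starts a comment and
    COMMENT lines only label the rules that follow.  'service' is the macro's
    ports for MACRO/ACCEPT lines and 'proto/port' for explicit rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("COMMENT"):
            continue
        fields = line.split()
        action = fields[0]
        macro = None
        if "/" in action:
            macro, action = action.split("/", 1)
        if action != "ACCEPT":
            continue  # REDIRECT, DNAT etc. do not open a service on fw
        source, dest = fields[1], fields[2]
        if macro:
            service = MACRO_PORTS.get(macro, macro)
        else:
            proto = fields[3] if len(fields) > 3 else "all"
            port = fields[4] if len(fields) > 4 else "any"
            service = f"{proto}/{port}"
        rules.append((source, dest, service))
    return rules


def exposure(rules, zones=("net", "loc")):
    """Map each zone to the set of fw services it may reach.

    'all' matches every zone, so anything accepted from 'all' is reachable
    from the Internet ('net') as well as from the LAN ('loc')."""
    reach = defaultdict(set)
    for source, dest, service in rules:
        if dest != "fw":
            continue
        for zone in zones:
            if source in ("all", zone):
                reach[zone].add(service)
    return reach


def internet_exposed(text):
    """Sorted list of fw services reachable from the 'net' zone."""
    return sorted(exposure(parse_rules(text))["net"])


if __name__ == "__main__":
    for svc in internet_exposed(RULES):
        print("reachable from net:", svc)
```

Run against the posted file, this lists SSH, Webmin, the sabnzbd and ntop web interfaces, port 6667, HTTP, HTTPS and ping as reachable from both PPPoE links; changing those sources from `all` to `loc` keeps them LAN-only.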
 
Well, your route -n does produce the correct output, so the addresses should get routed through the correct interface.
Never mind the "Can you post the contents of the /etc/ppp/peers/ international and local config file?" part
 
But from what I understand you can "telnet" into the server via your 165 address but not from the 41 address.
It sounds like the international IP simply does not reach it, going inbound.
 
Yes, that's the problem here. I just can't access any open ports from my international IP.

I have 2 /etc/ppp/peers dialups, international and local

international
Code:
# Minimalistic default options file for DSL/PPPoE connections

noipdefault
defaultroute
replacedefaultroute
hide-password
#lcp-echo-interval 30
#lcp-echo-failure 4
noauth
persist
#mtu 1492
#persist
#maxfail 0
#holdoff 20
plugin rp-pppoe.so eth0
user "***@axxess.co.za"
#usepeerdns

local
Code:
# Minimalistic default options file for DSL/PPPoE connections

noipdefault
#defaultroute
#replacedefaultroute
hide-password
#lcp-echo-interval 30
#lcp-echo-failure 4
noauth
#persist
#mtu 1492
#persist
#maxfail 0
#holdoff 20
plugin rp-pppoe.so eth0
user "***@dsl.2gbsh.telkomsa.net"
#usepeerdns
 
Have you set your firewall to log all connections? From your outputs it doesn't look like it is set to log connections.
Your pppoe connections are fine, so the issue lies somewhere with (I'm assuming and hoping) your firewall and routing.
Can you describe the routing you have done to allow remote admin from your [local] connection? It is possible that you have not allowed the 41 IP range to connect?
 
The only routing I have is for the local and international IPs over the 2 pppoe connections. I then have the open ports as above, like Ping/ACCEPT all fw, which should allow connections from anything to the firewall, but as you can see I can only ping the local IP and not the international one. Is there perhaps something wrong with the firewall setup?
 
It does sound like it is something on the firewall setup. It should by default work, though. Since you have ping enabled, it should definitely be working.
 
*bump*

I know we got some linux boffs here and am desperately in need of help here. I tried posting on the ubuntu support forums but have so far received 0 responses.
 
I know this is really weird setup having the server pc effectively use eth0 as a red and green interface but it's just a test environment.

You're really using eth0 as GREEN and ppp0 and ppp1 as RED. The fact that the traffic's going over the same cable (i.e. the one plugged into your NIC) has little to do with it.

I am able to access the machine remotely using the ppp1 (local) ip and ping it on this ip, however if I try use the ppp0 (international) ip, no packets are logged and I get no response.
Your answer lies in the routes. I've had to do this a few times on web servers that had more than one public IP on the same network and with the same gateway, but on separate NICs. Unfortunately this was some years ago so I don't remember the specifics, and I don't have any of the components required to reproduce that setup (two connections, or a Linux box for that matter). The problem in my case was that the server was trying to respond via the wrong interface.

Question, the IP you're connecting from, is that in your local routes? Can you connect to this IP from your firewall? If so, can you traceroute it (might have to do that with a -I) to be sure it leaves via the correct interface?
 
Yes, the IP I'm connecting from is a local IP which falls into a local subnet, and hence is routed through the ppp1 (local) interface. When I try an international IP, it should be routed through the ppp0 (international) interface, as the default route for all other IPs not listed to go through local is to go through the international one.

I don't think 2 connections over 1 eth0 interface is what the problem is, since I can reproduce this setup on Windows with routesentry and it works fine.
 
I don't think 2 connections over 1 eth0 interface is what the problem is, since I can re-produce this setup on windows with routesentry and it works fine.

I didn't say it is. Your ppp0 and ppp1 connections do not go via eth0, they go via the physical device (the included tools to set it up make this mistake too).
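The reply above suspects the box answers via the wrong interface, and the poster says the client IP is a local one that the routing table sends out ppp1. Those two facts together describe a classic dual-uplink problem: a packet for the ppp0 address from a "local" client arrives on ppp0, but the route back to that client points at ppp1, so (a) a strict reverse-path filter (`rp_filter=1`, which Shorewall's `routefilter` interface option also turns on) drops the packet before any Shorewall INPUT rule can log it, and (b) even without the filter the reply would leave via ppp1 carrying a 41.x source address. An international client is routed back via ppp0 and works. The simulation below is an added example, not from the thread: it models longest-prefix routing, both rp_filter modes, and source-address policy rules of the form `ip rule add from $PPP0_IP table intl; ip route add default dev ppp0 table intl`. The addresses, the local prefixes, and the table names are constructed; whether rp_filter is actually enabled on the poster's box is not stated in the thread, so this is one plausible cause, not a confirmed diagnosis.

```python
"""Simulate the forwarding decisions behind the 'only one uplink answers'
symptom from the thread.

Added illustration, not from the original posts.  It models a box with two
PPPoE uplinks, ppp0 (international, default route) and ppp1 (local, used for
a list of local prefixes), does longest-prefix routing lookups, then reports
(1) whether strict (rp_filter=1) and loose (rp_filter=2) reverse-path
filtering accept an inbound packet and (2) which interface the reply leaves
on, with and without source-address policy-routing rules.  The addresses,
local prefixes and rule tables are constructed for the example.
"""
import ipaddress

PPP0_IP = ipaddress.ip_address("41.240.30.10")    # international uplink (constructed)
PPP1_IP = ipaddress.ip_address("165.146.240.10")  # local uplink (constructed)

# Main table as the poster describes it: local ranges via ppp1, default via ppp0.
# The two 'local' prefixes are constructed; the real list is ISP specific.
MAIN = [
    (ipaddress.ip_network("0.0.0.0/0"), "ppp0"),
    (ipaddress.ip_network("165.146.0.0/16"), "ppp1"),
    (ipaddress.ip_network("196.25.0.0/16"), "ppp1"),
    (ipaddress.ip_network("192.168.1.0/24"), "eth0"),
]

# Source-based rules so replies leave on the link they arrived on, equivalent to:
#   ip rule add from $PPP0_IP table intl  ; ip route add default dev ppp0 table intl
#   ip rule add from $PPP1_IP table local ; ip route add default dev ppp1 table local
SOURCE_RULES = ((PPP0_IP, "ppp0"), (PPP1_IP, "ppp1"))


def lookup(table, dst):
    """Longest-prefix match: egress interface for dst, or None if unroutable."""
    best = None
    for prefix, dev in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, dev)
    return best[1] if best else None


def strict_rpf_accepts(in_dev, src, table=MAIN):
    """rp_filter=1: accept only if the route back to src uses the ingress device."""
    return lookup(table, src) == in_dev


def loose_rpf_accepts(src, table=MAIN):
    """rp_filter=2: accept if src is reachable through any interface at all."""
    return lookup(table, src) is not None


def reply_dev(src_ip, dst, rules=(), table=MAIN):
    """Policy routing: a matching 'from <ip>' rule selects a table holding a
    single default route; otherwise the main table decides."""
    for rule_src, dev in rules:
        if src_ip == rule_src:
            return dev
    return lookup(table, dst)


def probe(client, in_dev, target_ip, rules=()):
    """Outcome for one inbound packet from client to target_ip arriving on in_dev:
    (strict_rpf_ok, loose_rpf_ok, reply_device)."""
    client = ipaddress.ip_address(client)
    return (
        strict_rpf_accepts(in_dev, client),
        loose_rpf_accepts(client),
        reply_dev(target_ip, client, rules),
    )


if __name__ == "__main__":
    # The poster's test: a local-ISP client hits the international address.
    print("local client -> ppp0 IP, no rules  :", probe("165.146.1.1", "ppp0", PPP0_IP))
    print("local client -> ppp0 IP, with rules:", probe("165.146.1.1", "ppp0", PPP0_IP, SOURCE_RULES))
    print("local client -> ppp1 IP            :", probe("165.146.1.1", "ppp1", PPP1_IP))
    print("intl  client -> ppp0 IP            :", probe("8.8.8.8", "ppp0", PPP0_IP))
```

The first probe is the failing case: strict RPF drops the packet silently and, if it did not, the reply would go out ppp1. Adding the source rules fixes the reply path but not the strict RPF drop, so a dual-uplink box needs loose filtering (`rp_filter=2`, or Shorewall's `routefilter` left off on the ppp interfaces) as well as the rules. The third and fourth probes pass, which matches the thread: local-to-ppp1 works, and an international client hitting ppp0 would work too.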
 