IP Tables - Can't access devices when IP Tables are active

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: IP Tables - Can't access devices when IP Tables are active

Post by jlehtone » 2017/02/09 17:28:25

Let's check the basics:

ip -4 ad
ip ro
ip ro get 10.0.0.51
traceroute 10.0.0.51
iptables -t nat -S
iptables -t mangle -S

DateMike
Posts: 27
Joined: 2016/12/07 06:24:03

Re: IP Tables - Can't access devices when IP Tables are active

Post by DateMike » 2017/02/10 11:40:47

I have confirmed there are no Firewalls before the Centos Machine, the only form of security would be the IP tables.
Unfortunately I don't know enough about networks to diagnose this myself, it just doesn't make sense that everything works with IPtables off, but fails when IPtables are on.
Any other ideas?

DateMike
Posts: 27
Joined: 2016/12/07 06:24:03

Re: IP Tables - Can't access devices when IP Tables are active

Post by DateMike » 2017/02/10 13:29:43

jlehtone wrote: Let's check the basics:

ip -4 ad
ip ro
ip ro get 10.0.0.51
traceroute 10.0.0.51
iptables -t nat -S
iptables -t mangle -S

Hi Jlehtone,

First maybe an understanding of the network connections between server and devices:

CENTOS SERVER --LAN--> Remote Mikrotik Switch --VPN--> Local Mikrotik Switch (10.0.0.50) --LAN--> Devices
Remote Mikrotik Switch --LAN--> Hosting Company Internet Breakout
I hope all this makes sense.

Performed first with iptables off:

[root@SERVERDNS ~]# ip -4 ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet PUBLIC IP brd PUBLIC IP SUBNET scope global eth1

[root@SERVERDNS ~]# ip ro
10.0.0.0/24 via PUBLIC IP OF SWITCH dev eth1
10.0.1.0/24 via PUBLIC IP OF SWITCH dev eth1
SERVER SUBNET dev eth1  proto kernel  scope link  src SERVER PUBLIC IP
169.254.0.0/16 dev eth1  scope link  metric 1003
default via SERVER GATEWAY dev eth1

[root@SERVER DNS ~]# ip ro get 10.0.0.51
10.0.0.51 via PUBLIC IP OF SWITCH dev eth1  src SERVER PUBLIC IP
    cache  mtu 1500 advmss 1460 hoplimit 64

[root@SERVER DNS ~]# traceroute 10.0.0.51
traceroute to 10.0.0.51 (10.0.0.51), 30 hops max, 60 byte packets
 1  HOSTED SWITCH DNS (HOSTED SWITCH IP)  0.185 ms  0.141 ms  0.143 ms
 2  10.0.0.50 (10.0.0.50)  44.975 ms  46.370 ms  48.333 ms
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

[root@SERVER DNS ~]# iptables -t nat -S
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT

[root@SERVER DNS ~]# iptables -t mangle -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT

With IPtables on:

[root@SERVERDNS ~]# ip -4 ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet PUBLIC IP brd PUBLIC IP SUBNET scope global eth1

[root@SERVERDNS ~]# ip ro
10.0.0.0/24 via PUBLIC IP OF SWITCH dev eth1
10.0.1.0/24 via PUBLIC IP OF SWITCH dev eth1
SERVER SUBNET dev eth1  proto kernel  scope link  src SERVER PUBLIC IP
169.254.0.0/16 dev eth1  scope link  metric 1003
default via SERVER GATEWAY dev eth1

[root@SERVER DNS ~]# ip ro get 10.0.0.51
10.0.0.51 via PUBLIC IP OF SWITCH dev eth1  src SERVER PUBLIC IP
    cache  mtu 1500 advmss 1460 hoplimit 64

[root@SERVER DNS ~]# traceroute 10.0.0.51
traceroute to 10.0.0.51 (10.0.0.51), 30 hops max, 60 byte packets
 1  DNS OF SWITCH (PUBLIC IP OF SWITCH)  0.405 ms  0.340 ms  0.346 ms
 2  10.0.0.50 (10.0.0.50)  47.469 ms  43.544 ms  45.412 ms
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

[root@SERVER DNS ~]# iptables -t nat -S
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
[root@SERVER DNS ~]# iptables -t mangle -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT

Regards,

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: IP Tables - Can't access devices when IP Tables are active

Post by jlehtone » 2017/02/10 16:28:28

Do I get this right?

"SERVER SUBNET" has public addresses.
"SERVER SUBNET" has at least three devices: (1) CentOS, (2) Mikrotik, (3) some other router.

The Mikrotik acts as a router. In addition to "SERVER SUBNET", it has some VPN subnet and it sends to 10.0.0/24 via that VPN.

It is not clear whether the VPN is routed or bridged, whether there is NAT, etc.

I do suspect asymmetric routing: the replies from 10.0.0.51 do not return via the same route. Without filtering that apparently is tolerable, but with the filter the replies are not seen as "related".

You could try a more focused dump:

tcpdump -n -nn -l -i eth1 not port 161

Preferably create two: one with the firewall up and the other without.

When you did post the output of 'less', was that really the entire content of that logfile? (less is a pager.)
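A way to compare the two dumps jlehtone asks for, as an added example that is not from the thread or from either poster: it parses `tcpdump -nn` summary lines and reports flows the server initiated for which no reverse-direction packet ever appeared on the wire, then shows which of those are answered only when the firewall is down. The capture lines and the server address 203.0.113.10 (TEST-NET) are constructed.

```python
import re
from collections import Counter
# Constructed sample captures (not from the thread): the server, given the TEST-NET
# address 203.0.113.10, pings and opens SSH to 10.0.0.51 behind the Mikrotik VPN.
CAP_NO_FW = """\
11:40:01.000001 IP 203.0.113.10 > 10.0.0.51: ICMP echo request, id 7, seq 1, length 64
11:40:01.045012 IP 10.0.0.51 > 203.0.113.10: ICMP echo reply, id 7, seq 1, length 64
11:40:02.000100 IP 203.0.113.10.40000 > 10.0.0.51.22: Flags [S], seq 1, win 29200, length 0
11:40:02.046000 IP 10.0.0.51.22 > 203.0.113.10.40000: Flags [S.], seq 9, ack 2, win 28960, length 0
"""
CAP_FW = """\
11:50:01.000001 IP 203.0.113.10 > 10.0.0.51: ICMP echo request, id 8, seq 1, length 64
11:50:02.000100 IP 203.0.113.10.40002 > 10.0.0.51.22: Flags [S], seq 1, win 29200, length 0
11:50:03.000200 IP 203.0.113.10.40002 > 10.0.0.51.22: Flags [S], seq 1, win 29200, length 0
"""

# The IPv4 summary line 'tcpdump -nn' prints: "<time> IP src > dst: rest".
LINE_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<rest>.*)$")

def split_host_port(token):
    """With -nn, TCP/UDP endpoints print as a.b.c.d.port; ICMP endpoints carry no port."""
    parts = token.split(".")
    return (".".join(parts[:4]), int(parts[4])) if len(parts) == 5 else (token, None)

def proto_of(rest):
    return "icmp" if rest.startswith("ICMP") else "tcp" if rest.startswith("Flags") else "other"

def parse_flows(capture):
    """Count packets per directional flow key (proto, src, sport, dst, dport)."""
    flows = Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:  # ARP, IPv6 and continuation lines do not match and are skipped
            src, sport = split_host_port(m["src"])
            dst, dport = split_host_port(m["dst"])
            flows[(proto_of(m["rest"]), src, sport, dst, dport)] += 1
    return flows

def unanswered(capture, local_ip):
    """Flows local_ip initiated for which no reverse-direction packet reached the wire."""
    flows = parse_flows(capture)
    missing = [(p, dst, dport, n) for (p, src, sport, dst, dport), n in flows.items()
               if src == local_ip and (p, dst, dport, src, sport) not in flows]
    return sorted(missing, key=lambda t: (t[0], t[1], t[2] or 0))

def compare(cap_no_fw, cap_fw, local_ip):
    """Flows that are answered without the firewall but get no reply with it."""
    also_missing_without = {m[:3] for m in unanswered(cap_no_fw, local_ip)}
    return [m for m in unanswered(cap_fw, local_ip) if m[:3] not in also_missing_without]
```

Because tcpdump on eth1 sees inbound frames before the INPUT chain filters them, a reply that is absent from the firewall-up capture points at routing or the VPN path (it never reached the host), while a reply that is present but still not accepted points at the ruleset itself.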
