FC3 traffic can't get thru firewall
Bill Gradwohl
bill at ycc.com
Sun Feb 13 16:26:53 UTC 2005
A client attached an FC3 box to an existing private network of about 80
Windows and RH7.2 boxes and it can't seem to pass any traffic through an
existing firewall. It can interact with boxes on the private network
just fine. The intent is to upgrade all their RH7.2 to FC3 over the next
30 days.
BTW - The client requested I scramble IP addresses and domain names.
An Internet router (123.12.23.1) connects to eth0 on an iptables
firewall. eth1 of that firewall services a private network. The system
wide rule is that any box on the private network can web browse. I
therefore decided to attempt to telnet to the Internet router on port
80, thus testing the path from the private side through the firewall to an
Internet destination - namely the router.
A tcpdump listening on eth0 of the firewall for port 80 traffic to the
internet router shows the following:
tcpdump: listening on eth0
09:31:41.389575 0:4:75:86:e5:b7 0:c0:7b:94:e:94 ip 70:
bigboy.ftw.aia.32805 > router.aiaenv.com.http: S [tcp sum ok]
135994474:135994474(0) win 5840 <mss 1460,sackOK,timestamp 61546127 0>
(DF) [tos 0x10] (ttl 63, id 741, len 56)
09:31:44.388010 0:4:75:86:e5:b7 0:c0:7b:94:e:94 ip 70:
bigboy.ftw.aia.32805 > router.aiaenv.com.http: S [tcp sum ok]
135994474:135994474(0) win 5840 <mss 1460,sackOK,timestamp 61549127 0>
(DF) [tos 0x10] (ttl 63, id 743, len 56)
09:32:57.174934 0:4:75:86:e5:b7 0:c0:7b:94:e:94 ip 74:
mail1.aiaenv.com.49411 > router.aiaenv.com.http: S [tcp sum ok]
1483166439:1483166439(0) win 5840 <mss 1460,sackOK,timestamp 128170684
0,nop,wscale 0> (DF) [tos 0x10] (ttl 63, id 59483, len 60)
09:32:57.181716 0:c0:7b:94:e:94 0:4:75:86:e5:b7 ip 60:
router.aiaenv.com.http > mail1.aiaenv.com.49411: R [tcp sum ok] 0:0(0)
ack 1483166440 win 0 (ttl 64, id 11864, len 40)
The first 2 entries are from: telnet 123.12.23.1 80 from bigboy, an FC3
box. The telnet hangs, never establishing a connection (I CTRL-C'd
after 2 packets), but the dump clearly shows that the traffic hit the
public side of the firewall. If I wait long enough, I get lots of
similar output, but never a reply packet, and eventually get "Connection
timed out".
The next 2 entries are from: telnet 123.12.23.1 80 from mail1, an old
RH7.2 box. The telnet connects and reports a "connection refused" as
there is no web server running on the router.
I've checked the firewall's logs for dropped packets and none are reported.
I even moved the IP address of bigboy around to several other private
addresses, and cleared the ARP caches involved to see if it was firewall
rule related, and no matter what IP I put bigboy on its always the same
thing. Traffic hits the public side of the firewall and disappears.
I've got IPv6 and window scaling turned off on the FC3 box.
Any ideas?
--
Bill Gradwohl
bill at ycc.com
http://www.ycc.com
spamSTOMPER Protected email
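As an added example (this is not part of Bill's post, nor anything from the fedora-list thread), here is a small Python script that does mechanically what the post does by eye: it re-joins tcpdump records that a mail client wrapped across lines, pairs each client SYN with whatever came back from the server side, and separates "refused" (a RST was seen, as for mail1) from "no response at all" (only retransmitted SYNs, as for bigboy). It also pulls out the TCP options and TTL of each SYN so the two clients' packets can be compared side by side. It assumes the tcpdump 3.x verbose text format shown in the post (flags as a bare "S" or "R" with a separate "ack N" field), not the "Flags [S.]" syntax of later tcpdump versions; the sample input is the post's own four records, kept with their mail wrapping.

```python
"""Pair client SYNs with their replies in tcpdump 3.x verbose output.

Added example, not code from the original post.  Assumes the 3.x flag
syntax ("S", "R", ... with a separate "ack N" field), not the 4.x
"Flags [S.]" form, and that records may be wrapped onto several lines.
"""
import re

# Constructed sample: the capture quoted in the post, kept with its mail wrapping.
SAMPLE = """\
tcpdump: listening on eth0
09:31:41.389575 0:4:75:86:e5:b7 0:c0:7b:94:e:94 ip 70:
bigboy.ftw.aia.32805 > router.aiaenv.com.http: S [tcp sum ok]
135994474:135994474(0) win 5840 <mss 1460,sackOK,timestamp 61546127 0>
(DF) [tos 0x10] (ttl 63, id 741, len 56)
09:31:44.388010 0:4:75:86:e5:b7 0:c0:7b:94:e:94 ip 70:
bigboy.ftw.aia.32805 > router.aiaenv.com.http: S [tcp sum ok]
135994474:135994474(0) win 5840 <mss 1460,sackOK,timestamp 61549127 0>
(DF) [tos 0x10] (ttl 63, id 743, len 56)
09:32:57.174934 0:4:75:86:e5:b7 0:c0:7b:94:e:94 ip 74:
mail1.aiaenv.com.49411 > router.aiaenv.com.http: S [tcp sum ok]
1483166439:1483166439(0) win 5840 <mss 1460,sackOK,timestamp 128170684
0,nop,wscale 0> (DF) [tos 0x10] (ttl 63, id 59483, len 60)
09:32:57.181716 0:c0:7b:94:e:94 0:4:75:86:e5:b7 ip 60:
router.aiaenv.com.http > mail1.aiaenv.com.49411: R [tcp sum ok] 0:0(0)
ack 1483166440 win 0 (ttl 64, id 11864, len 40)
"""

TS_RE = re.compile(r'^\d{2}:\d{2}:\d{2}\.\d+ ')
RECORD_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+'
    r'(?:\S+\s+\S+\s+ip\s+\d+:\s+)?'      # optional -e link layer: src MAC, dst MAC, "ip <len>:"
    r'(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+'
    r'(?P<flags>[SRPF.]+)\s+'
    r'(?P<rest>.*)$'
)


def join_records(text):
    """Re-join records that a mail client wrapped onto several lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('tcpdump:'):
            continue
        if TS_RE.match(line):
            records.append(line)          # a timestamp starts a new record
        elif records:
            records[-1] += ' ' + line     # anything else continues the previous one
    return records


def parse_record(line):
    """Return the fields we care about from one joined record, or None."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    src_host, src_port = m['src'].rsplit('.', 1)
    dst_host, dst_port = m['dst'].rsplit('.', 1)
    rest = m['rest']
    ack = re.search(r'\back (\d+)', rest)     # \b keeps "sackOK" from matching
    opts = re.search(r'<([^>]*)>', rest)      # TCP options of a SYN / SYN-ACK
    ttl = re.search(r'ttl (\d+)', rest)
    return {
        'ts': m['ts'], 'flags': m['flags'],
        'src_host': src_host, 'src_port': src_port,
        'dst_host': dst_host, 'dst_port': dst_port,
        'ack': int(ack[1]) if ack else None,
        'options': opts[1] if opts else '',
        'ttl': int(ttl[1]) if ttl else None,
    }


def classify_flows(text):
    """Map (client, cport, server, sport) -> {syns, options, ttl, result}."""
    flows = {}
    for rec in map(parse_record, join_records(text)):
        if rec is None:
            continue
        fwd = (rec['src_host'], rec['src_port'], rec['dst_host'], rec['dst_port'])
        rev = (rec['dst_host'], rec['dst_port'], rec['src_host'], rec['src_port'])
        if 'S' in rec['flags'] and rec['ack'] is None:
            # A bare SYN: a new attempt, or a retransmit of one already seen.
            f = flows.setdefault(fwd, {'syns': 0, 'options': rec['options'],
                                       'ttl': rec['ttl'], 'result': 'no response'})
            f['syns'] += 1
        elif rev in flows:
            # Something came back from the server side of a tracked flow.
            if 'R' in rec['flags']:
                flows[rev]['result'] = 'refused'     # RST: port reachable, nothing listening
            elif 'S' in rec['flags'] and rec['ack'] is not None:
                flows[rev]['result'] = 'accepted'    # SYN-ACK: handshake proceeding
    return flows


def unanswered(flows):
    """Flows whose SYNs were seen but never answered, not even with a RST."""
    return sorted(k for k, f in flows.items() if f['result'] == 'no response')


def report(flows):
    """One line per flow: retransmit count, outcome, TTL and TCP options."""
    return ['%s:%s -> %s:%s  syns=%d  result=%s  ttl=%s  opts=<%s>'
            % (k + (f['syns'], f['result'], f['ttl'], f['options']))
            for k, f in sorted(flows.items())]


if __name__ == '__main__':
    print('\n'.join(report(classify_flows(SAMPLE))))
```

Run it as-is to see one line per flow for the sample; to use it on a live problem, capture with `tcpdump -e -v` on the firewall's eth0 and pass that text to `classify_flows` instead of `SAMPLE`. The script only sorts attempts into accepted, refused and unanswered and shows what each SYN carried; it does not try to say why a packet was dropped.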