Heinzelmännchen Problem

Home Page Forums Network Management ZeroShell Heinzelmännchen Problem

This topic contains 26 replies, has 0 voices, and was last updated by  Pit 9 years, 6 months ago.

Viewing 15 posts - 1 through 15 (of 28 total)
  • Author
    Posts
  • #42372

    Pit
    Member

    Hello ,

    from the lan side of zeroshell i can reach hosts at port 80, 443 and 444 at internet.

    If i try to reach a special host at ports 1812, 1813 and 7000 nothing happens.

    A tcpdump at special host shows that the connection is made, but at ports 33xyz.

    Has someone any idea what heinzelmännchen scrumble my destination ports?

    Regards

    Pit

    #50200

    ppalias
    Member

    Most likely there is a rule at the firewall altering the destination port. Show us the output of the commands

    iptables -L -v
    iptables -t nat -L -v
    ifconfig

    for a start and we’ll see what could be wrong.

    #50201

    Pit
    Member

    Hello ppalias,
    here are the results:

    root@zeroshell root> iptables -L -v
    Chain INPUT (policy ACCEPT 13 packets, 708 bytes)
    pkts bytes target prot opt in out source destination
    405 70508 SYS_INPUT all — any any anywhere anywhere
    0 0 SYS_HTTPS tcp — any any anywhere anywhere tcp dpt:http
    258 35718 SYS_HTTPS tcp — any any anywhere anywhere tcp dpt:https
    40 4172 SYS_SSH tcp — any any anywhere anywhere tcp dpt:ssh

    Chain FORWARD (policy ACCEPT 218 packets, 52580 bytes)
    pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy ACCEPT 317 packets, 171K bytes)
    pkts bytes target prot opt in out source destination
    412 179K SYS_OUTPUT all — any any anywhere anywhere

    Chain NetBalancer (0 references)
    pkts bytes target prot opt in out source destination

    Chain SYS_HTTPS (2 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all — lo any anywhere anywhere
    258 35718 ACCEPT all — any any anywhere anywhere

    Chain SYS_INPUT (1 references)
    pkts bytes target prot opt in out source destination
    30 3966 ACCEPT all — lo any anywhere anywhere
    20 6488 ACCEPT udp — any any anywhere anywhere udp spt:domain state ESTABLISHED
    15 17252 ACCEPT tcp — any any anywhere anywhere tcp spt:http state ESTABLISHED
    0 0 ACCEPT tcp — any any anywhere anywhere tcp spt:8245 state ESTABLISHED
    29 2204 ACCEPT udp — any any anywhere anywhere udp spt:ntp state ESTABLISHED
    311 40598 RETURN all — any any anywhere anywhere

    Chain SYS_OUTPUT (1 references)
    pkts bytes target prot opt in out source destination
    30 3966 ACCEPT all — any lo anywhere anywhere
    21 1593 ACCEPT udp — any any anywhere anywhere udp dpt:domain
    15 908 ACCEPT tcp — any any anywhere anywhere tcp dpt:http
    0 0 ACCEPT tcp — any any anywhere anywhere tcp dpt:8245
    29 2204 ACCEPT udp — any any anywhere anywhere udp dpt:ntp
    317 171K RETURN all — any any anywhere anywhere
    Chain SYS_SSH (1 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all — lo any anywhere anywhere
    40 4172 ACCEPT all — ETH04 any anywhere anywhere
    0 0 DROP all — any any anywhere anywhere

    root@zeroshell root> iptables -t nat -L -v
    Chain PREROUTING (policy ACCEPT 40 packets, 4069 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DNAT tcp — ETH04 any anywhere 192.168.0.199 tcp dpt:http to:192.168.7.201:80
    15 900 DNAT tcp — ETH04 any anywhere 192.168.0.199 tcp dpts:snpp:commplex-main to:192.168.7.201:444-5000
    11 660 DNAT tcp — ETH04 any anywhere anywhere tcp dpt:https to:192.168.7.75:443
    1 60 DNAT tcp — ETH04 any anywhere anywhere tcp dpt:ssh to:192.168.7.75:22

    Chain POSTROUTING (policy ACCEPT 11 packets, 923 bytes)
    pkts bytes target prot opt in out source destination
    92 6629 SNATVS all — any any anywhere anywhere
    15 900 MASQUERADE all — any ETH03 anywhere anywhere
    66 4806 MASQUERADE all — any ETH04 anywhere anywhere

    Chain OUTPUT (policy ACCEPT 64 packets, 4932 bytes)
    pkts bytes target prot opt in out source destination

    Chain SNATVS (1 references)
    pkts bytes target prot opt in out source destination

    root@zeroshell root> ifconfig
    ETH00 Link encap:Ethernet HWaddr 00:30:18:AA:BE:73
    UP BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
    Interrupt:18 Base address:0xe000

    ETH01 Link encap:Ethernet HWaddr 00:30:18:AA:BE:74
    UP BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
    Interrupt:19

    ETH02 Link encap:Ethernet HWaddr 00:30:18:AA:BE:75
    UP BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
    Interrupt:16 Base address:0x2000

    ETH03 Link encap:Ethernet HWaddr 00:30:18:A1:71:5B
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:112 errors:0 dropped:0 overruns:0 frame:0
    TX packets:131 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:16099 (15.7 Kb) TX bytes:41353 (40.3 Kb)
    Interrupt:23 Base address:0x6000

    ETH03:00 Link encap:Ethernet HWaddr 00:30:18:A1:71:5B
    inet addr:192.168.7.75 Bcast:192.168.7.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    Interrupt:23 Base address:0x6000

    ETH04 Link encap:Ethernet HWaddr 00:1B:21:56:DE:97
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:607 errors:0 dropped:0 overruns:0 frame:0
    TX packets:600 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:122933 (120.0 Kb) TX bytes:210159 (205.2 Kb)

    ETH04:00 Link encap:Ethernet HWaddr 00:1B:21:56:DE:97
    inet addr:192.168.0.199 Bcast:192.168.0.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

    ETH04:01 Link encap:Ethernet HWaddr 00:1B:21:56:DE:97
    inet addr:87.234.250.2 Bcast:87.234.250.7 Mask:255.255.255.248
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

    VPN99 Link encap:Ethernet HWaddr 00:FF:0C:F5:78:13
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    VPN99:00 Link encap:Ethernet HWaddr 00:FF:0C:F5:78:13
    inet addr:192.168.250.254 Bcast:192.168.250.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

    dummy1 Link encap:Ethernet HWaddr 82:C4:47:FF:90:1B
    inet addr:192.168.142.142 Bcast:192.168.142.255 Mask:255.255.255.255
    UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:188 errors:0 dropped:0 overruns:0 frame:0
    TX packets:188 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:22023 (21.5 Kb) TX bytes:22023 (21.5 Kb)

    Regards
    Pit

    #50202

    ppalias
    Member

    I can see that on ETH04 you have 2 IPs aliased, one public and one private. Also on interface ETH03 you have a private address. Right so far? I suppose your wan is ETH04 and ETH03 is the lan. What is the role of ETH04:00?
    Secondly I see that you are MASQUERADING on both ETH03 and ETH04, which looks wrong. Please clarify these questions and we’ll see how we will move on.

    #50203

    Pit
    Member

    The public IP at ETH04 is from the former/later location. There is a range of pulic IP’s.
    The private IP is at my home where i troubleshoot the balancer.

    ETH03 is my lan with one gateway machine. This machine and the balancer itself should be reachable over the virtual servers.

    My perception of the GUI Router/NAT was, that one has to point to the both devices between NAT is supposed to be. This was obviously wrong. Additionally behind the curtain works MASQUERADING and not NAT. This is confusing too.

    After some testing MASQUERADING only on device ETH04 solves the Problem.
    In virtual servers also the IP wich is supposed to be used has to be configured explicitly.
    Configuring the device only does not work.

    I thank you for your effort and the hint about MASQUERADING.

    Regards
    PIT

    #50204

    ppalias
    Member

    Masquerading is a kind of NAT, which is called PAT.

    Do you still suffer from a problem on your ZS or is it working as you expected?

    #50205

    Pit
    Member

    In this environment ZS works now as expected.

    Now i ask before my next mismatch causes trouble:

    Next step are three another lines (pppoe) balanced with the default one.

    Am i right to enable NAT on this devices?

    Am i right to change the default gateway to a balancer gateway?

    Am i right to point the traffic to a special server with a balancer rule to a dedicated gateway?

    Is it a good idea to enable rip-v.2 on all devices?

    Thanks in advance

    Pit

    #50206

    ppalias
    Member

    You will add all the 3 pppoe lines along with the default route in the NetBalancer. You will enable NAT on them.
    I am not sure what you mean to “change the default gateway to a balancer gateway”. All the PCs in your lan should use ZS as the default gateway obviously. ZS will automatically balance traffic among the configured gateways in NetBalancer.
    Enabling RIP is a bad idea if don’t really need it. I don’t see why you would need it here.

    #50207

    Pit
    Member

    … changing the default gateway to a balancer gateway….
    Irefer to the first picture at ZS landingpage: Thre is the default gateway disabled and the balancer gateway Infostrada ADSL used instead.

    #50208

    ppalias
    Member

    On this screenshot there are 2 more gateways apart from Infostrada. Wind and TRE, so you have 3 gateways.

    #50209

    Pit
    Member

    OK. I got the idea of ZS GUI.
    Thanks again for your help.

    Regards
    Pit

    #50210

    Pit
    Member

    At the production location the ZS balancer works fine over four ADSL lines.

    Does somebody know the trick to administer the machine and virtual servers from remote?

    VPN99 does not connect. Vitual server at :443 works only one time. After connecting to the other virtual server behind ZS the machines is no more reachable.

    I guess that the answer packages are balanced to the nirwana.

    Is there a way to solve this problem?

    Thanks in advance

    Pit

    #50211

    atheling
    Member

    @pit wrote:

    At the production location the ZS balancer works fine over four ADSL lines.

    Does somebody know the trick to administer the machine and virtual servers from remote?

    VPN99 does not connect. Vitual server at :443 works only one time. After connecting to the other virtual server behind ZS the machines is no more reachable.

    I guess that the answer packages are balanced to the nirwana.

    Is there a way to solve this problem?

    Thanks in advance

    Pit

    I am interpreting “I guess that the answer packages are balanced to the nirwana” to mean that the return message packets are balanced out to the wrong interfaces. If so, have you installed the latest version of the patch mentioned on this thread.

    http://www.zeroshell.net/eng/forum/viewtopic.php?t=2125

    The last post has the patch, earlier in the thread is some discussion on how you can make it survive past a reboot.

    #50212

    Pit
    Member

    Thank you for the hint.

    The patch may be not compatible:

    root@zeroshell scripts> patch -p0 /dev/null
    – iptables -t mangle -D PREROUTING -j NetBalancer 2>/dev/null
    – iptables -t mangle -D INPUT -j NetBalancer 2>/dev/null
    – iptables -t mangle -D OUTPUT -j NetBalancer 2>/dev/null
    iptables -t mangle -D OUTPUT -j OpenVPN 2>/dev/null
    iptables -t mangle -D POSTROUTING -m state –state NEW -j NB_CT_POST 2>/dev/null
    iptables -t mangle -D POSTROUTING -j NB_STAT 2>/dev/null
    if [ “`cat $REGISTER/system/net/nb/Enabled 2>/dev/null`” = yes ] ; then
    iptables -t mangle -I PREROUTING 1 -j CONNMARK –restore-mark
    – iptables -t mangle -I PREROUTING 2 -j NetBalancer
    iptables -t mangle -I POSTROUTING 1 -m state –state NEW -j NB_CT_POST 2>/dev/null
    iptables -t mangle -I POSTROUTING 2 -j NB_STAT 2>/dev/null
    – iptables -t mangle -I INPUT 1 -j NetBalancer
    – iptables -t mangle -I OUTPUT 1 -j NetBalancer
    – iptables -t mangle -I OUTPUT 2 -j OpenVPN
    fi
    $SCRIPTS/nb_vpn 2> /dev/null
    $SCRIPTS/nb_setautomarking 2>/dev/null


    — 1,35 —-
    #!/bin/sh
    . /etc/kerbynet.conf
    iptables -t mangle -D PREROUTING -j CONNMARK –restore-mark 2>/dev/null
    + iptables -t mangle -D PREROUTING -m state –state NEW -j NB_CT_PRE 2>/dev/null
    + iptables -t mangle -D PREROUTING -m state –state NEW -j NetBalancer 2>/dev/null
    + iptables -t mangle -D INPUT -m state –state NEW -j NB_CT_POST 2>/dev/null
    + iptables -t mangle -D OUTPUT -j CONNMARK –restore-mark 2>/dev/null
    + iptables -t mangle -D OUTPUT -m state –state NEW -j NB_FO_PRE 2>/dev/null
    + iptables -t mangle -D OUTPUT -m state –state NEW -j NetBalancer 2>/dev/null
    iptables -t mangle -D OUTPUT -j OpenVPN 2>/dev/null
    iptables -t mangle -D POSTROUTING -m state –state NEW -j NB_CT_POST 2>/dev/null
    iptables -t mangle -D POSTROUTING -j NB_STAT 2>/dev/null
    + # Need QoS to be done in mangle POSTROUTING. Note that if NetBalance
    + # is enabled then we will insert those rules/chains first. So any
    + # routing marks will be handled before we blow them away with QoS
    + # marks.
    + iptables -t mangle -D POSTROUTING -j QoS 2>/dev/null
    + iptables -t mangle -I POSTROUTING 1 -j QoS 2>/dev/null
    if [ “`cat $REGISTER/system/net/nb/Enabled 2>/dev/null`” = yes ] ; then
    iptables -t mangle -I PREROUTING 1 -j CONNMARK –restore-mark
    + iptables -t mangle -I PREROUTING 2 -m state –state NEW -j NB_CT_PRE 2>/dev/null
    + iptables -t mangle -I PREROUTING 3 -m state –state NEW -j NetBalancer
    + iptables -t mangle -I INPUT 1 -m state –state NEW -j NB_CT_POST 2>/dev/null
    + iptables -t mangle -I OUTPUT 1 -j CONNMARK –restore-mark
    + iptables -t mangle -I OUTPUT 2 -m state –state NEW -j NB_FO_PRE
    + iptables -t mangle -I OUTPUT 3 -m state –state NEW -j NetBalancer
    + iptables -t mangle -I OUTPUT 4 -j OpenVPN
    iptables -t mangle -I POSTROUTING 1 -m state –state NEW -j NB_CT_POST 2>/dev/null
    iptables -t mangle -I POSTROUTING 2 -j NB_STAT 2>/dev/null
    fi
    $SCRIPTS/nb_vpn 2> /dev/null
    $SCRIPTS/nb_setautomarking 2>/dev/null
    + echo 300 > /proc/sys/net/ipv4/route/gc_min_interval
    + echo 360 > /proc/sys/net/ipv4/route/gc_timeout

    Are there any further ideas?

    #50213

    Pit
    Member

    Oops! something went wrong.

    The patch may be not compatible:

    root@zeroshell scripts> patch -p0 < zeroshell-3.patch
    patching file failoverd
    patching file fw_initrules
    Hunk #2 FAILED at 23.
    1 out of 2 hunks FAILED — saving rejects to file fw_initrules.rej
    patching file fw_makerule
    patching file fw_start
    Hunk #1 succeeded at 10 with fuzz 1.
    patching file fw_viewchain
    patching file nb_fw
    Hunk #1 FAILED at 1.
    1 out of 1 hunk FAILED — saving rejects to file nb_fw.rej
    patching file nb_setautomarking

    fw_initrules.rej:

    ***************
    *** 23,34 ****
    iptables -A INPUT -j SYS_INPUT
    iptables -A INPUT -p tcp –dport 80 -j SYS_HTTPS
    iptables -A INPUT -p tcp –dport 443 -j SYS_HTTPS
    iptables -A INPUT -p tcp –dport 22 -j SYS_SSH
    fi
    [ “$CHAIN” == OUTPUT ] && iptables -A OUTPUT -j SYS_OUTPUT
    if [ -d $CONFIG/Chains/$CHAIN/Rules ] ; then
    cd $CONFIG/Chains/$CHAIN/Rules
    RULES=`ls`
    for RULE in $RULES ; do
    ENABLED=”`cat $RULE/Enabled 2>/dev/null`”
    if [ “$ENABLED” == yes ] ; then
    — 23,38 —-
    iptables -A INPUT -j SYS_INPUT
    iptables -A INPUT -p tcp –dport 80 -j SYS_HTTPS
    iptables -A INPUT -p tcp –dport 443 -j SYS_HTTPS
    iptables -A INPUT -p tcp –dport 22 -j SYS_SSH
    fi
    [ “$CHAIN” == OUTPUT ] && iptables -A OUTPUT -j SYS_OUTPUT
    + # If we are doing the QoS chain, thenlear any marks left over from
    + # Netbalancing/failover routing. The QoS chain is applied after
    + # routing so there is no conflict.
    + [ “$CHAIN” == “QoS” ] && iptables $TABLE -A $CH -j MARK –set-mark 0x0
    if [ -d $CONFIG/Chains/$CHAIN/Rules ] ; then
    cd $CONFIG/Chains/$CHAIN/Rules
    RULES=`ls`
    for RULE in $RULES ; do
    ENABLED=”`cat $RULE/Enabled 2>/dev/null`”
    if [ “$ENABLED” == yes ] ; then

Viewing 15 posts - 1 through 15 (of 28 total)

You must be logged in to reply to this topic.