
IPTables / packet filtering question

Discussion in 'Tomato Firmware' started by ironman07882, Nov 4, 2010.

  1. ironman07882

    ironman07882 Networkin' Nut Member


    Hi, I was wondering if someone could shed some light on how the 2.4 Linux kernel packet filters? I am using the stock Tomato 1.28 firmware. I also have loaded the tcpdump utility.

    What I am trying to accomplish is opening a TCP socket between a computer and an LPD server:

    Computer        <--->  Tomato router                <--->  LPD Print Server
    192.168.128.28         vlan1              br0              192.168.128.48
                           192.168.128.2/27   192.168.128.33/27
    I started up tcpdump on both router interfaces and the computer's NIC. I noticed this behavior:

    ---------------------------------------------------------->   TCP SYN DST 515
    <--------------------------------------------------------     TCP SYN/ACK
    ----------->                                                  TCP ACK
    <--------------------------------------------------------     TCP SYN/ACK
    ----------->                                                  TCP ACK
    <--------------------------------------------------------     TCP SYN/ACK
    ----------->                                                  TCP ACK
    <--------------------------------------------------------     TCP SYN/ACK
    ----------->                                                  TCP ACK

    The key observation via tcpdump is the TCP ACK packet originating from the computer is never logged by tcpdump on the router interface vlan1.

    So you are probably wondering: this could be a simple iptables issue. However, I have cleared out the iptables chains and allowed an ACCEPT policy for INPUT, OUTPUT and FORWARD.

    # iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    #


    Also, I noticed this message from the tcpdump packet capture on vlan1:



    # tcpdump -i vlan1 -v 'tcp src port 515 or tcp dst port 515'
    tcpdump: listening on vlan1, link-type EN10MB (Ethernet), capture size 65535 bytes
    23:07:03.412525 IP (tos 0x0, ttl 127, id 15141, offset 0, flags [DF], proto TCP (6), length 48)
        192.168.128.28.3445 > PS-25F75B.vitalos.us.printer: Flags [S], cksum 0x40af (correct), seq 4283200013, win 16384, options [mss 1460,nop,nop,sackOK], length 0
    23:07:03.417013 IP (tos 0x0, ttl 63, id 6872, offset 0, flags [none], proto TCP (6), length 44)
        PS-25F75B.vitalos.us.printer > 192.168.128.28.3445: Flags [S.], cksum 0x4f8c (correct), seq 89470480, ack 4283200014, win 2920, options [mss 1280], length 0
    23:07:04.363968 IP (tos 0x0, ttl 63, id 6874, offset 0, flags [none], proto TCP (6), length 44)
        PS-25F75B.vitalos.us.printer > 192.168.128.28.3445: Flags [S.], cksum 0x4f8c (correct), seq 89470480, ack 4283200014, win 2920, options [mss 1280], length 0
    23:07:06.342753 IP (tos 0x0, ttl 63, id 6876, offset 0, flags [none], proto TCP (6), length 44)
        PS-25F75B.vitalos.us.printer > 192.168.128.28.3445: Flags [S.], cksum 0x4f8c (correct), seq 89470480, ack 4283200014, win 2920, options [mss 1280], length 0
    23:07:10.300616 IP (tos 0x0, ttl 63, id 6878, offset 0, flags [none], proto TCP (6), length 44)
        PS-25F75B.vitalos.us.printer > 192.168.128.28.3445: Flags [S.], cksum 0x4f8c (correct), seq 89470480, ack 4283200014, win 2920, options [mss 1280], length 0

    5 packets captured
    1247 packets received by filter
    194 packets dropped by kernel


    So my question: if iptables does not have any chains loaded and its INPUT, OUTPUT and FORWARD chains are fully flushed, what other criteria are forcing the Linux kernel to drop packets? And how can I find out what packets are being dropped (perhaps the ACK packet?)

    It is interesting to note that I can configure this router to open a TCP socket to this LPD printer using DNAT / port forwarding rules in IPCHAINS, and get a successful printout. I just cannot achieve this with a simple, direct route as shown above.

    Any insight would be helpful. This routing issue is driving me nuts.
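    As an added example (not part of this thread), a small Python script that reads a tcpdump -v capture like the one above and classifies the TCP handshake state of each flow, so the "SYN/ACK keeps repeating, ACK never seen on this interface" pattern is reported rather than eyeballed. The sample capture is constructed from the post's packets with addresses shown numerically; the function and constant names are mine.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the post's vlan1 capture (tcpdump -v output,
# addresses numeric as with -nn): one SYN from the computer, four SYN/ACK
# retransmissions from the print server, and no ACK from the computer.
SAMPLE_CAPTURE = """\
23:07:03.412525 IP (tos 0x0, ttl 127, id 15141, offset 0, flags [DF], proto TCP (6), length 48)
    192.168.128.28.3445 > 192.168.128.48.515: Flags [S], cksum 0x40af (correct), seq 4283200013, win 16384, options [mss 1460,nop,nop,sackOK], length 0
23:07:03.417013 IP (tos 0x0, ttl 63, id 6872, offset 0, flags [none], proto TCP (6), length 44)
    192.168.128.48.515 > 192.168.128.28.3445: Flags [S.], cksum 0x4f8c (correct), seq 89470480, ack 4283200014, win 2920, options [mss 1280], length 0
23:07:04.363968 IP (tos 0x0, ttl 63, id 6874, offset 0, flags [none], proto TCP (6), length 44)
    192.168.128.48.515 > 192.168.128.28.3445: Flags [S.], cksum 0x4f8c (correct), seq 89470480, ack 4283200014, win 2920, options [mss 1280], length 0
23:07:06.342753 IP (tos 0x0, ttl 63, id 6876, offset 0, flags [none], proto TCP (6), length 44)
    192.168.128.48.515 > 192.168.128.28.3445: Flags [S.], cksum 0x4f8c (correct), seq 89470480, ack 4283200014, win 2920, options [mss 1280], length 0
23:07:10.300616 IP (tos 0x0, ttl 63, id 6878, offset 0, flags [none], proto TCP (6), length 44)
    192.168.128.48.515 > 192.168.128.28.3445: Flags [S.], cksum 0x4f8c (correct), seq 89470480, ack 4283200014, win 2920, options [mss 1280], length 0
"""
# The indented TCP line that tcpdump -v prints under each IP header line.
TCP_LINE = re.compile(r"^\s+(\S+?)\.(\d+) > (\S+?)\.(\d+): Flags \[([^\]]*)\]")


def handshake_report(capture):
    """Return {(client, server, port): (syn, synack, ack, verdict)} per flow."""
    counts = defaultdict(lambda: [0, 0, 0])
    for line in capture.splitlines():
        m = TCP_LINE.match(line)
        if not m:
            continue                      # IP header line or tcpdump summary
        src, sport, dst, dport, flags = m.groups()
        if flags == "S":                  # SYN: client -> server
            counts[(src, dst, int(dport))][0] += 1
        elif flags == "S.":               # SYN/ACK: server -> client, key by client
            counts[(dst, src, int(sport))][1] += 1
        elif flags == ".":                # bare ACK: client -> server
            counts[(src, dst, int(dport))][2] += 1
    report = {}
    for key, (syn, synack, ack) in counts.items():
        if syn and synack and not ack:    # the symptom seen on vlan1 in the post
            verdict = "SYN/ACK retransmitted %d times; client ACK never seen here" % synack
        elif syn and synack and ack:
            verdict = "handshake completed"
        else:
            verdict = "one-sided: SYN=%d SYN/ACK=%d ACK=%d" % (syn, synack, ack)
        report[key] = (syn, synack, ack, verdict)
    return report


if __name__ == "__main__":
    for (client, server, port), row in handshake_report(SAMPLE_CAPTURE).items():
        print("%s -> %s:%d  %s" % (client, server, port, row[3]))
```

    Running the same script over captures taken on br0 and on the computer's NIC shows at a glance on which hop the third handshake packet stops appearing.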
     
  2. mstombs

    mstombs Network Guru Member

    If the source and destination are on the LAN in the same subnet, the packet will be passed on by the switch in hardware; it won't touch the Linux kernel.
     
  3. ironman07882

    ironman07882 Networkin' Nut Member

    Understood, but the source (computer) and destination (LPD server) are not on the same subnet (note the /27 subnet designation assigned to vlan1 and br0). Essentially I have the Linksys unit operating as a Level 3 router between two distinct subnet segments, one attached to the vlan1 interface and the other to br0.

    To illustrate this more clearly, here is the routing table from the Linksys device:

    Tomato v1.28.1816

    BusyBox v1.14.4 (2010-06-27 20:11:16 PDT) built-in shell (ash)
    Enter 'help' for a list of built-in commands.

    # route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.5.59.1       192.168.128.1   255.255.255.255 UGH   1      0        0 vlan1
    192.168.128.0   *               255.255.255.224 U     0      0        0 vlan1
    192.168.128.32  *               255.255.255.224 U     0      0        0 br0
    127.0.0.0       *               255.0.0.0       U     0      0        0 lo
    default         192.168.128.1   0.0.0.0         UG    0      0        0 vlan1
    #
     
