Marcin Davies
07-24-2004, 09:53 PM
Hello,
I have a very strange problem on my home network. The setup is:
Linux 2.2.17 Firewall/Gateway (ipchains): fw-old
Linux 2.4.22 Firewall/Gateway (iptables) : fw-new
Several Windows 2000 and one Windows 98 (not 2nd Edition)-Boxes
attached to the same switch and the same subnet.
I build a new server (fw-new) with iptables to replace the old one.
The iptable-Rules were setup with Shorewall. A test run with my
Windows 2000-Clients was successful, everything runs fine. So I
completely replaced the old-fw, and was happy. However, I have serious
problems connecting the only Windows98 Box: And here is what happens:
Pinging to the Internet and to fw-new runs fine (ICMP in general).
UDP Packets (e.g. DNS) too, but TCP-Connections are broken. When I
switch back to the old-fw everything runs fine.
For debugging purposes I changed the setup as follows: fw-new is now
just a router and forwards all packets to fw-old, which is connected
to the internet (and does NAT/Masquerading). The gateway for the
clients is fw-new and the Win98-Box is happy with that. With this
setup packets from the Win98-Box first traverse fw-new and go to
fw-old and this works fine.
But when I connect directly to fw-new TCP connections are nevertheless
broken (UDP and ICMP are again working). Here is what an ethereal dump
shows for trying SSH to fw-new:
*SSH:
8.842311 win98.lan.net -> fw-new.lan.net TCP 1030 > ssh [SYN]
Seq=437821 Ack=0 Win=8192 Len=0 MSS=1460
8.842462 fw-new.lan.net -> win98.lan.net TCP ssh > 1030 [SYN, ACK]
Seq=1727914751 Ack=437822 Win=5840 Len=0 MSS=
1460
12.239438 fw-new.lan.net -> win98.lan.net TCP ssh > 1030 [SYN, ACK]
Seq=1727914751 Ack=437822 Win=5840 Len=0 MSS=
1460
18.239433 fw-new.lan.net -> win98.lan.net TCP ssh > 1030 [SYN, ACK]
Seq=1727914751 Ack=437822 Win=5840 Len=0 MSS=
1460
....
The connection is initiated, and the server correctly sends an ACK.
And then our Win98-Box sleeps....
*HTTP:
0.439298 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 200 OK
1.416402 win98.lan.net -> fw-new.lan.net TCP 1039 > www [SYN]
Seq=503546 Ack=0 Win=8192 Len=0 MSS=1460
1.416473 fw-new.lan.net -> win98.lan.net TCP www > 1039 [SYN, ACK]
Seq=1798673511 Ack=503547 Win=5840 Len=0 MSS=
1460
1.428368 win98.lan.net -> fw-new.lan.net HTTP GET
/manual/index.html.de HTTP/1.1
1.428459 fw-new.lan.net -> win98.lan.net TCP www > 1039 [ACK]
Seq=1798673512 Ack=504089 Win=6504 Len=0
1.429367 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 206 Partial
Content
1.429409 fw-new.lan.net -> win98.lan.net HTTP Continuation
1.959009 win98.lan.net -> fw-new.lan.net TCP 1040 > www [SYN]
Seq=504088 Ack=0 Win=8192 Len=0 MSS=1460
1.959077 fw-new.lan.net -> win98.lan.net TCP www > 1040 [SYN, ACK]
Seq=1796380650 Ack=504089 Win=5840 Len=0 MSS=
1460
1.960206 win98.lan.net -> fw-new.lan.net HTTP GET
/manual/style/css/manual.css HTTP/1.1
1.960281 fw-new.lan.net -> win98.lan.net TCP www > 1040 [ACK]
Seq=1796380651 Ack=504574 Win=6432 Len=0
1.961134 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 206 Partial
Content
1.961189 fw-new.lan.net -> win98.lan.net HTTP Continuation
4.429294 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 206 Partial
Content
4.959290 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 206 Partial
Content
10.429291 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 206 Partial
Content
10.959285 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 206 Partial
Content
11.879277 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 200 OK
12.439301 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 200 OK
When requesting a site, the request times out.
Weird, isnīt it? And no, the firewall doesnīt block TCP Connections,
it is wide open (Rules flushed/Policies accept) for this testing.
Using iptables 1.2.8 on Debian/woody.
I would be very thankful, if someone could give me a hint.
Greetings,
Marcin Davies
I have a very strange problem on my home network. The setup is:
Linux 2.2.17 Firewall/Gateway (ipchains): fw-old
Linux 2.4.22 Firewall/Gateway (iptables) : fw-new
Several Windows 2000 and one Windows 98 (not 2nd Edition)-Boxes
attached to the same switch and the same subnet.
I build a new server (fw-new) with iptables to replace the old one.
The iptable-Rules were setup with Shorewall. A test run with my
Windows 2000-Clients was successful, everything runs fine. So I
completely replaced the old-fw, and was happy. However, I have serious
problems connecting the only Windows98 Box: And here is what happens:
Pinging to the Internet and to fw-new runs fine (ICMP in general).
UDP Packets (e.g. DNS) too, but TCP-Connections are broken. When I
switch back to the old-fw everything runs fine.
For debugging purposes I changed the setup as follows: fw-new is now
just a router and forwards all packets to fw-old, which is connected
to the internet (and does NAT/Masquerading). The gateway for the
clients is fw-new and the Win98-Box is happy with that. With this
setup packets from the Win98-Box first traverse fw-new and go to
fw-old and this works fine.
But when I connect directly to fw-new TCP connections are nevertheless
broken (UDP and ICMP are again working). Here is what an ethereal dump
shows for trying SSH to fw-new:
*SSH:
8.842311 win98.lan.net -> fw-new.lan.net TCP 1030 > ssh [SYN]
Seq=437821 Ack=0 Win=8192 Len=0 MSS=1460
8.842462 fw-new.lan.net -> win98.lan.net TCP ssh > 1030 [SYN, ACK]
Seq=1727914751 Ack=437822 Win=5840 Len=0 MSS=
1460
12.239438 fw-new.lan.net -> win98.lan.net TCP ssh > 1030 [SYN, ACK]
Seq=1727914751 Ack=437822 Win=5840 Len=0 MSS=
1460
18.239433 fw-new.lan.net -> win98.lan.net TCP ssh > 1030 [SYN, ACK]
Seq=1727914751 Ack=437822 Win=5840 Len=0 MSS=
1460
....
The connection is initiated, and the server correctly sends an ACK.
And then our Win98-Box sleeps....
*HTTP:
0.439298 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 200 OK
1.416402 win98.lan.net -> fw-new.lan.net TCP 1039 > www [SYN]
Seq=503546 Ack=0 Win=8192 Len=0 MSS=1460
1.416473 fw-new.lan.net -> win98.lan.net TCP www > 1039 [SYN, ACK]
Seq=1798673511 Ack=503547 Win=5840 Len=0 MSS=
1460
1.428368 win98.lan.net -> fw-new.lan.net HTTP GET
/manual/index.html.de HTTP/1.1
1.428459 fw-new.lan.net -> win98.lan.net TCP www > 1039 [ACK]
Seq=1798673512 Ack=504089 Win=6504 Len=0
1.429367 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 206 Partial
Content
1.429409 fw-new.lan.net -> win98.lan.net HTTP Continuation
1.959009 win98.lan.net -> fw-new.lan.net TCP 1040 > www [SYN]
Seq=504088 Ack=0 Win=8192 Len=0 MSS=1460
1.959077 fw-new.lan.net -> win98.lan.net TCP www > 1040 [SYN, ACK]
Seq=1796380650 Ack=504089 Win=5840 Len=0 MSS=
1460
1.960206 win98.lan.net -> fw-new.lan.net HTTP GET
/manual/style/css/manual.css HTTP/1.1
1.960281 fw-new.lan.net -> win98.lan.net TCP www > 1040 [ACK]
Seq=1796380651 Ack=504574 Win=6432 Len=0
1.961134 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 206 Partial
Content
1.961189 fw-new.lan.net -> win98.lan.net HTTP Continuation
4.429294 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 206 Partial
Content
4.959290 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 206 Partial
Content
10.429291 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 206 Partial
Content
10.959285 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 206 Partial
Content
11.879277 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 200 OK
12.439301 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 200 OK
When requesting a site, the request times out.
Weird, isnīt it? And no, the firewall doesnīt block TCP Connections,
it is wide open (Rules flushed/Policies accept) for this testing.
Using iptables 1.2.8 on Debian/woody.
I would be very thankful, if someone could give me a hint.
Greetings,
Marcin Davies