Linux – with fully permissive iptables, tcpdump shows icmp echo requests arriving, but no reply’s are sent

icmplinuxnetworking

I'm a bit stumped on where to look next. When using SoftEther IPsec VPN into my network, I can access every server in the main subnet but one. When behind the main firewall, the server responds to all network traffic as expected. Please note, that the server in question has no iptables rules what-so-ever and all the chains are set to accept. But, when I am remote, and connect to the VPN, this server becomes inaccessible. I started looking at the VPN server, but it has no rules to prevent access. I can tcpdump packets on the VPN server and see requests going to the problem server, but no replies. When I ssh hop to the problem server and tcpdump, I can see the requests from the VPN client node, but for some reason or another, the problem server is not replying. hosts.deny is empty. Where else can I look to see where these requests are going? The node is older, running Linux 2.6.38.

Best Answer

Did you tcpdump on the server itself when you try to reach it from the VPN (to make sure the trouble is on the server) ?

Related Solutions

Linux – Tough routing problem with Linux, Quagga and OpenVPN

What I find strange is it that client's routing tables are pointing to nowhere (0.0.0.0). It is ok for local networks but for 10.2.10.1 that passes trough a tunnel it might be a problem.

Linux – Squid TPROXY connection fails on specific sites

From the tcpdump output you provided, following lines indicate a problem, i.e. your host sending a SYN to destination, and then sending an RST to the destination as well, but ofcourse TTLs are different, so seems like some TPROXY magic going on:

12:55:17.255717 IP (tos 0x0, ttl 64, id 11025, offset 0, flags [none], proto TCP (6), length 56)
    x.x.x.150.62568 > 80.75.1.4.80: Flags [S], cksum 0x5f7e (incorrect -> 0x3c92), seq 572035649, win 14600, options [mss 1460,sackOK,TS val 66378265 ecr 0], length 0
12:55:17.258877 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    x.x.x.150.62568 > 80.75.1.4.80: Flags [R], cksum 0xa779 (correct), seq 572035650, win 0, length 0
12:55:18.253670 IP (tos 0x0, ttl 64, id 11026, offset 0, flags [none], proto TCP (6), length 56)
    x.x.x.150.62568 > 80.75.1.4.80: Flags [S], cksum 0x5f7e (incorrect -> 0x3b98), seq 572035649, win 14600, options [mss 1460,sackOK,TS val 66378515 ecr 0], length 0
12:55:18.257916 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    x.x.x.150.62568 > 80.75.1.4.80: Flags [R], cksum 0xa779 (correct), seq 572035650, win 0, length 0

It doesn't seem like an MTU problem. To start with troubleshooting, I suggest removing TPROXY (assuming you're using that) and switch to REDIRECT based rule and see if problem goes away. It would be helpful if you could paste your REDIRECT or related iptables rules.

Best Answer

Related Solutions

Linux – Tough routing problem with Linux, Quagga and OpenVPN

Linux – Squid TPROXY connection fails on specific sites

Related Topic