Have now installed wireshark and found the following:
If I start shorewall, I get errors similar to this:
--------------------------------------------------------------------
Feb 22 11:36:01 LeosLinux kernel: [38591.340239] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=172.20.34.203 DST=198.18.0.2 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=51779 DF PROTO=UDP SPT=44851 DPT=53 LEN=49
Feb 22 11:36:01 LeosLinux kernel: [38591.340251] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=172.20.34.203 DST=208.67.222.222 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=11334 DF PROTO=UDP SPT=44851 DPT=53 LEN=49
Feb 22 11:36:01 LeosLinux kernel: [38591.340261] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=172.20.34.203 DST=208.67.220.220 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=23554 DF PROTO=UDP SPT=44851 DPT=53 LEN=49
Feb 22 11:36:01 LeosLinux kernel: [38591.340271] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=172.20.34.203 DST=198.18.0.1 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=26970 DF PROTO=UDP SPT=44851 DPT=53 LEN=49
Feb 22 11:36:01 LeosLinux kernel: [38591.340299] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=172.20.34.203 DST=198.18.0.2 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=51780 DF PROTO=UDP SPT=26817 DPT=53 LEN=49
Feb 22 11:36:01 LeosLinux kernel: [38591.340310] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=172.20.34.203 DST=208.67.222.222 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=11335 DF PROTO=UDP SPT=26817 DPT=53 LEN=49
Feb 22 11:36:01 LeosLinux kernel: [38591.340320] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=172.20.34.203 DST=208.67.220.220 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=23555 DF PROTO=UDP SPT=26817 DPT=53 LEN=49
Feb 22 11:36:01 LeosLinux kernel: [38591.340330] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=172.20.34.203 DST=198.18.0.1 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=26971 DF PROTO=UDP SPT=26817 DPT=53 LEN=49
----------------------------------------------------------------------------------
I have no idea what IP addresses 198.18.0.(1|2) are.
If I stop shorewall and flush the rules, iptables looks as follows:
---------------------------------------------------------------------
>>>sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
--------------------------------------------------------------------
If I then start Wireshark and OpenVPN, I never see IP addresses
198.18.0.(1|2).
I'm obviously out of my depth here, so really could do with some help.
Thanks,
Leo
On 20/02/16 13:50, Subscribe wrote:
> Following is my environment. Attached is the output from the shorewall dump
>
> OS: Ubuntu 15.10 64bit Desktop on Laptop
> Shorewall version: 4.6.4.3
>
>
> llist@LeosGameLaptop:~$ sudo ip addr show
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> valid_lft forever preferred_lft forever
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
> link/ether 80:fa:5b:13:29:be brd ff:ff:ff:ff:ff:ff
> 3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
> link/ether 80:19:34:b8:c8:e2 brd ff:ff:ff:ff:ff:ff
> inet 192.168.1.208/24 brd 192.168.1.255 scope global dynamic wlan0
> valid_lft 2782sec preferred_lft 2782sec
> inet6 fe80::8219:34ff:feb8:c8e2/64 scope link
> valid_lft forever preferred_lft forever
> 4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
> link/ether 52:54:00:68:a4:11 brd ff:ff:ff:ff:ff:ff
> inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
> valid_lft forever preferred_lft forever
> 5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 500
> link/ether 52:54:00:68:a4:11 brd ff:ff:ff:ff:ff:ff
> 20: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
> link/none
> inet 172.20.17.184/22 brd 172.20.19.255 scope global tun0
> valid_lft forever preferred_lft forever
>
> llist@LeosGameLaptop:~$ sudo ip route show
> default via 172.20.16.1 dev tun0 proto static metric 50
> default via 192.168.1.1 dev wlan0 proto static metric 600
> 169.254.0.0/16 dev virbr0 scope link metric 1000
> 172.20.16.0/22 dev tun0 proto kernel scope link src 172.20.17.184 metric 50
> 173.245.209.129 via 192.168.1.1 dev wlan0 proto static metric 600
> 192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.208 metric 600
> 192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
>
>
> I've been running shorewall for a few years now, but have run into the
> following problem recently.
>
> My shorewall files were created from the single interface example and are:
>
> ---------zones ----------------
> ###############################################################################
> #ZONE TYPE OPTIONS IN OUT
> # OPTIONS OPTIONS
> fw firewall
> net ipv4
> ovpn ipv4
> --------------------------------
>
> ----------- interfaces ----------------
> ###############################################################################
> ?FORMAT 2
> ###############################################################################
> #ZONE INTERFACE OPTIONS
> net eth0 dhcp,optional,tcpflags,logmartians,nosmurfs,sourceroute=0
> net wlan0 dhcp,optional,tcpflags,logmartians,nosmurfs,sourceroute=0
> ovpn tun0 dhcp,optional
> ---------------------------------------------
>
> ----------- policy -----------------------------------------------
>
> #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
> fw net ACCEPT
> ovpn net ACCEPT
> net all DROP info
> ovpn all DROP info
> # The FOLLOWING POLICY MUST BE LAST
> all all REJECT info
> ------------------------------------------------------------------
>
>
> ------------ rules ---------------------------
> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
> # PORT PORT(S) DEST LIMIT GROUP
> ?SECTION ALL
> ?SECTION ESTABLISHED
> ?SECTION RELATED
> ?SECTION INVALID
> ?SECTION UNTRACKED
> ?SECTION NEW
>
> # Drop packets in the INVALID state
>
> Invalid(DROP) net fw tcp
>
> # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
>
> Ping(DROP) net fw
>
> # Permit all ICMP traffic FROM the firewall TO the net zone
>
> ACCEPT fw net icmp
> #
> # Permit openvpn
>
> ACCEPT:info ovpn fw udp - 1194
> ACCEPT:info fw ovpn udp 1194
> --------------------------------------------------------------------------------------
>
>
> I've set up a new laptop and found that when using the Openvpn client,
> shorewall rejects packets for destination port 53.
>
> ================================================================================
> Feb 20 13:32:54 LeosGameLaptop kernel: [11141.270388] Shorewall:fw-ovpn:REJECT:IN= OUT=tun0 SRC=172.20.17.184 DST=198.18.0.2 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=1421 DF PROTO=UDP SPT=13415 DPT=53 LEN=57
> Feb 20 13:32:54 LeosGameLaptop kernel: [11141.270396] Shorewall:fw-ovpn:REJECT:IN= OUT=tun0 SRC=172.20.17.184 DST=61.9.194.49 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=42653 DF PROTO=UDP SPT=13415 DPT=53 LEN=57
> Feb 20 13:32:54 LeosGameLaptop kernel: [11141.270405] Shorewall:fw-ovpn:REJECT:IN= OUT=tun0 SRC=172.20.17.184 DST=61.9.195.193 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=47650 DF PROTO=UDP SPT=13415 DPT=53 LEN=57
> ================================================================================
>
> Openvpn is listening on 1194, so I'm not sure where port 53 gets
> involved. Suspected the Ubuntu dnsmasq, but after disabling this, the
> problem remains. Have posted this question on the Ubuntu network forum,
> but found no takers.
>
> netstat -tulpn
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
> tcp 0 0 127.0.0.1:1194 0.0.0.0:* LISTEN 15776/openvpn
> tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN 1759/dnsmasq
> tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1452/dnsmasq
> tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 6607/cupsd
> tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2247/master
> tcp6 0 0 ::1:631 :::* LISTEN 6607/cupsd
> tcp6 0 0 ::1:25 :::* LISTEN 2247/master
> udp 0 0 0.0.0.0:59475 0.0.0.0:* 1093/avahi-daemon:
> udp 0 0 0.0.0.0:44297 0.0.0.0:* 15776/openvpn
> udp 0 0 0.0.0.0:5353 0.0.0.0:* 1093/avahi-daemon:
> udp 0 0 0.0.0.0:24280 0.0.0.0:* 7767/dhclient
> udp 0 0 127.0.1.1:53 0.0.0.0:* 1759/dnsmasq
> udp 0 0 192.168.122.1:53 0.0.0.0:* 1452/dnsmasq
> udp 0 0 0.0.0.0:67 0.0.0.0:* 1452/dnsmasq
> udp 0 0 0.0.0.0:68 0.0.0.0:* 7767/dhclient
> udp 0 0 0.0.0.0:631 0.0.0.0:* 1224/cups-browsed
> udp6 0 0 :::2277 :::* 7767/dhclient
> udp6 0 0 :::5353 :::* 1093/avahi-daemon:
> udp6 0 0 :::58274 :::* 1093/avahi-daemon:
>
>
>
> Thanks
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
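Added example (not part of the thread, and not Shorewall's own code): a small Python script that parses Shorewall kernel log lines like the ones quoted above, works out which entry of the posted policy/rules files would have produced the REJECT, and classifies the destination address. The rule/policy evaluation is a deliberately simplified model of Shorewall's behaviour (explicit rules are consulted first, then the policy file top to bottom with `all` as a wildcard); the `RULES` and `POLICY` tables are transcribed from the original post, and the sample log lines are the thread's own. The only outside fact used is that 198.18.0.0/15 is the benchmarking range reserved by RFC 2544, which the classifier reports as a label; it says nothing about what actually answers at those addresses on this VPN.

```python
import re
import ipaddress
from collections import Counter

# Sample input: REJECT lines from the thread, rejoined onto one line each.
SAMPLE_LOG = """\
Feb 22 11:36:01 LeosLinux kernel: [38591.340239] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=172.20.34.203 DST=198.18.0.2 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=51779 DF PROTO=UDP SPT=44851 DPT=53 LEN=49
Feb 22 11:36:01 LeosLinux kernel: [38591.340251] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=172.20.34.203 DST=208.67.222.222 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=11334 DF PROTO=UDP SPT=44851 DPT=53 LEN=49
Feb 20 13:32:54 LeosGameLaptop kernel: [11141.270388] Shorewall:fw-ovpn:REJECT:IN= OUT=tun0 SRC=172.20.17.184 DST=198.18.0.2 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=1421 DF PROTO=UDP SPT=13415 DPT=53 LEN=57
"""

# Log prefix format seen in the thread: Shorewall:<srczone>-<dstzone>:<disposition>:
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):(?P<rest>.*)")

# Policy file from the original post: (SOURCE, DEST, POLICY, LOG LEVEL).
POLICY = [
    ("fw", "net", "ACCEPT", None),
    ("ovpn", "net", "ACCEPT", None),
    ("net", "all", "DROP", "info"),
    ("ovpn", "all", "DROP", "info"),
    ("all", "all", "REJECT", "info"),
]

# The two UDP rules from the post, reduced to
# (ACTION, SOURCE, DEST, PROTO, DEST PORT, SOURCE PORT); None = any.
RULES = [
    ("ACCEPT", "ovpn", "fw", "udp", None, 1194),   # ACCEPT:info ovpn fw udp - 1194
    ("ACCEPT", "fw", "ovpn", "udp", 1194, None),   # ACCEPT:info fw ovpn udp 1194
]

BENCHMARK_NET = ipaddress.ip_network("198.18.0.0/15")  # RFC 2544 benchmarking range


def parse_shorewall_line(line):
    """Return a dict for a Shorewall log line, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("rest").split():
        if "=" in tok:                       # bare flags such as DF carry no value
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)          # keep the first LEN= (IP total length)
    src_zone, _, dst_zone = m.group("chain").partition("-")
    return {
        "src_zone": src_zone, "dst_zone": dst_zone, "action": m.group("action"),
        "in": fields.get("IN", ""), "out": fields.get("OUT", ""),
        "src": fields.get("SRC"), "dst": fields.get("DST"),
        "proto": fields.get("PROTO", "").lower(),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        "sport": int(fields["SPT"]) if "SPT" in fields else None,
    }


def decide(entry):
    """Simplified first-match model: explicit rules first, then the policy table."""
    for action, src, dst, proto, dport, sport in RULES:
        if (src == entry["src_zone"] and dst == entry["dst_zone"]
                and proto == entry["proto"]
                and (dport is None or dport == entry["dport"])
                and (sport is None or sport == entry["sport"])):
            return action, "rule"
    for src, dst, policy, _level in POLICY:
        if src in ("all", entry["src_zone"]) and dst in ("all", entry["dst_zone"]):
            return policy, "policy"
    return "REJECT", "default"   # unreachable with an 'all all' policy present


def classify_dst(addr):
    """Label a destination: RFC 2544 benchmark range, RFC 1918-style private, or public."""
    ip = ipaddress.ip_address(addr)
    if ip in BENCHMARK_NET:              # checked first: Python also counts it as private
        return "rfc2544-benchmark"
    if ip.is_private:
        return "private"
    return "public"


def summarize(log_text):
    """Count rejected flows by zone pair, proto/port, destination and deciding entry."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_shorewall_line(line)
        if e is None:
            continue
        verdict, source = decide(e)
        key = (e["src_zone"], e["dst_zone"], e["proto"], e["dport"],
               e["dst"], classify_dst(e["dst"]), verdict, source)
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        sz, dz, proto, dport, dst, cls, verdict, source = key
        print(f"{sz}->{dz} {proto}/{dport} to {dst} ({cls}): {verdict} via {source} x{n}")
```

Run against the posted logs, every line comes out as REJECT via the final `all all REJECT info` policy: the only fw-to-ovpn rule accepts UDP to port 1194, so DNS traffic the VPN pushes over tun0 falls through to the catch-all. That is the first thing to confirm with `shorewall dump` before looking further for where port 53 comes from.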