Problems with routing over multiple sequential default gateways.

Hi.

I got a problem with sequential routing over two default routes; it might be that it's just
due to my misunderstanding of routing basics. Given the following situation:

Host connections:
jocker (dhcp) 192.168.61.100 —> sugoman, eth2 (fix) 192.168.61.20
sugoman, eth0 (dhcp) 192.168.20.107 —> troll, eth0 (fix) 192.168.20.21
troll, eth2 (dhcp) —> DSL-Router
DSL-Router —> Internet

Ping:
Jocker <----> sugoman = ok
Jocker <----> troll = not ok
Sugoman <----> troll = ok
Sugoman -----> Internet = ok

Host Troll is connected to a Unitymedia DSL-Router.

To my understanding a ping request from the Windows XP host jocker to the SUSE
10.2 based host troll is first routed via the default gw to the SUSE 11.3 based host
sugoman. The ping request doesn't match any static routes there and should
therefore finally be sent via the default gw to host troll. This does NOT happen, though
IP forwarding on hosts sugoman and troll is on! See below.

Host: Jocker
Os: Wxp sp3
Windows Firewall is not active!

D:\>ipconfig
Windows-IP-Konfiguration
Ethernetadapter LAN-Verbindung:
Verbindungsspezifisches DNS-Suffix: oben.zuhause.
IP-Adresse. . . . . . . . . . . . : 192.168.61.100
Subnetzmaske. . . . . . . . . . . : 255.255.255.0
IP-Adresse. . . . . . . . . . . . : fe80::2c0:dfff:fe13:600b%4
Standardgateway . . . . . . . . . : 192.168.61.20

Tunneladapter Teredo Tunneling Pseudo-Interface:
Verbindungsspezifisches DNS-Suffix:
IP-Adresse. . . . . . . . . . . . : fe80::ffff:ffff:fffd%5
Standardgateway . . . . . . . . . :

Tunneladapter Automatic Tunneling Pseudo-Interface:
Verbindungsspezifisches DNS-Suffix: oben.zuhause.
IP-Adresse. . . . . . . . . . . . : fe80::5efe:192.168.61.100%2
Standardgateway . . . . . . . . . :

D:\>tracert 192.168.20.21
Routenverfolgung zu troll.fm.ib-mitlehner.de [192.168.20.21] über maximal
30 Abschnitte:
1 <1 ms <1 ms <1 ms 192.168.61.20
2 192.168.61.20 meldet: Zielprotokoll nicht erreichbar.

Ablaufverfolgung beendet.
D:\>

Host: Sugoman
Os: suse 11.3
SuSEfirewall2 is on, eth0 and eth2 are set to the internal zone.
Masquerading is off

sugoman:~ # route -n
Kernel IP Routentabelle
Ziel Router Genmask Flags Metric Ref Use Iface
192.168.20.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.60.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.61.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.20.21 0.0.0.0 UG 0 0 0 eth0

sugoman:~ # cat /proc/sys/net/ipv4/ip_forward
1
sugoman:~ # ifconfig
eth0 Link encap:Ethernet Hardware Adresse 00:25:22:42:07:57
inet Adresse:192.168.20.107 Bcast:192.168.20.255 Maske:255.255.255.0
inet6 Adresse: fe80::225:22ff:fe42:757/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4441 errors:0 dropped:0 overruns:0 frame:0
TX packets:1087 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 Sendewarteschlangenlänge:1000
RX bytes:988653 (965.4 Kb) TX bytes:107193 (104.6 Kb)
Interrupt:20 Basisadresse:0xc000

eth2 Link encap:Ethernet Hardware Adresse 00:E0:4C:68:69:B6
inet Adresse:192.168.61.20 Bcast:192.168.61.255 Maske:255.255.255.0
inet6 Adresse: fe80::2e0:4cff:fe68:69b6/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1241 errors:0 dropped:0 overruns:0 frame:0
TX packets:1006 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 Sendewarteschlangenlänge:1000
RX bytes:105895 (103.4 Kb) TX bytes:174378 (170.2 Kb)
Interrupt:31 Basisadresse:0xe000

sugoman:~ #

Host: Troll
Os: suse 10.2
SuSEfirewall2 is on, eth0 is set to the internal zone, eth2 to the external zone.
Masquerading is on

troll:~ # route -n
Kernel IP Routentabelle
Ziel Router Genmask Flags Metric Ref Use Iface
192.168.20.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
178.200.xx.0 0.0.0.0 255.255.254.0 U 0 0 0 eth2
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 178.200.xx.xx 0.0.0.0 UG 0 0 0 eth2

troll:~ # cat /proc/sys/net/ipv4/ip_forward
1
troll:~ # ifconfig
eth0 Link encap:Ethernet Hardware Adresse 00:21:85:6F:B8:78
inet Adresse:192.168.20.21 Bcast:192.168.20.255 Maske:255.255.255.0
inet6 Adresse: fe80::221:85ff:fe6f:b878/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:294831527 errors:0 dropped:0 overruns:0 frame:0
TX packets:592615642 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 Sendewarteschlangenlänge:100
RX bytes:26647733167 (25413.2 Mb) TX bytes:357248659526 (340698.8 Mb)
Speicher:fdde0000-fde00000

eth2 Link encap:Ethernet Hardware Adresse 00:10:5A:42:62:E5
inet Adresse:178.200.xx.xx Bcast:255.255.255.255 Maske:255.255.254.0
UP BROADCAST RUNNING MULTICAST MTU:576 Metric:1
RX packets:663823938 errors:14 dropped:0 overruns:8709 frame:22
TX packets:272566099 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 Sendewarteschlangenlänge:1000
RX bytes:318772700649 (304005.3 Mb) TX bytes:22416962500 (21378.4 Mb)
Interrupt:17 Basisadresse:0x8000

troll:~ #

I've been googling for weeks now and I tried a lot of strange things. Until now I didn't find a
solution to this problem, unfortunately.

So help me please! Thank you in advance.

PS.
Output of ifconfig is reduced to eth0 and eth2 by editing.

On 11/28/2011 10:26 PM, joachim m wrote:
> So help me please!

sorry, i’m not a networking guru but i did see you have an openSUSE 10.2
in the mix, and my thought was: since it passed its end of life on
November 30, 2008 <cite: http://en.opensuse.org/Lifetime>, and has not
been supported with security patches since, perhaps it has picked up a
root kit and has taken over your network…

and, in addition to causing the problems you describe maybe it is also
being used as a powerful botnet control node…

i don’t know.


DD http://tinyurl.com/DD-Caveat http://tinyurl.com/DD-Hardware
http://tinyurl.com/DD-Software
openSUSE®, the “German Engineered Automobiles” of operating systems!

Looks pretty complicated, but I would examine the firewall rules on sugoman. It could be that ping forwarding is blocked there. I would suggest turning off the firewall, but maybe you need the forwarding rules in iptables. Also you should try IP access in addition to ping (ICMP) access. Any open port on troll can be used as a target for a telnet test or traceroute (with -T, for TCP) test. Oops, I forgot jocker is a Windows machine so I don’t know whether their tracert supports TCP trace.

And please use CODE tags around your computer texts next time: Posting in Code Tags - A Guide

Hello DenverD,

You are right, thanks. SUSE 10.2 is pretty out. Host troll is being replaced soon
actually. So by the way, do you know a quick and simple test to check for such a
root kit?

Hello ken-yap,

Thanks for your answer. In my first post I put all the outputs required, in my opinion,
to be sufficient for a first analysis of the IP flow. So it might look a bit scary indeed.
The trouble is that packets do not pass beyond host sugoman. I turned off the
firewall on sugoman, as you wrote. The result looks worse than with the firewall on, if you
see all the time-outs by tracert on jocker:

D:\>tracert 192.168.20.21

Routenverfolgung zu troll.fm.ib-mitlehner.de [192.168.20.21] über maximal 30
Abschnitte:

1 * * * Zeitüberschreitung der Anforderung.
2 * * * Zeitüberschreitung der Anforderung.
3 * * * Zeitüberschreitung der Anforderung.

30 * * * Zeitüberschreitung der Anforderung.

Ablaufverfolgung beendet.

D:\>

So it does not seem to be a blocking of ICMP packets. All traffic originating from
sugoman to troll and back is ok. Ping, telnet, samba shares, etc., all that is
fine!
It looks as if packets arriving on eth2 (192.168.61.20) on sugoman are simply not
routed over the default gw on eth0 of sugoman. Keep in mind: "forwarding is on"! If
you are in doubt, inspect the outputs in my first post.

Are there any other good ideas?
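The original post reasons about which route a packet takes at each host ("doesn't match any static routes there, so default gw"), and the follow-up above asks why packets arriving on sugoman's eth2 are not forwarded. The script below is an added example, not code from any poster: it implements the kernel's longest-prefix route lookup and runs it over the `route -n` tables exactly as posted for sugoman and troll, once for the jocker -> troll direction and once for troll's reply back to 192.168.61.100. The public prefix on troll was masked ("178.200.xx") in the post, so the documentation range 198.51.100.0/23 and gateway 198.51.100.1 stand in for it; the host addresses and all private routes are the ones from the thread. With the tables as posted, troll has no entry for 192.168.61.0/24, so the lookup for the reply resolves to troll's default route out eth2, which is the reverse-path check a practitioner would run before looking further at firewall rules.

```python
"""Longest-prefix route lookup over the route tables posted in this thread.

Added example (not code from any poster): models the kernel's per-packet
forwarding decision and applies it to both directions of the jocker -> troll
ping, using the `route -n` tables from the first post.
"""
import ipaddress

# Route tables transcribed from the thread's `route -n` output as
# (destination network, gateway, interface); gateway "0.0.0.0" means the
# network is directly attached. troll's public prefix was masked ("178.200.xx")
# in the post, so the documentation range 198.51.100.0/23 is a placeholder.
SUGOMAN_ROUTES = [
    ("192.168.20.0/24", "0.0.0.0", "eth0"),
    ("192.168.60.0/24", "0.0.0.0", "eth1"),
    ("192.168.61.0/24", "0.0.0.0", "eth2"),
    ("169.254.0.0/16", "0.0.0.0", "eth0"),
    ("127.0.0.0/8", "0.0.0.0", "lo"),
    ("0.0.0.0/0", "192.168.20.21", "eth0"),
]
TROLL_ROUTES = [
    ("192.168.20.0/24", "0.0.0.0", "eth0"),
    ("198.51.100.0/23", "0.0.0.0", "eth2"),   # placeholder for 178.200.xx.0/23
    ("169.254.0.0/16", "0.0.0.0", "eth0"),
    ("127.0.0.0/8", "0.0.0.0", "lo"),
    ("0.0.0.0/0", "198.51.100.1", "eth2"),    # placeholder for the DSL router
]

JOCKER = "192.168.61.100"      # Windows client behind sugoman's eth2
TROLL_LAN = "192.168.20.21"    # troll's eth0 address

# Which table applies when a packet is handed to a given next hop.
TABLES = {
    "192.168.61.20": SUGOMAN_ROUTES,    # sugoman, eth2 side (jocker's gateway)
    "192.168.20.107": SUGOMAN_ROUTES,   # sugoman, eth0 side
    "192.168.20.21": TROLL_ROUTES,      # troll
}


def lookup(routes, dst):
    """Return the most specific route (network, gateway, iface) matching dst,
    as the kernel's longest-prefix match does; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, iface)
    return best


def next_hop(routes, dst):
    """Resolve dst to (next hop, interface). "direct" means dst is on an
    attached subnet and is delivered without going through a gateway."""
    route = lookup(routes, dst)
    if route is None:
        return None
    _, gw, iface = route
    return ("direct" if gw == "0.0.0.0" else gw, iface)


def trace_hops(tables, first_hop, dst):
    """Follow a packet from router to router until it is delivered directly
    or it is handed to a next hop we have no table for (e.g. the DSL router).
    Returns a list of (router, next hop, interface) decisions."""
    hops = []
    current = first_hop
    while current in tables:
        hop, iface = next_hop(tables[current], dst)
        hops.append((current, hop, iface))
        if hop == "direct":
            break
        current = hop
    return hops


def forward_path():
    """jocker -> troll: jocker hands the packet to its default gateway, sugoman."""
    return trace_hops(TABLES, "192.168.61.20", TROLL_LAN)


def return_path():
    """troll -> jocker: troll's reply starts at troll's own table."""
    return trace_hops(TABLES, TROLL_LAN, JOCKER)


if __name__ == "__main__":
    print("forward:", forward_path())   # sugoman delivers directly on eth0
    print("return: ", return_path())    # troll sends the reply to its default gw on eth2
```

The forward direction is delivered by sugoman straight onto eth0, because 192.168.20.0/24 is a more specific match than the default route. The return lookup on troll finds only the default route, so the decision list ends with a next hop (the DSL router placeholder) for which no further table exists; on a real host that is the packet leaving the LAN with a private destination.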

Sorry, all I can suggest is to concentrate on sugoman. Good luck. Lucky I don’t have a setup like this. :)

On 11/30/2011 12:06 AM, joachim m wrote:
> You are right, thanks. Suse 10.2 is pretty out. Host troll is being replaced soon actually. So by the way, do you know a quick and simple Test to check for such a root kit?

yep, but as far as i know both Rootkit Hunter and TripWire require some
administrative action on Day Zero (which is the only day you can be
certain the machine is clean)…

hmmmm…having said that Rootkit Hunter does look (even on Day Zero) for
known root kits/exploits, so if you have one of the more obvious, easy
to find problems it might find it without having seen the system earlier
(to have something known clean to compare to)…


DD
openSUSE®, the “German Engineered Automobiles” of operating systems!