SuSEfirewall - VLAN opening ports problem

Hi everyone:
I have a server running some basic services to the web (smtp, dns, http, pop). Normally to do that I have a fixed IP 24.xxxx
Now I want to manage the DNS myself, so I bought one additional IP from my provider.

The hardware connection is:
cablemodem ---- (single utp cable) ---- server ---- switch to internal net

After fighting for some days I can get the VLAN running at boot time; I get the VLAN with a different MAC address, and I have the fixed IP (200.xxx).

#ifconfig
enp0s10 Link encap:Ethernet HWaddr 00:00:00:00:00:00
inet addr:192.168.10.1
enp0s11 Link encap:Ethernet HWaddr 00:00:00:00:00:8B
inet addr:24.xxxxxxx
enp0s12 Link encap:Ethernet HWaddr 00:00:00:00:00:8C
inet addr:200.xxxxxx >>>>virtual<<<<

Now my problem is SuSEfirewall2: all ports on enp0s12 seem closed when I run an external test.
http://mxtoolbox.com/SuperTool.aspx?action=scan%3A200.114.167.48&run=toolpage

I need at least port 53 open. I tried editing /etc/sysconfig/SuSEfirewall:

     FW_DEV_EXT="enp0s11 enp0s12"

I also tried executing by hand:
iptables -A INPUT -i enp0s12 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o enp0s12 -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i enp0s12 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o enp0s12 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

But the test still says “all ports closed”. Searching the logs I found:
/var/log/messages
SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 …
SuSEfirewall2: using default zone ‘ext’ for interface enp0s12
SuSEfirewall2: Firewall customary rules loaded from /root/bin/SuSEfirewall2-custom
schweb kernel: [8542.274025] net_ratelimit: 24 callbacks suppressed
schweb kernel: [8542.274043] IPv4: martian source XXXXXXXXXXXXXXXXXXXXXXXXx

In /var/log/firewall I didn't find any reference to enp0s12. It's as if no accepted or rejected packets exist.
My ISP says that they have all ports open.

I would appreciate any clue.

Best Regards

Hello and welcome here.

Can you please tell us which version of openSUSE you use?

Also, when you post computer output here, please do so between CODE tags. It is the # button in the tool bar of the post editor. When applicable copy/paste complete, that is including the prompt, the command, the output and the next prompt.

Regards,

Thanks for the welcome. Sorry for the missing data, I can't edit the first post. Here are the required data with code tags:

Server hardware: Athlon 2000 with 4 GB of RAM and 2 disks in RAID 1 of 3 TB SATA under a PCI controller, and backup hardware: 2 DVD writers, one SD card reader, and one disk of 1 TB.
Server software: openSUSE 13.1 32-bit. Mail with postfix, courier-imap, apache2, mysql, squid.

The VLAN was created with the commands:


ip link add link enp0s11 name enp0s12 address 00:00:00:00:00:8C type macvlan
ip link set dev enp0s12 up

The DHCP process starts as:
/sbin/dhcpcd --netconfig -L -E -G -c /etc/sysconfig/network/scripts/dhcpcd-hook -t 0 -h schweb enp0s12

# dmesg | grep enp0s12
.... lots of similar lines with IPs that are not mine ...
[63510.754261] IPv4: martian source 172.26.29.151 from 172.26.29.1, on dev enp0s12
[63510.765225] IPv4: martian source 24.232.181.171 from 24.232.181.1, on dev enp0s12
[63510.828626] IPv4: martian source 181.170.21.183 from 181.170.21.1, on dev enp0s12
[63510.839989] IPv4: martian source 201.235.236.170 from 201.235.236.1, on dev enp0s12
[63510.908289] IPv4: martian source 201.231.102.171 from 201.231.102.1, on dev enp0s12
.......

In dmesg I found only references to enp0s11 (lots of similar lines; I post some here):


# dmesg
[73052.691134] SFW2-INext-DROP-DEFLT IN=enp0s11 OUT= MAC=00:08:54:3a:4b:8b:00:01:5c:7a:28:46:08:00 SRC=46.152.60.80 DST=24.232.174.73 LEN=102 TOS=0x00 PREC=0x00 TTL=49 ID=45342 PROTO=ICMP TYPE=3 CODE=3 [SRC=24.232.174.73 DST=46.152.60.80 LEN=74 TOS=0x00 PREC=0x00 TTL=230 ID=18606 DF PROTO=UDP SPT=56857 DPT=53 LEN=54 ]
[73060.697827] SFW2-INext-ACC-TCP IN=enp0s11 OUT= MAC=00:08:54:3a:4b:8b:00:01:5c:7a:28:46:08:00 SRC=188.165.15.90 DST=24.232.174.73 LEN=60 TOS=0x00 PREC=0xC0 TTL=51 ID=16501 DF PROTO=TCP SPT=52979 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A5799DD290000000001030307)
[73087.005027] SFW2-INext-DROP-DEFLT IN=enp0s11 OUT= MAC=00:08:54:3a:4b:8b:00:01:5c:7a:28:46:08:00 SRC=103.38.42.66 DST=24.232.174.73 LEN=40 TOS=0x00 PREC=0x00 TTL=109 ID=256 PROTO=TCP SPT=53019 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
[73088.927521] SFW2-INext-ACC-TCP IN=enp0s11 OUT= MAC=00:08:54:3a:4b:8b:00:01:5c:7a:28:46:08:00 SRC=171.36.164.88 DST=24.232.174.73 LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=8766 DF PROTO=TCP SPT=17544 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405780402080A3C888D650000000001030307)
[73129.566753] SFW2-INext-ACC-TCP IN=enp0s11 OUT= MAC=00:08:54:3a:4b:8b:00:01:5c:7a:28:46:08:00 SRC=157.55.39.248 DST=24.232.174.73 LEN=48 TOS=0x02 PREC=0x00 TTL=109 ID=19767 DF PROTO=TCP SPT=36091 DPT=80 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0 OPT (0204058C01010402)
[73135.409518] SFW2-INext-DROP-DEFLT IN=enp0s11 OUT= MAC=00:08:54:3a:4b:8b:00:01:5c:7a:28:46:08:00 SRC=61.240.144.65 DST=24.232.174.73 LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=43279 PROTO=TCP SPT=60000 DPT=161 WINDOW=1024 RES=0x00 SYN URGP=0

Best regards

Some updated information:
I added a physical network card to the server, and connected both to the internet. After configuring it as DHCP I get an IP. And the problem is the same: the card with IP 24.xxxxx has open ports, and logs activity into /var/log/firewall.
The card with IP 200.xxxx doesn't have open ports, and logs “martian source” into /var/log/messages.

I will keep trying to find out how to get it working.

Some answers…

Ordinarily Public DNS requires that you install your DNS Servers on 2 separate boxes… But if you install in virtual machines on the same box, it’s unlikely anyone from the outside can tell what you’ve done. But, there is a reason to deploy on 2 physical boxes, it’s to provide redundancy. A better solution if you can make a deal with a friend somewhere who also needs to deploy on 2 IP addresses, you could solve both your problems if you served both yours and his Domain on your box and he did the same. Many people, even strangers (you can trust) would be willing to do this for you since in most cases the additional load and resources used is practically nil. It’s only the very big DNS services that serve hundreds and thousands of Domains that suffer significant resource usage.

If anyone has dreams of serving Domains differently to the Public and LAN on a multi-homed Server, it can’t be done (that I know of). You can only run one DNS server on a machine and the same Domains would be served on any configured interface.

The easiest way to provide DNS services in any SUSE FW zone (in particular anything other than the internal zone which is wide open by default) is to just add the DNS Service to the appropriate zone. That’s all, besides stop/restarting the service which should happen automatically when you use SUSE FW. The pre-configured DNS service will automatically open port 53 for you, you don’t have to go mucking with the iptables config files directly.

HTH,
TSU

I really appreciate your answer, and I know about redundancy and the reason for 2 DNS servers. Since I have only a single server the redundancy is useless in my case, since if electricity, the ISP or hardware fails, all sites go down.
For a long time I looked for a friend or another internet connection as an alternative. Unfortunately I found some ISP directives: NO public address for the customers, or the customer has completely filtered incoming ports if the IP is public. And all of this with dynamic IPs, while I have 2 static IPs.

You are right, the same domain service serves the same information for all cards. This is good for me since my internal computers are directly added into the HOSTS file.
The named process answers dig on BOTH external IPs when I run it inside the server. But one IP is closed when I test from outside.

The easiest way to provide DNS services in any SUSE FW zone (in particular anything other than the internal zone which is wide open by default) is to just add the DNS Service to the appropriate zone. That’s all, besides stop/restarting the service which should happen automatically when you use SUSE FW. The pre-configured DNS service will automatically open port 53 for you, you don’t have to go mucking with the iptables config files directly.

I agree, but sadly it didn't work.
The closest to getting it working was:

FW_ZONES="ext2"
FW_DEV_ext2="enp0s12"
#FW_SERVICES_ACCEPT_ext="0.0.0.0,udp,53 0.0.0.0,tcp,53"
FW_SERVICES_ext2_TCP="53 80 110 995"

But it still didn't work. Now I am under the supposition that the IP 200.XXXXX has no route configured, and I am reading:
http://lartc.org/howto/lartc.rpdb.multiple-links.html
http://linux-ip.net/html/adv-multi-internet.html

Best regards, and thank you

Well, this configuration seems to work fine:
First edit the file:
/etc/iproute2/rt_tables
and add:


199     T1
200     T2

Please note a TAB as the separator (nice annotation at: http://www.linuxhorizon.ro/iproute2.html)

Second, execute the following commands one by one.


ip route add 24.xxxxxx.0/24 dev enp0s11 src 24.xxxxx.73 table T1
ip route add default via 24.xxxxxx.1 table T1
ip route add 200.xxxxxxx.0/24 dev enp0s12 src 200.xxxxxx.48 table T2
ip route add default via 200.xxxxxx.1 table T2

ip route add 24.xxxxxxx.0/24 dev enp0s11 src 24.xxxxxx.73
ip route add 200.xxxxxxx.0/24 dev enp0s12 src 200.xxxxxx.48

ip route add default via 24.xxxxx.1

Thanks to: http://lartc.org/howto/lartc.rpdb.multiple-links.html

The SuSEfirewall part is to add:


Works fine:
FW_DEV_EXT="any"

Didn't work:
#FW_DEV_EXT="enp0s11 enp0s12 enp0s9"
#FW_DEV_EXT="enp0s11 enp0s9"
#FW_DEV_EXT="enp0s11 enp0s12"
#FW_DEV_EXT="enp0s11"
#FW_DEV_EXT="enp0s9"

The following step is to make the changes permanent.

You cannot simply set up a single machine with both your DNS Public addresses…
The DNS addresses will be detected as the same machine and your Domain Registrar will almost certainly invalidate the setup.

To run more than one DNS on the same box, you have to setup as I described… At least one virtual machine so that each DNS public address is detected to belong to a different machine.

In general the Internet community will frown on any kind of DNS resolution simply failing for no discernible reason (which would happen if your DNS servers go down), probably because of the possible havoc created by unresolvable addresses. You can be forgiven for any of your Domain’s various services failing, but not DNS itself.

So, it’s still advisable to find a better setup for your Public DNS than what you’re setting up now.

Using a Hosts file for LAN name resolution is fine… Just don’t create a LAN zone in a Public DNS, else you expose your LAN topography to external hackers.
Highly recommend you create a virtual machine for LAN network services; if set up properly it is a safe solution.

TSU

I understand you, and agree with you. But please, you must try to understand me. I live in a country where 50% of the people are poor. It is not possible to pay for a decent service since access to dollars is blocked. I am using hardware 5-10 years old, I don't have a credit card, and my car is 21 years old. In these circumstances I do the best I can do, with the resources that I have at hand. I only have one server and one internet connection.

Now I am using a free DNS service, and currently most sites are on freedns.afraid.org. The big problem that I found is that afraid allows any user to create a subdomain inside my domain.
For example I have the “schdev.com.ar” domain, so my zone is:
schdev.com.ar —> my IP and good site
www.schdev.com.ar —> my IP and good site
mail.schdev.com.ar —> my IP and good
xj2.schdev.com.ar —> WTF? other site, a phishing/malware site
asdfa. -----> malware
etc etc -----> malware

Note: Afraid.org does not give me tools to ban or reject these sites.

At this moment freedns is affecting my reputation and my good site is blacklisted. So I (a decent person) am stuck and tagged as a malware server, losing a lot of customers. So my priority at this moment is to recover my reputation and UNBAN my site.

About external/internal services: I have had my own server for years and make a backup every week.
External: smtp, dns, www, pop (nothing more; all programs behave well in the external/internal role). All other ports closed.
Internal: other normal services that I can say in a public forum.

My registrar has an “autodelegate” option that allows putting glue for the NS server, and it is working with my 2 public IPs.
Finally I got it working with this sequence:


# Bringing up the VLAN can be skipped if it is configured in ifcfg-enp0s12
/sbin/modprobe 8021q
ip link add link enp0s11 name enp0s12 address 00:08:54:3A:4B:8C type macvlan
ip link set dev enp0s12 up
/sbin/dhcpcd --netconfig -L -E -G -c /etc/sysconfig/network/scripts/dhcpcd-hook -t 0 -h schweb enp0s12
# The routes: one table per public IP (T1 and T2 from /etc/iproute2/rt_tables), then the main table
ip route add 24.xxx.xx.0/24 dev enp0s11 src 24.xxx.xxx.73 table T1
ip route add default via 24.xxx.xxx.1 table T1
ip route add 200.xxx.xxx.0/24 dev enp0s12 src 200.xxx.xxx.48 table T2
ip route add default via 200.xxx.xxx.1 table T2
ip route add 24.xxx.xxx.0/24 dev enp0s11 src 24.xxx.xxx.73
ip route add 200.xxx.xxx.0/24 dev enp0s12 src 200.xxx.xxx.48
ip route add default via 24.xxx.xxx.1
# Policy rules: traffic sourced from each public IP uses its own table
ip rule add from 24.xxx.xxx.73 table T1
ip rule add from 200.xxx.xxx.48 table T2
ip route flush cache
# Restart the firewall so it picks up the interfaces
/sbin/rcSuSEfirewall2 stop
/sbin/rcSuSEfirewall2 start

The port scan reports 25, 53, 80, 110, 995 as open; all others are reported as closed, for both public IPs.

The only thing that remains to solve is a lot of martian source messages from my ISP gateway under the DARPA protocol. As soon as I discover how to solve it I will post here.
A pleasure talking with you, and have a nice day.
Christian
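An added example, not code from the thread, that packages the routing sequence from the two posts above (the one that introduces the T1/T2 tables and the final one that adds the `ip rule from` lines) into a script that generates the commands, applies them idempotently and checks the result. The interface names, table names and SuSEfirewall2 variable names are taken from the thread; the IP addresses are RFC 5737 documentation addresses standing in for the poster's masked ones, and the `gen_*` and `verify_*` function names are mine. The check at the end matters because, with strict reverse-path filtering (`rp_filter=1`), the kernel drops an incoming packet as a martian when the route back to its source would leave through a different interface than the one it arrived on; that is exactly what the `ip rule from` lines change for the second address, and it is a plausible reason the second IP looked closed from outside before they were added. The firewall fragment also lists UDP 53, which the TCP-only port list posted earlier omits and which ordinary DNS queries need.

```shell
#!/bin/sh
# Added example (not from the thread): source-based policy routing for a
# host with two public IPs on two interfaces. Addresses are constructed
# RFC 5737 documentation values; interface/table names follow the thread.

IF1=enp0s11 ADDR1=203.0.113.73  NET1=203.0.113.0/24  GW1=203.0.113.1  T1=T1
IF2=enp0s12 ADDR2=198.51.100.48 NET2=198.51.100.0/24 GW2=198.51.100.1 T2=T2

# gen_policy_routing IFACE ADDR PREFIX GATEWAY TABLE
# Emits the ip(8) commands that give ADDR its own table and a rule so that
# any packet *sourced* from ADDR (including replies to connections that
# arrived on IFACE) leaves through IFACE's gateway, not the main default.
# 'replace' keeps the route lines idempotent; the rule is deleted first
# because 'ip rule add' inserts a duplicate on every run.
gen_policy_routing() {
    printf 'ip route replace %s dev %s src %s table %s\n' "$3" "$1" "$2" "$5"
    printf 'ip route replace default via %s table %s\n' "$4" "$5"
    printf 'ip rule del from %s table %s 2>/dev/null || true\n' "$2" "$5"
    printf 'ip rule add from %s table %s\n' "$2" "$5"
}

# gen_all: main-table routes for locally originated traffic (default via
# the first ISP gateway, as in the thread), then one table per public IP.
gen_all() {
    printf 'ip route replace %s dev %s src %s\n' "$NET1" "$IF1" "$ADDR1"
    printf 'ip route replace %s dev %s src %s\n' "$NET2" "$IF2" "$ADDR2"
    printf 'ip route replace default via %s\n' "$GW1"
    gen_policy_routing "$IF1" "$ADDR1" "$NET1" "$GW1" "$T1"
    gen_policy_routing "$IF2" "$ADDR2" "$NET2" "$GW2" "$T2"
    printf 'ip route flush cache\n'
}

# gen_rt_tables: the lines to append to /etc/iproute2/rt_tables (TAB separated).
gen_rt_tables() {
    printf '199\t%s\n200\t%s\n' "$T1" "$T2"
}

# gen_susefirewall_fragment: /etc/sysconfig/SuSEfirewall2 lines for the
# services the thread ends up exposing. FW_DEV_EXT="any" is the value the
# thread reports as working. DNS needs UDP 53 as well as TCP 53; a TCP-only
# port list leaves ordinary resolver queries unanswered even when routing
# is correct.
gen_susefirewall_fragment() {
    cat <<'EOF'
FW_DEV_EXT="any"
FW_SERVICES_EXT_TCP="25 53 80 110 995"
FW_SERVICES_EXT_UDP="53"
EOF
}

# verify_reverse_path ADDR REMOTE: which interface does the kernel pick to
# reach REMOTE when the source is ADDR? With strict reverse-path filtering
# (rp_filter=1; the loop prints the current values) an inbound packet for
# ADDR is dropped as a martian unless this lookup selects the interface it
# arrived on, which would make ADDR look "closed" from outside.
verify_reverse_path() {
    ip route get "$2" from "$1"
    for f in /proc/sys/net/ipv4/conf/all/rp_filter \
             /proc/sys/net/ipv4/conf/"$IF1"/rp_filter \
             /proc/sys/net/ipv4/conf/"$IF2"/rp_filter; do
        [ -r "$f" ] && printf '%s=%s\n' "$f" "$(cat "$f")"
    done
    ip rule show
}

# Usage (as root): sh thisfile.sh apply   -> run the generated commands
#                  sh thisfile.sh verify  -> show routing decision and rp_filter
#                  sh thisfile.sh         -> just print the commands
# 192.0.2.1 below is a constructed remote address for the lookup.
case "${1:-}" in
    apply)  gen_all | sh -e ;;
    verify) verify_reverse_path "$ADDR2" 192.0.2.1 ;;
    *)      gen_all ;;
esac
```

Run it with `verify` before and after `apply`: the `ip route get ... from` line should name the second interface once the rule is in place. To make the setup survive a reboot, put the `ip route`/`ip rule` lines where the distribution runs post-ifup scripts instead of typing them by hand.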

DNS services for your own Domain typically is a very light load.
For that reason, you can also typically install other Internet facing services in the same VM if you are resource-challenged.
Even a 5 year old machine with say… 6GB of RAM can typically run a vm providing Internet services while serving LAN services on the Host machine (physical machine). If you don’t install any desktops, then you might be able to run the same setup (physical machine running one vm Guest) on 3GB of RAM without too much of an issue.

As for issues configuring your DNS… You’d have to better describe your Domain zone configuration files to clearly show what is a Domain, and within that Domain what kinds of records there are.

If you have problems configuring your DNS records manually, find out what kind of online tools are available, and/or verify the DNS server is bind-compatible (it’s almost certainly). You might then use a DNS tool to configure the file locally, then upload or manually enter into the zone files at afraid.org.

Also, when you are serving your own Server to the Internet (particularly a mail server), you will need to tell your ISP what you are doing because besides what you are doing with your DNS configuration, your ISP will also need to make some modifications to their DNS records.

TSU

Thank you, my server is an Athlon 2000 (single core with 2 GB of RAM). I have prepared for domains another server, a K6/2 450 MHz with 100 MB of RAM with a Debian netinst, where named is the only service running. But since I had success setting up the VLAN and ports, it will go back to the storage box hehehe.

At this moment I have DNS zones configured, running and passing the tests:
http://www.dnsstuff.com/tools#dnsReport

http://mxtoolbox.com/SuperTool.aspx?action=a%3Aschdev.com.ar&run=toolpage

Now I am working on the warnings that I get in dnsstuff (abuse@, postmaster@ etc). And after that I will come back to the martian source.

Thanks for all your comments

I am getting martian source messages:


2015-06-17T10:29:44.228656-03:00 schweb kernel: [74675.940197] IPv4: martian source 10.58.130.218 from 10.58.128.1, on dev enp0s12
2015-06-17T10:29:44.228710-03:00 schweb kernel: [74675.940203] ll header: 00000000: ff ff ff ff ff ff 00 01 5c 7a 28 46 08 06        ........\z(F..
2015-06-17T10:29:44.228718-03:00 schweb kernel: [74675.940652] IPv4: martian source 10.58.246.133 from 10.58.128.1, on dev enp0s12
2015-06-17T10:29:44.228724-03:00 schweb kernel: [74675.940658] ll header: 00000000: ff ff ff ff ff ff 00 01 5c 7a 28 46 08 06        ........\z(F..
2015-06-17T10:29:44.228729-03:00 schweb kernel: [74675.941032] IPv4: martian source 10.58.235.7 from 10.58.128.1, on dev enp0s12
2015-06-17T10:29:44.228734-03:00 schweb kernel: [74675.941035] ll header: 00000000: ff ff ff ff ff ff 00 01 5c 7a 28 46 08 06        ........\z(F..
2015-06-17T10:29:49.033919-03:00 schweb kernel: [74680.749246] net_ratelimit: 172 callbacks suppressed
2015-06-17T10:29:49.034001-03:00 schweb kernel: [74680.749274] IPv4: martian source 24.232.200.148 from 24.232.200.1, on dev enp0s12
2015-06-17T10:29:49.034009-03:00 schweb kernel: [74680.749283] ll header: 00000000: ff ff ff ff ff ff 00 01 5c 7a 28 46 08 06        ........\z(F..
2015-06-17T10:29:49.063307-03:00 schweb kernel: [74680.778633] IPv4: martian source 24.232.174.175 from 24.232.174.1, on dev enp0s12
2015-06-17T10:29:49.063388-03:00 schweb kernel: [74680.778668] ll header: 00000000: ff ff ff ff ff ff 00 01 5c 7a 28 46 08 06        ........\z(F..
2015-06-17T10:29:49.093126-03:00 schweb kernel: [74680.808435] IPv4: martian source 200.114.167.124 from 200.114.167.1, on dev enp0s11
2015-06-17T10:29:49.093206-03:00 schweb kernel: [74680.808465] ll header: 00000000: ff ff ff ff ff ff 00 01 5c 7a 28 46 08 06        ........\z(F..
2015-06-17T10:29:49.117980-03:00 schweb kernel: [74680.833314] IPv4: martian source 201.235.236.196 from 201.235.236.1, on dev enp0s12
2015-06-17T10:29:49.118058-03:00 schweb kernel: [74680.833345] ll header: 00000000: ff ff ff ff ff ff 00 01 5c 7a 28 46 08 06        ........\z(F..
2015-06-17T10:29:49.137853-03:00 schweb kernel: [74680.853179] IPv4: martian source 10.58.227.157 from 10.58.128.1, on dev enp0s12
2015-06-17T10:29:49.137937-03:00 schweb kernel: [74680.853215] ll header: 00000000: ff ff ff ff ff ff 00 01 5c 7a 28 46 08 06        ........\z(F..
2015-06-17T10:29:49.154777-03:00 schweb kernel: [74680.870122] IPv4: martian source 200.126.196.70 from 200.126.196.1, on dev enp0s12

Checking the origin MAC, the martian packets originate from the ISP gateway (green).
They are of the DARPA protocol (red). After reading I understand that they are sent by the ISP to avoid ARP spoofing. I have no problem with this, but they flood my log file.

enp0s11 is one interface to the internet.
enp0s12 is another interface to the internet.

I tried:

echo 0>/proc/sys/net/ipv4/conf/*interface*/log_martians

But the martians continue in the log.

Any idea or clue?
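An added example, not from the thread, for triaging the messages above. The kernel prints `martian source <destination> from <source>` and, on the next line, the first bytes of the link-layer header: 6 bytes destination MAC, 6 bytes source MAC, then the EtherType. In every line above the destination is `ff:ff:ff:ff:ff:ff` (broadcast), the source is `00:01:5c:7a:28:46` (the same MAC that appears as the source address in the SFW2 log lines on enp0s11 earlier in the thread, i.e. the ISP gateway) and the EtherType is `08 06`, which is ARP. The kernel runs the martian check on ARP requests as well, so a second interface on the same cable segment sees the gateway's ARP requests for other customers' subnets and logs each one. Two things explain why `echo 0>/proc/...` had no effect: written without a space, `0>` is a redirection of file descriptor 0 rather than the argument `0`, so nothing is written to the file; and the kernel logs a martian when either `net.ipv4.conf.all.log_martians` or the per-interface flag is set, so both must be cleared. The script parses sample lines (six copied from the post above plus one constructed IPv4 unicast line, to show that the decoder separates ARP noise from real packets that failed reverse-path filtering), summarises them per interface, sender and protocol, and provides a function that clears the flag on `all` and on the named interfaces; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): decode and summarise "martian source"
# kernel messages, then switch the logging off correctly.

# Sample input: six lines copied from the thread's log, plus one constructed
# IPv4 unicast martian (EtherType 08 00, unicast destination MAC) to show
# the difference between ARP noise and a real packet dropped by rp_filter.
sample_log() {
    cat <<'EOF'
2015-06-17T10:29:44.228656-03:00 schweb kernel: [74675.940197] IPv4: martian source 10.58.130.218 from 10.58.128.1, on dev enp0s12
2015-06-17T10:29:44.228710-03:00 schweb kernel: [74675.940203] ll header: 00000000: ff ff ff ff ff ff 00 01 5c 7a 28 46 08 06        ........\z(F..
2015-06-17T10:29:44.228718-03:00 schweb kernel: [74675.940652] IPv4: martian source 10.58.246.133 from 10.58.128.1, on dev enp0s12
2015-06-17T10:29:44.228724-03:00 schweb kernel: [74675.940658] ll header: 00000000: ff ff ff ff ff ff 00 01 5c 7a 28 46 08 06        ........\z(F..
2015-06-17T10:29:44.228729-03:00 schweb kernel: [74675.941032] IPv4: martian source 10.58.235.7 from 10.58.128.1, on dev enp0s12
2015-06-17T10:29:44.228734-03:00 schweb kernel: [74675.941035] ll header: 00000000: ff ff ff ff ff ff 00 01 5c 7a 28 46 08 06        ........\z(F..
2015-06-17T10:29:49.034001-03:00 schweb kernel: [74680.749274] IPv4: martian source 24.232.200.148 from 24.232.200.1, on dev enp0s12
2015-06-17T10:29:49.034009-03:00 schweb kernel: [74680.749283] ll header: 00000000: ff ff ff ff ff ff 00 01 5c 7a 28 46 08 06        ........\z(F..
2015-06-17T10:29:49.093126-03:00 schweb kernel: [74680.808435] IPv4: martian source 200.114.167.124 from 200.114.167.1, on dev enp0s11
2015-06-17T10:29:49.093206-03:00 schweb kernel: [74680.808465] ll header: 00000000: ff ff ff ff ff ff 00 01 5c 7a 28 46 08 06        ........\z(F..
2015-06-17T10:30:01.000000-03:00 schweb kernel: [74692.000000] IPv4: martian source 200.114.167.48 from 192.0.2.10, on dev enp0s12
2015-06-17T10:30:01.000010-03:00 schweb kernel: [74692.000010] ll header: 00000000: 00 08 54 3a 4b 8c 00 01 5c 7a 28 46 08 00        ..T:K...\z(F..
EOF
}

# martian_events: read kernel log text on stdin, pair each "martian source"
# line with the "ll header" line that follows it, and print one record per
# event: DEV SENDER_IP TARGET_IP SRC_MAC DST_MAC ETHERTYPE
# (the kernel prints the packet's destination first and its source after "from").
martian_events() {
    awk '
    /IPv4: martian source/ {
        for (i = 1; i <= NF; i++) if ($i == "from") { sender = $(i+1); target = $(i-1) }
        sub(/,$/, "", sender)
        dev = $NF
        pending = 1
        next
    }
    pending && /ll header:/ {
        for (i = 1; i <= NF; i++) if ($i == "00000000:") break
        if (i > NF) next
        # Ethernet header: 6 bytes dst MAC, 6 bytes src MAC, 2 bytes EtherType
        dst = $(i+1) ":" $(i+2) ":" $(i+3) ":" $(i+4) ":" $(i+5) ":" $(i+6)
        src = $(i+7) ":" $(i+8) ":" $(i+9) ":" $(i+10) ":" $(i+11) ":" $(i+12)
        type = $(i+13) $(i+14)
        print dev, sender, target, src, dst, type
        pending = 0
    }'
}

# martian_summary: count events per (interface, sender IP, source MAC, protocol).
# A large count of ARP from one gateway MAC is segment noise; IPv4 entries
# are unicast packets the kernel refused because the reverse path did not
# match the arrival interface (asymmetric routing or spoofed source).
martian_summary() {
    martian_events | awk '{
        proto = ($6 == "0806") ? "ARP" : ($6 == "0800") ? "IPv4" : ("0x" $6)
        key = $1 " from " $2 " mac " $4 " " proto
        n[key]++
    } END { for (k in n) print n[k], k }' | sort -rn
}

# martian_logging STATE IFACE...: set log_martians to STATE (0 or 1). The
# kernel logs when EITHER conf/all OR the interface flag is set, so clearing
# one interface alone changes nothing while conf/all is still 1. Re-check
# after a SuSEfirewall2 restart in case its kernel-hardening step sets it back.
martian_logging() {
    state=$1; shift
    sysctl -w "net.ipv4.conf.all.log_martians=$state"
    for i in "$@"; do sysctl -w "net.ipv4.conf.$i.log_martians=$state"; done
}

# capture_from_gateway IFACE MAC: confirm on the wire what the log implies
# (the MAC is the one the ll header decodes to; tcpdump -e shows the frame header).
capture_from_gateway() {
    tcpdump -e -n -c 20 -i "$1" "ether src $2 and arp"
}

# Usage:  grep martian /var/log/messages | sh thisfile.sh summary
#         sh thisfile.sh quiet        (as root; interface names from the thread)
#         sh thisfile.sh              (runs on the sample lines)
case "${1:-}" in
    summary) martian_summary ;;
    quiet)   martian_logging 0 enp0s11 enp0s12 ;;
    *)       sample_log | martian_summary ;;
esac
```

On the sample the summary shows three ARP events from 10.58.128.1 and one each from the other two gateways, all via the same source MAC, and a single IPv4 entry for the constructed unicast packet; that last kind is the one worth keeping an eye on after routing changes, because it is what a reverse-path drop of real traffic to the second address looks like.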

OK,
My main question would be why you’re setting up a vlan. It complicates your network setup, particularly if it’s not necessary.

Keep in mind that even if your DNS tools suggest that your current public DNS setup is working, it can fail at any time for the reasons I gave (I’ve been down your road before).

I don’t see any indication of a “DARPA protocol” although I’m going to assume purely based on the large number they may be arps. Maybe an explanation?

You may want to fingerprint (passively scan) your ISP gateway (some people will take offence with active scanning) to determine if the OS is Windows or not. If it’s a Windows box, that’s the default behavior and you’ll just be flooded with arps. If it’s a Linux box, excessive arping is off by default but can be turned on. You already noticed the downside (excessive traffic possibly deemed unnecessary), the perceived upside is that network health is less dependent on hosts announcing themselves properly.

If you feel up to it, you might also run Wireshark to inspect and analyze the martian packets to verify they’re simply arp.

If the box is non-Windows, it might be worthwhile to just message your ISP admins and ask them whether what you’re finding is normal. Maybe they made a mistake somewhere.

TSU