Author Topic: Zentyal 6 - HTTPS packets dropped  (Read 3547 times)

BaggyG

  • Zen Apprentice
  • *
  • Posts: 2
  • Karma: +0/-0
    • View Profile
Zentyal 6 - HTTPS packets dropped
« on: January 09, 2019, 10:57:18 am »
Hi there,

I have recently upgraded to Zentyal 6.0.  Since then, I noticed that there are lots of packets being dropped (source: internal destination: external port: 443).  I have no rules that should be blocking this set up (in fact I have any/any/any) for Packet Filter>Internal Networks.

I looked up a few of the IP addresses (small sample) and it came up with Microsoft and Facebook as being the destinations.  I'll also note that SmartScreen (Windows 10) no longer works.

So it seems that there are some rules somewhere that are set to drop packets based on some criteria that I have no control over through the GUI.  Does anyone have any suggestions on how I might be able to troubleshoot this?

Edit:  I should mention that I have this running on Citrix XenServer 7.6.  Although I don't think that should matter.

Thanks.
« Last Edit: January 13, 2019, 02:56:25 am by BaggyG »

BaggyG

  • Zen Apprentice
  • *
  • Posts: 2
  • Karma: +0/-0
    • View Profile
Re: Zentyal 6 - HTTPS packets dropped
« Reply #1 on: February 06, 2019, 02:54:27 am »
This is driving me bonkers.

Full disclaimer:  I am NOT a Linux expert.

There are a number of websites and services that aren't working due to this issue of this traffic being dropped.  Some Microsoft and Apple services as well as various other services that use https.  However, I can connect to some websites (e.g. office365, google, Zenyal forums) with no problem.

I've been able to establish that Port 443 is referenced in iptables (iglobal chain) explicitly as being allowed.

I have done a traceroute on some of IP addresses that are showing in the logs as have dropped traffic on port 443 and it succeeds.

So would I be right in assuming then that some of the traffic (log example below) is being dropped because for some reason it isn't being identified as part of the iglobal chain?  And if that's the case, why would that be (when the traceroute was successful)?  What steps can I take to troubleshoot this?

I don't know if this will be help you help me but I am at a total loss and pulling out what little hair I have left.

From iptables:
Code: [Select]
Chain INPUT (policy DROP)
iglobal    all  --  0.0.0.0/0            0.0.0.0/0

Chain iglobal (1 references)
iaccept    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW

From log:
Code: [Select]
Feb  6 12:47:10 server02 kernel: [861297.589581] zentyal-firewall drop IN=eth0 OUT=eth1 MAC=xxx SRC=192.168.1.x DST=17.173.66.103 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=55542 DPT=443 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
Feb  6 12:47:10 server02 kernel: [861297.589751] zentyal-firewall drop IN=eth0 OUT=eth1 MAC=xxx SRC=192.168.1.x DST=17.139.246.5 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=55550 DPT=44  WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
Feb  6 12:47:10 server02 kernel: [861297.763496] zentyal-firewall drop IN=eth0 OUT=eth1 MAC=xxx SRC=192.168.1.x DST=17.56.48.13 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=55553 DPT=443 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
Feb  6 12:47:25 server02 kernel: [861312.410993] zentyal-firewall drop IN=eth0 OUT=eth1 MAC=xxx SRC=192.168.1.x DST=72.30.3.10 LEN=83 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=56062 DPT=443 WINDOW=2048 RES=0x00 ACK PSH FIN URGP=0 MARK=0x1
« Last Edit: February 06, 2019, 03:44:23 am by BaggyG »

mdtech

  • Zen Apprentice
  • *
  • Posts: 10
  • Karma: +1/-0
    • View Profile
Re: Zentyal 6 - HTTPS packets dropped
« Reply #2 on: November 06, 2019, 04:04:40 pm »
Hi

I have notice the same issue.

Have you made any progress?

doncamilo

  • Zen Samurai
  • ****
  • Posts: 478
  • Karma: +165/-1
    • View Profile
Re: Zentyal 6 - HTTPS packets dropped
« Reply #3 on: November 06, 2019, 05:09:31 pm »
 :)

First, do you use the HTTP-Proxy Zentyal module? This module uses iptables too.

Please, run these commands and paste here the output:

Code: [Select]
sudo iptables -t nat --list-rules
sudo iptables -t filter --list-rules
sudo iptables -t mangle --list-rules

I'm curious about this issue.

Cheers!


- Do my pigeons bother you passing over your land?
- They block the sun!

G. Guareschi., Don Camillo.,

mdtech

  • Zen Apprentice
  • *
  • Posts: 10
  • Karma: +1/-0
    • View Profile
Re: Zentyal 6 - HTTPS packets dropped
« Reply #4 on: November 12, 2019, 07:45:42 pm »
Yes Proxy is Enabled...but not  always configured at the workstation but problem is the same.

Please note that AA.BBB.CCC.DDD is not AA.BBB.CCC.DDE

sudo iptables -t nat --list-rules
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N postmodules
-N premodules
-A PREROUTING -j premodules
-A POSTROUTING -j postmodules
-A POSTROUTING ! -s AA.BBB.CCC.DDE/32 -o eth0 -j SNAT --to-source AA.BBB.CCC.DDE
-A premodules ! -d 192.168.1.2/32 -i eth1 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A premodules ! -d 192.168.1.2/32 -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A premodules ! -d 192.168.2.1/32 -i eth2 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A premodules ! -d 192.168.2.1/32 -i eth2 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A premodules ! -d 192.168.3.1/32 -i eth3 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A premodules ! -d 192.168.3.1/32 -i eth3 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A premodules ! -d 192.168.4.1/32 -i eth4 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A premodules ! -d 192.168.4.1/32 -i eth4 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A premodules ! -d 192.168.5.1/32 -i eth5 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A premodules ! -d 192.168.5.1/32 -i eth5 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
==================================================================
sudo iptables -t mangle --list-rules
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N CHECKIP-TEST
-N FAILOVER-TEST
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A PREROUTING -m mark --mark 0x0/0xff -m mac --mac-source 00:C1:64:25:26:1F -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -m mark --mark 0x0/0xff -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT -m mark --mark 0x0/0xff -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT -j FAILOVER-TEST
-A OUTPUT -j CHECKIP-TEST

==================================================================

sudo iptables -t filter --list-rules

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N drop
-N faccept
-N fdns
-N fdrop
-N ffwdrules
-N fglobal
-N fmodules
-N fnoexternal
-N fnospoof
-N fnospoofmodules
-N fredirects
-N ftoexternalonly
-N iaccept
-N idrop
-N iexternal
-N iexternalmodules
-N iglobal
-N imodules
-N inoexternal
-N inointernal
-N inospoof
-N inospoofmodules
-N log
-N oaccept
-N odrop
-N oglobal
-N ointernal
-N omodules
-N preforward
-N preinput
-N preoutput
-A INPUT -i lo -j ACCEPT
-A INPUT -j preinput
-A INPUT -m state --state INVALID -j idrop
-A INPUT -m state --state RELATED,ESTABLISHED -j iaccept
-A INPUT -j inospoof
-A INPUT -j iexternalmodules
-A INPUT -j iexternal
-A INPUT -j inoexternal
-A INPUT -j imodules
-A INPUT -j iglobal
-A INPUT -p icmp ! -f -m icmp --icmp-type 8 -m state --state NEW -j iaccept
-A INPUT -p icmp ! -f -m icmp --icmp-type 0 -m state --state NEW -j iaccept
-A INPUT -p icmp ! -f -m icmp --icmp-type 3 -m state --state NEW -j iaccept
-A INPUT -p icmp ! -f -m icmp --icmp-type 4 -m state --state NEW -j iaccept
-A INPUT -p icmp ! -f -m icmp --icmp-type 11 -m state --state NEW -j iaccept
-A INPUT -p icmp ! -f -m icmp --icmp-type 12 -m state --state NEW -j iaccept
-A INPUT -j idrop
-A FORWARD -j preforward
-A FORWARD -m state --state INVALID -j fdrop
-A FORWARD -m state --state RELATED,ESTABLISHED -j faccept
-A FORWARD -j fnospoof
-A FORWARD -j fredirects
-A FORWARD -j fmodules
-A FORWARD -j ffwdrules
-A FORWARD -j fnoexternal
-A FORWARD -j fdns
-A FORWARD -j fglobal
-A FORWARD -p icmp ! -f -m icmp --icmp-type 8 -m state --state NEW -j faccept
-A FORWARD -p icmp ! -f -m icmp --icmp-type 0 -m state --state NEW -j faccept
-A FORWARD -p icmp ! -f -m icmp --icmp-type 3 -m state --state NEW -j faccept
-A FORWARD -p icmp ! -f -m icmp --icmp-type 4 -m state --state NEW -j faccept
-A FORWARD -p icmp ! -f -m icmp --icmp-type 11 -m state --state NEW -j faccept
-A FORWARD -p icmp ! -f -m icmp --icmp-type 12 -m state --state NEW -j faccept
-A FORWARD -j fdrop
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j preoutput
-A OUTPUT -m state --state INVALID -j odrop
-A OUTPUT -m state --state RELATED,ESTABLISHED -j oaccept
-A OUTPUT -j ointernal
-A OUTPUT -j omodules
-A OUTPUT -j oglobal
-A OUTPUT -p icmp ! -f -m icmp --icmp-type 8 -m state --state NEW -j oaccept
-A OUTPUT -p icmp ! -f -m icmp --icmp-type 0 -m state --state NEW -j oaccept
-A OUTPUT -p icmp ! -f -m icmp --icmp-type 3 -m state --state NEW -j oaccept
-A OUTPUT -p icmp ! -f -m icmp --icmp-type 4 -m state --state NEW -j oaccept
-A OUTPUT -p icmp ! -f -m icmp --icmp-type 11 -m state --state NEW -j oaccept
-A OUTPUT -p icmp ! -f -m icmp --icmp-type 12 -m state --state NEW -j oaccept
-A OUTPUT -j odrop
-A drop -m limit --limit 50/min --limit-burst 10 -j LOG --log-prefix "zentyal-firewall drop " --log-level 7
-A drop -j DROP
-A faccept -i eth0 -j NFQUEUE --queue-num 0
-A faccept -j ACCEPT
-A fdrop -j drop
-A ffwdrules -i eth1 -j RETURN
-A ffwdrules -i eth2 -j RETURN
-A ffwdrules -i eth3 -j RETURN
-A ffwdrules -i eth4 -j RETURN
-A ffwdrules -i eth5 -j RETURN
-A fglobal -j faccept
-A fnoexternal -i eth0 -m state --state NEW -j fdrop
-A fnospoof -j fnospoofmodules
-A fnospoof -s 192.168.2.211/32 -m mac ! --mac-source 10:60:4B:14:25:50 -j fdrop
-A fnospoof -s 192.168.2.210/32 -m mac ! --mac-source 00:20:78:0E:F8:53 -j fdrop
-A fnospoof -s AA.BBB.CCC.DDD/30 ! -i eth0 -j fdrop
-A fnospoof -s 192.168.1.0/24 ! -i eth1 -j fdrop
-A fnospoof -s 192.168.2.0/24 ! -i eth2 -j fdrop
-A fnospoof -s 192.168.3.0/24 ! -i eth3 -j fdrop
-A fnospoof -s 192.168.4.0/24 ! -i eth4 -j fdrop
-A fnospoof -s 192.168.5.0/24 ! -i eth5 -j fdrop
-A ftoexternalonly -o eth0 -j faccept
-A ftoexternalonly -j fdrop
-A iaccept -i eth0 -j NFQUEUE --queue-num 0
-A iaccept -j ACCEPT
-A idrop -j drop
-A iexternal -i eth1 -j RETURN
-A iexternal -i eth2 -j RETURN
-A iexternal -i eth3 -j RETURN
-A iexternal -i eth4 -j RETURN
-A iexternal -i eth5 -j RETURN
-A iexternal -p udp -m udp --sport 631 --dport 631 -m state --state NEW -j iaccept
-A iexternal -p tcp -m tcp --sport 631 --dport 631 -m state --state NEW -j iaccept
-A iexternal -p udp -m udp --dport 4000 -m state --state NEW -j iaccept
-A iexternal -p tcp -m tcp --dport 4000 -m state --state NEW -j iaccept
-A iexternal -p tcp -m tcp --dport 22 -m state --state NEW -j iaccept
-A iexternal -p udp -m udp --dport 10000 -m state --state NEW -j iaccept
-A iexternal -p tcp -m tcp --dport 10000 -m state --state NEW -j iaccept
-A iexternal -p tcp -m tcp --dport 8443 -m state --state NEW -j iaccept
-A iexternal -p tcp -m tcp --dport 587 -m state --state NEW -j drop
-A iexternal -p tcp -m tcp --dport 110 -m state --state NEW -j drop
-A iexternal -p tcp -m tcp --dport 143 -m state --state NEW -j drop
-A iexternal -p tcp -m tcp --dport 993 -m state --state NEW -j drop
-A iexternal -p tcp -m tcp --dport 995 -m state --state NEW -j drop
-A iexternal -p tcp -m tcp --dport 4190 -m state --state NEW -j drop
-A iexternal -p tcp -m tcp --dport 25 -m state --state NEW -j drop
-A iexternal -p tcp -m tcp --dport 465 -m state --state NEW -j drop
-A iexternal -p udp -m udp --dport 1812 -m state --state NEW -j drop
-A iexternal -p tcp -m tcp --dport 5222 -m state --state NEW -j drop
-A iexternal -p tcp -m tcp --dport 5223 -m state --state NEW -j drop
-A iexternalmodules -i eth1 -j RETURN
-A iexternalmodules -i eth2 -j RETURN
-A iexternalmodules -i eth3 -j RETURN
-A iexternalmodules -i eth4 -j RETURN
-A iexternalmodules -i eth5 -j RETURN
-A iglobal -p tcp -m tcp --dport 80 -m state --state NEW -j iaccept
-A iglobal -p udp -m udp --dport 10000 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 10000 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 587 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 110 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 143 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 993 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 995 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 4190 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 25 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 465 -m state --state NEW -j iaccept
-A iglobal -p udp -m udp --dport 1812 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 5222 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 5223 -m state --state NEW -j iaccept
-A iglobal -p udp -m udp --dport 88 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 88 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 135 -m state --state NEW -j iaccept
-A iglobal -p udp -m udp --dport 137 -m state --state NEW -j iaccept
-A iglobal -p udp -m udp --dport 138 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 139 -m state --state NEW -j iaccept
-A iglobal -p udp -m udp --dport 389 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 389 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 445 -m state --state NEW -j iaccept
-A iglobal -p udp -m udp --dport 464 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 464 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 636 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 3268 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 3269 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 49152:65535 -m state --state NEW -j iaccept
-A iglobal -p udp -m udp --dport 53 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 53 -m state --state NEW -j iaccept
-A iglobal -p udp -m udp --dport 123 -m state --state NEW -j iaccept
-A iglobal -p udp -m udp --sport 67:68 --dport 67:68 -m state --state NEW -j iaccept
-A iglobal -p udp -m udp --dport 69 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 22 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 8443 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 20 -m state --state NEW -j iaccept
-A iglobal -p tcp -m tcp --dport 21 -m state --state NEW -j iaccept
-A imodules -i eth1 -p tcp -m state --state NEW -m tcp --dport 3128 -j iaccept
-A imodules -i eth2 -p tcp -m state --state NEW -m tcp --dport 3128 -j iaccept
-A imodules -i eth3 -p tcp -m state --state NEW -m tcp --dport 3128 -j iaccept
-A imodules -i eth4 -p tcp -m state --state NEW -m tcp --dport 3128 -j iaccept
-A imodules -i eth5 -p tcp -m state --state NEW -m tcp --dport 3128 -j iaccept
-A imodules -p tcp -m state --state NEW -m tcp --dport 3129 -j DROP
-A inoexternal -i eth0 -m state --state NEW -j idrop
-A inospoof -j inospoofmodules
-A inospoof -s 192.168.2.211/32 -m mac ! --mac-source 10:60:4B:14:25:50 -j idrop
-A inospoof -s 192.168.2.210/32 -m mac ! --mac-source 00:20:78:0E:F8:53 -j idrop
-A inospoof -s AA.BBB.CCC.DDD/30 ! -i eth0 -j idrop
-A inospoof -s 192.168.1.0/24 ! -i eth1 -j idrop
-A inospoof -s 192.168.2.0/24 ! -i eth2 -j idrop
-A inospoof -s 192.168.3.0/24 ! -i eth3 -j idrop
-A inospoof -s 192.168.4.0/24 ! -i eth4 -j idrop
-A inospoof -s 192.168.5.0/24 ! -i eth5 -j idrop
-A log -m limit --limit 50/min --limit-burst 10 -j LOG --log-prefix "zentyal-firewall log " --log-level 7
-A log -j RETURN
-A oaccept -j ACCEPT
-A odrop -j drop
-A oglobal -m state --state NEW -j oaccept
-A omodules -p tcp -m tcp --dport 80 -j oaccept
-A omodules -p udp -m udp --dport 53 -j oaccept
-A omodules -p tcp -m tcp --dport 53 -j oaccept
-A omodules -p tcp -m tcp --dport 80 -j oaccept
-A omodules -p tcp -m state --state NEW -m tcp --dport 80 -j oaccept
-A omodules -p tcp -m state --state NEW -m tcp --dport 443 -j oaccept
« Last Edit: November 12, 2019, 08:02:39 pm by mdtech »

nektariosko

  • Zen Apprentice
  • *
  • Posts: 1
  • Karma: +0/-0
    • View Profile
Re: Zentyal 6 - HTTPS packets dropped
« Reply #5 on: December 01, 2019, 04:03:37 pm »
Hello all,
Same issue for me ...

doncamilo

  • Zen Samurai
  • ****
  • Posts: 478
  • Karma: +165/-1
    • View Profile
Re: Zentyal 6 - HTTPS packets dropped
« Reply #6 on: December 02, 2019, 06:23:40 pm »
 :)

I have see your data and I'm not able to see any weird rule which could produce the described effect.

I'll try creating a trace rule for some of the IPs suffering this behaviour ( see https://www.opsist.com/blog/2015/08/11/how-do-i-see-what-iptables-is-doing.html )

Please, update!

Cheers!
- Do my pigeons bother you passing over your land?
- They block the sun!

G. Guareschi., Don Camillo.,