
URGENT: Gateway problems (again, more information added)



Some time ago I sent a mail about this to this mailing list but no one
gave any reaction, so here it is again with more info:

The problem is that there is this server that is being used for
(main tasks): gateway, DNS server and Samba.
The gateway calls using ISDN (which works fine), but keeps calling and
calling when it shouldn't...

This is what tcpdump -i ippp0 gives:

ag 0:57135@63512+) [tos 0xa2] [ttl 0]
15:04:58.941020 www.icq.com.www > vp204-54.worldonline.nl.62418: . 1:537(536) ack 351 win 33232
15:04:58.941020 www.icq.com.www > vp204-54.worldonline.nl.62418: F 749:749(0) ack 351 win 33232
15:04:58.941020 truncated-ip - 29506 bytes missing!0.40.232.3 > 64.0.127.6: (frag 29285:29496@63512+) [tos 0x6f] [ttl 0]
15:04:58.981020 www.icq.com.www > vp204-54.worldonline.nl.62418: P 537:749(212) ack 351 win 33232
15:04:58.981020 truncated-ip - 27437 bytes missing!0.40.233.3 > 64.0.127.6: (frag 12594:27467@63512+) [tos 0x6e] [ttl 0]
15:04:58.991020 truncated-ip - 12845 bytes missing!0.40.234.3 > 64.0.127.6: (frag 18767:12871@63512+) [tos 0x32] [ttl 0]
15:04:59.001020 truncated-ip - 17777 bytes missing!0.48.235.3 > 64.0.127.6: (frag 0:17835@63512+) [tos 0x2c] [ttl 0]
15:04:59.121020 www.icq.com.www > vp204-54.worldonline.nl.62418: . ack 352 win 33232
15:04:59.131020 www.icq.com.www > vp204-54.worldonline.nl.62419: S 927708209:927708209(0) ack 1697778 win 33232 <mss 536>
15:04:59.131020 truncated-ip - 18717 bytes missing!0.40.237.3 > 64.0.127.6: (frag 24437:18767@63512+) [tos 0x5f] [ttl 0]
15:04:59.141020 truncated-ip - 37521 bytes missing!1.134.238.3 > 64.0.127.6: (frag 16384:37917@63512+) [tos 0x29] [ttl 0]
15:04:59.311020 www.icq.com.www > vp204-54.worldonline.nl.62419: P 537:552(15) ack 351 win 33232
15:04:59.311020 truncated-ip - 12599 bytes missing!0.40.240.3 > 64.0.127.6: (frag 115:12637@63512+) [tos 0x54] [ttl 0]
15:04:59.391020 www.icq.com.www > vp204-54.worldonline.nl.62419: . 1:537(536) ack 351 win 33232
15:04:59.391020 0.40.241.3 > 64.0.127.6: (frag 0:0@63512+) [ttl 0]
15:04:59.391020 truncated-ip - 65485 bytes missing!0.40.242.3 > 64.0.127.6: (frag 65535:65475@63512+) [tos 0xff] [ttl 0]
15:04:59.391020 www.icq.com.www > vp204-54.worldonline.nl.62419: F 552:552(0) ack 351 win 33232
15:04:59.391020 0.40.243.3 > 64.0.127.6: (frag 0:0@63512+) [ttl 0]
15:04:59.401020 truncated-ip - 102 bytes missing!0.48.244.3 > 64.0.127.6: (frag 9231:108@63512+) [tos 0x67] [ttl 0]
15:04:59.411020 a.root-servers.net.domain > vp204-54.worldonline.nl.3091: 60076 NXDomain*- 0/1/0 (127) (DF)

This is what tcpdump -i eth0 gives:

15:10:31.151020 0:a0:24:f:e9:6b > 0:40:33:39:b2:29 sap f0 I (s=0,r=97,R) len=42
                         c2c2 c2c2 c2c2 c2c2 c2c2 c2c2 c2c2 c2c2
                         c2c2 c2c2 c2c2 c2c2 c2c2 c2c2 c2c2 c2c2
                         c2c2 c2c2 c2c2 c2c2 c2c2
15:10:31.151020 0:a0:24:f:e9:6b > 0:40:33:39:b2:29 sap f0 I (s=104,r=97,C) len=49
                         0e00 ffef 160c 0000 2800 2800 152c ff53
                         4d42 7100 0000 0080 0100 0000 0000 0000
                         0000 0000 0000 01d0 0000 0000 813c 0000
                         00
15:10:31.161020 0:40:33:39:b2:29 > 0:a0:24:f:e9:6b sap f0 I (s=97,r=105,P) len=42
                         0e00 ffef 1400 0000 2800 0000 2c15 2020
                         2020 2020 2020 2020 2020 2020 2020 2020
                         2020 2020 2020 2020 2020
15:10:31.161020 0:a0:24:f:e9:6b > 0:40:33:39:b2:29 sap f0 I (s=0,r=98,R) len=42
                         c4c4 c4c4 c4c4 c4c4 c4c4 c4c4 c4c4 c4c4
                         c4c4 c4c4 c4c4 c4c4 c4c4 c4c4 c4c4 c4c4
                         c4c4 c4c4 c4c4 c4c4 c4c4
15:10:46.761020 0:40:33:39:b2:29 > 0:a0:24:f:e9:6b sap f0 I (s=98,r=105,P) len=42
                         0e00 ffef 1f00 0000 0000 0000 2c15 2020
                         2020 2020 2020 2020 2020 2020 2020 2020
                         2020 2020 2020 2020 2020
15:10:47.091020 0:a0:24:f:e9:6b > 0:40:33:39:b2:29 sap f0 I (s=0,r=99,R) len=42
                         c6c6 c6c6 c6c6 c6c6 c6c6 c6c6 c6c6 c6c6
                         c6c6 c6c6 c6c6 c6c6 c6c6 c6c6 c6c6 c6c6
                         c6c6 c6c6 c6c6 c6c6 c6c6
15:10:56.151020 Free_Technics.FREE_TECHNICS.netbios-ssn > MARK.1025: P 4272:4276(4) ack 1740 win 19655 (DF) [tos 0x10]
15:10:56.281020 arp who-has Free_Technics.FREE_TECHNICS tell MARK
15:10:56.281020 arp reply Free_Technics.FREE_TECHNICS is-at 0:10:4b:41:dd:67
15:10:56.281020 MARK.1025 > Free_Technics.FREE_TECHNICS.netbios-ssn: . ack 4276 win 8287 (DF)


This is what ipchains -L gives:

Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     all  ------  localnet/16           anywhere              n/a
DENY       all  ------  localnet/16          !localnet/16           n/a

Chain forward (policy ACCEPT):
MASQ       all  ----l-  localnet/16           anywhere              n/a

Chain output (policy ACCEPT):
-          tcp  ----l-  anywhere              anywhere              any ->   telnet
-          tcp  ----l-  anywhere              anywhere              any ->   ftp
-          tcp  ----l-  anywhere              anywhere              any ->   ssh
-          tcp  ----l-  anywhere              anywhere              ftp-data ->   any

If any more info is needed, please tell me so I can provide you with it!!

HELP!!!!!!!!!!!!!!!!!!!!!

Ron

