Socket connection fail


#1

Hello you all,

I am facing a problem to use socket connection on my legato distribution running on a FX30. I connected it over Ethernet interface eth0, it gets an IP address correctly and I configured the DNS server, so using the ping command I can reach all the addresses I tried.

The problem is that I can’t establish a socket connection to a server using port 80, I tried it using the telnet command and using a python script.

I check the iptable rules but I coudn’t figure out what is blocking the connection, it is like some rule is blocking the answer from the server.

Someone could help me to fix this problem?

Thanks in advance

Gustavo


#2

Hi,

Did you capture the wireshark log by “tcpdump” command?
Maybe you can see some clue in it.


#3

Hi Gustavo,

It can be useful to log dropped traffic, in order to identify the one blocked by the firewall. This can be done by appending these lines to rules.v* files:
-N LOGGING
-A INPUT -j LOGGING
-A OUTPUT -j LOGGING
-A LOGGING -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
-A LOGGING -j DROP

You should also check if your Linux kernel configuration is including this:
CONFIG_ANDROID_PARANOID_NETWORK=y

Regards.


#4

Hi flu,

When I added these lines on the rules.v4 file the eth0 ethernet stops to work, I remove it and it works again. Have you faced this problem?

Thanks

Gustavo


#5

Hi,

I capture, the command I was using to test is the follow:

root@fx30:~# wget --spider google.com
Connecting to google.com (172.217.30.110:80)

The tcpdump result is this:

root@fx30:~# tcpdump -i eth0 host google.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:28:07.797220 IP 192.168.0.38.41021 > gru06s35-in-f14.1e100.net.http: Flags [S], seq 19810176, win 29200, options [mss 1460,sackOK,TS val 49928 ecr 0,nop,wscale 5], length 0
00:28:07.809184 IP gru06s35-in-f14.1e100.net.http > 192.168.0.38.41021: Flags [S.], seq 219951946, ack 19810177, win 42408, options [mss 1380,sackOK,TS val 3796496000 ecr 49928,nop,wscale 8], length 0
00:28:08.109291 IP gru06s35-in-f14.1e100.net.http > 192.168.0.38.41021: Flags [S.], seq 219951946, ack 19810177, win 42408, options [mss 1380,sackOK,TS val 3796496300 ecr 49928,nop,wscale 8], length 0
00:28:08.793192 IP 192.168.0.38.41021 > gru06s35-in-f14.1e100.net.http: Flags [S], seq 19810176, win 29200, options [mss 1460,sackOK,TS val 50028 ecr 0,nop,wscale 5], length 0
00:28:08.805156 IP gru06s35-in-f14.1e100.net.http > 192.168.0.38.41021: Flags [S.], seq 219951946, ack 19810177, win 42408, options [mss 1380,sackOK,TS val 3796496998 ecr 49928,nop,wscale 8], length 0
00:28:10.793253 IP 192.168.0.38.41021 > gru06s35-in-f14.1e100.net.http: Flags [S], seq 19810176, win 29200, options [mss 1460,sackOK,TS val 50228 ecr 0,nop,wscale 5], length 0
00:28:10.805278 IP gru06s35-in-f14.1e100.net.http > 192.168.0.38.41021: Flags [S.], seq 219951946, ack 19810177, win 42408, options [mss 1380,sackOK,TS val 3796498998 ecr 49928,nop,wscale 8], length 0
00:28:10.818493 IP gru06s35-in-f14.1e100.net.http > 192.168.0.38.41021: Flags [S.], seq 219951946, ack 19810177, win 42408, options [mss 1380,sackOK,TS val 3796499010 ecr 49928,nop,wscale 8], length 0
00:28:14.803263 IP 192.168.0.38.41021 > gru06s35-in-f14.1e100.net.http: Flags [S], seq 19810176, win 29200, options [mss 1460,sackOK,TS val 50629 ecr 0,nop,wscale 5], length 0
00:28:14.815197 IP gru06s35-in-f14.1e100.net.http > 192.168.0.38.41021: Flags [S.], seq 219951946, ack 19810177, win 42408, options [mss 1380,sackOK,TS val 3796503008 ecr 49928,nop,wscale 8], length 0
00:28:18.815624 IP gru06s35-in-f14.1e100.net.http > 192.168.0.38.41021: Flags [S.], seq 219951946, ack 19810177, win 42408, options [mss 1380,sackOK,TS val 3796507007 ecr 49928,nop,wscale 8], length 0
00:28:22.833295 IP 192.168.0.38.41021 > gru06s35-in-f14.1e100.net.http: Flags [S], seq 19810176, win 29200, options [mss 1460,sackOK,TS val 51432 ecr 0,nop,wscale 5], length 0
00:28:22.846572 IP gru06s35-in-f14.1e100.net.http > 192.168.0.38.41021: Flags [S.], seq 219951946, ack 19810177, win 42408, options [mss 1380,sackOK,TS val 3796511039 ecr 49928,nop,wscale 8], length 0
00:28:30.845626 IP gru06s35-in-f14.1e100.net.http > 192.168.0.38.41021: Flags [S.], seq 219951946, ack 19810177, win 42408, options [mss 1380,sackOK,TS val 3796519038 ecr 49928,nop,wscale 8], length 0
00:28:46.845076 IP gru06s35-in-f14.1e100.net.http > 192.168.0.38.41021: Flags [S.], seq 219951946, ack 19810177, win 42408, options [mss 1380,sackOK,TS val 3796535038 ecr 49928,nop,wscale 8], length 0

It looks like the data is getting out and getting in but the connection is not stablished. Have you any idea looking this data what is bloking the communication?

Thank you so much!

Gustavo


#6

Hi,
Can you capture the wireshark log by the following and attached here?
“tcpdump -s0 -i eth0 -w /tmp/test.pcap”


#7

Hi,

Sure, it is attached!

Thank you

BR

Gustavo

test.pcap (47.6 KB)


#8

test.pcap (16.8 KB)

This is the wireshark I captured for rmnet0:
tcpdump -s0 -i rmnet0 -w /tmp/test.pcap
wget --spider google.com

On packet 7, there is acknowledgement sent back to google server.
However in your wireshark, I don’t see such packet sent from module.

Is this problem only happen to eth0? how about rmnet0?


#9

The rmnet0 is not being used in my module, it is not listed in the ifconfig command.

My iptables.rules file content is like follow

# Generated by iptables-save v1.4.21 on Thu Nov 10 19:02:24 2016
*filter
:INPUT ACCEPT [80:17812]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [80:22530]
-A INPUT -i rmnet0 -p icmp -m icmp --icmp-type 0 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i rmnet0 -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i rmnet0 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i rmnet0 -j DROP
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
**-A INPUT -i eth0 -j DROP **
COMMIT
# Completed on Thu Nov 10 19:02:24 2016

And the iptables -L command returns the follow

root@fx30:~# iptables -L
Chain INPUT (policy ACCEPT)
**target prot opt source destination **
ACCEPT icmp – anywhere anywhere icmp echo-reply state ESTABLISHED
ACCEPT tcp – anywhere anywhere tcp spt:domain state ESTABLISHED
ACCEPT udp – anywhere anywhere udp spt:domain state ESTABLISHED
**DROP all – anywhere anywhere **
**ACCEPT icmp – anywhere anywhere **
ACCEPT tcp – anywhere anywhere tcp spt:domain state ESTABLISHED
ACCEPT udp – anywhere anywhere udp spt:domain state ESTABLISHED
**DROP all – anywhere anywhere **

Chain FORWARD (policy ACCEPT)
**target prot opt source destination **

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Do you think it can be some rule blocking?

Thank you!

BR

Gustavo


#10

Hi,

This is the information from my WP8:


root@swi-mdm9x15:/# cat /etc/iptables/rules.v4

Generated by iptables-save v1.4.21

*filter
:INPUT ACCEPT [65:13163]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [15:3656]

The following line disables ssh over all interfaces other than usb0.

To enable ssh on a different interface, replace ‘usb0’ with other

interface’s name, e.g.:

-A INPUT ! -i eth0 -p tcp -m tcp --dport 22 -j DROP

-A INPUT ! -i usb0 -p tcp -m tcp --dport 22 -j DROP
COMMIT
root@swi-mdm9x15:/#

root@swi-mdm9x15:/# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp – anywhere anywhere tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


#11

Hi Gustavo,

This is due to this line;
-A LOGGING -j DROP

Some traffic over ethX is probably dropped.
It is recommended to look at LOGGING traces output to UART, to find which protocols/ports must be enabled on a network interface…

KR.


#12

Hello,

The problem was solved, the following line was missing in the iptables.rules file

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Thank you guys!

BR

Gustavo