Environment
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Java Agents
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 SSLVPN Server
Novell Access Manager 3.1 Access Administration
Novell Access Manager 3.1 Linux Access Gateway
Situation
AM 3.1 iptables troubleshooting cheat sheet
================================
Functionality: The goal is to understand which Access Manager components need iptables and how to confirm the setup is correct. iptables is normally used by the Linux IDP server and the SSLVPN server.
IDP: The Linux IDP server is not started as the root user but as the novlwww user. Because of Linux OS restrictions on non-root users, the IDP server cannot listen on any TCP port below 1024; we use TCP 8443 by default. Ideally users will want to reach the IDP server from their browsers on TCP 443, so that no non-standard holes are required in firewalls located between the users and the IDP server. To do this, we define the baseURL TCP port on the IDP general configuration page as 443 and use iptables to redirect incoming requests from TCP 443 to the TCP 8443 port the IDP is really listening on. The only iptables entry required to do this is:
# iptables -t nat -A PREROUTING -d <$idp_server_listening_ip_address> -p tcp --dport 443 -j DNAT --to <$idp_server_listening_ip_address>:8443
SSLVPN: The SSLVPN server in Enterprise mode acts as an IP router, routing IP packets from the private (default 12.8.0.0/16) SSLVPN subnet to the destination host we are protecting. By default, this destination host receives a request with the source IP address of the private SSLVPN client. In order to respond to the SSLVPN client, the destination host must have a path back through the SSLVPN server. It can get this in either of two ways:
a) adding a routing table entry on the private host for the SSLVPN client subnet with a next hop of the SSLVPN server. This is cumbersome, as the entry must be added to every host.
b) adding an iptables entry on the SSLVPN server that rewrites the source IP address of outgoing requests to that of the SSLVPN server's local interface.
The only iptables entry required to do this is:
# iptables -t nat -A POSTROUTING -s 12.8.0.0/16 -j SNAT --to <$sslvpn_server_nexthop_to_dest_ip_address>
where 12.8.0.0/16 is the 'Assigned IP Address Pool For Enterprise Mode' under the SSLVPN Basic configuration settings (the setting is also available in the SSLVPN 'Advanced configuration' settings).
iptables settings required to capture all relevant info:
The registered iptables entries on either the IDP or the SSLVPN server are available with
# iptables -t nat -nvL
Info to request:
- IDP server:
# iptables -t nat -nvL
# netstat -patune|grep 8443
# netcat -v -v <$idp_server_listening_ip_address> 443 ... must be run from a host other than the IDP server
# tcpdump -i any -s 0 -w idptrace.cap port 443 or port 8443
# /var/opt/novell/tomcat5/conf/server.xml
# amdiagcfg.sh output from Admin Console (/opt/novell/devman/bin/ directory)
- SSLVPN server:
# iptables -t nat -nvL
# tcpdump -i any -s 0 -w sslvpntrace.cap host <$ip_addr_of_sslvpn_prot_appl>
What to look for in log files:
- IDP:
> Make sure that the 'pkts' value for the chain is non-zero (in the output below it is 49, indicating that the port has been rewritten in 49 packets).
> Make sure the interface (there may be multiple!) and the 'to' IP address and port are correct.
idpcluster:/etc/init.d # iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 1593K packets, 116M bytes)
pkts bytes target prot opt in out source destination
49 2352 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:147.2.16.109:8443
> Make sure the netcat output shows the port as open (147.2.16.109 is the IP address of my IDP server). This indicates that both TCP 443 and 8443 are open:
# netcat -v -v 147.2.16.109 443
idpcluster.lab.novell.com [147.2.16.109] 443 (https) open
> The tcpdump output should show requests destined for the IDP server IP address on TCP 443.
> /var/opt/novell/tomcat5/conf/server.xml should show the connector TCP port as 8443.
> The amdiagcfg.sh output will show the IDP base URL port as 443.
- SSLVPN:
> Make sure that the 'pkts' value for the chain is non-zero (in the output below it is 77, indicating that the source address has been rewritten in 77 packets).
> Make sure the 'source' subnet and the 'to' IP address are correct.
sslvpncluster:/etc/init.d # iptables -t nat -nvL
Chain POSTROUTING (policy ACCEPT 2638K packets, 159M bytes)
pkts bytes target prot opt in out source destination
77 91927 SNAT all -- * * 12.8.0.0/16 0.0.0.0/0 to:10.0.0.1
> The tcpdump output should show requests destined for the protected application carrying the SSLVPN server interface as their new source IP address, and responses from the remote host should be destined for the SSLVPN server.
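The two iptables checks above (DNAT rule in PREROUTING for the IDP, SNAT rule in POSTROUTING for the SSLVPN) can be scripted so the 'pkts' counter and the 'to' value are verified rather than eyeballed. This is an added example, not part of the TID or of Access Manager; the sample outputs are constructed to mirror the listings above, and on a live server you would pipe `iptables -t nat -nvL` in instead.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -nvL` on an IDP server (49 packets
# rewritten from TCP 443 to 147.2.16.109:8443, as in the cheat sheet).
IDP_NAT_SAMPLE='Chain PREROUTING (policy ACCEPT 1593K packets, 116M bytes)
 pkts bytes target     prot opt in     out     source               destination
   49  2352 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:147.2.16.109:8443

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Constructed sample on an SSLVPN server (77 packets from 12.8.0.0/16 SNATed to 10.0.0.1).
SSLVPN_NAT_SAMPLE='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2638K packets, 159M bytes)
 pkts bytes target     prot opt in     out     source               destination
   77 91927 SNAT       all  --  *      *       12.8.0.0/16          0.0.0.0/0            to:10.0.0.1'

# check_nat_rule CHAIN TARGET TO_VALUE  (reads `iptables -t nat -nvL` output on stdin)
# Exit 0 only if CHAIN holds a TARGET rule whose trailing "to:" field equals TO_VALUE
# and whose packet counter is non-zero; exit 1 if the rule is missing, 2 if it has
# never matched a packet (rule present but traffic is not reaching it).
check_nat_rule() {
    chain=$1; target=$2; want_to=$3
    awk -v chain="$chain" -v target="$target" -v want="$want_to" '
        /^Chain / { in_chain = ($2 == chain); next }
        in_chain && $3 == target && $NF == ("to:" want) {
            found = 1
            if ($1 + 0 > 0) { hit = 1; pkts = $1 }   # counters may carry K/M suffixes
        }
        END {
            if (!found) { print chain ": no " target " rule to " want; exit 1 }
            if (!hit)   { print chain ": " target " rule present but 0 packets matched"; exit 2 }
            print chain ": OK, " pkts " packets rewritten to " want; exit 0
        }'
}

# Run both checks against the constructed samples.
printf '%s\n' "$IDP_NAT_SAMPLE"    | check_nat_rule PREROUTING  DNAT 147.2.16.109:8443
printf '%s\n' "$SSLVPN_NAT_SAMPLE" | check_nat_rule POSTROUTING SNAT 10.0.0.1
```

A zero-packet result with the rule present usually means the test traffic is not arriving on the expected interface or port, which is what the tcpdump capture listed above is for.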
Useful TIDs:
1. iptables tutorial at http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html (see Masquerading section)
2. Translating the Identity Server port at https://www.novell.com/documentation/novellaccessmanager31/identityserver/?page=/documentation/novellaccessmanager31/identityserver/data/b6fyxpk.html
3. Configuring Source NAT for SSLVPN server at https://www.novell.com/documentation/novellaccessmanager31/sslvpn_serverguide/?page=/documentation/novellaccessmanager31/sslvpn_serverguide/data/bjlxhe6.html
4. "An error has occurred which may have invalidated your authentication" - https://support.microfocus.com/kb/doc.php?id=7005830&sliceId=1&docTypeID=DT_TID_1_1&dialogID=137875069&stateId=0%200%20137873431