Category Archives: Linux

iptables INVALID use case

This article describes a use case for the iptables INVALID state.

The LAN is connected to the gateway on eth1.
The VPN server offers VPN services on the network; for example, a client will have the address
The VPN server has two interfaces, and forwarding is enabled on it.
All routes are maintained ONLY on the gateway.

When a VPN client wants to reach a server located on the LAN, for example, it does not work.

Let's have a look at the routes.
Outbound path:
the VPN client wants to reach
First it goes to its gateway,
then it reaches the, still on the gateway,
which is on a directly connected interface, so it reaches the server.
Return path:
the server has a default gateway,
and then nothing happens: the packets are stopped on the gateway, which means they are never sent back, and it does not work.

Why?
Because the LAN server sends the return packets to its default gateway instead of to the VPN server.
The default gateway does not accept them: its connection tracking never saw the outgoing SYN, so the replies are neither NEW nor ESTABLISHED but INVALID. This is asymmetric routing.

In order to make this work there are several solutions:
– add on every LAN server a route like via, but I do not want this solution since I only maintain routes on the gateway;
– otherwise, make the gateway accept packets that are neither NEW nor ESTABLISHED:

$I -A FORWARD -i eth1 -o eth1 -s -d -m state --state INVALID -j ACCEPT

This rule says that packets coming in from the LAN (on eth1) and going out to the LAN (on eth1), from the source (the LAN) to the destination (the VPN network), are accepted even though they do not have a normal conntrack state (INVALID); $I stands for the iptables command.
You are accepting asymmetric routing on your network, and now it works: VPN clients have access to all LAN servers. Keep such a rule scoped as tightly as this one (both interfaces, source and destination): an unrestricted INVALID accept turns the stateful firewall into a stateless one, because INVALID is precisely the state an out-of-window, replayed or spoofed packet ends up with.

And do not forget the legitimate traffic:

$I -A FORWARD -i eth1 -o eth1 -s -d -m state --state NEW,ESTABLISHED -j ACCEPT
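As an added example (this editor's script, not the post's own rules), the POSIX shell below generates the gateway's FORWARD rules for this situation. The LAN and VPN prefixes are placeholders from the documentation ranges and the LOG/DROP lines are this example's addition; it uses -m conntrack --ctstate, the current spelling of the -m state --state match used above. By default it only prints the rules; set APPLY=1 to feed them to iptables.

```shell
#!/bin/sh
# Added example, not the rules from the original post: build the gateway's
# FORWARD rules for the VPN -> LAN case. Addresses are placeholders from the
# documentation ranges (assumptions), as are the LOG and DROP lines.
IPT=${IPT:-iptables}                  # the post's $I
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.0.2.0/24}      # assumed: the LAN prefix
VPN_NET=${VPN_NET:-198.51.100.0/24}   # assumed: the VPN client prefix

# Print the rules in the order they must be appended. Only the reply direction
# (LAN server -> VPN client) transits this gateway, so the INVALID accept is
# limited to that source/destination pair and to eth1 in and out; everything
# else conntrack calls INVALID is logged and dropped.
gw_forward_rules() {
    cat <<EOF
$IPT -A FORWARD -i $LAN_IF -o $LAN_IF -s $LAN_NET -d $VPN_NET -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $LAN_IF -s $LAN_NET -d $VPN_NET -m conntrack --ctstate INVALID -j ACCEPT
$IPT -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "fwd-invalid: "
$IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
EOF
}

# Guard: number of ACCEPT rules for the INVALID state that carry no -s scope.
# Must be 0, otherwise the stateful firewall is effectively stateless.
unscoped_invalid_accepts() {
    gw_forward_rules | grep -- '--ctstate INVALID -j ACCEPT' | grep -v -c -- ' -s '
}

# Guard: the scoped INVALID accept must precede the catch-all INVALID drop,
# since iptables stops at the first matching rule.
scoped_accept_precedes_drop() {
    a=$(gw_forward_rules | grep -n -- '--ctstate INVALID -j ACCEPT' | head -1 | cut -d: -f1)
    d=$(gw_forward_rules | grep -n -- '--ctstate INVALID -j DROP' | head -1 | cut -d: -f1)
    [ -n "$a" ] && [ -n "$d" ] && [ "$a" -lt "$d" ]
}

# Dry run by default; APPLY=1 (as root) pipes the rules into a shell.
if [ "${APPLY:-0}" = 1 ]; then
    gw_forward_rules | sh -e
else
    gw_forward_rules
fi
```

The two guard functions make the security property explicit: no INVALID accept without a source and destination scope, and the scoped accept ahead of the catch-all drop. If accepting INVALID packets at all is unacceptable, the alternative that keeps both directions on one path is to source-NAT the VPN clients behind the VPN server's LAN address, at the price of losing their real addresses in the LAN servers' logs.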

Debian active directory authentication

Ensure the Debian server and the AD domain controller have the same date and time: Kerberos rejects requests when the clocks differ by more than its clockskew (5 minutes by default). If needed, install ntpd or ntpdate.

Install the Kerberos client packages. In this example the AD domain is UNKNOWN, the realm is UNKNOWN.LOCAL and the domain controller is named carotte.

aptitude install krb5-user libpam-krb5

Edit /etc/krb5.conf; the settings below belong, in order, to its [logging], [libdefaults], [realms], [domain_realm] and [login] sections:

        default = FILE:/var/log/krb5.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

        default_realm = UNKNOWN.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true

        UNKNOWN.LOCAL = {
                kdc = carotte
                admin_server = carotte
        }

        .unknown.local = UNKNOWN.LOCAL
        unknown.local = UNKNOWN.LOCAL

        krb4_convert = true
        krb4_get_tickets = false

Check that it works and that you can authenticate a Windows AD user from the Debian server:

kinit administrator

You will be prompted for the administrator password:

Password for administrator@UNKNOWN.LOCAL:

No output means success. Check that you have been granted a Kerberos ticket (klist prints the ticket cache):

You should see the ticket:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@UNKNOWN.LOCAL

Valid starting       Expires              Service principal
10/15/2015 13:51:07  10/15/2015 23:51:07  krbtgt/UNKNOWN.LOCAL@UNKNOWN.LOCAL
        renew until 10/22/2015 13:51:03

Now integrate the Debian server into the AD domain.

apt-get install samba winbind

Change /etc/samba/smb.conf (the settings go in the [global] section):


        workgroup = UNKNOWN
        security = ads
        realm = UNKNOWN.LOCAL
        password server = carotte
        domain logons = no
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind enum groups = yes
        winbind enum users = yes
        winbind use default domain = yes
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        restrict anonymous = 2
        domain master = no
        local master = no
        preferred master = no
        os level = 0
        idmap config *:backend = tdb
        idmap config *:range = 11000-20000
        idmap config UNKNOWN:backend = rid
        idmap config UNKNOWN:range = 10000000-1900000000

Restart services:

/etc/init.d/winbind stop
/etc/init.d/samba restart
/etc/init.d/winbind start

Now join the domain:

net ads join -U administrator

Enter the administrator password:

Enter administrator's password:
Using short domain name -- UNKNOWN
Joined 'kikinou' to dns domain 'unknown.local'

Congratulations, the Linux server kikinou has joined the domain "UNKNOWN".
You can now list AD users and groups from the Linux server:

wbinfo -u
wbinfo -g

Edit /etc/nsswitch.conf to add winbind for looking up users and groups.
Append winbind at the end of these two lines:

          passwd:         compat winbind
          group:          compat winbind

Test by listing users and groups, which should now include the AD ones:

getent passwd

You should see the content of the passwd file plus the AD user entries.

getent group

The same as above, this time with the AD groups.
If getent returns nothing beyond local information (no AD entries), check that the library connecting winbind to NSS is installed; if not, install it:

apt-get install libnss-winbind

Edit /etc/pam.d/common-session and add the last two lines (for Debian); the last one, with umask=0022 skel=/etc/skel, creates the user's home directory from /etc/skel on first login:

session [default=1]           
session requisite             
session required              
session required
session required umask=0022 skel=/etc/skel

That's it, you can now log on to your Debian server with a Windows AD user.
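As an added example (this editor's script, not part of the original post), the POSIX shell below collects the checks worth running after the join: clock skew against the domain controller before kinit, a valid ticket in the cache, the machine account and trust secret, winbind present in nsswitch.conf, and which getent entries actually come from AD. Realm, DC name, idmap range and home directory template are the values configured above; the 300 second limit (Kerberos' default clockskew), the sample passwd entries and the use of net time to read the DC clock are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: post-join checks for a Debian
# host in the UNKNOWN.LOCAL realm. Realm, DC, idmap range and homedir template
# come from the configuration above; MAX_SKEW (the Kerberos default) and the
# "net time" date format are assumptions.
REALM=${REALM:-UNKNOWN.LOCAL}
DC=${DC:-carotte}
MAX_SKEW=${MAX_SKEW:-300}
RID_MIN=10000000; RID_MAX=1900000000   # idmap config UNKNOWN:range above

# 0 if two epoch timestamps are within MAX_SKEW seconds of each other.
# Kerberos rejects requests beyond its clockskew, so check this before kinit.
skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( -d ))
    [ "$d" -le "$MAX_SKEW" ]
}

# 0 if the nsswitch.conf text on stdin lists winbind for both passwd and group.
nss_has_winbind() {
    conf=$(cat)
    printf '%s\n' "$conf" | grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' &&
    printf '%s\n' "$conf" | grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)'
}

# 0 if a "getent passwd" entry comes from AD through winbind: its uid lies in
# the domain's rid idmap range and its home follows "template homedir = /home/%D/%U".
is_ad_user() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    [ "$uid" -ge "$RID_MIN" ] && [ "$uid" -le "$RID_MAX" ] || return 1
    case $home in
        /home/UNKNOWN/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample entries (not real accounts): one AD user, one local user.
SAMPLE_AD_ENTRY='alice:*:10001105:10000513:Alice:/home/UNKNOWN/alice:/bin/bash'
SAMPLE_LOCAL_ENTRY='root:x:0:0:root:/root:/bin/bash'

# Live checks: need the packages above, network access to the DC and an AD
# password. Run as root after "net ads join".
live_checks() {
    user=${1:-administrator}
    now=$(date +%s)
    # assumption: "net time -S" prints a ctime-style date that GNU date can parse
    dc_now=$(date -d "$(net time -S "$DC")" +%s) || return 1
    skew_ok "$now" "$dc_now" || { echo "clock skew over ${MAX_SKEW}s, fix NTP first"; return 1; }
    kinit "$user@$REALM" || return 1   # prompts for the AD password
    klist -s || return 1               # 0 only while a valid ticket is cached
    net ads testjoin || return 1       # machine account still valid on the DC
    wbinfo -t || return 1              # winbind can use the trust secret
    nss_has_winbind < /etc/nsswitch.conf || { echo "nsswitch.conf lacks winbind"; return 1; }
    getent passwd | while IFS= read -r entry; do
        is_ad_user "$entry" && echo "AD user: ${entry%%:*}"
    done
}
```

The offline helpers (skew_ok, nss_has_winbind, is_ad_user) can be exercised on the constructed samples; live_checks needs the joined host and root. Note that winbind enum users = yes and winbind enum groups = yes make getent passwd and getent group walk the whole directory, which is slow and noisy on a large domain; they are only needed for that enumeration, not for logins or lookups by name.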

sshd fatal: cipher & key exchange

I did some updates on an old Debian system, and then the SSH server refused to let me in.
I got the message:

sshd[19482]: fatal: no matching cipher found:

Just have a look at /var/log/auth.log to determine which ciphers the client and the server offer: the message lists both sides' proposals, and it means there is no cipher in common between the client and the server.

I added in /etc/ssh/sshd_config file the lines:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,,,,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc

Then I got a new error message:

sshd[20362]: fatal: Unable to negotiate a key exchange method [preauth]

Specify the key exchange methods explicitly by adding a KexAlgorithms line to /etc/ssh/sshd_config listing the methods to accept, such as:

,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Both lists re-enable algorithms that newer OpenSSH releases removed from their defaults for a reason: arcfour (RC4), blowfish-cbc, 3des-cbc and the other CBC-mode ciphers, and diffie-hellman-group1-sha1 with its 1024-bit group. They let the old client in, but every client can now negotiate them. The cleaner fix is to update the client; failing that, keep the lists as short as that client actually needs and remove them once it is gone.
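As an added example (this editor's script, not part of the original post), the POSIX shell below audits the Ciphers and KexAlgorithms lines of an sshd_config for legacy algorithms, so that a workaround like the one above can be found again later. Which algorithms count as weak is this example's choice (an assumption): RC4, the CBC-mode ciphers, the 1024-bit DH group 1 and the SHA-1 group exchange. The sample configurations are constructed, the first one from the lines above.

```shell
#!/bin/sh
# Added example, not part of the original post: flag legacy algorithms in the
# Ciphers / KexAlgorithms lines of an sshd_config. The weak lists are this
# example's assumption.
WEAK_CIPHERS='arcfour arcfour128 arcfour256 blowfish-cbc 3des-cbc cast128-cbc aes128-cbc aes192-cbc aes256-cbc'
WEAK_KEX='diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1'

# Read sshd_config text on stdin; print "Keyword: algorithm" for every weak
# entry and return 1 if any was found, 0 otherwise. Keywords are matched
# case-insensitively (sshd -T prints them in lower case); empty list entries
# such as those produced by ",," are skipped.
audit_sshd_algos() {
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        set -f                       # no globbing while word-splitting
        set -- $line
        keyword=$1 value=$2
        case $keyword in
            [Cc]iphers)          weak=$WEAK_CIPHERS ;;
            [Kk]ex[Aa]lgorithms) weak=$WEAK_KEX ;;
            *) set +f; continue ;;
        esac
        old_ifs=$IFS; IFS=,
        set -- $value                # split the comma-separated list
        IFS=$old_ifs
        set +f
        for alg in "$@"; do
            [ -n "$alg" ] || continue
            for w in $weak; do
                if [ "$alg" = "$w" ]; then
                    printf '%s: %s\n' "$keyword" "$alg"
                    found=1
                fi
            done
        done
    done
    return $found
}

# Number of weak entries in the sshd_config text on stdin.
weak_count() {
    audit_sshd_algos | grep -c ''
}

# Constructed samples: the legacy lines from the post above, and a reduced set.
SAMPLE_LEGACY_CONFIG='Ciphers aes128-ctr,aes192-ctr,aes256-ctr,,,,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'
SAMPLE_HARDENED_CONFIG='Ciphers aes128-ctr,aes192-ctr,aes256-ctr
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256'

# Usage on a real host:  audit_sshd_algos < /etc/ssh/sshd_config
# or, to see the effective values including defaults:  sshd -T | audit_sshd_algos
printf '%s\n' "$SAMPLE_LEGACY_CONFIG" | audit_sshd_algos || echo "legacy algorithms enabled"
```

Running it on the legacy sample lists the seven CBC/RC4 ciphers and diffie-hellman-group1-sha1; the reduced sample comes back clean. Feeding it sshd -T rather than the file catches algorithms that are on by default on an old OpenSSH even when sshd_config says nothing about them.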