Networking Forums

iptables strange problem

 
 
paranic
03-13-2006, 10:27 AM
Hello

I have some machines with the following iptables rules.
My problem is that sometimes I get a timeout when reaching some
services from the public interface,
and sometimes it works great.
It is a very strange problem, maybe something with the established rule and
invalid traffic.
The most common timeout is on SSH and HTTP.
When I flush all rules everything works fine.


Thanks in advance
Nikos


echo 0 > /proc/sys/net/ipv4/ip_forward

/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -m state --state INVALID -j DROP

/sbin/iptables -P OUTPUT DROP
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP

/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP

/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT

/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -t mangle -Z
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t mangle -P INPUT ACCEPT
/sbin/iptables -t mangle -P FORWARD ACCEPT
/sbin/iptables -t mangle -P POSTROUTING ACCEPT

/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t nat -Z
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT



# ethx (All Interfaces)
/sbin/iptables -A OUTPUT -p udp --dport 33434:33999 -j ACCEPT
# traceroute udp packets
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -d debian.otenet.gr --dport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -d security.debian.org --dport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 3306 -j ACCEPT

# eth2 (Management Interface)
/sbin/iptables -A INPUT -i eth2 -p udp --dport 161 -j ACCEPT
/sbin/iptables -A INPUT -i eth2 -p tcp --dport 22 -j ACCEPT

# eth0 (Public Interface)
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 20 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT

/sbin/iptables -A INPUT -j DROP
/sbin/iptables -A OUTPUT -j DROP
/sbin/iptables -A FORWARD -j DROP

 
Grant
03-13-2006, 03:51 PM
On 13 Mar 2006 03:27:14 -0800, "paranic" <(E-Mail Removed)> wrote:

>i have some machines with the following iptables rules


The order of iptables rules is important, and you list them out of order.

Grant.
--
Testing can show the presence of bugs, but not their absence.
-- Dijkstra
 
X
03-14-2006, 05:11 AM
Are these rules on a network firewall or a server or just a PC? Which
interfaces are public, private, etc.?

Seems like there are a lot of duplicate rules in the first few
sections. If you are already checking the relevant rules (related,
established traffic, and syn packets) in the INPUT chain, then those
rules are unnecessary in the OUTPUT and FORWARD chains. Also, since
ip_forward is disabled anyway (via "echo 0 >
/proc/sys/net/ipv4/ip_forward"), nothing is going to get through the
FORWARD chain regardless, so no point in setting anything there. For a
simple firewall (unless you are doing port forwarding), nothing needs
to be set in the nat and mangle tables either. I would
probably also set the action to -j DROP on the SYN packet instead of
REJECT. I would set the invalid packet rule to REJECT instead of DROP.
I would also specify an incoming interface on the SYN packet INPUT
rule and/or (depending on what this machine does) a source address
(being the address of your machine). That way, your machine can make
all the outgoing connections it wants... it merely discriminates
against the incoming ones.

I think it would help first if I knew what the machine does (e.g.
network firewall, server, PC, etc.).

X

 
paranic
03-14-2006, 11:41 AM
Grant,
what's wrong with the ordering?
Allow rules first and then deny rules?
Also, I got rid of the unnecessary rules.


X wrote:
> Are these rules on a network firewall or a server or just a PC? Which
> interfaces are public, private, etc.?
>
> Seems like there are a lot of duplicate rules in the first few
> sections. If you are already checking the relevant rules (related,
> established traffic, and syn packets) in the INPUT chain, then those
> rules are unnecessary in the OUTPUT and FORWARD chains. Also, since
> ip_forward is disabled anyway (via "echo 0 >
> /proc/sys/net/ipv4/ip_forward"), nothing is going to get through the
> FORWARD chain regardless, so no point in setting anything there. For a
> simple firewall (unless you are doing port forwarding), nothing needs
> to be set in the nat and mangle tables either.

OK, with the FORWARD and the rest, I got rid of them,
but I can't remove the OUTPUT rules because I have a default OUTPUT DROP,
so I have to put something in for ESTABLISHED.

>I would
> probably also set the action to -j DROP on the SYN packet instead of
> REJECT. I would set the invalid packet rule to REJECT instead of DROP.
> I would also specify an incoming interface on the SYN packet INPUT
> rule and/or (depending on what this machine does) a source address
> (being the address of your machine). That way, your machine can make
> all the outgoing connections it wants... it merely discriminates
> against the incoming ones.
>
> I think it would help first if I knew what the machine does (e.g.
> network firewall, server, PC, etc.)
>
> X


Here is my new modified config.
I think that it will cause the same problem in a while.
If it causes problems I will change the DROP/REJECT on the SYN and
invalid packet rules.

 
Peter Lowrie
03-14-2006, 12:58 PM
Try this:

echo "1" >/proc/sys/net/ipv4/ip_forward

/etc/sysconfig/iptables:
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source <your eth0 gateway ip #>
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

then run /etc/rc.d/init.d/iptables restart

This will greatly simplify things for you. BTW in the example above eth0 is
the internet facing device.





paranic wrote:

> Hello
>
> i have some machines with the following iptables rules
> my problem is that sometimes i get a timeout when reaching some
> services from the public interface.
> and sometimes it works great
> it is a very strange problem maybe something with established rule and
> invalid traffic.
> most common timeout is on ssh and http.
> when i flush all rules everything works fine.
>
>
> Thanks in advance
> Nikos
>
>
> echo 0 > /proc/sys/net/ipv4/ip_forward
>
> /sbin/iptables -F
> /sbin/iptables -X
> /sbin/iptables -Z
> /sbin/iptables -P INPUT DROP
> /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> /sbin/iptables -A INPUT -p tcp ! --syn -j REJECT --reject-with
> tcp-reset
> /sbin/iptables -A INPUT -m state --state INVALID -j DROP
>
> /sbin/iptables -P OUTPUT DROP
> /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> /sbin/iptables -A OUTPUT -p tcp ! --syn -j REJECT --reject-with
> tcp-reset
> /sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
>
> /sbin/iptables -P FORWARD DROP
> /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j
> ACCEPT
> /sbin/iptables -A FORWARD -p tcp ! --syn -j REJECT --reject-with
> tcp-reset
> /sbin/iptables -A FORWARD -m state --state INVALID -j DROP
>
> /sbin/iptables -A INPUT -i lo -j ACCEPT
> /sbin/iptables -A OUTPUT -o lo -j ACCEPT
> /sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT
>
> /sbin/iptables -t mangle -F
> /sbin/iptables -t mangle -X
> /sbin/iptables -t mangle -Z
> /sbin/iptables -t mangle -P PREROUTING ACCEPT
> /sbin/iptables -t mangle -P OUTPUT ACCEPT
> /sbin/iptables -t mangle -P INPUT ACCEPT
> /sbin/iptables -t mangle -P FORWARD ACCEPT
> /sbin/iptables -t mangle -P POSTROUTING ACCEPT
>
> /sbin/iptables -t nat -F
> /sbin/iptables -t nat -X
> /sbin/iptables -t nat -Z
> /sbin/iptables -t nat -P PREROUTING ACCEPT
> /sbin/iptables -t nat -P OUTPUT ACCEPT
> /sbin/iptables -t nat -P POSTROUTING ACCEPT
>
>
>
> # ethx (All Interfaces)
> /sbin/iptables -A OUTPUT -p udp --dport 33434:33999 -j ACCEPT
> # traceroute udp packets
> /sbin/iptables -A INPUT -p icmp --icmp-type echo-request -m limit
> --limit 1/s -j ACCEPT
> /sbin/iptables -A OUTPUT -p icmp --icmp-type echo-request -m limit
> --limit 1/s -j ACCEPT
> /sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
> /sbin/iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
> /sbin/iptables -A OUTPUT -p tcp -d debian.otenet.gr --dport 80 -j
> ACCEPT
> /sbin/iptables -A OUTPUT -p tcp -d security.debian.org --dport 80 -j
> ACCEPT
> /sbin/iptables -A OUTPUT -p tcp --dport 3306 -j ACCEPT
>
> # eth2 (Management Interface)
> /sbin/iptables -A INPUT -i eth2 -p udp --dport 161 -j ACCEPT
> /sbin/iptables -A INPUT -i eth2 -p tcp --dport 22 -j ACCEPT
>
> # eth0 (Public Interface)
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 20 -j ACCEPT
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
>
> /sbin/iptables -A INPUT -j DROP
> /sbin/iptables -A OUTPUT -j DROP
> /sbin/iptables -A FORWARD -j DROP


--
Regards,
Peter.
http://www.pelicom.net.nz
 
X
03-14-2006, 10:44 PM
Are you using this machine as a firewall for your network (i.e. NAT) or
are you just using these rules to firewall an individual computer?
This is the most important question, as it will determine whether or
not you need to use PREROUTING and POSTROUTING rules. You must also
enable ip_forward (echo 1 > /proc/sys/net/ipv4/ip_forward) for a
network firewall (for NAT), or else none of the machines on the other
side will get packets forwarded to them. However, if this is just a
server that you are using iptables to firewall, then you don't have to
worry about forwarding.

Here is a base configuration I would use. With the limited information
on what you want this for, I will have to make some assumptions. I am
assuming that this is a server that is both on a public and a private
network. I'm also assuming that the private network is relatively
"safe", such that you will allow general connections from it. I'm
assuming that public network connections are desired to be disallowed
by default, with a few exceptions.

####### set defaults
iptables -P INPUT DROP
# ^ defaults to dropping the packet in the INPUT chain
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# ^ FORWARD/OUTPUT chains accept packets if they manage to make it through the INPUT chain

####### exception rules
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ^ accepts ESTABLISHED, RELATED traffic on all interfaces
iptables -A INPUT -i ! [private interface, like eth0] -p tcp --syn -j DROP
# ^ DROPs connection requests (syn packets) from all interfaces that are not the private network interface
# iptables -A INPUT -m state --state INVALID -j REJECT # This rule is optional
# ^ REJECTs invalid packets. I've never used this, personally.

####### your server's services exception rules for the public network
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT # allows SSH connections
iptables -A INPUT -i eth0 -p tcp --dport 20 -j ACCEPT # allows FTP active connection
iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT # allows FTP connection
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT # allows HTTP connection
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT # allows HTTPS connection

####### Other rules
# list them here... specify them on the INPUT chain, not the OUTPUT chain

Also, there is no need for your last set of rules, because if no rules
are matched in the chain, then the default action will be taken, which
is DROP for the INPUT chain. Also, if the packet gets DROPped in the
INPUT chain, then it will never see the OUTPUT or FORWARD chains, so
for just a simple, non-NAT firewall, there is no reason to add rules to any
chain but the INPUT chain.

Hope this helps,

X

 
X
03-14-2006, 10:58 PM
Correction:
iptables -A INPUT -i ! [public interface, like eth0] -p tcp --syn -j ACCEPT
# ^ ACCEPT the connection request if it does not come from the public interface
Instead of:
iptables -A INPUT -i ! [private interface, like eth0] -p tcp --syn -j DROP

The way iptables matches rules, it will keep trying to match rules, but
once it hits one that matches, it will take that action and stop trying
to match rules. So you need to look at it from the point of view that
your default INPUT chain action is DROP if no rules are matched. So,
any rules you add are rules that you want it to do something different
from the default (mainly, ACCEPT). So only add rules that ACCEPT and
let the default policy of DROP take care of the rest. If it does hit a
DROP and you later have a rule to ACCEPT that kind of packet, the
latter rule will never be called because the DROP action has already
been taken.

X
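As an added illustration of the first-match behaviour X describes above (not code from the thread or from anyone in it), the Python below parses the subset of iptables syntax used in X's base config and its correction and walks an INPUT chain the way the kernel does: first matching rule wins, otherwise the chain policy applies. It assumes eth0 is the public interface as in the thread and takes eth2, the management interface, as the private one; the packets are constructed.

```python
import shlex
OPT = {"-i": "in", "-p": "proto", "--dport": "dport", "--state": "state"}
CONV = {"--state": lambda v: set(v.split(",")), "--dport": int}

def parse_rule(line):
    # Parses the subset of iptables syntax used in this thread (-A, -i [!] IF,
    # -p, [!] --syn, --dport, -m state --state A,B, -j) into (matches, target).
    toks, matches, target, neg, i = shlex.split(line), [], None, False, 0
    while i < len(toks):
        t = toks[i]
        if t == "!":                              # '! --syn' style negation
            neg, i = True, i + 1
        elif t in ("-A", "-m", "--reject-with"):  # chain, module, reject type: skip
            i += 2
        elif t == "-j":
            target, i = toks[i + 1], i + 2
        elif t == "--syn":
            matches.append(("syn", True, neg))
            neg, i = False, i + 1
        else:                                     # options that take one value
            val, i = toks[i + 1], i + 2
            if val == "!":                        # old '-i ! eth0' style negation
                neg, val, i = True, toks[i], i + 1
            matches.append((OPT[t], CONV.get(t, str)(val), neg))
            neg = False
    return matches, target

def verdict(policy, rules, pkt):
    # First matching rule's target is final; no match means the chain policy.
    for n, (matches, target) in enumerate(rules, 1):
        ok = True
        for key, val, neg in matches:
            hit = pkt["state"] in val if key == "state" else pkt.get(key) == val
            ok = ok and hit != neg                # a negated match must NOT hit
        if ok:
            return target, n
    return policy, None

def tcp(iface, dport, state="NEW", syn=True):     # constructed packet
    return {"in": iface, "proto": "tcp", "dport": dport, "state": state, "syn": syn}
# X's corrected INPUT chain; eth0 is the public interface, as in the thread.
GOOD = [parse_rule(r) for r in (
    "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A INPUT -i ! eth0 -p tcp --syn -j ACCEPT",
    "-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT")]
# X's first version: the DROP above the ACCEPT shadows it (assumes eth2 is private).
SHADOWED = [parse_rule(r) for r in (
    "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A INPUT -i ! eth2 -p tcp --syn -j DROP",
    "-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT")]
```

With the chain policy set to DROP, `verdict("DROP", GOOD, tcp("eth0", 22))` accepts at rule 3, while the same SSH SYN against SHADOWED is dropped at rule 2 and never reaches the ACCEPT below it.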

 