* iptables doesn't stop connection
@ 2004-05-01 7:58 Philipp Offermann
From: Philipp Offermann @ 2004-05-01 7:58 UTC (permalink / raw)
To: netfilter
Hi,
I'm using iptables to firewall my system but it doesn't seem to work. For
example I have a cvs-server running (port 2401) that should not be accessible
from the outside. Still when I'm trying to connect with "telnet mymachine
2401" I get a connection, if not on the first try then on the second. I get
the following syslog:
Apr 27 11:12:36 mymachine kernel: [IPTABLES DROP] : IN=eth0 OUT= MAC=00:0c:76:1d:b0:ec:00:02:85:1a:d7:20:08:00 SRC=193.250.17.211 DST=*myip* LEN=60 TOS=0x10 PREC=0x00 TTL=52 ID=57653 DF PROTO=TCP SPT=40871 DPT=2401 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A000E2C400000000001030300)
Apr 27 11:12:39 mymachine kernel: [IPTABLES DROP] : IN=eth0 OUT= MAC=00:0c:76:1d:b0:ec:00:02:85:1a:d7:20:08:00 SRC=193.250.17.211 DST=*myip* LEN=60 TOS=0x10 PREC=0x00 TTL=52 ID=57654 DF PROTO=TCP SPT=40871 DPT=2401 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A000E2D6C0000000001030300)
Apr 27 11:12:45 mymachine cvs-pserver[1746]: connect from 193.250.17.211
You find my iptables configuration at the end of the message. Does anyone know
why I can connect to my cvs server?
Thanks a lot,
Philipp
Chain INPUT (policy ACCEPT)
target prot opt source destination
bad_tcp_packets tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
ACCEPT all -- 127.0.0.1 0.0.0.0/0
ACCEPT all -- *myip* 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 *myip* state RELATED,ESTABLISHED
tcp_packets tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
udp_packets udp -- 0.0.0.0/0 0.0.0.0/0 udp
icmp_packets icmp -- 0.0.0.0/0 0.0.0.0/0
log_drop all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain allowed (10 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp state RELATED,ESTABLISHED
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
Chain bad_tcp_packets (1 references)
target prot opt source destination
log_drop tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW
Chain icmp_packets (1 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
Chain log_accept (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `[IPTABLES ACCEPT] : '
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain log_drop (5 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `[IPTABLES DROP] : '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain log_reject (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `[IPTABLES REJECT] : '
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp reject-with tcp-reset
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain tcp_packets (1 references)
target prot opt source destination
allowed tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
log_reject tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
allowed tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
allowed tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
allowed tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
allowed tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
log_drop tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
allowed tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
log_drop tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
allowed tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
log_drop tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
allowed tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:389
allowed tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1002
allowed tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
Chain udp_packets (1 references)
target prot opt source destination
DROP udp -- 0.0.0.0/0 213.239.192.18 udp dpts:135:139
DROP udp -- 0.0.0.0/0 255.255.255.255 udp dpts:135:139
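The syslog excerpt above is the interesting evidence: two kernel DROP lines for a source, then a service accepting a connection from that same source a few seconds later. As an added example (not part of the original post), here is a small parser that reads kernel `[IPTABLES DROP]` lines and `connect from` lines and flags exactly that pattern, a host that was dropped and then got through anyway. The sample log is constructed after the lines quoted in the post; the DST address is a placeholder, since the post elides it as *myip*, and the extra sshd line is there only to show a non-matching entry is ignored.

```python
import re
from datetime import datetime

# Constructed sample modelled on the post's syslog; DST is a placeholder
# (the post elides the real address), the sshd line is filler.
SAMPLE_SYSLOG = """\
Apr 27 11:12:36 mymachine kernel: [IPTABLES DROP] : IN=eth0 OUT= MAC=00:0c:76:1d:b0:ec:00:02:85:1a:d7:20:08:00 SRC=193.250.17.211 DST=192.0.2.10 LEN=60 TOS=0x10 PREC=0x00 TTL=52 ID=57653 DF PROTO=TCP SPT=40871 DPT=2401 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 27 11:12:39 mymachine kernel: [IPTABLES DROP] : IN=eth0 OUT= MAC=00:0c:76:1d:b0:ec:00:02:85:1a:d7:20:08:00 SRC=193.250.17.211 DST=192.0.2.10 LEN=60 TOS=0x10 PREC=0x00 TTL=52 ID=57654 DF PROTO=TCP SPT=40871 DPT=2401 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 27 11:12:45 mymachine cvs-pserver[1746]: connect from 193.250.17.211
Apr 27 11:20:02 mymachine sshd[1790]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
# Kernel LOG target output: prefix, then space-separated KEY=VALUE fields
# with a few bare flags (DF, SYN, ...) mixed in.
KERNEL_RE = re.compile(TS + r" \S+ kernel: \[IPTABLES (?P<verdict>\w+)\] : (?P<fields>.*)$")
# tcp_wrappers-style service line, as written by cvs-pserver in the post.
CONNECT_RE = re.compile(TS + r" \S+ (?P<svc>[\w-]+)\[\d+\]: connect from (?P<src>\S+)$")


def parse_ts(ts: str) -> datetime:
    # No year in classic syslog; only differences between timestamps are used.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def parse_fields(fields: str) -> dict:
    """Split 'IN=eth0 OUT= SRC=... DF PROTO=TCP ... SYN' into a dict.
    Bare tokens without '=' are collected under '_flags'."""
    out = {"_flags": []}
    for token in fields.split():
        if "=" in token:
            key, value = token.split("=", 1)
            out[key] = value
        else:
            out["_flags"].append(token)
    return out


def find_leaks(syslog_text: str, window_s: int = 60) -> list:
    """Report services that accepted a connection from a host the firewall
    had logged as DROPped within the preceding window_s seconds."""
    drops = []      # (time, src, dport)
    findings = []
    for line in syslog_text.splitlines():
        m = KERNEL_RE.match(line)
        if m and m["verdict"] == "DROP":
            f = parse_fields(m["fields"])
            drops.append((parse_ts(m["ts"]), f.get("SRC"), int(f.get("DPT", 0))))
            continue
        m = CONNECT_RE.match(line)
        if not m:
            continue
        t = parse_ts(m["ts"])
        related = [d for d in drops
                   if d[1] == m["src"] and 0 <= (t - d[0]).total_seconds() <= window_s]
        if related:
            findings.append({
                "src": m["src"],
                "service": m["svc"],
                "dports": sorted({d[2] for d in related}),
                "drops": len(related),
                "seconds_after_last_drop": (t - max(d[0] for d in related)).total_seconds(),
            })
    return findings


if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_SYSLOG):
        print(finding)
```

On the constructed sample this reports one finding: 193.250.17.211 was dropped twice on port 2401 and then connected to cvs-pserver six seconds after the last drop. A DROP log followed by a service accept from the same host is worth alerting on in general, because it means some path through the ruleset let the packet in that the logging rule did not see.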
* Re: iptables doesn't stop connection
From: Antony Stone @ 2004-05-01 8:17 UTC (permalink / raw)
To: netfilter
On Saturday 01 May 2004 8:58 am, Philipp Offermann wrote:
> Hi,
>
> I'm using iptables to firewall my system but it doesn't seem to work. For
> example I have a cvs-server running (port 2401) that should not be
> accessible from the outside. Still when I'm trying to connect with "telnet
> mymachine 2401" I get a connection, if not on the first try then on the
> second.
That final phrase should ring some bells - why is the behaviour not identical
on different connection attempts?
> You find my iptables configuration at the end of the message. Does anyone
> know why I can connect to my cvs server?
Just for info, if you need to post your ruleset again, please send the output
of "iptables -L -nvx" instead of just "iptables -L" - the extra options tell
us which interfaces your rules apply to (and also show us the packet & byte
counts), which can be quite important in debugging problems.
> Chain INPUT (policy ACCEPT)
Tut tut tut - a default ACCEPT policy on INPUT :(
> target prot opt source destination
> log_drop all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3
So, you are LOGging and DROPping with a rate limit? What happens to packets
which are more frequent than this, I wonder?
Oh yes, they get ACCEPTed by your default policy :)
> Chain FORWARD (policy ACCEPT)
Ugh. Another default ACCEPT policy :((
Regards,
Antony.
--
"The problem with television is that the people must sit and keep their eyes
glued on a screen; the average American family hasn't time for it."
- Report in the New York Times, following a demonstration at the 1939 World's
Fair.
Please reply to the list;
please don't CC me.
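Antony's point, that packets arriving faster than the `limit` match allows skip the log_drop jump and land on the ACCEPT policy, is easy to see with a small model. The following is an added example, not from the thread and not iptables itself: a token-bucket approximation of the `limit` match and a chain walker that applies the same rule order iptables does, run once over the INPUT chain as posted and once over the usual fix (limit only on the LOG rule, unconditional DROP behind it, DROP policy). The arrival times are constructed, a client retrying its SYN every few seconds against a port no explicit rule handles.

```python
# Added example (not from the thread): model the iptables 'limit' match and
# walk a new SYN to port 2401 through the posted INPUT chain and a fixed one.


class Limit:
    """Token-bucket approximation of xt_limit: 'burst' matches are available
    at once, then tokens refill at 'avg_per_sec'. The kernel keeps credits in
    jiffies rather than tokens, but the effect on the rule is the same: once
    the burst is spent, the match fails and the rule it guards is skipped."""

    def __init__(self, avg_per_sec: float, burst: int):
        self.avg_per_sec = avg_per_sec
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def matches(self, now: float) -> bool:
        refill = (now - self.last) * self.avg_per_sec
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def always(now: float) -> bool:
    return True


def walk_chain(rules, policy, now):
    """Evaluate (predicate, target) rules in order as iptables does.
    target is 'ACCEPT', 'DROP', the non-terminating 'LOG', or a list of
    rules standing for a user-defined chain. A user chain that runs off its
    end returns to the caller; a built-in chain applies its policy."""
    for predicate, target in rules:
        if not predicate(now):
            continue
        if isinstance(target, list):
            verdict = walk_chain(target, None, now)
            if verdict is not None:
                return verdict
            continue
        if target == "LOG":
            continue
        return target
    return policy


def posted_input_chain():
    """The posted INPUT chain reduced to what a new SYN to port 2401 sees:
    nothing in tcp_packets matches it, so only the last rule is left,
      log_drop all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3
    with policy ACCEPT behind it."""
    limit = Limit(avg_per_sec=3 / 60, burst=3)
    log_drop = [(always, "LOG"), (always, "DROP")]
    return [(limit.matches, log_drop)], "ACCEPT"


def fixed_input_chain():
    """Same chain with the limit moved onto the LOG rule inside log_drop,
    an unconditional DROP after it, and a DROP policy as the backstop."""
    limit = Limit(avg_per_sec=3 / 60, burst=3)
    log_drop = [(limit.matches, "LOG"), (always, "DROP")]
    return [(always, log_drop)], "DROP"


def verdicts(chain_factory, arrival_times):
    rules, policy = chain_factory()
    return [walk_chain(rules, policy, t) for t in arrival_times]


# Constructed arrival times in seconds: a client retrying its SYN.
SYN_TIMES = [0.0, 3.0, 9.0, 12.0, 15.0]

if __name__ == "__main__":
    for name, factory in (("posted", posted_input_chain), ("fixed", fixed_input_chain)):
        print(name, verdicts(factory, SYN_TIMES))
```

With the posted chain the first three SYNs are logged and dropped (the burst), the fourth and fifth are not matched by `limit` and fall through to policy ACCEPT, which is the "if not on the first try then on the second" behaviour in the question; with the fixed chain every SYN is dropped and only the logging is rate-limited. In iptables terms the fix is `iptables -P INPUT DROP` (and `-P FORWARD DROP`), an unconditional `-A INPUT -j log_drop` as the last rule, and inside log_drop `-A log_drop -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "[IPTABLES DROP] : "` followed by `-A log_drop -j DROP`.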