Is iptables black-listing me?

Is iptables black-listing me?

[Olivier.Keunen]

[-- Attachment #1: Type: text/plain, Size: 3666 bytes --]

Hello,

Here is the problem I hope somebody on the list can help me with:

We have been running iptables on a Debian Linux box for some times. It 
works fine, except that from time to time, one of the server in the farm 
is denied access through the firewall for a while without any evidenced of 
what is causing the default nor what fixes it ! Traffic through the 
firewall from other servers in the farm still flows normally in the 
meantime. The box is somewhat loaded as it runs a Windows 2000 DC, DNS, 
DHCP & mail services, but it seems to work fine for what I can tell.

We have both nating & filtering rules as follow (where x.x. & y.y. replace 
the external & internal network IP ranges):

# Generated by iptables-save v1.2.6a on Thu Jan 22 14:47:03 2004
*mangle
:PREROUTING ACCEPT [30062301:24484022112]
:INPUT ACCEPT [4198390:1941057227]
:FORWARD ACCEPT [25793352:22533866498]
:OUTPUT ACCEPT [4637289:2018602790]
:POSTROUTING ACCEPT [30430582:24552464804]
COMMIT
# Completed on Thu Jan 22 14:47:03 2004
# Generated by iptables-save v1.2.6a on Thu Jan 22 14:47:03 2004
*filter
:INPUT DROP [9938:1125519]
:FORWARD ACCEPT [25793352:22533866498]
:OUTPUT ACCEPT [3495998:1919643818]
[1335687:165906544] -A INPUT -s y.y.2.0/255.255.255.0 -i eth2 -j ACCEPT 
[364:45069] -A INPUT -s y.y.1.0/255.255.255.0 -i eth1 -j ACCEPT 
[0:0] -A INPUT -d x.x.2.210 -p udp -m udp --dport 1886 -j ACCEPT 
[0:0] -A INPUT -d x.x.2.210 -p tcp -m tcp --dport 1886 -j ACCEPT 
[0:0] -A INPUT -d x.x.2.210 -p tcp -m tcp --dport 1885 -j ACCEPT 
[0:0] -A INPUT -d x.x.2.210 -p udp -m udp --dport 1885 -j ACCEPT 
[1768:225589] -A INPUT -d x.x.2.210 -p tcp -m tcp --dport 10000 -j ACCEPT 
[1459:112620] -A INPUT -d x.x.2.210 -p tcp -m tcp --dport 22 -j ACCEPT 
[232015:19489204] -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 
6/sec -j ACCEPT 
[2615789:1754070556] -A INPUT -m state --state RELATED,ESTABLISHED -j 
ACCEPT 
[1370:82126] -A INPUT -i lo -j ACCEPT 
[1141232:98954488] -A OUTPUT -o lo -j ACCEPT 
COMMIT
# Completed on Thu Jan 22 14:47:03 2004
# Generated by iptables-save v1.2.6a on Thu Jan 22 14:47:03 2004
*nat
:PREROUTING ACCEPT [592546:39140555]
:POSTROUTING ACCEPT [224874:17450381]
:OUTPUT ACCEPT [284539:21162120]
[0:0] -A PREROUTING -d x.x.2.6 -p tcp -m tcp --dport 80 -j DNAT 
--to-destination y.y.1.2:80 
[0:0] -A PREROUTING -d x.x.2.6 -p tcp -m tcp --dport 443 -j DNAT 
--to-destination y.y.1.2:443 
[2833:132792] -A PREROUTING -d x.x.2.5 -p tcp -m multiport --dports 
smtp,lotusnote,www,domain,https -j DNAT --to-destination y.y.2.2 
[1:79] -A PREROUTING -d x.x.2.5 -p udp -m multiport --dports domain -j 
DNAT --to-destination y.y.2.2 
[0:0] -A PREROUTING -d x.x.2.4 -p tcp -m multiport --dports 1494,443 -j 
DNAT --to-destination y.y.2.5 
[6:288] -A PREROUTING -d x.x.2.3 -p tcp -m multiport --dports 10000,ssh -j 
DNAT --to-destination y.y.2.4 
[0:0] -A POSTROUTING -s y.y.1.2 -o eth0 -j SNAT --to-source x.x.2.6
[0:0] -A POSTROUTING -s y.y.2.2 -o eth0 -j SNAT --to-source x.x.2.5
[433482:23976479] -A POSTROUTING -o eth0 -j SNAT --to-source x.x.2.210 
COMMIT
# Completed on Thu Jan 22 14:47:03 2004

Once the struggling server (y.y.2.5) is blocked, removing the filtering 
rules does not restore the connection. It just seems like the firewall has 
blacklisted my server although I don't see what could be causing it.

Any suggestion?

Could it be related to the [232015:19489204] -A INPUT -p icmp -m icmp 
--icmp-type 8 -m limit --limit 6/sec -j ACCEPT  rule that was set to avoid 
"ping of death" attacks

Also, I found a file called /etc/init.d/iptables.lock on my system. What 
is used for?

Thanks in advance to whoever can help...

Olivier.






[-- Attachment #2: Type: text/html, Size: 6096 bytes --]

Re: Is iptables black-listing me?

[Alistair Tonner]

On July 9, 2004 11:23 am, Olivier.Keunen@crp-sante.healthnet.lu wrote:
> Hello,
>
> Here is the problem I hope somebody on the list can help me with:
>
> We have been running iptables on a Debian Linux box for some times. It
> works fine, except that from time to time, one of the server in the farm
> is denied access through the firewall for a while without any evidenced of
> what is causing the default nor what fixes it ! Traffic through the
> firewall from other servers in the farm still flows normally in the
> meantime. The box is somewhat loaded as it runs a Windows 2000 DC, DNS,
> DHCP & mail services, but it seems to work fine for what I can tell.
>
> We have both nating & filtering rules as follow (where x.x. & y.y. replace
> the external & internal network IP ranges):
>
> # Generated by iptables-save v1.2.6a on Thu Jan 22 14:47:03 2004
> *mangle

	Greetings Oliver:

	1) please don't use iptables-save output -- it isn't easy to read, and is 
often unclear on certain details ..  Most here prefer (from what I've seen) 
to see the output from 
iptables -L -n -v -x 
	and 
iptables -L -n -v -x -t [ nat/mangle ] 
   for analysis -- or the script that actually loads the rules.. 

	2) Same box every time? Same problem every time? 
	*takes a quick glance at the rules*  -- have you completely eliminated 
	all components on the windows box and what I presume is a switch that
	sits between linux / windows? -- this sounds like a GigE card problem 
	we were having on win2k boxen running as DC's ...  they were plugged into 
	100Mb Ethernet ports on a cisco .. and apparently the cards would try to step
	up to 1000Mb once in a while ---  hard setting the speed fixed the problem.
	AutosenseLESS is my motto...

	3) I would strongly reccommend that the next instance of this problem you 
	insert LOG rules at the top of FORWARD and INPUT for the source IP and 
	see if you are actually getting the packets, and possibly see why your 
	rules might be dropping them.
	LOGged packets will go to your default syslog -- whereever that might be 
	on Deb.

>	Could it be related to the [232015:19489204] -A INPUT -p icmp -m icmp 
>	--icmp-type 8 -m limit --limit 6/sec -j ACCEPT  rule that was set to avoid 
>	"ping of death" attacks

	I highgly doubt it unless all the communication you are referring to is ICMP.
	This rule is limited to ICMP and should not drop TCP or UDP.  You might 
	not be able to ping out for a while, but the rule is fairly relaxed .. 
	someone once posted an excellent explaination of the timing buckets for this, 
	but it is slightly beyond my recall at the moment.

	Alistair Tonner

> Thanks in advance to whoever can help...
>
> Olivier.