Linux Netfilter discussions
* inconsistant behaviour
@ 2003-09-25  4:51 ashley
  0 siblings, 0 replies; 4+ messages in thread
From: ashley @ 2003-09-25  4:51 UTC (permalink / raw)
  To: netfilter

G'day,

I've built a firewall-gateway for a Uni.

The initial script sets up:

IPTABLES=/sbin/iptables

EXTIF="eth1"
INTIF="eth0"

echo "1" > /proc/sys/net/ipv4/ip_forward

$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -N ACCT
$IPTABLES -F ACCT
$IPTABLES -N ALLOW
$IPTABLES -P ALLOW DROP
$IPTABLES -F ALLOW

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -j ACCT
$IPTABLES -I FORWARD -d 202.129.z.y -j ACCEPT
$IPTABLES -A FORWARD -s 203.220.a.0/22 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.220.b.0/24 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.221.c.0/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.220.d.0/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.220.e.128/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW

When a student logs on these instructions are given:

/sbin/iptables -A ALLOW -s $IP/32 -d 0.0.0.0/0 -o $EXTIF -j ACCEPT
/sbin/iptables -A ACCT -s 0.0.0.0/0 -d $IP/32 -i $EXTIF

This works well.

When a student logs off these instructions are given:

/sbin/iptables -D ALLOW -s $IP/32 -d 0.0.0.0/0 -o $EXTIF -j ACCEPT
/sbin/iptables -D ACCT -s 0.0.0.0/0 -d $IP/32 -i $EXTIF

Now this works fairly well. Less than 1% of the time it fails to remove 
the entry from the ALLOW chain, and very rarely it fails to remove from 
the ACCT chain.

Where can I look to find this error? Though rare, the 1% ends up being a 
significant number given the load is high.

Also, MSN Messenger packets do not seem to be counted by the iptables 
chain?? This is an observation from the help desk, as students are 
complaining they are being logged off for inactivity while they are using 
Messenger. When I hand-check packets using iptables there appears to be 
no packet count. When they do a download there is.

I'm not an iptables guru, so hints and/or suggestions appreciated.

thanks

Ashley




^ permalink raw reply	[flat|nested] 4+ messages in thread

* inconsistant behaviour
@ 2003-09-25  5:05 Ashley Maher
  2003-09-25  7:07 ` Joel Newkirk
  2003-09-26  3:48 ` Mark E. Donaldson
  0 siblings, 2 replies; 4+ messages in thread
From: Ashley Maher @ 2003-09-25  5:05 UTC (permalink / raw)
  To: netfilter

G'day,

I've built a firewall-gateway for a Uni.

The initial script sets up:

IPTABLES=/sbin/iptables

EXTIF="eth1"
INTIF="eth0"

echo "1" > /proc/sys/net/ipv4/ip_forward

$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -N ACCT
$IPTABLES -F ACCT
$IPTABLES -N ALLOW
$IPTABLES -P ALLOW DROP
$IPTABLES -F ALLOW

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -j ACCT
$IPTABLES -I FORWARD -d 202.129.z.y -j ACCEPT
$IPTABLES -A FORWARD -s 203.220.a.0/22 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.220.b.0/24 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.221.c.0/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.220.d.0/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.220.e.128/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW

When a student logs on these instructions are given:

/sbin/iptables -A ALLOW -s $IP/32 -d 0.0.0.0/0 -o $EXTIF -j ACCEPT
/sbin/iptables -A ACCT -s 0.0.0.0/0 -d $IP/32 -i $EXTIF

This works well.

When a student logs off these instructions are given:

/sbin/iptables -D ALLOW -s $IP/32 -d 0.0.0.0/0 -o $EXTIF -j ACCEPT
/sbin/iptables -D ACCT -s 0.0.0.0/0 -d $IP/32 -i $EXTIF

Now this works fairly well. Less than 1% of the time it fails to remove 
the entry from the ALLOW chain, and very rarely it fails to remove from 
the ACCT chain.

Where can I look to find this error? Though rare, the 1% ends up being a 
significant number given the load is high.

Also, MSN Messenger packets do not seem to be counted by the iptables 
chain?? This is an observation from the help desk, as students are 
complaining they are being logged off for inactivity while they are using 
Messenger. When I hand-check packets using iptables there appears to be 
no packet count. When they do a download there is.

I'm not an iptables guru, so hints and/or suggestions appreciated.

thanks

Ashley





^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: inconsistant behaviour
  2003-09-25  5:05 Ashley Maher
@ 2003-09-25  7:07 ` Joel Newkirk
  2003-09-26  3:48 ` Mark E. Donaldson
  1 sibling, 0 replies; 4+ messages in thread
From: Joel Newkirk @ 2003-09-25  7:07 UTC (permalink / raw)
  To: Ashley Maher; +Cc: netfilter

On Thu, 2003-09-25 at 01:05, Ashley Maher wrote:
> $IPTABLES -N ACCT
> $IPTABLES -F ACCT
> $IPTABLES -N ALLOW
> $IPTABLES -P ALLOW DROP

You can't set a policy on a custom chain - it always returns to the
calling chain at the end.  Think of it as a hardwired "RETURN" policy...

> $IPTABLES -F ALLOW
> 
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -j ACCT
> $IPTABLES -I FORWARD -d 202.129.z.y -j ACCEPT
> $IPTABLES -A FORWARD -s 203.220.a.0/22 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
> $IPTABLES -A FORWARD -s 203.220.b.0/24 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
> $IPTABLES -A FORWARD -s 203.221.c.0/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
> $IPTABLES -A FORWARD -s 203.220.d.0/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
> $IPTABLES -A FORWARD -s 203.220.e.128/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
> 
> When a student logs on these instructions are given:
> 
> /sbin/iptables -A ALLOW -s $IP/32 -d 0.0.0.0/0 -o $EXTIF -j ACCEPT
> /sbin/iptables -A ACCT -s 0.0.0.0/0 -d $IP/32 -i $EXTIF
> 
> This works well.
> 
> When a student logs off these instructions are given:
> 
> /sbin/iptables -D ALLOW -s $IP/32 -d 0.0.0.0/0 -o $EXTIF -j ACCEPT
> /sbin/iptables -D ACCT -s 0.0.0.0/0 -d $IP/32 -i $EXTIF
> 
> Now this works fairly well. Less than 1% of the time it fails to remove 
> the entry from the ALLOW chain, and very rarely it fails to remove from 
> the ACCT chain.
>
> Where can I look to find this error? Though rare, the 1% ends up being a 
> significant number given the load is high.

?? There's no reason it should 'fail' to remove the rule from either
chain.  However, what happens if a student logs on twice without logging
off?  Will it enter two pairs of rules, but only delete one?  (That's
what will happen if there are two matching rules to a single -D delete
command - the first one found goes, anything else remains.)  If this is
the case, you'd be better off grepping the output of "$IPTABLES -L
ALLOW" and making sure you remove duplicates.  Something like:

# count once, before the loop: the chain shrinks as rules are deleted,
# so re-evaluating the grep on every iteration would stop half way.
# -w stops 10.0.0.5 from also counting 10.0.0.50; -F keeps the dots literal.
n=$($IPTABLES -L ALLOW -n | grep -cwF -- "$IP")
for ((c=0;c<n;c++))
do
	$IPTABLES -D ALLOW -s $IP/32 -d 0.0.0.0/0 -o $EXTIF -j ACCEPT
done

Or alternately, run your 'remove' function when they login, before
creating new rules for them, to ensure that there's no 'legacy' of older
rules for that IP.

> Also, MSN Messenger packets do not seem to be counted by the iptables 
> chain?? This is an observation from the help desk, as students are 
> complaining they are being logged off for inactivity while they are using 
> Messenger. When I hand-check packets using iptables there appears to be 
> no packet count. When they do a download there is.

What exactly is being monitored to determine 'activity'?  The ACCT chain
rule for the student's IP?  That will never see ESTABLISHED or RELATED
state packets.  You'd need to put the state rule AFTER the ACCT rule in
the FORWARD chain to ensure that ACCT counts ALL packets.

> I'm not an iptables guru, so hints and/or suggestions appreciated.
>
> thanks
> 
> Ashley

Hope that helps.

j





^ permalink raw reply	[flat|nested] 4+ messages in thread
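Both of Joel's points, the logoff that only deletes the first matching rule and the ACCT jump that sits behind the state rule, can be fixed in one small script. The following is an added example, not Ashley's script and not anything posted in the thread. It keeps the chain names, interface names and the logon/logoff rule shape from the original post; the student subnets in STUDENT_NETS are placeholders, and the hypothetical helper names (student_logon, student_logoff, allow_rules_for, setup_forward) are mine.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent logon/logoff handling for
# the ALLOW/ACCT chains described in the post, plus a FORWARD chain ordered
# so ACCT counts every packet. Subnets below are placeholders.
IPTABLES=/sbin/iptables
EXTIF=eth1
INTIF=eth0
STUDENT_NETS="203.220.0.0/22 203.221.0.0/25"   # placeholders, not the real ranges

# Remove every ALLOW and ACCT rule for the address in $1.
# "iptables -D" deletes only the first identical rule and exits non-zero once
# none is left, so repeat until it fails. A single -D after a double login is
# exactly what leaves a stale ALLOW entry behind.
student_logoff() {
    ip=$1
    while "$IPTABLES" -D ALLOW -s "$ip/32" -d 0.0.0.0/0 -o "$EXTIF" -j ACCEPT 2>/dev/null; do
        :
    done
    while "$IPTABLES" -D ACCT -s 0.0.0.0/0 -d "$ip/32" -i "$EXTIF" 2>/dev/null; do
        :
    done
}

# Log a student on: clear leftovers first so the chain never holds two rules
# for one address, then add exactly one ALLOW and one ACCT rule.
student_logon() {
    ip=$1
    student_logoff "$ip"
    "$IPTABLES" -A ALLOW -s "$ip/32" -d 0.0.0.0/0 -o "$EXTIF" -j ACCEPT
    "$IPTABLES" -A ACCT -s 0.0.0.0/0 -d "$ip/32" -i "$EXTIF"
}

# Number of ALLOW rules mentioning the address in $1 (0 after a clean logoff).
# -w keeps 10.0.0.5 from also counting 10.0.0.50; -F keeps the dots literal.
allow_rules_for() {
    "$IPTABLES" -L ALLOW -n | grep -cwF -- "$1" || true
}

# Rebuild FORWARD with the counting jump ahead of the state rule. In the
# original order the ESTABLISHED,RELATED rule accepted reply traffic before
# ACCT ever saw it, so long-lived sessions looked idle. A user-defined chain
# has no policy of its own (it returns to the caller), so the DROP policy on
# FORWARD is what blocks hosts that are not logged on. Only FORWARD is
# flushed: the per-student chains are left alone so a reload does not log
# everyone off.
setup_forward() {
    "$IPTABLES" -N ACCT 2>/dev/null || true
    "$IPTABLES" -N ALLOW 2>/dev/null || true
    "$IPTABLES" -P FORWARD DROP
    "$IPTABLES" -F FORWARD
    "$IPTABLES" -A FORWARD -j ACCT
    "$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    for net in $STUDENT_NETS; do
        "$IPTABLES" -A FORWARD -s "$net" -o "$EXTIF" -j ALLOW
    done
}

# Usage (as root): . ./students.sh; setup_forward; student_logon 203.220.x.y
```

The `2>/dev/null` on the delete loops is there to silence the expected "no such rule" error on the last iteration; it also hides genuine failures such as a held xtables lock, so in production check the exit status of the `-A` commands in `student_logon` and log when they fail.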

* RE: inconsistant behaviour
  2003-09-25  5:05 Ashley Maher
  2003-09-25  7:07 ` Joel Newkirk
@ 2003-09-26  3:48 ` Mark E. Donaldson
  1 sibling, 0 replies; 4+ messages in thread
From: Mark E. Donaldson @ 2003-09-26  3:48 UTC (permalink / raw)
  To: Ashley Maher, netfilter

Ashley - you are setting your Default Policy with -P, and then immediately
flushing it with -F.  This is not what you want to do.  Flush first and set
your rules after that.  You will find the results much more to your liking.

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Ashley Maher
Sent: Wednesday, September 24, 2003 10:05 PM
To: netfilter@lists.netfilter.org
Subject: inconsistant behaviour


G'day,

I've built a firewall-gateway for a Uni.

The initial script sets up:

IPTABLES=/sbin/iptables

EXTIF="eth1"
INTIF="eth0"

echo "1" > /proc/sys/net/ipv4/ip_forward

$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -N ACCT
$IPTABLES -F ACCT
$IPTABLES -N ALLOW
$IPTABLES -P ALLOW DROP
$IPTABLES -F ALLOW

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -j ACCT
$IPTABLES -I FORWARD -d 202.129.z.y -j ACCEPT
$IPTABLES -A FORWARD -s 203.220.a.0/22 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.220.b.0/24 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.221.c.0/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.220.d.0/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.220.e.128/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW

When a student logs on these instructions are given:

/sbin/iptables -A ALLOW -s $IP/32 -d 0.0.0.0/0 -o $EXTIF -j ACCEPT
/sbin/iptables -A ACCT -s 0.0.0.0/0 -d $IP/32 -i $EXTIF

This works well.

When a student logs off these instructions are given:

/sbin/iptables -D ALLOW -s $IP/32 -d 0.0.0.0/0 -o $EXTIF -j ACCEPT
/sbin/iptables -D ACCT -s 0.0.0.0/0 -d $IP/32 -i $EXTIF

Now this works fairly well. Less than 1% of the time it fails to remove
the entry from the ALLOW chain, and very rarely it fails to remove from
the ACCT chain.

Where can I look to find this error? Though rare, the 1% ends up being a
significant number given the load is high.

Also, MSN Messenger packets do not seem to be counted by the iptables
chain?? This is an observation from the help desk, as students are
complaining they are being logged off for inactivity while they are using
Messenger. When I hand-check packets using iptables there appears to be
no packet count. When they do a download there is.

I'm not an iptables guru, so hints and/or suggestions appreciated.

thanks

Ashley







^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2003-09-26  3:48 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-09-25  4:51 inconsistant behaviour ashley
  -- strict thread matches above, loose matches on Subject: below --
2003-09-25  5:05 Ashley Maher
2003-09-25  7:07 ` Joel Newkirk
2003-09-26  3:48 ` Mark E. Donaldson
