* inconsistant behaviour
@ 2003-09-25 5:05 Ashley Maher
2003-09-25 7:07 ` Joel Newkirk
2003-09-26 3:48 ` Mark E. Donaldson
0 siblings, 2 replies; 4+ messages in thread
From: Ashley Maher @ 2003-09-25 5:05 UTC (permalink / raw)
To: netfilter
G'day,
I've built a firewall-gateway for a Uni.
The initial script sets up:
IPTABLES=/sbin/iptables
EXTIF="eth1"
INTIF="eth0"
echo "1" > /proc/sys/net/ipv4/ip_forward
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -N ACCT
$IPTABLES -F ACCT
$IPTABLES -N ALLOW
$IPTABLES -P ALLOW DROP
$IPTABLES -F ALLOW
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -j ACCT
$IPTABLES -I FORWARD -d 202.129.z.y -j ACCEPT
$IPTABLES -A FORWARD -s 203.220.a.0/22 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.220.b.0/24 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.221.c.0/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.220.d.0/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.220.e.128/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
When a student logs on this instruction is given:
/sbin/iptables -A ALLOW -s $IP/32 -d 0.0.0.0/0 -o $EXTIF -j ACCEPT
/sbin/iptables -A ACCT -s 0.0.0.0/0 -d $IP/32 -i $EXTIF
This works well.
When a student logs off these instructions are given:
/sbin/iptables -D ALLOW -s $IP/32 -d 0.0.0.0/0 -o $EXTIF -j ACCEPT
/sbin/iptables -D ACCT -s 0.0.0.0/0 -d $IP/32 -i $EXTIF
Now this works fairly well. Less than 1% of the time it fails to remove
the entry from the ALLOW chain and very rearly it fails to remove from
the ACCT chain.
Where can I look to find this error. Though rare the 1% ends up being a
significant number given the load is high.
Also msn messagenger packets do not seam to be counted by the iptables
chain?? This is an observation from the help desk as students are
complaining they are being logged off for inactivity and they are using
messanger. When I hand check packets using iptables there appears to be
no packet count. Whe they do a download there is.
I'm not an iptables guru so hints and or suggestions appreciated.
thanks
Ashley
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: inconsistant behaviour
2003-09-25 5:05 inconsistant behaviour Ashley Maher
@ 2003-09-25 7:07 ` Joel Newkirk
2003-09-26 3:48 ` Mark E. Donaldson
1 sibling, 0 replies; 4+ messages in thread
From: Joel Newkirk @ 2003-09-25 7:07 UTC (permalink / raw)
To: Ashley Maher; +Cc: netfilter
On Thu, 2003-09-25 at 01:05, Ashley Maher wrote:
> $IPTABLES -N ACCT
> $IPTABLES -F ACCT
> $IPTABLES -N ALLOW
> $IPTABLES -P ALLOW DROP
You can't set a policy on a custom chain - it always returns to the
calling chain at the end. Think of it as a hardwired "RETURN" policy...
> $IPTABLES -F ALLOW
>
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -j ACCT
> $IPTABLES -I FORWARD -d 202.129.z.y -j ACCEPT
> $IPTABLES -A FORWARD -s 203.220.a.0/22 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
> $IPTABLES -A FORWARD -s 203.220.b.0/24 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
> $IPTABLES -A FORWARD -s 203.221.c.0/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
> $IPTABLES -A FORWARD -s 203.220.d.0/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
> $IPTABLES -A FORWARD -s 203.220.e.128/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
>
> When a student logs on this instruction is given:
>
> /sbin/iptables -A ALLOW -s $IP/32 -d 0.0.0.0/0 -o $EXTIF -j ACCEPT
> /sbin/iptables -A ACCT -s 0.0.0.0/0 -d $IP/32 -i $EXTIF
>
> This works well.
>
> When a student logs off these instructions are given:
>
> /sbin/iptables -D ALLOW -s $IP/32 -d 0.0.0.0/0 -o $EXTIF -j ACCEPT
> /sbin/iptables -D ACCT -s 0.0.0.0/0 -d $IP/32 -i $EXTIF
>
> Now this works fairly well. Less than 1% of the time it fails to remove
> the entry from the ALLOW chain and very rearly it fails to remove from
> the ACCT chain.
>
> Where can I look to find this error. Though rare the 1% ends up being a
> significant number given the load is high.
?? There's no reason it should 'fail' to remove the rule from either
chain. However, what happens if a student logs on twice without logging
off? Will it enter two pairs of rules, but only delete one? (That's
what will happen if there are two matching rules to a single -D delete
command - the first one found goes, anything else remains) If this is
the case, you;d be better off grepping the output of "$IPTABLES -L
ALLOW" and making sure you remove duplicates. Something like:
for ((c=0;c<$($IPTABLES -L -n ALLOW | grep -c $IP);c++))
do
$IPTABLES -D ALLOW -s $IP/32 -d 0.0.0.0/0 -o $EXTIF -j ACCEPT
done
Or alternately, run your 'remove' function when they login, before
creating new rules for them, to ensure that there's no 'legacy' of older
rules for that IP.
> Also msn messagenger packets do not seam to be counted by the iptables
> chain?? This is an observation from the help desk as students are
> complaining they are being logged off for inactivity and they are using
> messanger. When I hand check packets using iptables there appears to be
> no packet count. Whe they do a download there is.
What exactly is being monitored to determine 'activity'? The ACCT chain
rule for the student's IP? That will never see ESTABLISHED or RELATED
state packets. You'd need to put the state rule AFTER the ACCT rule in
FORWARD chain to ensure that ACCT counts ALL packets.
> I'm not an iptables guru so hints and or suggestions appreciated.
>
> thanks
>
> Ashley
Hope that helps.
j
^ permalink raw reply [flat|nested] 4+ messages in thread
* RE: inconsistant behaviour
2003-09-25 5:05 inconsistant behaviour Ashley Maher
2003-09-25 7:07 ` Joel Newkirk
@ 2003-09-26 3:48 ` Mark E. Donaldson
1 sibling, 0 replies; 4+ messages in thread
From: Mark E. Donaldson @ 2003-09-26 3:48 UTC (permalink / raw)
To: Ashley Maher, netfilter
Ashley - you are setting your Default Policy with -P, and then immediately
flushing it with -F. This is not what you want to do. Flush first and set
your rules after that. You will find the results much more to your liking.
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Ashley Maher
Sent: Wednesday, September 24, 2003 10:05 PM
To: netfilter@lists.netfilter.org
Subject: inconsistant behaviour
G'day,
I've built a firewall-gateway for a Uni.
The initial script sets up:
IPTABLES=/sbin/iptables
EXTIF="eth1"
INTIF="eth0"
echo "1" > /proc/sys/net/ipv4/ip_forward
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -N ACCT
$IPTABLES -F ACCT
$IPTABLES -N ALLOW
$IPTABLES -P ALLOW DROP
$IPTABLES -F ALLOW
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -j ACCT
$IPTABLES -I FORWARD -d 202.129.z.y -j ACCEPT
$IPTABLES -A FORWARD -s 203.220.a.0/22 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.220.b.0/24 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.221.c.0/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.220.d.0/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.220.e.128/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
When a student logs on this instruction is given:
/sbin/iptables -A ALLOW -s $IP/32 -d 0.0.0.0/0 -o $EXTIF -j ACCEPT
/sbin/iptables -A ACCT -s 0.0.0.0/0 -d $IP/32 -i $EXTIF
This works well.
When a student logs off these instructions are given:
/sbin/iptables -D ALLOW -s $IP/32 -d 0.0.0.0/0 -o $EXTIF -j ACCEPT
/sbin/iptables -D ACCT -s 0.0.0.0/0 -d $IP/32 -i $EXTIF
Now this works fairly well. Less than 1% of the time it fails to remove
the entry from the ALLOW chain and very rearly it fails to remove from
the ACCT chain.
Where can I look to find this error. Though rare the 1% ends up being a
significant number given the load is high.
Also msn messagenger packets do not seam to be counted by the iptables
chain?? This is an observation from the help desk as students are
complaining they are being logged off for inactivity and they are using
messanger. When I hand check packets using iptables there appears to be
no packet count. Whe they do a download there is.
I'm not an iptables guru so hints and or suggestions appreciated.
thanks
Ashley
^ permalink raw reply [flat|nested] 4+ messages in thread
* inconsistant behaviour
@ 2003-09-25 4:51 ashley
0 siblings, 0 replies; 4+ messages in thread
From: ashley @ 2003-09-25 4:51 UTC (permalink / raw)
To: netfilter
G'day,
I've built a firewall-gateway for a Uni.
The initial script sets up:
IPTABLES=/sbin/iptables
EXTIF="eth1"
INTIF="eth0"
echo "1" > /proc/sys/net/ipv4/ip_forward
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -N ACCT
$IPTABLES -F ACCT
$IPTABLES -N ALLOW
$IPTABLES -P ALLOW DROP
$IPTABLES -F ALLOW
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -j ACCT
$IPTABLES -I FORWARD -d 202.129.z.y -j ACCEPT
$IPTABLES -A FORWARD -s 203.220.a.0/22 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.220.b.0/24 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.221.c.0/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.220.d.0/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.220.e.128/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
When a student logs on this instruction is given:
/sbin/iptables -A ALLOW -s $IP/32 -d 0.0.0.0/0 -o $EXTIF -j ACCEPT
/sbin/iptables -A ACCT -s 0.0.0.0/0 -d $IP/32 -i $EXTIF
This works well.
When a student logs off these instructions are given:
/sbin/iptables -D ALLOW -s $IP/32 -d 0.0.0.0/0 -o $EXTIF -j ACCEPT
/sbin/iptables -D ACCT -s 0.0.0.0/0 -d $IP/32 -i $EXTIF
Now this works fairly well. Less than 1% of the time it fails to remove
the entry from the ALLOW chain and very rearly it fails to remove from
the ACCT chain.
Where can I look to find this error. Though rare the 1% ends up being a
significant number given the load is high.
Also msn messagenger packets do not seam to be counted by the iptables
chain?? This is an observation from the help desk as students are
complaining they are being logged off for inactivity and they are using
messanger. When I hand check packets using iptables there appears to be
no packet count. Whe they do a download there is.
I'm not an iptables guru so hints and or suggestions appreciated.
thanks
Ashley
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2003-09-26 3:48 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-09-25 5:05 inconsistant behaviour Ashley Maher
2003-09-25 7:07 ` Joel Newkirk
2003-09-26 3:48 ` Mark E. Donaldson
-- strict thread matches above, loose matches on Subject: below --
2003-09-25 4:51 ashley
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox