Linux Netfilter discussions
* --policy DROP kills everything?
@ 2005-06-08 21:11 David Busby
  2005-06-08 22:02 ` Rob Sterenborg
  2005-06-10 14:48 ` Steven M Campbell
  0 siblings, 2 replies; 14+ messages in thread
From: David Busby @ 2005-06-08 21:11 UTC (permalink / raw)
  To: netfilter

I have these rules on a host, to protect only this host.

# Generated by iptables-save v1.2.11 on Tue Jun  7 23:03:58 2005
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.0/255.0.0.0 -i lo -j ACCEPT
-A INPUT -d 192.168.42.2 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 192.168.42.2 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Tue Jun  7 23:03:58 2005

These are the loaded modules: iptable_filter, ip_tables

I cannot make an SSH or HTTP connection to the box.
I was under the impression that a policy of DROP will drop the packets if they don't match a rule.
If I switch the policy to ACCEPT then no problem.  If I add a last rule as DROP then it also fails.
If I put a LOG or ULOG before the DROP rule then I can see packets destined for port 80 making it to the log; shouldn't
ACCEPT have passed them through?  What stupid little thing did I miss?

imperium root # iptables --version
iptables v1.2.11
imperium root # uname -a
Linux imperium 2.6.10-gentoo-r6-edoceo #4 Sun May 1 03:48:25 PDT 2005 i686 AMD Athlon(TM) XP 1700+ AuthenticAMD GNU/Linux

/djb


^ permalink raw reply	[flat|nested] 14+ messages in thread

* RE: --policy DROP kills everything?
  2005-06-08 21:11 David Busby
@ 2005-06-08 22:02 ` Rob Sterenborg
  2005-06-08 23:32   ` David Busby
  2005-06-10 14:48 ` Steven M Campbell
  1 sibling, 1 reply; 14+ messages in thread
From: Rob Sterenborg @ 2005-06-08 22:02 UTC (permalink / raw)
  To: netfilter

> # Generated by iptables-save v1.2.11 on Tue Jun  7 23:03:58 2005
> *filter
> :INPUT DROP [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -s 127.0.0.0/255.0.0.0 -i lo -j ACCEPT
> -A INPUT -d 192.168.42.2 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -d 192.168.42.2 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
> COMMIT
> # Completed on Tue Jun  7 23:03:58 2005
> 
> These are the loaded modules: iptable_filter, ip_tables
> 
> I cannot make an SSH or HTTP connection to the box.

Add this on top of the other INPUT rules :

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

> I was under the impression that a policy of DROP will drop
> the packets if they dont match a rule.

That is correct. But..
A new ssh packet comes in and is accepted by --dport 22. The other
packets in the same connection have state ESTABLISHED and you're not
allowing those packets. That's why they are dropped.

> ACCEPT have passed them through?  What stupid little thing did I miss?

The one rule above ;o).


Gr,
Rob




* Re: --policy DROP kills everything?
  2005-06-08 22:02 ` Rob Sterenborg
@ 2005-06-08 23:32   ` David Busby
  2005-06-09  6:26     ` Rob Sterenborg
  0 siblings, 1 reply; 14+ messages in thread
From: David Busby @ 2005-06-08 23:32 UTC (permalink / raw)
  To: netfilter

Rob Sterenborg wrote:
> 
> Add this on top of the other INPUT rules :
> 
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> 

Ok so I changed the rules to this:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
ACCEPT     udp  --  192.168.42.1         192.168.42.2        udp spt:53
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG level warning

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

But it won't accept new connections on port 80 or 22.  The established SSH connection is fine.
I can see new connections to port 80 or 22 in my logs, see:

IN=eth0 OUT= MAC=00:01:03:d2:db:0b:00:11:5b:50:ff:a4:08:00 SRC=192.168.42.34 DST=192.168.42.2 LEN=48 TOS=0x00 PREC=0x00 
TTL=128 ID=18259 DF PROTO=TCP SPT=3704 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

IN=eth0 OUT= MAC=00:01:03:d2:db:0b:00:11:5b:50:ff:a4:08:00 SRC=192.168.42.34 DST=192.168.42.2 LEN=48 TOS=0x00 PREC=0x00 
TTL=128 ID=18526 DF PROTO=TCP SPT=3705 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0

Why don't they jump to ACCEPT?  They match a rule.

So then I adjusted #1 above to this

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED

Doesn't that now allow any new connection to any port on any protocol making my FW worthless?
Then I tried moving the RELATED,ESTABLISHED to the last rule like this:

imperium root # iptables -L INPUT -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
ACCEPT     udp  --  192.168.42.1         192.168.42.2        udp spt:53
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4

But I still cannot get new connections in, and my established SSH is still OK.

Should I not use policy DROP but add a last rule of DROP?  Which is the "right" way?
I guess I learned so far that I need to accept new and established.  But I cannot seem to get the rules to work.
I've been up and down the man page and samples but seem to be missing one more stupid little thing :(
Please help.

/djb



* RE: --policy DROP kills everything?
@ 2005-06-09  3:05 Ginter, Jeff A
  2005-06-09 11:54 ` busby
  2005-06-09 17:59 ` R. DuFresne
  0 siblings, 2 replies; 14+ messages in thread
From: Ginter, Jeff A @ 2005-06-09  3:05 UTC (permalink / raw)
  To: netfilter

I have seen very similar results.

I have my first rule as Established/Related, then I allow out 80, 443,
etc. (just a few ports)... and the web and other traffic dies.

When I tcpdump, I notice that for some of this traffic the s-port and
d-port are no longer matching (they are now high ports) and the
established, related rules don't seem to pick this up.

This is in my forwarding chain (there is a private network behind with
1-to-1 NATs).

I added a rule that allowed ALL out, since security is not a concern for
that direction for me in this environment, but I shouldn't have had to
do that.

Let me know if you get anywhere with this Dave.  Thanks.

 
 
Jeff Ginter, CISSP
Computer Associates
Mid-Atlantic Consulting Manager
tel:    +1 908 874-9726
cell:   +1 609 577-1494
jeff.ginter@ca.com
 

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of David Busby
Sent: Wednesday, June 08, 2005 7:32 PM
To: netfilter@lists.netfilter.org
Subject: Re: --policy DROP kills everything?

Rob Sterenborg wrote:
> 
> Add this on top of the other INPUT rules :
> 
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> 

Ok so I changed the rules to this:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
RELATED,ESTABLISHED
ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
ACCEPT     udp  --  192.168.42.1         192.168.42.2        udp spt:53
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG level
warning

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

But it won't accept new connections on port 80 or 22.  The Established
SSH conection is fine.
I can see new connections to port 80 or 22 in my logs, see:

IN=eth0 OUT= MAC=00:01:03:d2:db:0b:00:11:5b:50:ff:a4:08:00
SRC=192.168.42.34 DST=192.168.42.2 LEN=48 TOS=0x00 PREC=0x00 
TTL=128 ID=18259 DF PROTO=TCP SPT=3704 DPT=80 WINDOW=65535 RES=0x00 SYN
URGP=0

IN=eth0 OUT= MAC=00:01:03:d2:db:0b:00:11:5b:50:ff:a4:08:00
SRC=192.168.42.34 DST=192.168.42.2 LEN=48 TOS=0x00 PREC=0x00 
TTL=128 ID=18526 DF PROTO=TCP SPT=3705 DPT=22 WINDOW=65535 RES=0x00 SYN
URGP=0

Why they don't jump to accept?  They match a rule.

So then I adjusted #1 above to this

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
NEW,RELATED,ESTABLISHED

Doesn't that now allow any new connection to any port on any protocol
making my FW worthless?
Then I tried moving the RELATED,ESTABLISHED to the last rule like this:

imperium root # iptables -L INPUT -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
ACCEPT     udp  --  192.168.42.1         192.168.42.2        udp spt:53
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0
level 4

But I still cannot get new connections in and my estabilshed SSH is
still OK.

Should I not use policy DROP but add a last rule of DROP?  Which is the
"right" way?
I guess I learned so far that I need to accept new and established.  But
I cannot seem to get the rules to work.
I've been up and down the man page and samples but seem to be missing
one more stupid little thing :(
Please help.

/djb






* Re: --policy DROP kills everything?
  2005-06-09 11:54 ` busby
@ 2005-06-09  5:04   ` Gary W. Smith
  0 siblings, 0 replies; 14+ messages in thread
From: Gary W. Smith @ 2005-06-09  5:04 UTC (permalink / raw)
  To: busby, netfilter

This may or may not help your situation.  Included are my rules for the INPUT
chain on one of my firewalls.  We don't default drop (which can be bad) but
rather end all our chains with REJECT icmp-host-prohibited.  But something
you might want to do to quickly solve this problem is to try the following:

Instead of defaulting to DROP put a LOG at the end of the INPUT chain with
something like '-j LOG --log-prefix "INPUT_DROP: " --log-level 1'.  Then do
a tail -n 0 -f /var/log/messages | grep "INPUT_DROP".  It will tell you
exactly what you have missed.

While you are at it you might want to do the same for FORWARD and OUTPUT to
rule out the usual suspects.

The output from the logs might be more useful to you than trying to guess at
why the related connection isn't working.

BTW, here is my INPUT.  eth0 is the external IF, eth1 is the internal IF, lo, well,
if I have to explain that you need some fundamentals, ppp+ is the PPTPD IF.
Basically I allow all interfaces to come in.  eth0 doesn't actually accept
any data but just logs the number of bytes that travel across its IF for
accounting purposes.

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
target     prot opt in     out     source               destination
INCOUNT    all  --  eth0   *       0.0.0.0/0            123.123.123.1
ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
state RELATED,ESTABLISHED

ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
MARK match 0x1 

filter_firewall  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
filter_trusted  all  --  *      *       0.0.0.0/0            0.0.0.0/0
LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
LOG flags 0 level 1 prefix `INPUT: '

REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
reject-with icmp-host-prohibited

Hope this helps,

Gary Smith


On 6/9/05 4:54 AM, "busby@edoceo.com" <busby@edoceo.com> wrote:

> My OUTPUT and FORWARD tables have policy ACCEPT and no rules.
> It's only INPUT that is causing headache.  In my current state (below) an
> established connection is OK (like ssh in then start) but after adding
> these rule no new connection can be made.
> 
> Config:
>> 
>> imperium root # iptables -L INPUT -n
>> Chain INPUT (policy DROP)
>> target     prot opt source               destination
>> ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
>> ACCEPT     udp  --  192.168.42.1         192.168.42.2        udp spt:53
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
> RELATED,ESTABLISHED
>> LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0
> level 4
>> 
> 
> 
> 
> 



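Gary's `tail -f | grep` approach gets more useful with a little structure around it. As an added example (not code from the thread, and not anything Gary or David posted), the Python below parses netfilter LOG lines in the format David quoted (KEY=VALUE fields plus bare TCP flag words such as SYN), separates inbound connection attempts from traffic that looks like a reply to a connection the host itself opened, and counts each per port. The log lines embedded in it are constructed: they are modelled on David's two lines and use Gary's suggested INPUT_DROP: prefix, and the syslog timestamps, the sshd line and the 10.0.0.9 host are invented for the sample.

```python
"""Added example, not from the thread: classify and count netfilter LOG
lines so a DROP policy's victims can be read off per port.

Assumptions: the kernel LOG format with KEY=VALUE fields (IN= SRC= DST=
PROTO= SPT= DPT= ...) and bare TCP flag words (SYN, ACK, ...). The prefix
text is whatever --log-prefix was set to; Gary's "INPUT_DROP: " is used.
"""
import re
import sys
from collections import Counter

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Return the interesting fields of one LOG line, or None for other lines."""
    if "IN=" not in line or "PROTO=" not in line:
        return None
    fields = dict(KV_RE.findall(line))      # later keys win (UDP lines carry two LEN=)
    return {
        "in": fields.get("IN", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO", "").lower(),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "flags": frozenset(t for t in line.split() if t in TCP_FLAGS),
    }


def classify(rec):
    """'attempt' for a new inbound connection, 'reply' for traffic that a
    RELATED,ESTABLISHED rule would have matched, 'other' for the rest."""
    if rec["proto"] == "tcp":
        if "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            return "attempt"
        return "reply"                      # ACK set: belongs to an existing flow
    if rec["proto"] == "udp":
        # A datagram from a well-known port to an ephemeral port is almost
        # always an answer to something this host sent (DNS, NTP).
        if rec["spt"] is not None and rec["spt"] < 1024 and rec["dpt"] >= 1024:
            return "reply"
        return "attempt"
    return "other"


def summarize_drops(lines):
    """Count attempts per (proto, dport) and replies per (proto, sport)."""
    attempts, replies = Counter(), Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind == "attempt":
            attempts[(rec["proto"], rec["dpt"])] += 1
        elif kind == "reply":
            replies[(rec["proto"], rec["spt"])] += 1
    return attempts, replies


# Constructed sample, modelled on the two lines David posted.
SAMPLE_LOG = """\
Jun  9 14:02:11 imperium kernel: INPUT_DROP: IN=eth0 OUT= MAC=00:01:03:d2:db:0b:00:11:5b:50:ff:a4:08:00 SRC=192.168.42.34 DST=192.168.42.2 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=18259 DF PROTO=TCP SPT=3704 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  9 14:02:12 imperium kernel: INPUT_DROP: IN=eth0 OUT= MAC=00:01:03:d2:db:0b:00:11:5b:50:ff:a4:08:00 SRC=192.168.42.34 DST=192.168.42.2 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=18526 DF PROTO=TCP SPT=3705 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  9 14:02:13 imperium kernel: INPUT_DROP: IN=eth0 OUT= MAC=00:01:03:d2:db:0b:00:11:5b:50:ff:a4:08:00 SRC=192.168.42.1 DST=192.168.42.2 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=32771 LEN=53
Jun  9 14:02:14 imperium kernel: INPUT_DROP: IN=eth0 OUT= MAC=00:01:03:d2:db:0b:00:11:5b:50:ff:a4:08:00 SRC=192.168.42.34 DST=192.168.42.2 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=18260 DF PROTO=TCP SPT=3706 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  9 14:02:15 imperium sshd[1234]: Accepted publickey for djb from 192.168.42.34 port 3701 ssh2
Jun  9 14:02:16 imperium kernel: INPUT_DROP: IN=eth0 OUT= MAC=00:01:03:d2:db:0b:00:11:5b:50:ff:a4:08:00 SRC=10.0.0.9 DST=192.168.42.2 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=100 DF PROTO=TCP SPT=80 DPT=33000 WINDOW=5840 RES=0x00 ACK SYN URGP=0
"""

if __name__ == "__main__":
    # Pipe `grep INPUT_DROP /var/log/messages` in, or run with no input
    # to see the constructed sample summarised.
    source = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin
    attempts, replies = summarize_drops(source)
    for (proto, port), n in attempts.most_common():
        print(f"attempt {proto}/{port:<5} x{n}")
    for (proto, port), n in replies.most_common():
        print(f"reply   {proto}/{port:<5} x{n}")
```

On the sample this reports two dropped SYNs to tcp/80 and one to tcp/22 (the "attempt" column is what a missing port rule looks like), plus a DNS answer from udp/53 and a SYN/ACK from a remote web server (the "reply" column is what a missing RELATED,ESTABLISHED rule looks like). A non-empty reply column with a DROP policy is the fastest confirmation that the state rule is absent or never reached.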

* RE: --policy DROP kills everything?
  2005-06-08 23:32   ` David Busby
@ 2005-06-09  6:26     ` Rob Sterenborg
  2005-06-10 18:08       ` Jason Opperisano
  0 siblings, 1 reply; 14+ messages in thread
From: Rob Sterenborg @ 2005-06-09  6:26 UTC (permalink / raw)
  To: netfilter

>> Add this on top of the other INPUT rules :
>> 
>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>> 
> 
> Ok so I changed the rules to this:
> 
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> state RELATED,ESTABLISHED
> ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
> ACCEPT     udp  --  192.168.42.1         192.168.42.2
> udp spt:53
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2
> tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2
> tcp dpt:80
> LOG        all  --  0.0.0.0/0            0.0.0.0/0
> LOG level warning
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> But it won't accept new connections on port 80 or 22.  The

I'm not quite sure if that's true : you have a rule that says :
-A INPUT -d 192.168.42.2 -p tcp --dport 22 -j ACCEPT
I have similar rules and it accepts just fine.

> Established SSH conection is fine.
> I can see new connections to port 80 or 22 in my logs, see:
> 
> IN=eth0 OUT= MAC=00:01:03:d2:db:0b:00:11:5b:50:ff:a4:08:00
> SRC=192.168.42.34 DST=192.168.42.2 LEN=48 TOS=0x00 PREC=0x00
> TTL=128 ID=18259 DF PROTO=TCP SPT=3704 DPT=80 WINDOW=65535 RES=0x00
> SYN URGP=0 
> 
> IN=eth0 OUT= MAC=00:01:03:d2:db:0b:00:11:5b:50:ff:a4:08:00
> SRC=192.168.42.34 DST=192.168.42.2 LEN=48 TOS=0x00 PREC=0x00
> TTL=128 ID=18526 DF PROTO=TCP SPT=3705 DPT=22 WINDOW=65535 RES=0x00
> SYN URGP=0 
> 
> Why they don't jump to accept?  They match a rule.
> 
> So then I adjusted #1 above to this
> 
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> state NEW,RELATED,ESTABLISHED

Um, for me it's quite early in the morning, but if I read this correctly,
you just accepted from everything to everything. That is not what you
want, I think.

> Doesn't that now allow any new connection to any port on any
> protocol making my FW worthless?

Yes, but you allow everything in this rule so it's indeed worthless.

> Then I tried moving the RELATED,ESTABLISHED to the last rule like
> this: 
> 
> imperium root # iptables -L INPUT -n
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
> ACCEPT     udp  --  192.168.42.1         192.168.42.2
> udp spt:53
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2
> tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2
> tcp dpt:80
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> state RELATED,ESTABLISHED
> LOG        all  --  0.0.0.0/0            0.0.0.0/0
> LOG flags 0 level 4
> 
> But I still cannot get new connections in and my estabilshed SSH is
> still OK. 

If -m state is not specified then, in my experience, -m state --state
NEW is assumed (someone please correct me if I'm talking nonsense here),
so your rules *will* allow new connections.

ESTABLISHED cannot be accepted if there hasn't been a NEW that has been
accepted.

> Should I not use policy DROP but add a last rule of DROP? Which is
> the "right" way?

That is essentially what policy DROP is doing; if no rules match, DROP
it.
You can set it to ACCEPT and add an ending rule that drops or rejects
all packets not matched (you have more flexibility if working that way),
but the idea is the same.

> I guess I learned so far that I need to accept new
> and established.  But I cannot seem to get the rules to work.
> I've been up and down the man page and samples but seem to be
> missing one more stupid little thing :(
> Please help.

Somewhere you said ipt_state isn't loaded. Is it loaded now ??


Gr,
Rob




* RE: --policy DROP kills everything?
  2005-06-09  3:05 --policy DROP kills everything? Ginter, Jeff A
@ 2005-06-09 11:54 ` busby
  2005-06-09  5:04   ` Gary W. Smith
  2005-06-09 17:59 ` R. DuFresne
  1 sibling, 1 reply; 14+ messages in thread
From: busby @ 2005-06-09 11:54 UTC (permalink / raw)
  To: netfilter

My OUTPUT and FORWARD tables have policy ACCEPT and no rules.
It's only INPUT that is causing headaches.  In my current state (below) an
established connection is OK (like ssh in, then start) but after adding
these rules no new connection can be made.

Config:
>
> imperium root # iptables -L INPUT -n
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
> ACCEPT     udp  --  192.168.42.1         192.168.42.2        udp spt:53
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
RELATED,ESTABLISHED
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0
level 4
>






* RE: --policy DROP kills everything?
  2005-06-09  3:05 --policy DROP kills everything? Ginter, Jeff A
  2005-06-09 11:54 ` busby
@ 2005-06-09 17:59 ` R. DuFresne
  2005-06-09 18:21   ` David Busby
  1 sibling, 1 reply; 14+ messages in thread
From: R. DuFresne @ 2005-06-09 17:59 UTC (permalink / raw)
  To: Ginter, Jeff A; +Cc: netfilter

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


We found that in a 1:1 nat setup the policy for the forward chain has to 
be accept or traffic will not flow.

Thanks,

Ron DuFresne

On Wed, 8 Jun 2005, Ginter, Jeff A wrote:

> I have seen very similar results.
>
> I have my first rule as Established/Related then I allow out 80, 443,
> etc. (just a few ports)...and the web and other traffic dies.
>
> When I tcpdump, I notice that for some of this traffic the s-port and
> d-port are no longer matching (they are now high ports) and the
> established, related rules don't seem to pick this up.
>
> This is in my forwarding chain (there is a private network behind with 1
> to 1 nats).
>
> I added a rule that allowed ALL out, since security is not a concern for
> that direction for me in this environment, but I shouldn't have had to
> do that.
>
> Let me know if you get anywhere with this Dave.  Thanks.
>
>
>
> Jeff Ginter, CISSP
> Computer Associates
> Mid-Atlantic Consulting Manager
> tel:    +1 908 874-9726
> cell:   +1 609 577-1494
> jeff.ginter@ca.com
>
>
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of David Busby
> Sent: Wednesday, June 08, 2005 7:32 PM
> To: netfilter@lists.netfilter.org
> Subject: Re: --policy DROP kills everything?
>
> Rob Sterenborg wrote:
>>
>> Add this on top of the other INPUT rules :
>>
>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>
>
> Ok so I changed the rules to this:
>
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
> RELATED,ESTABLISHED
> ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
> ACCEPT     udp  --  192.168.42.1         192.168.42.2        udp spt:53
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG level
> warning
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> But it won't accept new connections on port 80 or 22.  The Established
> SSH conection is fine.
> I can see new connections to port 80 or 22 in my logs, see:
>
> IN=eth0 OUT= MAC=00:01:03:d2:db:0b:00:11:5b:50:ff:a4:08:00
> SRC=192.168.42.34 DST=192.168.42.2 LEN=48 TOS=0x00 PREC=0x00
> TTL=128 ID=18259 DF PROTO=TCP SPT=3704 DPT=80 WINDOW=65535 RES=0x00 SYN
> URGP=0
>
> IN=eth0 OUT= MAC=00:01:03:d2:db:0b:00:11:5b:50:ff:a4:08:00
> SRC=192.168.42.34 DST=192.168.42.2 LEN=48 TOS=0x00 PREC=0x00
> TTL=128 ID=18526 DF PROTO=TCP SPT=3705 DPT=22 WINDOW=65535 RES=0x00 SYN
> URGP=0
>
> Why they don't jump to accept?  They match a rule.
>
> So then I adjusted #1 above to this
>
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
> NEW,RELATED,ESTABLISHED
>
> Doesn't that now allow any new connection to any port on any protocol
> making my FW worthless?
> Then I tried moving the RELATED,ESTABLISHED to the last rule like this:
>
> imperium root # iptables -L INPUT -n
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
> ACCEPT     udp  --  192.168.42.1         192.168.42.2        udp spt:53
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
> RELATED,ESTABLISHED
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0
> level 4
>
> But I still cannot get new connections in and my estabilshed SSH is
> still OK.
>
> Should I not use policy DROP but add a last rule of DROP?  Which is the
> "right" way?
> I guess I learned so far that I need to accept new and established.  But
> I cannot seem to get the rules to work.
> I've been up and down the man page and samples but seem to be missing
> one more stupid little thing :(
> Please help.
>
> /djb
>
>
>
>
>

- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCqIOcst+vzJSwZikRAhTVAJ0R00SOPrQgUoDCtgEy40tA0qIOCgCghZ7c
SZw5E9zWeSJ4TjdmThNkC4s=
=PU6m
-----END PGP SIGNATURE-----



* Re: --policy DROP kills everything?
  2005-06-09 17:59 ` R. DuFresne
@ 2005-06-09 18:21   ` David Busby
  2005-06-09 18:36     ` Damon Gray
  2005-06-09 18:52     ` R. DuFresne
  0 siblings, 2 replies; 14+ messages in thread
From: David Busby @ 2005-06-09 18:21 UTC (permalink / raw)
  To: netfilter

R. DuFresne wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> We found that in a 1:1 nat setup the policy for the forward chain has to 
> be accept or traffic will not flow.
> 
> Thanks,
> 
> Ron DuFresne

My box only has rules in the INPUT chain, doesn't do IP forwarding/routing at all.
I have these rules below:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:53
ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:123
ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:514
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4

And I cannot make new connections to port 22 or port 80; I see it in the logs.
An existing ssh connection will stay if I connect with no rules, then run iptables-restore.
This seems totally odd to me.  The UDP traffic is also blocked.  Everyone is telling me that these rules should work,
new connections should be allowed and such, but it's not the case.  Here's what my modules look like:

imperium root # lsmod
Module                  Size  Used by
ipt_LOG                 6272  1
ipt_state               1472  1
ip_conntrack           39860  1 ipt_state
iptable_filter          2944  1
ip_tables              16320  3 ipt_LOG,ipt_state,iptable_filter

So everything looks loaded OK too, but it's not working.  I even added these rules:

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80

But still cannot make a new connection to port 22 or 80, what gives?  What do I try now?

/djb



* Re: --policy DROP kills everything?
  2005-06-09 18:21   ` David Busby
@ 2005-06-09 18:36     ` Damon Gray
       [not found]       ` <42A8909E.1030104@edoceo.com>
  2005-06-09 18:52     ` R. DuFresne
  1 sibling, 1 reply; 14+ messages in thread
From: Damon Gray @ 2005-06-09 18:36 UTC (permalink / raw)
  To: David Busby; +Cc: netfilter


It might help if you could send the output of ifconfig (or ip addr show) 
and iptables -nvL. This output isn't showing what interfaces you are 
applying these rules to.

On Thu, 9 Jun 2005, David Busby wrote:

> R. DuFresne wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> 
>> 
>> We found that in a 1:1 nat setup the policy for the forward chain has to be 
>> accept or traffic will not flow.
>> 
>> Thanks,
>> 
>> Ron DuFresne
>
> My box only has rules in the INPUT chain, doesn't do IP forwarding/routing at 
> all.
> I have these rules below:
>
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
> ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:53
> ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:123
> ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:514
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state 
> RELATED,ESTABLISHED
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 
> level 4
>
> An cannot make new connections to port 22 or port 80, I see it in the logs.
> An existing ssh connection will stay if I connect with no rules then run 
> iptables-restore.
> This seems totally odd to me.  The UDP traffic is also blocked.  Everyone is 
> telling me that these rules should work, new connections should be allowed 
> and such but it's not the case.  Here's what my modules look like:
>
> imperium root # lsmod
> Module                  Size  Used by
> ipt_LOG                 6272  1
> ipt_state               1472  1
> ip_conntrack           39860  1 ipt_state
> iptable_filter          2944  1
> ip_tables              16320  3 ipt_LOG,ipt_state,iptable_filter
>
> So everything looks loaded OK too, but it's not working, I even added this 
> rule:
>
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp 
> dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp 
> dpt:80
>
> But still cannot make a new connection to port 22 or 80, what gives?  What do 
> I try now?
>
> /djb
>
>
>



* Re: --policy DROP kills everything?
  2005-06-09 18:21   ` David Busby
  2005-06-09 18:36     ` Damon Gray
@ 2005-06-09 18:52     ` R. DuFresne
  1 sibling, 0 replies; 14+ messages in thread
From: R. DuFresne @ 2005-06-09 18:52 UTC (permalink / raw)
  To: David Busby; +Cc: netfilter

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



To allow ports 80 and 22 from the outside into the firewall itself, you need
NEW,ESTABLISHED,RELATED; ESTABLISHED,RELATED will not suffice.

It would suffice for outgoing-only connections, but for incoming to the
FW from any sites outside, you need to allow the SYN = NEW.

Thanks,

Ron DuFresne


On Thu, 9 Jun 2005, David Busby wrote:

> R. DuFresne wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> 
>> 
>> We found that in a 1:1 nat setup the policy for the forward chain has to 
>> be accept or traffic will not flow.
>> 
>> Thanks,
>> 
>> Ron DuFresne
>
> My box only has rules in the INPUT chain, doesn't do IP forwarding/routing at 
> all.
> I have these rules below:
>
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
> ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:53
> ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:123
> ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:514
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state 
> RELATED,ESTABLISHED
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 
> level 4
>
> An cannot make new connections to port 22 or port 80, I see it in the logs.
> An existing ssh connection will stay if I connect with no rules then run 
> iptables-restore.
> This seems totally odd to me.  The UDP traffic is also blocked.  Everyone is 
> telling me that these rules should work, new connections should be allowed 
> and such but it's not the case.  Here's what my modules look like:
>
> imperium root # lsmod
> Module                  Size  Used by
> ipt_LOG                 6272  1
> ipt_state               1472  1
> ip_conntrack           39860  1 ipt_state
> iptable_filter          2944  1
> ip_tables              16320  3 ipt_LOG,ipt_state,iptable_filter
>
> So everything looks loaded OK too, but it's not working, I even added this 
> rule:
>
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp 
> dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp 
> dpt:80
>
> But still cannot make a new connection to port 22 or 80, what gives?  What do 
> I try now?
>
> /djb
>

- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>



* Re: --policy DROP kills everything?
       [not found]         ` <Pine.LNX.4.62.0506091515190.14790@dgray-test.acs.internap.com>
@ 2005-06-09 20:59           ` David Busby
  0 siblings, 0 replies; 14+ messages in thread
From: David Busby @ 2005-06-09 20:59 UTC (permalink / raw)
  To: netfilter

Damon Gray wrote:
> David,
>     Sorry, but all I can suggest is getting rid of the -i eth0 on the 
> port 22 and port 80 rules because you won't be able to connect from lo0 
> with that. You also don't need the --state NEW rule for ssh either; 
> your allow anything to port 22 will be enough for that and anything 
> destined for port 22. And also (like someone else suggested) put the 
> --state ESTABLISHED,RELATED at the top. Other than that your rules look 
> correct to me. Is there anything in any of the other tables? Like if you 
> do an iptables -t nat -nvL or -t mangle? What kernel are you running?
> 
> Sorry I couldn't be of more help.
> 
> -Damon-
> 

I appreciate all the help this list is providing; it seems very odd to me and it's nice to know it's also confusing to
others ;)  I've got no other tables, no nat, no mangle (I didn't even build those modules).  I moved EST,REL to the top;
it was last while I was testing.  I'm still in the same state: my established connections are OK but NEW (tcp/udp) are not.
I'm using kernel 2.6.10-gentoo-r6, so it's vanilla with gentoo patches.  I've fetched 2.6.11-gentoo-r9 and am currently
building it; I'll try my rules with it.

I also tried getting rid of the interface parameter rules, no help.  I tried getting rid of the destination IP rules, no go.
I ended up with this very loose setup:

imperium syslog-ng # iptables -nv -L
Chain INPUT (policy DROP 43 packets, 3392 bytes)
  pkts bytes target     prot opt in     out     source               destination
     6   312 ACCEPT     all  --  *      *       127.0.0.0/8          0.0.0.0/0
  4067 3419K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:514
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:123
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
     3   180 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    43  3392 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3270 packets, 277K bytes)
  pkts bytes target     prot opt in     out     source               destination

But I still cannot connect :(  My TCP and UDP traffic is still dead.  Do I need to enable something in /proc?  This
machine isn't forwarding or acting as a router; the rules are only to protect this single host.  I've unloaded and reloaded
the kernel modules, no go.

(time passes)

Rebooted with the 2.6.11-gentoo-r9 kernel, set my firewall rules and presto!
Everything is working perfectly with the above rules.
I then went through and tightened the rules to be more specific and it's all still working perfectly.
Glad that's over, thanks to everyone who helped out!

/djb



* Re: --policy DROP kills everything?
  2005-06-08 21:11 David Busby
  2005-06-08 22:02 ` Rob Sterenborg
@ 2005-06-10 14:48 ` Steven M Campbell
  1 sibling, 0 replies; 14+ messages in thread
From: Steven M Campbell @ 2005-06-10 14:48 UTC (permalink / raw)
  To: netfilter

David Busby wrote:
> I have this these rules on a host, to protect only this host.
>
> # Generated by iptables-save v1.2.11 on Tue Jun  7 23:03:58 2005
> *filter
> :INPUT DROP [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -s 127.0.0.0/255.0.0.0 -i lo -j ACCEPT
> -A INPUT -d 192.168.42.2 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -d 192.168.42.2 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
> COMMIT
> # Completed on Tue Jun  7 23:03:58 2005
>
I loaded these same rules, changing only the IP address to match 
mine, and tested only SSH (didn't have apache running).  It worked for 
me; however, the DNS reverse lookup by the SSH daemon had to time 
out, which took around 10-20 seconds (I'm sure there is a real fixed 
number there, I'm just too lazy to look it up).  Ensure that eth0 really is 
192.168.42.2 and be patient.   I don't know if there would be issues 
with the web server you have with this or not, as I didn't test.  The 
bottom line is that this is an incomplete firewall set: SSH uses DNS 
and, even though it may be configured to ignore the result, it still does 
the query, and making it wait for a timeout is a problem.

While not part of your question, I'd like to address some comments made 
here about connection tracking (all that --state stuff):
For the record, once a connection tracking module is loaded it tracks 
connections; it does nothing to them, it just tracks the numbers.  You 
do not need to see --state NEW in a rule to actually start tracking.  The 
--state things are there so you can =query= the state of the packet 
relative to the connection tracker: you can see if this is a NEW packet, 
an ESTABLISHED connection or a connection/packet RELATED to another (for 
example FTP and FTP data channels).   The module tracks the connections; 
the --state allows us to apply that information to our firewall rules.   
This confused me for quite a while too, but now that I get it, it is 
really quite obvious and simple.




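As an added illustration of the two points in Steven's message (sshd's reverse lookup timing out under the original ruleset, and conntrack classifying every packet whether or not a rule queries --state), here is a small Python model of the INPUT chain from the first message. It is constructed for this page, not code from the thread or from netfilter, and it assumes 192.168.42.1 is the host's resolver.

```python
from collections import namedtuple
from typing import List, Tuple

# A packet as conntrack sees it, and an INPUT rule: states=None means no "-m state"
# on the rule, so it matches a packet in any state (constructed model, not netfilter code).
Packet = namedtuple("Packet", "proto src dst sport dport")
Rule = namedtuple("Rule", "target proto dport states", defaults=(None, None, None))

class Host:
    """INPUT chain with a policy plus a conntrack table of sent/accepted 5-tuples."""
    def __init__(self, rules: List[Rule], policy: str = "DROP"):
        self.rules, self.policy, self.flows = list(rules), policy, set()

    def _state(self, p: Packet) -> str:
        # Conntrack classifies every packet whether or not any rule queries the state:
        # ESTABLISHED once the reverse direction has been seen, otherwise NEW.
        return "ESTABLISHED" if (p.proto, p.dst, p.src, p.dport, p.sport) in self.flows else "NEW"

    def send(self, p: Packet) -> None:
        """OUTPUT chain with policy ACCEPT: the outbound packet creates the flow entry."""
        self.flows.add(tuple(p))

    def receive(self, p: Packet) -> Tuple[str, str]:
        """Walk the INPUT rules in order; return (verdict, conntrack state of the packet)."""
        state, verdict = self._state(p), self.policy
        for r in self.rules:
            if r.proto is not None and r.proto != p.proto:
                continue
            if r.dport is not None and r.dport != p.dport:
                continue
            if r.states is not None and state not in r.states:
                continue
            verdict = r.target
            break
        if verdict == "ACCEPT":
            self.flows.add(tuple(p))  # an accepted inbound packet is tracked too
        return verdict, state

# The thread's first INPUT ruleset (lo rule omitted), and the same with a state rule on top.
ORIGINAL = [Rule("ACCEPT", "tcp", 22), Rule("ACCEPT", "tcp", 80)]
STATEFUL = [Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"}))] + ORIGINAL

def ssh_login_with_reverse_dns(rules: List[Rule]) -> Tuple[str, str, str]:
    """Constructed scenario: a client opens SSH, then sshd asks the resolver (assumed to
    be 192.168.42.1) for the client's PTR record. Returns (SYN, DNS reply verdict, its state)."""
    host = Host(rules)
    syn, _ = host.receive(Packet("tcp", "192.168.42.1", "192.168.42.2", 40000, 22))
    host.send(Packet("udp", "192.168.42.2", "192.168.42.1", 33000, 53))  # query leaves via OUTPUT
    reply, state = host.receive(Packet("udp", "192.168.42.1", "192.168.42.2", 53, 33000))
    return syn, reply, state
```

With ORIGINAL the SSH SYN is accepted by the plain port-22 rule (no -m state, so its NEW state is irrelevant), but the DNS reply, although conntrack already marks it ESTABLISHED, matches no rule and falls to the DROP policy, which is the timeout Steven saw. With the RELATED,ESTABLISHED rule in front, the reply is accepted.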

* Re: --policy DROP kills everything?
  2005-06-09  6:26     ` Rob Sterenborg
@ 2005-06-10 18:08       ` Jason Opperisano
  0 siblings, 0 replies; 14+ messages in thread
From: Jason Opperisano @ 2005-06-10 18:08 UTC (permalink / raw)
  To: netfilter

On Thu, Jun 09, 2005 at 08:26:38AM +0200, Rob Sterenborg wrote:
> If -m state is not specified then, in my experience, -m state --state
> NEW is assumed (someone please correct me if I'm telling nonsense here)
> so your rules *will* allow new connections.

That is, indeed, nonsense.

-j

--
"Peter: And this is where the Pilgrims landed at Fraggle Rock."
        --Family Guy


