RE: --policy DROP kills everything?

RE: --policy DROP kills everything?

[Ginter, Jeff A]

I have seen very similar results.

I have my first rule as Established/Related then I allow out 80, 443,
etc. (just a few ports)...and the web and other traffic dies.

When I tcpdump, I notice that for some of this traffic the s-port and
d-port are no longer matching (they are now high ports) and the
established, related rules don't seem to pick this up.

This is in my forwarding chain (there is a private network behind with 1
to 1 nats).

I added a rule that allowed ALL out, since security is not a concern for
that direction for me in this environment, but I shouldn't have had to
do that.

Let me know if you get anywhere with this Dave.  Thanks.

 
 
Jeff Ginter, CISSP
Computer Associates
Mid-Atlantic Consulting Manager
tel:    +1 908 874-9726
cell:   +1 609 577-1494
jeff.ginter@ca.com
 

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of David Busby
Sent: Wednesday, June 08, 2005 7:32 PM
To: netfilter@lists.netfilter.org
Subject: Re: --policy DROP kills everything?

Rob Sterenborg wrote:
> 
> Add this on top of the other INPUT rules :
> 
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> 

Ok so I changed the rules to this:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
RELATED,ESTABLISHED
ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
ACCEPT     udp  --  192.168.42.1         192.168.42.2        udp spt:53
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG level
warning

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

But it won't accept new connections on port 80 or 22.  The Established
SSH conection is fine.
I can see new connections to port 80 or 22 in my logs, see:

IN=eth0 OUT= MAC=00:01:03:d2:db:0b:00:11:5b:50:ff:a4:08:00
SRC=192.168.42.34 DST=192.168.42.2 LEN=48 TOS=0x00 PREC=0x00 
TTL=128 ID=18259 DF PROTO=TCP SPT=3704 DPT=80 WINDOW=65535 RES=0x00 SYN
URGP=0

IN=eth0 OUT= MAC=00:01:03:d2:db:0b:00:11:5b:50:ff:a4:08:00
SRC=192.168.42.34 DST=192.168.42.2 LEN=48 TOS=0x00 PREC=0x00 
TTL=128 ID=18526 DF PROTO=TCP SPT=3705 DPT=22 WINDOW=65535 RES=0x00 SYN
URGP=0

Why they don't jump to accept?  They match a rule.

So then I adjusted #1 above to this

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
NEW,RELATED,ESTABLISHED

Doesn't that now allow any new connection to any port on any protocol
making my FW worthless?
Then I tried moving the RELATED,ESTABLISHED to the last rule like this:

imperium root # iptables -L INPUT -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
ACCEPT     udp  --  192.168.42.1         192.168.42.2        udp spt:53
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0
level 4

But I still cannot get new connections in and my estabilshed SSH is
still OK.

Should I not use policy DROP but add a last rule of DROP?  Which is the
"right" way?
I guess I learned so far that I need to accept new and established.  But
I cannot seem to get the rules to work.
I've been up and down the man page and samples but seem to be missing
one more stupid little thing :(
Please help.

/djb

RE: --policy DROP kills everything?

[busby]

My OUTPUT and FORWARD tables have policy ACCEPT and no rules.
It's only INPUT that is causing headache.  In my current state (below) an
established connection is OK (like ssh in then start) but after adding
these rule no new connection can be made.

Config:
>
> imperium root # iptables -L INPUT -n
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
> ACCEPT     udp  --  192.168.42.1         192.168.42.2        udp spt:53
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
RELATED,ESTABLISHED
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0
level 4
>

Re: --policy DROP kills everything?

[Gary W. Smith]

This may or my not help your situation.  Included are my rules for the INPUT
chain on one of my firewalls.  We don't default drop (which can be bad) but
rather end all our chains with REJECT icmp-host-prohibited.  But something
you might want to do to quickly solve this problem is to try the following:

Instead of defaulting to DROP put a LOG at the end of the INPUT chain with
something like '-j LOG --log-prefix "INPUT_DROP: " --log-level 1'.  Then do
a tail -n 0 -f /var/log/messages | grep "INPUT_DROP".  It will tell you
exactly what you have missed.

While you are at it you might want to do the same for FORWARD and OUTPUT to
rule out the usual suspects.

The output from the logs might be more useful to you that trying to guess at
why the related connection isn't working.

BTW, here is my INPUT.  eth0 if external IF, eth1 is internal IF, lo, well
if I explain that you need some funamentals, ppp+ is the PPTPD IF.
Basically I allow all interfaces to come in.  eth0 doesn't actually accept
any data but just log the number of bytes that travel across it's IF for
accounting purposes.

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
target     prot opt in     out     source               destination
INCOUNT    all  --  eth0   *       0.0.0.0/0            123.123.123.1
ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
state RELATED,ESTABLISHED

ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
MARK match 0x1 

filter_firewall  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
filter_trusted  all  --  *      *       0.0.0.0/0            0.0.0.0/0
LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
LOG flags 0 level 1 prefix `INPUT: '

REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
reject-with icmp-host-prohibited

Hope the helps, 

Gary Smith


On 6/9/05 4:54 AM, "busby@edoceo.com" <busby@edoceo.com> wrote:

> My OUTPUT and FORWARD tables have policy ACCEPT and no rules.
> It's only INPUT that is causing headache.  In my current state (below) an
> established connection is OK (like ssh in then start) but after adding
> these rule no new connection can be made.
> 
> Config:
>> 
>> imperium root # iptables -L INPUT -n
>> Chain INPUT (policy DROP)
>> target     prot opt source               destination
>> ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
>> ACCEPT     udp  --  192.168.42.1         192.168.42.2        udp spt:53
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
> RELATED,ESTABLISHED
>> LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0
> level 4
>> 
> 
> 
> 
> 

RE: --policy DROP kills everything?

[R. DuFresne]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


We found that in a 1:1 nat setup the policy for the forward chain has to 
be accept or traffic will not flow.

Thanks,

Ron DuFresne

On Wed, 8 Jun 2005, Ginter, Jeff A wrote:

> I have seen very similar results.
>
> I have my first rule as Established/Related then I allow out 80, 443,
> etc. (just a few ports)...and the web and other traffic dies.
>
> When I tcpdump, I notice that for some of this traffic the s-port and
> d-port are no longer matching (they are now high ports) and the
> established, related rules don't seem to pick this up.
>
> This is in my forwarding chain (there is a private network behind with 1
> to 1 nats).
>
> I added a rule that allowed ALL out, since security is not a concern for
> that direction for me in this environment, but I shouldn't have had to
> do that.
>
> Let me know if you get anywhere with this Dave.  Thanks.
>
>
>
> Jeff Ginter, CISSP
> Computer Associates
> Mid-Atlantic Consulting Manager
> tel:    +1 908 874-9726
> cell:   +1 609 577-1494
> jeff.ginter@ca.com
>
>
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of David Busby
> Sent: Wednesday, June 08, 2005 7:32 PM
> To: netfilter@lists.netfilter.org
> Subject: Re: --policy DROP kills everything?
>
> Rob Sterenborg wrote:
>>
>> Add this on top of the other INPUT rules :
>>
>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>
>
> Ok so I changed the rules to this:
>
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
> RELATED,ESTABLISHED
> ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
> ACCEPT     udp  --  192.168.42.1         192.168.42.2        udp spt:53
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG level
> warning
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> But it won't accept new connections on port 80 or 22.  The Established
> SSH conection is fine.
> I can see new connections to port 80 or 22 in my logs, see:
>
> IN=eth0 OUT= MAC=00:01:03:d2:db:0b:00:11:5b:50:ff:a4:08:00
> SRC=192.168.42.34 DST=192.168.42.2 LEN=48 TOS=0x00 PREC=0x00
> TTL=128 ID=18259 DF PROTO=TCP SPT=3704 DPT=80 WINDOW=65535 RES=0x00 SYN
> URGP=0
>
> IN=eth0 OUT= MAC=00:01:03:d2:db:0b:00:11:5b:50:ff:a4:08:00
> SRC=192.168.42.34 DST=192.168.42.2 LEN=48 TOS=0x00 PREC=0x00
> TTL=128 ID=18526 DF PROTO=TCP SPT=3705 DPT=22 WINDOW=65535 RES=0x00 SYN
> URGP=0
>
> Why they don't jump to accept?  They match a rule.
>
> So then I adjusted #1 above to this
>
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
> NEW,RELATED,ESTABLISHED
>
> Doesn't that now allow any new connection to any port on any protocol
> making my FW worthless?
> Then I tried moving the RELATED,ESTABLISHED to the last rule like this:
>
> imperium root # iptables -L INPUT -n
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
> ACCEPT     udp  --  192.168.42.1         192.168.42.2        udp spt:53
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
> RELATED,ESTABLISHED
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0
> level 4
>
> But I still cannot get new connections in and my estabilshed SSH is
> still OK.
>
> Should I not use policy DROP but add a last rule of DROP?  Which is the
> "right" way?
> I guess I learned so far that I need to accept new and established.  But
> I cannot seem to get the rules to work.
> I've been up and down the man page and samples but seem to be missing
> one more stupid little thing :(
> Please help.
>
> /djb
>
>
>
>
>

- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCqIOcst+vzJSwZikRAhTVAJ0R00SOPrQgUoDCtgEy40tA0qIOCgCghZ7c
SZw5E9zWeSJ4TjdmThNkC4s=
=PU6m
-----END PGP SIGNATURE-----

Re: --policy DROP kills everything?

[David Busby]

R. DuFresne wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> We found that in a 1:1 nat setup the policy for the forward chain has to 
> be accept or traffic will not flow.
> 
> Thanks,
> 
> Ron DuFresne

My box only has rules in the INPUT chain, doesn't do IP forwarding/routing at all.
I have these rules below:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:53
ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:123
ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:514
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4

An cannot make new connections to port 22 or port 80, I see it in the logs.
An existing ssh connection will stay if I connect with no rules then run iptables-restore.
This seems totally odd to me.  The UDP traffic is also blocked.  Everyone is telling me that these rules should work, 
new connections should be allowed and such but it's not the case.  Here's what my modules look like:

imperium root # lsmod
Module                  Size  Used by
ipt_LOG                 6272  1
ipt_state               1472  1
ip_conntrack           39860  1 ipt_state
iptable_filter          2944  1
ip_tables              16320  3 ipt_LOG,ipt_state,iptable_filter

So everything looks loaded OK too, but it's not working, I even added this rule:

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80

But still cannot make a new connection to port 22 or 80, what gives?  What do I try now?

/djb

Re: --policy DROP kills everything?

[Damon Gray]

It might help if you could send the output of ifconfig (or ip addr show) 
and iptables -nvL. This output isn't showing what interfaces you are 
applying these rules to.

On Thu, 9 Jun 2005, David Busby wrote:

> R. DuFresne wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> 
>> 
>> We found that in a 1:1 nat setup the policy for the forward chain has to be 
>> accept or traffic will not flow.
>> 
>> Thanks,
>> 
>> Ron DuFresne
>
> My box only has rules in the INPUT chain, doesn't do IP forwarding/routing at 
> all.
> I have these rules below:
>
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
> ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:53
> ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:123
> ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:514
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state 
> RELATED,ESTABLISHED
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 
> level 4
>
> An cannot make new connections to port 22 or port 80, I see it in the logs.
> An existing ssh connection will stay if I connect with no rules then run 
> iptables-restore.
> This seems totally odd to me.  The UDP traffic is also blocked.  Everyone is 
> telling me that these rules should work, new connections should be allowed 
> and such but it's not the case.  Here's what my modules look like:
>
> imperium root # lsmod
> Module                  Size  Used by
> ipt_LOG                 6272  1
> ipt_state               1472  1
> ip_conntrack           39860  1 ipt_state
> iptable_filter          2944  1
> ip_tables              16320  3 ipt_LOG,ipt_state,iptable_filter
>
> So everything looks loaded OK too, but it's not working, I even added this 
> rule:
>
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp 
> dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp 
> dpt:80
>
> But still cannot make a new connection to port 22 or 80, what gives?  What do 
> I try now?
>
> /djb
>
>
>

Re: --policy DROP kills everything?

[David Busby]

Damon Gray wrote:
> David,
>     Sorry, but all I can suggest is getting rid of the -i eth0 on the 
> port 22 and port 80 rules because you won't be able to connect from lo0 
> with that. You also don't need the the --state NEW rule for ssh either, 
> your allow anything to port 22 will be enough for that and anything 
> destined for port 22. And also (like someone else suggested) put the 
> --state ESTABLISHED,RELATED at the top. Other than that your rules look 
> correct to me. Is there anything in any of the other tables? Like if you 
> do a iptables -t nat -nvL or -t mangle? What kernel are you running?
> 
> Sorry I couldn't be of more help.
> 
> -Damon-
> 

I appreciate all the help this list is providing, it seems very odd to me and it's nice to know it's also confusing to
others ;)  I've got no other tables, no nat, no mangle (I didn't even build those modules)  I moved EST,REL to the top,
it was last while I was testing.  I'm still at the same state, my established is OK but NEW (tcp/udp) are not.  I'm
using kernel 2.6.10-gentoo-r6, so it's vanilla with gentoo patches.  I've fetched 2.6.11-gentoo-r9 and am currently
building it, I'll try my rules with it.

I also tried getting rid of the interface parameter rules, no help.  I tried getting rid of destination IP rules, no go.
I ended up with this very loose setup

imperium syslog-ng # iptables -nv -L
Chain INPUT (policy DROP 43 packets, 3392 bytes)
  pkts bytes target     prot opt in     out     source               destination
     6   312 ACCEPT     all  --  *      *       127.0.0.0/8          0.0.0.0/0
  4067 3419K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:514
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:123
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
     3   180 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    43  3392 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3270 packets, 277K bytes)
  pkts bytes target     prot opt in     out     source               destination

But I still cannot connect :(  My TCP and UDP traffic is still dead.  Do I need to enable something in /proc?  This
machine isn't forwarding or being a router, the rules are only to protect this single host.  I've unloaded and reloaded
the kernel modules no go.

(time passes)

Rebooted with the 2.6.11-gentoo-r9 kernel, set my firewall rules and presto!
Every thing is working perfectly with the above rules.
I then went through and tied the rules to more be more specific and it's all still working perfect.
Glad that's over, thanks to everyone who helped out!

/djb

Re: --policy DROP kills everything?

[R. DuFresne]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



to allow port 8 and 22 from the outside into the firewall itself,you need 
NEW,ESTABLISHED,RELATED, ESTABLISHED,RELATED will not suffice.

It would suffice for out going only connections, but for incoming to the 
FW from any sites outside, you need to allow the syn=NEW.

Thanks,

Ron DuFresne


On Thu, 9 Jun 2005, David Busby wrote:

> R. DuFresne wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> 
>> 
>> We found that in a 1:1 nat setup the policy for the forward chain has to 
>> be accept or traffic will not flow.
>> 
>> Thanks,
>> 
>> Ron DuFresne
>
> My box only has rules in the INPUT chain, doesn't do IP forwarding/routing at 
> all.
> I have these rules below:
>
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
> ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:53
> ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:123
> ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:514
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state 
> RELATED,ESTABLISHED
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 
> level 4
>
> An cannot make new connections to port 22 or port 80, I see it in the logs.
> An existing ssh connection will stay if I connect with no rules then run 
> iptables-restore.
> This seems totally odd to me.  The UDP traffic is also blocked.  Everyone is 
> telling me that these rules should work, new connections should be allowed 
> and such but it's not the case.  Here's what my modules look like:
>
> imperium root # lsmod
> Module                  Size  Used by
> ipt_LOG                 6272  1
> ipt_state               1472  1
> ip_conntrack           39860  1 ipt_state
> iptable_filter          2944  1
> ip_tables              16320  3 ipt_LOG,ipt_state,iptable_filter
>
> So everything looks loaded OK too, but it's not working, I even added this 
> rule:
>
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp 
> dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp 
> dpt:80
>
> But still cannot make a new connection to port 22 or 80, what gives?  What do 
> I try now?
>
> /djb
>

- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCqI/cst+vzJSwZikRAhWOAJ9IDdK+zJg+OZFIgDlZ1L70/QiuwgCgzr96
2/aVRqww5vfCotUcROUhW08=
=93zv
-----END PGP SIGNATURE-----

--policy DROP kills everything?

[David Busby]

I have this these rules on a host, to protect only this host.

# Generated by iptables-save v1.2.11 on Tue Jun  7 23:03:58 2005
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.0/255.0.0.0 -i lo -j ACCEPT
-A INPUT -d 192.168.42.2 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 192.168.42.2 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Tue Jun  7 23:03:58 2005

These are the loaded modules: iptable_filter, ip_tables

I cannot make an SSH or HTTP connection to the box.
I was under the impression that a policy of DROP will drop the packets if they dont match a rule.
If I switch the policy to ACCEPT then no problem.  If I add a last rule as DROP then it also fails.
If I put a LOG or ULOG before the DROP rule then I can see packes destined for port 80 making it to log, shouldn't 
ACCEPT have passed them through?  What stupid little thing did I miss?

imperium root # iptables --version
iptables v1.2.11
imperium root # uname -a
Linux imperium 2.6.10-gentoo-r6-edoceo #4 Sun May 1 03:48:25 PDT 2005 i686 AMD Athlon(TM) XP 1700+ AuthenticAMD GNU/Linux

/djb

RE: --policy DROP kills everything?

[Rob Sterenborg]

> # Generated by iptables-save v1.2.11 on Tue Jun  7 23:03:58 2005
> *filter
>> INPUT DROP [0:0]
>> FORWARD ACCEPT [0:0]
>> OUTPUT ACCEPT [0:0]
> -A INPUT -s 127.0.0.0/255.0.0.0 -i lo -j ACCEPT
> -A INPUT -d 192.168.42.2 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -d 192.168.42.2 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
> COMMIT # Completed on Tue Jun  7 23:03:58 2005
> 
> These are the loaded modules: iptable_filter, ip_tables
> 
> I cannot make an SSH or HTTP connection to the box.

Add this on top of the other INPUT rules :

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

> I was under the impression that a policy of DROP will drop
> the packets if they dont match a rule.

That is correct. But..
A new ssh packet comes in and is accepted by --dport 22. The other
packets in the same connection have state ESTABLISHED and you're not
allowing those packets. That's why they are dropped.

> ACCEPT have passed them through?  What stupid little thing did I miss?

The one rule above ;o).


Gr,
Rob

Re: --policy DROP kills everything?

[David Busby]

Rob Sterenborg wrote:
> 
> Add this on top of the other INPUT rules :
> 
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> 

Ok so I changed the rules to this:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
ACCEPT     udp  --  192.168.42.1         192.168.42.2        udp spt:53
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG level warning

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

But it won't accept new connections on port 80 or 22.  The Established SSH conection is fine.
I can see new connections to port 80 or 22 in my logs, see:

IN=eth0 OUT= MAC=00:01:03:d2:db:0b:00:11:5b:50:ff:a4:08:00 SRC=192.168.42.34 DST=192.168.42.2 LEN=48 TOS=0x00 PREC=0x00 
TTL=128 ID=18259 DF PROTO=TCP SPT=3704 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

IN=eth0 OUT= MAC=00:01:03:d2:db:0b:00:11:5b:50:ff:a4:08:00 SRC=192.168.42.34 DST=192.168.42.2 LEN=48 TOS=0x00 PREC=0x00 
TTL=128 ID=18526 DF PROTO=TCP SPT=3705 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0

Why they don't jump to accept?  They match a rule.

So then I adjusted #1 above to this

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED

Doesn't that now allow any new connection to any port on any protocol making my FW worthless?
Then I tried moving the RELATED,ESTABLISHED to the last rule like this:

imperium root # iptables -L INPUT -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
ACCEPT     udp  --  192.168.42.1         192.168.42.2        udp spt:53
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4

But I still cannot get new connections in and my estabilshed SSH is still OK.

Should I not use policy DROP but add a last rule of DROP?  Which is the "right" way?
I guess I learned so far that I need to accept new and established.  But I cannot seem to get the rules to work.
I've been up and down the man page and samples but seem to be missing one more stupid little thing :(
Please help.

/djb

RE: --policy DROP kills everything?

[Rob Sterenborg]

>> Add this on top of the other INPUT rules :
>> 
>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>> 
> 
> Ok so I changed the rules to this:
> 
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> state RELATED,ESTABLISHED
> ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
> ACCEPT     udp  --  192.168.42.1         192.168.42.2
> udp spt:53
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2
> tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2
> tcp dpt:80
> LOG        all  --  0.0.0.0/0            0.0.0.0/0
> LOG level warning
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> But it won't accept new connections on port 80 or 22.  The

I'm not quite sure if that's true : you have a rule that says :
-A INPUT -d 192.168.42.2 -p tcp --dport 22 -j ACCEPT
I have similar rules and it accepts just fine.

> Established SSH conection is fine.
> I can see new connections to port 80 or 22 in my logs, see:
> 
> IN=eth0 OUT= MAC=00:01:03:d2:db:0b:00:11:5b:50:ff:a4:08:00
> SRC=192.168.42.34 DST=192.168.42.2 LEN=48 TOS=0x00 PREC=0x00
> TTL=128 ID=18259 DF PROTO=TCP SPT=3704 DPT=80 WINDOW=65535 RES=0x00
> SYN URGP=0 
> 
> IN=eth0 OUT= MAC=00:01:03:d2:db:0b:00:11:5b:50:ff:a4:08:00
> SRC=192.168.42.34 DST=192.168.42.2 LEN=48 TOS=0x00 PREC=0x00
> TTL=128 ID=18526 DF PROTO=TCP SPT=3705 DPT=22 WINDOW=65535 RES=0x00
> SYN URGP=0 
> 
> Why they don't jump to accept?  They match a rule.
> 
> So then I adjusted #1 above to this
> 
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> state NEW,RELATED,ESTABLISHED

Um, for me it's quite early in the morning but if I read this correct,
you just accepted from everything to everything. That is not what you
want I think.

> Doesn't that now allow any new connection to any port on any
> protocol making my FW worthless?

Yes, but you allow everything in this rule so it's indeed worthless.

> Then I tried moving the RELATED,ESTABLISHED to the last rule like
> this: 
> 
> imperium root # iptables -L INPUT -n
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
> ACCEPT     udp  --  192.168.42.1         192.168.42.2
> udp spt:53
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2
> tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2
> tcp dpt:80
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> state RELATED,ESTABLISHED
> LOG        all  --  0.0.0.0/0            0.0.0.0/0
> LOG flags 0 level 4
> 
> But I still cannot get new connections in and my estabilshed SSH is
> still OK. 

If -m state is not specified then, in my experience, -m state --state
NEW is assumed (someone please correct me if I'm telling nonsense here)
so your rules *will* allow new connections.

ESTABLISHED cannot be accepted if there hasn't been a NEW that has been
accepted.

> Should I not use policy DROP but add a last rule of DROP? Which is
> the "right" way?

That is essentially what policy DROP is doing ; if no rules match : DROP
it.
You can set it to ACCEPT and add an ending rule that drops or rejects
all packets not matched (you have more flexibility if working that way),
but the idea is the same.

> I guess I learned so far that I need to accept new
> and established.  But I cannot seem to get the rules to work.
> I've been up and down the man page and samples but seem to be
> missing one more stupid little thing :(
> Please help.

Somewhere you said ipt_state isn't loaded. Is it loaded now ??


Gr,
Rob

Re: --policy DROP kills everything?

[Jason Opperisano]

On Thu, Jun 09, 2005 at 08:26:38AM +0200, Rob Sterenborg wrote:
> If -m state is not specified then, in my experience, -m state --state
> NEW is assumed (someone please correct me if I'm telling nonsense here)
> so your rules *will* allow new connections.

that is; indeed, nonsense.

-j

--
"Peter: And this is where the Pilgrims landed at Fraggle Rock."
        --Family Guy

Re: --policy DROP kills everything?

[Steven M Campbell]

David Busby wrote:
> I have this these rules on a host, to protect only this host.
>
> # Generated by iptables-save v1.2.11 on Tue Jun  7 23:03:58 2005
> *filter
> :INPUT DROP [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -s 127.0.0.0/255.0.0.0 -i lo -j ACCEPT
> -A INPUT -d 192.168.42.2 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -d 192.168.42.2 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
> COMMIT
> # Completed on Tue Jun  7 23:03:58 2005
>
I used loaded these same rules changing only the ip address to match 
mine and tested only SSH (didn't have apache running).  It worked for 
me, however, the DNS reverse lookup for the by SSH daemon had to time 
out which took around 10-20 seconds (I'm sure there is a real fixed 
number there I'm just to lazy to look it up).  Ensure the eth0 really is 
192.168.42.2 and be patient.   I don't know if there would be issues 
with the web server you have with this or not as I didn't test.  The 
bottom line is that this is an incomplete firewall set as SSH uses DNS 
and, even though it may be configured to ignore the result it still does 
the query, making it wait for a timeout is a problem.

While not part of your question I'd like to address some comments made 
here about connection tracking (all that --state stuff):
For the record, once a connection tracking module is loaded it tracks 
connections, it does nothing to them it just tracks the numbers.  You 
not need to see --state NEW in a rule to actually start tracking.  The 
--state things are there so you can =query= the state of the packet 
relative to the connection tracker, you can see if this is a NEW packet, 
an ESTABLISHED connection or a connection/packet RELATED to another (for 
example FTP and FTP Data channels).   The module tracks the connections 
the --state allows us to apply the information to our firewall rules.   
This confused me for quite a while too but now that I get it, it is 
really quite obvious and simple.