ssh session are hanging when firewall is restarted

ssh session are hanging when firewall is restarted

[Adishesh M]

Hi,
When we insert below rules into the ip tables, ssh sessions are
hanging ( infact all tcp connection are terminated).

“iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m
state --state NEW -j DROP”.

what is the problem with this above rule. we used this rule to drop
bad tcp packets. when firewall is restarted using "service iptables
restart", ssh sessions are hanging.


Rule used for testing.

ssh session hangs
<set 1>
--------------------------
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m
state --state NEW -j DROP
iptables -A INPUT -d 10.255.13.157 -m state --state
RELATED,ESTABLISHED  -j ACCEPT
iptables -A INPUT -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A  INPUT -d 10.255.13.157   -j DROP


ssh session hangs
<set 2>
----------------------------
iptables -N TEST_LAN_1
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m
state --state NEW -j DROP
iptables -A INPUT -d 10.255.13.157 -j TEST_LAN_1
iptables -A TEST_LAN_1 -d 10.255.13.157 -m state --state
RELATED,ESTABLISHED  -j ACCEPT
iptables -A TEST_LAN_1 -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A  TEST_LAN_1 -d 10.255.13.157   -j DROP



ssh session does not hang
<set 3>
---------------------------------------
iptables -N TEST_LAN_1
iptables -A INPUT -d 10.255.13.157 -j TEST_LAN_1
iptables -A TEST_LAN_1 -d 10.255.13.157 -m state --state
RELATED,ESTABLISHED  -j ACCEPT
iptables -A TEST_LAN_1 -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A  TEST_LAN_1 -d 10.255.13.157   -j DROP


ssh session does not hang
<set 4>
---------------------------------------
iptables -A INPUT -d 10.255.13.157 -m state --state
RELATED,ESTABLISHED  -j ACCEPT
iptables -A INPUT -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A  INPUT -d 10.255.13.157   -j DROP


steps to reproduce the this issue
-----------------------------------------------
    iptables -F
    iptables  -X
    <Insert any one set of rules from set 1 or set 2 >
    service ip6tables stop
    service iptables save
    iptables -L -n
    service iptables restart
    iptables -L -n

Thanks and regards,
Adishesh

Re: ssh session are hanging when firewall is restarted

[Adishesh M]

Hi,

update to below help.

with only below one rule, all tcp connection are hanging.

"iptables -A INPUT -p TCP ! --syn -m state --state NEW -j DROP"

How to reproduce
-------------------------
1. open more then one ssh session to the machine
2.  iptables -P INPUT ACCEPT && iptables -F  && iptables  -X
3. service ip6tables stop
4. iptables -A INPUT -p TCP ! --syn -m state --state NEW -j DROP
5. service iptables restart

ssh session will be terminated.



I am using below operating system.
root@ATCA-N6> uname -a
Linux ATCA-N6 2.6.32-131.4.1.el6.x86_64 #1 SMP Fri Jun 10 10:54:26 EDT
2011 x86_64 x86_64 x86_64 GNU/Linux
root@ATCA-N6>


Thanks and regards,
Adishesh


libnetfilter_conntrack-0.0.100-2.el6.x86_64



Thanks and regards,
Adishesh




On Wed, Aug 24, 2011 at 7:12 PM, Adishesh  M <adisheshsm@gmail.com> wrote:
> Hi,
> When we insert below rules into the ip tables, ssh sessions are
> hanging ( infact all tcp connection are terminated).
>
> “iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m
> state --state NEW -j DROP”.
>
> what is the problem with this above rule. we used this rule to drop
> bad tcp packets. when firewall is restarted using "service iptables
> restart", ssh sessions are hanging.
>
>
> Rule used for testing.
>
> ssh session hangs
> <set 1>
> --------------------------
> iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m
> state --state NEW -j DROP
> iptables -A INPUT -d 10.255.13.157 -m state --state
> RELATED,ESTABLISHED  -j ACCEPT
> iptables -A INPUT -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
> iptables -A  INPUT -d 10.255.13.157   -j DROP
>
>
> ssh session hangs
> <set 2>
> ----------------------------
> iptables -N TEST_LAN_1
> iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m
> state --state NEW -j DROP
> iptables -A INPUT -d 10.255.13.157 -j TEST_LAN_1
> iptables -A TEST_LAN_1 -d 10.255.13.157 -m state --state
> RELATED,ESTABLISHED  -j ACCEPT
> iptables -A TEST_LAN_1 -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
> iptables -A  TEST_LAN_1 -d 10.255.13.157   -j DROP
>
>
>
> ssh session does not hang
> <set 3>
> ---------------------------------------
> iptables -N TEST_LAN_1
> iptables -A INPUT -d 10.255.13.157 -j TEST_LAN_1
> iptables -A TEST_LAN_1 -d 10.255.13.157 -m state --state
> RELATED,ESTABLISHED  -j ACCEPT
> iptables -A TEST_LAN_1 -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
> iptables -A  TEST_LAN_1 -d 10.255.13.157   -j DROP
>
>
> ssh session does not hang
> <set 4>
> ---------------------------------------
> iptables -A INPUT -d 10.255.13.157 -m state --state
> RELATED,ESTABLISHED  -j ACCEPT
> iptables -A INPUT -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
> iptables -A  INPUT -d 10.255.13.157   -j DROP
>
>
> steps to reproduce the this issue
> -----------------------------------------------
>    iptables -F
>    iptables  -X
>    <Insert any one set of rules from set 1 or set 2 >
>    service ip6tables stop
>    service iptables save
>    iptables -L -n
>    service iptables restart
>    iptables -L -n
>
> Thanks and regards,
> Adishesh
>

Re: ssh session are hanging when firewall is restarted

[Grant Taylor]

On 8/24/2011 08:42, Adishesh M wrote:
> what is the problem with this above rule. we used this rule to drop
> bad tcp packets. when firewall is restarted using "service iptables
> restart", ssh sessions are hanging.

I don't think there is any thing wrong with the rule at all.  I think 
the problem is how you are thinking about the connection.

You are looking for connections that are new to the connection tracking 
sub-system that do not have a SYN flag set.

An already established SSH connection will not need to send a SYN 
packet, but will still appear "new" to the connection tracking 
sub-system after you re-start the firewall.

So, IMHO, this behavior should be expected.

I'd sit down and think about how frequently this ""problem (such as it 
is) happens and if it has enough impact to cause me to want to re-design 
firewall rules to take it in to account.



Grant. . . .

Re: ssh session are hanging when firewall is restarted

[Tyler J. Wagner]

On 2011-08-25 07:04, Grant Taylor wrote:
> I'd sit down and think about how frequently this ""problem (such as it is)
> happens and if it has enough impact to cause me to want to re-design
> firewall rules to take it in to account.

Indeed. A better solution:

-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

If your firewall script clears the connection states (conntrack -F) or
unloads and reloads the kernel modules (thus doing the same thing), you
will always have this problem, and no different iptables design will fix it.

Regards,
Tyler

-- 
"The Congress shall have Power . . . To promote the Progress of Science
and useful Arts, by securing for limited Times to Authors and Inventors
the exclusive Right to their respective Writings and Discoveries."
   -- Article I, Section 8, U.S. Constitution

Re: ssh session are hanging when firewall is restarted

[Jan Engelhardt]

On Thursday 2011-08-25 08:04, Grant Taylor wrote:

> On 8/24/2011 08:42, Adishesh M wrote:
>> what is the problem with this above rule. we used this rule to drop
>> bad tcp packets. when firewall is restarted using "service iptables
>> restart", ssh sessions are hanging.
>
> I don't think there is any thing wrong with the rule at all.  I think the
> problem is how you are thinking about the connection.
>
> You are looking for connections that are new to the connection tracking
> sub-system that do not have a SYN flag set.
>
> An already established SSH connection will not need to send a SYN packet, but
> will still appear "new" to the connection tracking sub-system after you
> re-start the firewall.

It depends on _what_ actually is restarted. Changing just the ruleset 
does not affect CT entries.

Re: ssh session are hanging when firewall is restarted

[Pandu Poluan]

Why do you need to restart iptables?

iptables is *not* a daemon-based service. It's always on in the
kernel. All invocation of the iptables command act *immediately*

Rgds,


On 2011-08-24, Adishesh M <adisheshsm@gmail.com> wrote:
> Hi,
> When we insert below rules into the ip tables, ssh sessions are
> hanging ( infact all tcp connection are terminated).
>
> “iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m
> state --state NEW -j DROP”.
>
> what is the problem with this above rule. we used this rule to drop
> bad tcp packets. when firewall is restarted using "service iptables
> restart", ssh sessions are hanging.
>
>
> Rule used for testing.
>
> ssh session hangs
> <set 1>
> --------------------------
> iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m
> state --state NEW -j DROP
> iptables -A INPUT -d 10.255.13.157 -m state --state
> RELATED,ESTABLISHED  -j ACCEPT
> iptables -A INPUT -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
> iptables -A  INPUT -d 10.255.13.157   -j DROP
>
>
> ssh session hangs
> <set 2>
> ----------------------------
> iptables -N TEST_LAN_1
> iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m
> state --state NEW -j DROP
> iptables -A INPUT -d 10.255.13.157 -j TEST_LAN_1
> iptables -A TEST_LAN_1 -d 10.255.13.157 -m state --state
> RELATED,ESTABLISHED  -j ACCEPT
> iptables -A TEST_LAN_1 -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
> iptables -A  TEST_LAN_1 -d 10.255.13.157   -j DROP
>
>
>
> ssh session does not hang
> <set 3>
> ---------------------------------------
> iptables -N TEST_LAN_1
> iptables -A INPUT -d 10.255.13.157 -j TEST_LAN_1
> iptables -A TEST_LAN_1 -d 10.255.13.157 -m state --state
> RELATED,ESTABLISHED  -j ACCEPT
> iptables -A TEST_LAN_1 -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
> iptables -A  TEST_LAN_1 -d 10.255.13.157   -j DROP
>
>
> ssh session does not hang
> <set 4>
> ---------------------------------------
> iptables -A INPUT -d 10.255.13.157 -m state --state
> RELATED,ESTABLISHED  -j ACCEPT
> iptables -A INPUT -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
> iptables -A  INPUT -d 10.255.13.157   -j DROP
>
>
> steps to reproduce the this issue
> -----------------------------------------------
>     iptables -F
>     iptables  -X
>     <Insert any one set of rules from set 1 or set 2 >
>     service ip6tables stop
>     service iptables save
>     iptables -L -n
>     service iptables restart
>     iptables -L -n
>
> Thanks and regards,
> Adishesh
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>


-- 
--
Pandu E Poluan - IT Optimizer
My website: http://pandu.poluan.info/

Re: ssh session are hanging when firewall is restarted

[Adishesh M]

Hi,

I was doing other tests and come cross this issue.
we have not observed this issue on fedora 14.  Only in RHEL 6.1 this
issue is observed.
Solution for this issue may be available in latest netfiler versions
but not yet integrated in RHEL 6.


Thanks and regards,
Adishesh


On Thu, Aug 25, 2011 at 3:45 PM, Pandu Poluan <pandu@poluan.info> wrote:
> Why do you need to restart iptables?
>
> iptables is *not* a daemon-based service. It's always on in the
> kernel. All invocation of the iptables command act *immediately*
>
> Rgds,
>
>
> On 2011-08-24, Adishesh M <adisheshsm@gmail.com> wrote:
>> Hi,
>> When we insert below rules into the ip tables, ssh sessions are
>> hanging ( infact all tcp connection are terminated).
>>
>> “iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m
>> state --state NEW -j DROP”.
>>
>> what is the problem with this above rule. we used this rule to drop
>> bad tcp packets. when firewall is restarted using "service iptables
>> restart", ssh sessions are hanging.
>>
>>
>> Rule used for testing.
>>
>> ssh session hangs
>> <set 1>
>> --------------------------
>> iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m
>> state --state NEW -j DROP
>> iptables -A INPUT -d 10.255.13.157 -m state --state
>> RELATED,ESTABLISHED  -j ACCEPT
>> iptables -A INPUT -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
>> iptables -A  INPUT -d 10.255.13.157   -j DROP
>>
>>
>> ssh session hangs
>> <set 2>
>> ----------------------------
>> iptables -N TEST_LAN_1
>> iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m
>> state --state NEW -j DROP
>> iptables -A INPUT -d 10.255.13.157 -j TEST_LAN_1
>> iptables -A TEST_LAN_1 -d 10.255.13.157 -m state --state
>> RELATED,ESTABLISHED  -j ACCEPT
>> iptables -A TEST_LAN_1 -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
>> iptables -A  TEST_LAN_1 -d 10.255.13.157   -j DROP
>>
>>
>>
>> ssh session does not hang
>> <set 3>
>> ---------------------------------------
>> iptables -N TEST_LAN_1
>> iptables -A INPUT -d 10.255.13.157 -j TEST_LAN_1
>> iptables -A TEST_LAN_1 -d 10.255.13.157 -m state --state
>> RELATED,ESTABLISHED  -j ACCEPT
>> iptables -A TEST_LAN_1 -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
>> iptables -A  TEST_LAN_1 -d 10.255.13.157   -j DROP
>>
>>
>> ssh session does not hang
>> <set 4>
>> ---------------------------------------
>> iptables -A INPUT -d 10.255.13.157 -m state --state
>> RELATED,ESTABLISHED  -j ACCEPT
>> iptables -A INPUT -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
>> iptables -A  INPUT -d 10.255.13.157   -j DROP
>>
>>
>> steps to reproduce the this issue
>> -----------------------------------------------
>>     iptables -F
>>     iptables  -X
>>     <Insert any one set of rules from set 1 or set 2 >
>>     service ip6tables stop
>>     service iptables save
>>     iptables -L -n
>>     service iptables restart
>>     iptables -L -n
>>
>> Thanks and regards,
>> Adishesh
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
>
>
> --
> --
> Pandu E Poluan - IT Optimizer
> My website: http://pandu.poluan.info/
>

Re: ssh session are hanging when firewall is restarted

[Tyler J. Wagner]

Adishesh,

This is not a netfilter issue. This is an issue with RHEL 6.1, and the fact
that it is unloading and reloading the netfilter module when you invoke
"restart".

Instead, just do this:

iptables-restore /etc/sysconfig/iptables

Regards,
Tyler

On 2011-08-25 11:34, Adishesh M wrote:
> Hi,
> 
> I was doing other tests and come cross this issue.
> we have not observed this issue on fedora 14.  Only in RHEL 6.1 this
> issue is observed.
> Solution for this issue may be available in latest netfiler versions
> but not yet integrated in RHEL 6.
> 
> 
> Thanks and regards,
> Adishesh
> 
> 
> On Thu, Aug 25, 2011 at 3:45 PM, Pandu Poluan <pandu@poluan.info> wrote:
>> Why do you need to restart iptables?
>>
>> iptables is *not* a daemon-based service. It's always on in the
>> kernel. All invocation of the iptables command act *immediately*
>>
>> Rgds,
>>
>>
>> On 2011-08-24, Adishesh M <adisheshsm@gmail.com> wrote:
>>> Hi,
>>> When we insert below rules into the ip tables, ssh sessions are
>>> hanging ( infact all tcp connection are terminated).
>>>
>>> “iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m
>>> state --state NEW -j DROP”.
>>>
>>> what is the problem with this above rule. we used this rule to drop
>>> bad tcp packets. when firewall is restarted using "service iptables
>>> restart", ssh sessions are hanging.
>>>
>>>
>>> Rule used for testing.
>>>
>>> ssh session hangs
>>> <set 1>
>>> --------------------------
>>> iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m
>>> state --state NEW -j DROP
>>> iptables -A INPUT -d 10.255.13.157 -m state --state
>>> RELATED,ESTABLISHED  -j ACCEPT
>>> iptables -A INPUT -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
>>> iptables -A  INPUT -d 10.255.13.157   -j DROP
>>>
>>>
>>> ssh session hangs
>>> <set 2>
>>> ----------------------------
>>> iptables -N TEST_LAN_1
>>> iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m
>>> state --state NEW -j DROP
>>> iptables -A INPUT -d 10.255.13.157 -j TEST_LAN_1
>>> iptables -A TEST_LAN_1 -d 10.255.13.157 -m state --state
>>> RELATED,ESTABLISHED  -j ACCEPT
>>> iptables -A TEST_LAN_1 -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
>>> iptables -A  TEST_LAN_1 -d 10.255.13.157   -j DROP
>>>
>>>
>>>
>>> ssh session does not hang
>>> <set 3>
>>> ---------------------------------------
>>> iptables -N TEST_LAN_1
>>> iptables -A INPUT -d 10.255.13.157 -j TEST_LAN_1
>>> iptables -A TEST_LAN_1 -d 10.255.13.157 -m state --state
>>> RELATED,ESTABLISHED  -j ACCEPT
>>> iptables -A TEST_LAN_1 -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
>>> iptables -A  TEST_LAN_1 -d 10.255.13.157   -j DROP
>>>
>>>
>>> ssh session does not hang
>>> <set 4>
>>> ---------------------------------------
>>> iptables -A INPUT -d 10.255.13.157 -m state --state
>>> RELATED,ESTABLISHED  -j ACCEPT
>>> iptables -A INPUT -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
>>> iptables -A  INPUT -d 10.255.13.157   -j DROP
>>>
>>>
>>> steps to reproduce the this issue
>>> -----------------------------------------------
>>>     iptables -F
>>>     iptables  -X
>>>     <Insert any one set of rules from set 1 or set 2 >
>>>     service ip6tables stop
>>>     service iptables save
>>>     iptables -L -n
>>>     service iptables restart
>>>     iptables -L -n
>>>
>>> Thanks and regards,
>>> Adishesh
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>
>>
>>
>> --
>> --
>> Pandu E Poluan - IT Optimizer
>> My website: http://pandu.poluan.info/
>>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

-- 
"The bourgeoisie are hated from both ends: by the proles, because they
have all the money, and by the intelligentsia, because of their
tendency to spend it on lawn ornaments."
   -- Neal Stephenson, Cryptonomicon