LinuxQuestions.org
Old 12-30-2010, 06:14 PM   #1
cocchiararo
LQ Newbie
 
Registered: Apr 2008
Posts: 29

Rep: Reputation: 15
Debian - iptables (and other server services): my rules "change by themselves"


Hello guys

I come to you after failing to find an answer either by googling or trying "home made workarounds".

For more than a year I have been using the following hardware as a home server:

Athlon64 3500+
2 GB DDR400
HDD 160 GB
HDD 1 TB (for my home PCs' backup)
onboard LAN: internet (right now I have ADSL, with a Huawei MT882 in bridge mode, my server "dials")
4 gigabit ethernet cards: bridged, acting as a gigabit switch (right now I only use 2 of them for PCs, one for a wifi router, the other one is free)

The server runs Debian 5.0.* with: apache, iptables, dnsmasq (dns and dhcp), vnc, phpmyadmin, mysql, torrentflux, jdownloader, SQUID, SANE (new addition, problems started way before it), and probably more stuff.

It also shares an Epson printer/scanner, but i failed to properly share the scanner, so i use it through VNC (phpSANE more or less worked, but not fully).

My problem is that for some reason, at random times, my iptables rules are changed/flushed, and replaced by this:

Code:
alpha:~# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  loopback/8           anywhere
ACCEPT     all  --  anywhere             255.255.255.255
ACCEPT     all  --  anywhere             255.255.255.255
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  10.0.0.0/24          anywhere
ACCEPT    !tcp  --  anywhere             BASE-ADDRESS.MCAST.NET/4
ACCEPT    !tcp  --  anywhere             BASE-ADDRESS.MCAST.NET/4
DROP       all  --  192.168.1.0/24       anywhere
DROP       all  --  10.0.0.0/24          anywhere
ACCEPT     all  --  anywhere             255.255.255.255
ACCEPT     all  --  anywhere             host89.190-139-215.telecom.net.ar
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.1.0/24       192.168.1.0/24
ACCEPT     all  --  10.0.0.0/24          192.168.1.0/24
ACCEPT     all  --  192.168.1.0/24       10.0.0.0/24
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  10.0.0.0/24          anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             192.168.1.0/24
DROP       all  --  anywhere             10.0.0.0/24
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             255.255.255.255
ACCEPT     all  --  anywhere             255.255.255.255
ACCEPT     all  --  anywhere             192.168.1.0/24
ACCEPT     all  --  anywhere             10.0.0.0/24
ACCEPT    !tcp  --  anywhere             BASE-ADDRESS.MCAST.NET/4
ACCEPT    !tcp  --  anywhere             BASE-ADDRESS.MCAST.NET/4
LOG        all  --  anywhere             192.168.1.0/24      LOG level warning
DROP       all  --  anywhere             192.168.1.0/24
LOG        all  --  anywhere             10.0.0.0/24         LOG level warning
DROP       all  --  anywhere             10.0.0.0/24
ACCEPT     all  --  anywhere             255.255.255.255
ACCEPT     all  --  host89.190-139-215.telecom.net.ar  anywhere
DROP       all  --  anywhere             anywhere
The server keeps working, and I only notice if I try to ssh/vnc/something from outside to my custom ports for those protocols, and I fail, then I try on the stock ones, and it works... (I left the default ports in each configuration, but redirected them using iptables).
Another chance of noticing is when my brother is unable to host a Warcraft 3 game, and asks me to reload the iptables rules (he now knows what he has to ask :P )

I have no idea what's going on.

I even added a cronjob in crontab (for the root user) to reload the rules every 30 minutes, then 15, then 5 (I also made it log something, so I was sure it was working), but it worked for a while (on each periodicity), and then stopped working too, so now I'm back at manual reloading.

All my pcs have their own firewall too, just in case.
 
Old 12-31-2010, 01:42 AM   #2
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1297
Hello,

That's quite a complete post, but one thing I see missing. What did you find in the logs? Open a tail -f on the logs involved and reload the iptables rules, see what happens. Also, did you at anytime install an IPS system? An intrusion prevention system is one of those programs that dynamically changes your iptables rules.

Kind regards,

Eric
 
Old 12-31-2010, 05:08 AM   #3
cocchiararo
LQ Newbie
 
Registered: Apr 2008
Posts: 29

Original Poster
Rep: Reputation: 15
I am sure I never installed an IPS system, at least not knowing I was doing that.

Now I feel ashamed, I thought about looking at "some logs", but failed to identify the ones that were useful for this case.

My own rules stick for a while though.

I thought about setting a cronjob that dumped iptables rules periodically so that I could learn when they were changed, or how long my rules "lasted", but haven't done so yet.
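The periodic rule dump proposed in this post, combined with the log check suggested in the reply above, as an added example (not the poster's own script): a cron-driven watcher that snapshots the ruleset with iptables-save, strips the counters and timestamps that differ on every dump, and logs a timestamped diff whenever the rules differ from the previous snapshot. The script name iptables-watch.sh and the paths /var/lib/iptables-watch and /var/log/iptables-watch.log are assumptions.

```shell
#!/bin/sh
# Hypothetical iptables-watch.sh (added example): snapshot the ruleset
# on every run, compare it with the previous snapshot and log a
# timestamped diff when the rules were replaced. Paths are assumptions.
set -u
STATE_DIR="${STATE_DIR:-/var/lib/iptables-watch}"
LOG_FILE="${LOG_FILE:-/var/log/iptables-watch.log}"

# Strip the parts of "iptables-save -c" output that change on every dump
# even when the rules do not: the "# Generated by"/"# Completed on"
# comments and the [packets:bytes] counters on policy and rule lines.
normalize_ruleset() {
    sed -e '/^#/d' -e 's/ *\[[0-9][0-9]*:[0-9][0-9]*\] *//g'
}

# ruleset_changed PREV CUR: print a unified diff of two normalized
# snapshots; return 0 (changed) or 1 (identical). A missing PREV
# (first run) counts as changed so the initial ruleset gets logged.
ruleset_changed() {
    prev="$1"; cur="$2"
    if [ ! -f "$prev" ]; then
        echo "no previous snapshot; recording the current ruleset"
        return 0
    fi
    if diff -u "$prev" "$cur"; then
        return 1
    fi
    return 0
}

# One cron tick: dump, compare, log, and keep the new snapshot.
check_once() {
    mkdir -p "$STATE_DIR"
    cur="$STATE_DIR/current.rules"
    prev="$STATE_DIR/previous.rules"
    iptables-save -c | normalize_ruleset > "$cur"
    if d=$(ruleset_changed "$prev" "$cur"); then
        printf '%s ruleset changed\n%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$d" >> "$LOG_FILE"
    fi
    mv "$cur" "$prev"
}

# Intended root crontab line, every 5 minutes:
#   */5 * * * * /usr/local/sbin/iptables-watch.sh --cron
case "${1:-}" in
    --cron) check_once ;;
esac
```

The log then narrows the replacement down to one cron interval, which can be lined up with the system log entries (syslog, pppd, cron) from the same minutes.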
 
Old 01-08-2011, 03:41 PM   #5
cocchiararo
LQ Newbie
 
Registered: Apr 2008
Posts: 29

Original Poster
Rep: Reputation: 15
I was able to log a change in my iptables rules, January 6th, between 15:40 and 15:45.

I extracted the iptables rules in both formats (iptables -L and iptables-save), and also some logs that recorded "stuff" between those times.

I noticed that my PPP/PPPoE connection went down for a few seconds (it does that :P).

I tried manually disconnecting the phone line from the ADSL modem, but it did not cause the same effect.

I attached a small zip file (renamed to .log :P) with all the relevant files.
Attached Files: files.log (5.4 KB, 5 views)