LinuxQuestions.org
Old 06-29-2011, 09:06 AM   #1
golden_boy615
Member
 
Registered: Dec 2008
Distribution: Ubuntu Fedora
Posts: 444

unwanted blocking ip address and session log out in ubuntu 10.04 server (Zentyal)


Hello,
I have an Ubuntu Server 10.04 LTS with 3 NICs: eth0 is local, and eth1 and eth2 are internet connections. It acts as a firewall, HTTP proxy and Samba file server. I installed the Zentyal panel manager on my server for easier management. I did not configure any specific rule for my firewall, but I have some problems with my clients who want to connect to my server as a gateway or as a file server; I have experienced these problems myself too. The problems are as follows:

1. Sometimes, for a few minutes (maximum 10 minutes), my server blocks some of my clients from accessing it or the internet. It is only for minutes, but it is very annoying.
2. All of my clients who log in to HTTPS servers or to their mail, or who use software like TeamViewer, say that they are logged out of their sessions randomly. I mean some of them get logged out of their mail (Yahoo Mail, Google Mail, ...) or disconnected from their TeamViewer connection; as I saw it, TeamViewer disconnects for a few seconds and then comes back again. But I did not set anything in my firewall or other services. These are my complete iptables rules:


Quote:
iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
inospoof all -- anywhere anywhere
iexternalmodules all -- anywhere anywhere
iexternal all -- anywhere anywhere
inoexternal all -- anywhere anywhere
imodules all -- anywhere anywhere
iintservs all -- anywhere anywhere
iglobal all -- anywhere anywhere
ACCEPT icmp !f anywhere anywhere icmp echo-request state NEW
ACCEPT icmp !f anywhere anywhere icmp echo-reply state NEW
ACCEPT icmp !f anywhere anywhere icmp destination-unreachable state NEW
ACCEPT icmp !f anywhere anywhere icmp source-quench state NEW
ACCEPT icmp !f anywhere anywhere icmp time-exceeded state NEW
ACCEPT icmp !f anywhere anywhere icmp parameter-problem state NEW
idrop all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
fnospoof all -- anywhere anywhere
fredirects all -- anywhere anywhere
fmodules all -- anywhere anywhere
ffwdrules all -- anywhere anywhere
fnoexternal all -- anywhere anywhere
fdns all -- anywhere anywhere
fobjects all -- anywhere anywhere
fglobal all -- anywhere anywhere
ACCEPT icmp !f anywhere anywhere icmp echo-request state NEW
ACCEPT icmp !f anywhere anywhere icmp echo-reply state NEW
ACCEPT icmp !f anywhere anywhere icmp destination-unreachable state NEW
ACCEPT icmp !f anywhere anywhere icmp source-quench state NEW
ACCEPT icmp !f anywhere anywhere icmp time-exceeded state NEW
ACCEPT icmp !f anywhere anywhere icmp parameter-problem state NEW
fdrop all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ointernal all -- anywhere anywhere
omodules all -- anywhere anywhere
oglobal all -- anywhere anywhere
ACCEPT icmp !f anywhere anywhere icmp echo-request state NEW
ACCEPT icmp !f anywhere anywhere icmp echo-reply state NEW
ACCEPT icmp !f anywhere anywhere icmp destination-unreachable state NEW
ACCEPT icmp !f anywhere anywhere icmp source-quench state NEW
ACCEPT icmp !f anywhere anywhere icmp time-exceeded state NEW
ACCEPT icmp !f anywhere anywhere icmp parameter-problem state NEW
odrop all -- anywhere anywhere

Chain drop (5 references)
target prot opt source destination
DROP all -- anywhere anywhere

Chain fdns (1 references)
target prot opt source destination
ACCEPT udp -- anywhere 4.2.2.4 state NEW udp dpt domain
ACCEPT tcp -- anywhere 4.2.2.4 state NEW tcp dpt domain
ACCEPT udp -- anywhere vnsc-bak.sys.gtei.net state NEW udp dpt domain
ACCEPT tcp -- anywhere vnsc-bak.sys.gtei.net state NEW tcp dpt domain

Chain fdrop (7 references)
target prot opt source destination
drop all -- anywhere anywhere

Chain ffwdrules (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain fglobal (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain fmodules (1 references)
target prot opt source destination

Chain fnoexternal (1 references)
target prot opt source destination
fdrop all -- anywhere anywhere state NEW
fdrop all -- anywhere anywhere state NEW

Chain fnospoof (1 references)
target prot opt source destination
fdrop all -- localnet/24 anywhere
fdrop all -- 192.168.1.0/24 anywhere
fdrop all -- 192.168.2.0/24 anywhere

Chain fobjects (1 references)
target prot opt source destination

Chain fredirects (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere linux.local state NEW tcp dpt ssh
ACCEPT tcp -- anywhere RAAD.local state NEW tcp dpt https
ACCEPT tcp -- anywhere 192.168.8.141 state NEW tcp dpt www
ACCEPT udp -- anywhere RAAD.local state NEW udp dpt tinc
ACCEPT tcp -- anywhere RAAD.local state NEW tcp dpt tinc
ACCEPT icmp -- anywhere 192.168.1.1 state NEW
ACCEPT tcp -- anywhere RAAD.raad.com state NEW tcp dpt 5090
ACCEPT tcp -- anywhere solmate-2.local state NEW tcp dpt mysql
ACCEPT udp -- anywhere RAAD.local state NEW udp dpt www
ACCEPT tcp -- anywhere RAAD.local state NEW tcp dpt www
ACCEPT udp -- anywhere Teymouri-PC.local state NEW udp dpt www
ACCEPT tcp -- anywhere Teymouri-PC.local state NEW tcp dpt www
ACCEPT tcp -- anywhere solmate-2.local state NEW tcp dpt www
ACCEPT tcp -- anywhere minimbusd.local state NEW tcp dpt 502
ACCEPT tcp -- anywhere solmate-2.local state NEW tcp dpt ssh
ACCEPT tcp -- anywhere Teymouri-PC.local state NEW tcp dpt ssh

Chain ftoexternalonly (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
fdrop all -- anywhere anywhere

Chain idrop (6 references)
target prot opt source destination
drop all -- anywhere anywhere

Chain iexternal (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere udp dpt tinc state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt tinc state NEW
ACCEPT udp -- anywhere anywhere udp dpt 465 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt ssmtp state NEW
ACCEPT udp -- anywhere anywhere udp dpt 25 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt smtp state NEW
ACCEPT udp -- anywhere anywhere udp dpt imaps state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt imaps state NEW
ACCEPT udp -- anywhere anywhere udp dpt domain state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt domain state NEW
ACCEPT udp -- anywhere anywhere udp dpt imap2 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt imap2 state NEW
ACCEPT icmp !f anywhere anywhere icmp echo-request state NEW
ACCEPT icmp !f anywhere anywhere icmp echo-reply state NEW
ACCEPT icmp !f anywhere anywhere icmp destination-unreachable state NEW
ACCEPT icmp !f anywhere anywhere icmp source-quench state NEW
ACCEPT icmp !f anywhere anywhere icmp parameter-problem state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt http-alt state NEW
ACCEPT udp -- anywhere anywhere udp dpt pop3 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt pop3 state NEW
ACCEPT udp -- anywhere anywhere udp dpt tftp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt 69 state NEW
ACCEPT udp -- anywhere anywhere udp dpt submission state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt submission state NEW
ACCEPT udp -- anywhere anywhere udp dpt 3389 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt 3389 state NEW
ACCEPT udp -- anywhere anywhere udp dpt 20 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt ftp-data state NEW
ACCEPT udp -- anywhere anywhere udp dpt fsp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt ftp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt www state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt https state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt imaps state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt smtp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt pop3s state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt pop3 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt ssmtp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt imap2 state NEW
ACCEPT udp -- anywhere anywhere udp dpts 10000 20000 state NEW
ACCEPT udp -- anywhere anywhere udp dpt sip state NEW
ACCEPT udp -- anywhere anywhere udp dpt 5036 state NEW
ACCEPT udp -- anywhere anywhere udp dpt iax state NEW
drop udp -- anywhere anywhere udp dpt radius state NEW

Chain iexternalmodules (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt route
ACCEPT udp -- anywhere anywhere udp dpt openvpn

Chain iglobal (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere udp dpt ntp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt 8110 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt xmpp-client state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt 5223 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt ftp-data state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt ftp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt www state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt 4190 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt imaps state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt smtp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt pop3s state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt pop3 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt ssmtp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt imap2 state NEW
ACCEPT udp -- anywhere anywhere udp dpt domain state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt domain state NEW
ACCEPT udp -- anywhere anywhere udp dpt bootps state NEW
ACCEPT udp -- anywhere anywhere udp dpt tftp state NEW
ACCEPT udp -- anywhere anywhere udp dpts 10000 20000 state NEW
ACCEPT udp -- anywhere anywhere udp dpt sip state NEW
ACCEPT udp -- anywhere anywhere udp dpt 5036 state NEW
ACCEPT udp -- anywhere anywhere udp dpt iax state NEW
ACCEPT udp -- anywhere anywhere udp dpt radius state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt ipp state NEW
ACCEPT udp -- anywhere anywhere udp dpt netbios-dgm state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt netbios-dgm state NEW
ACCEPT udp -- anywhere anywhere udp dpt netbios-ns state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt netbios-ns state NEW
ACCEPT udp -- anywhere anywhere udp dpt microsoft-ds state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt microsoft-ds state NEW
ACCEPT udp -- anywhere anywhere udp dpt netbios-ssn state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt netbios-ssn state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt 8888 state NEW
drop tcp -- anywhere anywhere tcp dpt ldap state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt ssh state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt https state NEW

Chain iintservs (1 references)
target prot opt source destination

Chain imodules (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt route
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt 3128

Chain inoexternal (1 references)
target prot opt source destination
idrop all -- anywhere anywhere state NEW
idrop all -- anywhere anywhere state NEW

Chain inointernal (0 references)
target prot opt source destination

Chain inospoof (1 references)
target prot opt source destination
idrop all -- localnet/24 anywhere
idrop all -- 192.168.1.0/24 anywhere
idrop all -- 192.168.2.0/24 anywhere

Chain log (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain odrop (1 references)
target prot opt source destination
drop all -- anywhere anywhere

Chain oglobal (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW

Chain ointernal (1 references)
target prot opt source destination
ACCEPT udp -- anywhere 4.2.2.4 state NEW udp dpt domain
ACCEPT tcp -- anywhere 4.2.2.4 state NEW tcp dpt domain
ACCEPT udp -- anywhere vnsc-bak.sys.gtei.net state NEW udp dpt domain
ACCEPT tcp -- anywhere vnsc-bak.sys.gtei.net state NEW tcp dpt domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt domain

Chain omodules (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere state NEW udp spt sip
ACCEPT udp -- anywhere anywhere state NEW udp spts 10000 20000
ACCEPT udp -- anywhere anywhere udp dpt route
ACCEPT tcp -- anywhere anywhere tcp dpt www
ACCEPT tcp -- anywhere anywhere state NEW tcp spt netbios-ns
ACCEPT udp -- anywhere anywhere state NEW udp spt netbios-ns
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt netbios-ns
ACCEPT udp -- anywhere anywhere state NEW udp dpt netbios-ns
ACCEPT tcp -- anywhere anywhere state NEW tcp spt netbios-dgm
ACCEPT udp -- anywhere anywhere state NEW udp spt netbios-dgm
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt netbios-dgm
ACCEPT udp -- anywhere anywhere state NEW udp dpt netbios-dgm
ACCEPT tcp -- anywhere anywhere state NEW tcp spt netbios-ssn
ACCEPT udp -- anywhere anywhere state NEW udp spt netbios-ssn
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt netbios-ssn
ACCEPT udp -- anywhere anywhere state NEW udp dpt netbios-ssn
ACCEPT tcp -- anywhere anywhere state NEW tcp spt microsoft-ds
ACCEPT udp -- anywhere anywhere state NEW udp spt microsoft-ds
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt microsoft-ds
ACCEPT udp -- anywhere anywhere state NEW udp dpt microsoft-ds
ACCEPT tcp -- anywhere anywhere state NEW tcp spt netbios-ns
ACCEPT udp -- anywhere anywhere state NEW udp spt netbios-ns
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt netbios-ns
ACCEPT udp -- anywhere anywhere state NEW udp dpt netbios-ns
ACCEPT tcp -- anywhere anywhere state NEW tcp spt netbios-dgm
ACCEPT udp -- anywhere anywhere state NEW udp spt netbios-dgm
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt netbios-dgm
ACCEPT udp -- anywhere anywhere state NEW udp dpt netbios-dgm
ACCEPT tcp -- anywhere anywhere state NEW tcp spt netbios-ssn
ACCEPT udp -- anywhere anywhere state NEW udp spt netbios-ssn
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt netbios-ssn
ACCEPT udp -- anywhere anywhere state NEW udp dpt netbios-ssn
ACCEPT tcp -- anywhere anywhere state NEW tcp spt microsoft-ds
ACCEPT udp -- anywhere anywhere state NEW udp spt microsoft-ds
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt microsoft-ds
ACCEPT udp -- anywhere anywhere state NEW udp dpt microsoft-ds
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt www
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt https

So what is wrong? I cannot find anything with my knowledge.
Please help.

Thanks a lot.
 
Old 07-01-2011, 02:05 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,744
Blog Entries: 54

Quote:
Originally Posted by golden_boy615 View Post
(..) I did not configure any specific rule for my firewall (..) some time for a few minutes (maximum 10 minutes) my server block some of my clients to access it or internet (..) all of my clients those who login to an https servers or login to their mail or those who has some software like team viewer say that they are logging out from their session randomly (..) or disconnecting (..) for a few seconds and then comes back again. but I did not set any thing in my firewall or other services. (..) I can not find any thing in my knowledge .
A couple of unordered remarks:
- have clients ensure there's no routing or firewall problems on their side too (not all things may be server-related),
- do the same for your server to their client address and their chosen destination (like remote webmail),
- it's best to post 'iptables -t filter -nvL' instead, or better: the contents of the configuration file that holds the firewall rules,
- some rules make no sense,
- using "-j LOG" rules is the best and simplest way to diagnose traffic flowing through the firewall,
- ensure there's no service problems (check logs?),
- ensure there's no other applications blocking network traffic (like fail2ban or equivalent),
- ensure you understand applications and iptables (frozentux tutorial), as using a web-based management panel is no substitute for requisite admin knowledge.
 
Old 07-02-2011, 02:28 AM   #3
golden_boy615
Member
 
Registered: Dec 2008
Distribution: Ubuntu Fedora
Posts: 444

Original Poster
Quote:
- have clients ensure there's no routing or firewall problems on their side too (not all things may be server-related)
They are all Windows and all of their firewalls are disabled.
Quote:
- best post 'iptables -t filter -nvL' instead, or better: the contents of the configuration file that holds the firewall rules,
Quote:
iptables -t filter -nvL

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4584K 520M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1503 81586 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
2170K 406M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
619K 46M inospoof all -- * * 0.0.0.0/0 0.0.0.0/0
544K 39M iexternalmodules all -- * * 0.0.0.0/0 0.0.0.0/0
544K 39M iexternal all -- * * 0.0.0.0/0 0.0.0.0/0
295K 22M inoexternal all -- * * 0.0.0.0/0 0.0.0.0/0
295K 22M imodules all -- * * 0.0.0.0/0 0.0.0.0/0
258K 20M iintservs all -- * * 0.0.0.0/0 0.0.0.0/0
258K 20M iglobal all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 0 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 4 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 11 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 12 state NEW
0 0 idrop all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 1 packets, 52 bytes)
pkts bytes target prot opt in out source destination
1767 89474 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
1044K 224M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
36830 2299K fnospoof all -- * * 0.0.0.0/0 0.0.0.0/0
35292 2203K fredirects all -- * * 0.0.0.0/0 0.0.0.0/0
33991 2108K fmodules all -- * * 0.0.0.0/0 0.0.0.0/0
33991 2108K ffwdrules all -- * * 0.0.0.0/0 0.0.0.0/0
29233 1860K fnoexternal all -- * * 0.0.0.0/0 0.0.0.0/0
29233 1860K fdns all -- * * 0.0.0.0/0 0.0.0.0/0
21179 1322K fobjects all -- * * 0.0.0.0/0 0.0.0.0/0
21179 1322K fglobal all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 0 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 4 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 11 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 12 state NEW
1 52 fdrop all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4584K 520M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
345 15640 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
2103K 506M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
597K 43M ointernal all -- * * 0.0.0.0/0 0.0.0.0/0
522K 37M omodules all -- * * 0.0.0.0/0 0.0.0.0/0
468K 34M oglobal all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 0 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 4 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 11 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 12 state NEW
4 288 odrop all -- * * 0.0.0.0/0 0.0.0.0/0

Chain drop (5 references)
pkts bytes target prot opt in out source destination
77159 7598K DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fdns (1 references)
pkts bytes target prot opt in out source destination
8000 535K ACCEPT udp -- * * 0.0.0.0/0 4.2.2.4 state NEW udp dpt 53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 4.2.2.4 state NEW tcp dpt 53
54 3756 ACCEPT udp -- * * 0.0.0.0/0 4.2.2.2 state NEW udp dpt 53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 4.2.2.2 state NEW tcp dpt 53

Chain fdrop (7 references)
pkts bytes target prot opt in out source destination
1539 95428 drop all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ffwdrules (1 references)
pkts bytes target prot opt in out source destination
29232 1860K RETURN all -- eth0 * 0.0.0.0/0 0.0.0.0/0
4758 248K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fglobal (1 references)
pkts bytes target prot opt in out source destination
21178 1322K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fmodules (1 references)
pkts bytes target prot opt in out source destination

Chain fnoexternal (1 references)
pkts bytes target prot opt in out source destination
0 0 fdrop all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 fdrop all -- eth2 * 0.0.0.0/0 0.0.0.0/0 state NEW

Chain fnospoof (1 references)
pkts bytes target prot opt in out source destination
1432 89857 fdrop all -- !eth0 * 192.168.8.0/24 0.0.0.0/0
0 0 fdrop all -- !eth1 * 192.168.1.0/24 0.0.0.0/0
106 5519 fdrop all -- !eth2 * 192.168.2.0/24 0.0.0.0/0

Chain fobjects (1 references)
pkts bytes target prot opt in out source destination

Chain fredirects (1 references)
pkts bytes target prot opt in out source destination
1 48 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.8.204 state NEW tcp dpt 22
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.8.1 state NEW tcp dpt 443
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.8.141 state NEW tcp dpt 80
0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 192.168.8.1 state NEW udp dpt 655
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.8.1 state NEW tcp dpt 655
871 72444 ACCEPT icmp -- eth1 * 0.0.0.0/0 192.168.1.1 state NEW
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.8.111 state NEW tcp dpt 5090
166 8632 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.8.134 state NEW tcp dpt 3306
0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 192.168.8.1 state NEW udp dpt 80
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.8.1 state NEW tcp dpt 80
0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 192.168.8.200 state NEW udp dpt 80
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.8.200 state NEW tcp dpt 80
261 13564 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.8.134 state NEW tcp dpt 80
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.8.133 state NEW tcp dpt 502
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.8.134 state NEW tcp dpt 22
2 104 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.8.200 state NEW tcp dpt 22

Chain ftoexternalonly (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * eth2 0.0.0.0/0 0.0.0.0/0
0 0 fdrop all -- * * 0.0.0.0/0 0.0.0.0/0

Chain idrop (6 references)
pkts bytes target prot opt in out source destination
75617 7502K drop all -- * * 0.0.0.0/0 0.0.0.0/0

Chain iexternal (1 references)
pkts bytes target prot opt in out source destination
185K 14M RETURN all -- eth0 * 0.0.0.0/0 0.0.0.0/0
110K 7990K RETURN all -- tap0 * 0.0.0.0/0 0.0.0.0/0
248K 17M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 655 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 655 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 465 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 465 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 25 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 25 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 993 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 993 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 53 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 53 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 143 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 143 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 0 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 4 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 12 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 8080 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 110 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 110 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 69 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 69 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 587 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 587 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 3389 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 3389 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 20 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 20 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 21 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 21 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 80 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 443 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 993 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 25 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 995 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 110 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 465 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 143 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts 10000 20000 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 5060 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 5036 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 4569 state NEW
0 0 drop udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 1812 state NEW

Chain iexternalmodules (1 references)
pkts bytes target prot opt in out source destination
185K 14M RETURN all -- eth0 * 0.0.0.0/0 0.0.0.0/0
110K 7990K RETURN all -- tap0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- tap0 * 0.0.0.0/0 0.0.0.0/0 udp dpt 520
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 1194

Chain iglobal (1 references)
pkts bytes target prot opt in out source destination
258K 20M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 123 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 8110 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 5222 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 5223 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 20 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 21 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 80 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 4190 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 993 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 25 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 995 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 110 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 465 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 143 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 53 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 53 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 67 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 69 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts 10000 20000 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 5060 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 5036 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 4569 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 1812 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 631 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 138 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 138 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 137 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 137 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 445 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 445 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt 139 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 139 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 8888 state NEW
0 0 drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 389 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 22 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 443 state NEW

Chain iintservs (1 references)
pkts bytes target prot opt in out source destination

Chain imodules (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- tap0 * 0.0.0.0/0 0.0.0.0/0 udp dpt 520
36936 1924K ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt 3128

Chain inoexternal (1 references)
pkts bytes target prot opt in out source destination
0 0 idrop all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 idrop all -- eth2 * 0.0.0.0/0 0.0.0.0/0 state NEW

Chain inointernal (0 references)
pkts bytes target prot opt in out source destination

Chain inospoof (1 references)
pkts bytes target prot opt in out source destination
74898 7418K idrop all -- !eth0 * 192.168.8.0/24 0.0.0.0/0
628 75345 idrop all -- !eth1 * 192.168.1.0/24 0.0.0.0/0
91 8487 idrop all -- !eth2 * 192.168.2.0/24 0.0.0.0/0

Chain log (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain odrop (1 references)
pkts bytes target prot opt in out source destination
4 288 drop all -- * * 0.0.0.0/0 0.0.0.0/0

Chain oglobal (1 references)
pkts bytes target prot opt in out source destination
468K 34M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW

Chain ointernal (1 references)
pkts bytes target prot opt in out source destination
73381 5215K ACCEPT udp -- * * 0.0.0.0/0 4.2.2.4 state NEW udp dpt 53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 4.2.2.4 state NEW tcp dpt 53
208 14810 ACCEPT udp -- * * 0.0.0.0/0 4.2.2.2 state NEW udp dpt 53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 4.2.2.2 state NEW tcp dpt 53
1121 83478 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt 53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt 53

Chain omodules (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW udp spt 5060
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW udp spts 10000 20000
0 0 ACCEPT udp -- * tap0 0.0.0.0/0 0.0.0.0/0 udp dpt 520
53210 3193K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt 80
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW tcp spt 137
5 450 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW udp spt 137
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt 137
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt 137
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW tcp spt 138
667 159K ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW udp spt 138
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt 138
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt 138
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW tcp spt 139
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW udp spt 139
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt 139
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt 139
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW tcp spt 445
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW udp spt 445
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt 445
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt 445
0 0 ACCEPT tcp -- * tap0 0.0.0.0/0 0.0.0.0/0 state NEW tcp spt 137
0 0 ACCEPT udp -- * tap0 0.0.0.0/0 0.0.0.0/0 state NEW udp spt 137
0 0 ACCEPT tcp -- * tap0 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt 137
0 0 ACCEPT udp -- * tap0 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt 137
0 0 ACCEPT tcp -- * tap0 0.0.0.0/0 0.0.0.0/0 state NEW tcp spt 138
658 157K ACCEPT udp -- * tap0 0.0.0.0/0 0.0.0.0/0 state NEW udp spt 138
0 0 ACCEPT tcp -- * tap0 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt 138
0 0 ACCEPT udp -- * tap0 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt 138
0 0 ACCEPT tcp -- * tap0 0.0.0.0/0 0.0.0.0/0 state NEW tcp spt 139
0 0 ACCEPT udp -- * tap0 0.0.0.0/0 0.0.0.0/0 state NEW udp spt 139
0 0 ACCEPT tcp -- * tap0 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt 139
0 0 ACCEPT udp -- * tap0 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt 139
0 0 ACCEPT tcp -- * tap0 0.0.0.0/0 0.0.0.0/0 state NEW tcp spt 445
0 0 ACCEPT udp -- * tap0 0.0.0.0/0 0.0.0.0/0 state NEW udp spt 445
0 0 ACCEPT tcp -- * tap0 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt 445
0 0 ACCEPT udp -- * tap0 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt 445
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt 80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt 443

- some rules make no sense,
what rule do you mean?
- using "-j LOG" rules is the best and simplest way to diagnose traffic flowing through the firewall,
I will do it thank you for your notice.
- ensure there's no service problems (check logs?),
there is no service problem.
- ensure there's no other applications blocking network traffic (like fail2ban or equivalent),
I have no other application related to firewall or something like that.
- ensure you understand applications and iptables (frozentux tutorial) as using a web-based management panel is no substitute for requisite admin knowledge.
Thanks for your advice.

any more information anybody wants for better guidance?
waiting for any help.
 
Old 07-02-2011, 08:28 AM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,791
Blog Entries: 1

Rep: Reputation: 414
That strikes me as an exceedingly complex firewall and without following unSpawn's advice to start tracking packets through it, it is going to be very difficult to figure out where the problem is.
 
Old 07-02-2011, 09:32 AM   #5
golden_boy615
Member
 
Registered: Dec 2008
Distribution: Ubuntu Fedora
Posts: 444

Original Poster
Rep: Reputation: 17
thanks but please tell me how can I track it through the logs where should I start?
 
Old 07-02-2011, 09:42 AM   #6
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,791
Blog Entries: 1

Rep: Reputation: 414
Quote:
Originally Posted by golden_boy615
thanks but please tell me how can I track it through the logs where should I start?

unSpawn already told you, you need to use the iptables LOG feature to figure this out. And you need to understand that there isn't going to be an easy or fast answer here. That firewall is so complex that you're going to be spending a fair bit of time figuring this out.
 
Old 07-02-2011, 10:11 AM   #7
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,791
Blog Entries: 1

Rep: Reputation: 414
One other thought....

Have you investigated if your hardware is up to the task? When these outages occur, what is taking up CPU time? Have you done any load testing? It could be that everything is working fine, but when you have a lot of customers trying to do stuff, the hardware simply isn't up to the task.
 
Old 07-02-2011, 11:03 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,744
Blog Entries: 54

Rep: Reputation: 2973
...in addition to what Hangdog42 already wrote:
Quote:
Originally Posted by golden_boy615
- some rules make no sense,
what rule do you mean?
Those chains and rules that perform the same function as the main chain's set policy. Any chain that has rules leaving gaping holes (ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW) and still has successive per-port ACCEPT rules. I would guess that result is a combination of using a web-based management panel and not knowing iptables.


It's odd you insist there are no client-side problems because by not making clients perform network diagnostics you miss out on information that could help you (like 'ssh -vvv' output) and you remain blind to what happens on their end. Reading up on eBox I find that it comprises a whole cornucopia of "modules" that also include an IDS etc, etc so I'm not sure you do not run that (might have some form of active defense enabled?) and saying there are no service problems (like logs and 'sshd -ddd' output could show) doesn't mean it's a firewall problem by definition as your firewall rule set is simple and straightforward, meaning it doesn't include more advanced connection checks and whatnot. I suggest finding the file eBox uses to store its firewall rule set in and posting its contents.
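unSpawn's point about chains that ACCEPT everything in state NEW and then carry per-port ACCEPT rules can be checked mechanically rather than by reading 70 lines of output. The script below is an added example written for this thread; it is not code from the thread, from Zentyal or from eBox. It parses `iptables -L -v -n` output, reports catch-all ACCEPT rules, and flags rules that can never match because an earlier terminal rule in the same chain already covers everything they match. The sample listing is constructed: it puts the post's oglobal catch-all and per-port rules of the omodules kind into one chain so the shadowing is visible within a single chain. The subset check compares exact match values only, so a port range, a negated interface or a different state is treated as a distinct constraint, which keeps the check conservative (it never reports a live rule as dead, but it can miss dead rules hidden behind ranges).

```python
import re
from dataclasses import dataclass

# Column values that impose no constraint in `iptables -L -v -n` output.
WILDCARDS = {"all", "*", "--", "0.0.0.0/0", "::/0", "anywhere"}
# Match extras turned into (key, value) constraints; other tokens are ignored.
KEYWORDS = {"state", "ctstate", "dpt", "spt", "dpts", "spts"}
# Targets that end chain traversal for a matching packet.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass(frozen=True)
class Rule:
    chain: str
    index: int              # 1-based position inside its chain
    target: str
    constraints: frozenset  # (field, value) pairs; fewer pairs = broader rule


def parse_extras(tokens):
    """Turn extras such as 'state NEW tcp dpt:80' into (key, value) pairs.
    Accepts the real 'dpt:80' / 'spts:10000:20000' forms and the
    'dpt 80' / 'spts 10000 20000' forms that forum formatting produces."""
    flat = []
    for tok in tokens:
        if ":" in tok and tok.split(":", 1)[0] in KEYWORDS:
            flat.extend(tok.split(":", 1))
        else:
            flat.append(tok)
    cons, i = set(), 0
    while i < len(flat):
        tok = flat[i]
        if tok in KEYWORDS and i + 1 < len(flat):
            # forum form 'spts 10000 20000': a low/high range pair
            if tok in ("dpts", "spts") and i + 2 < len(flat) \
                    and flat[i + 1].isdigit() and flat[i + 2].isdigit():
                cons.add((tok, f"{flat[i + 1]}:{flat[i + 2]}"))
                i += 3
            else:
                cons.add((tok, flat[i + 1]))
                i += 2
        else:
            i += 1  # repeated protocol names ('tcp', 'udp') add nothing
    return cons


def parse_listing(text):
    """Parse `iptables -L -v -n` output (all chains) into Rule objects."""
    rules, chain, index = [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain, index = m.group(1), 0
            continue
        parts = line.split()
        if not line or line.startswith("pkts") or chain is None or len(parts) < 9:
            continue  # header, blank or not a rule line
        target, prot, opt, iface_in, iface_out, src, dst = parts[2:9]
        cons = {(k, v) for k, v in (("prot", prot), ("opt", opt), ("in", iface_in),
                                    ("out", iface_out), ("src", src), ("dst", dst))
                if v not in WILDCARDS}
        cons |= parse_extras(parts[9:])
        index += 1
        rules.append(Rule(chain, index, target, frozenset(cons)))
    return rules


def find_catch_alls(rules):
    """ACCEPT rules that match everything (at most restricted to state NEW)."""
    return [r for r in rules if r.target == "ACCEPT"
            and r.constraints <= {("state", "NEW"), ("ctstate", "NEW")}]


def find_shadowed(rules):
    """(chain, dead_rule, shadowing_rule) for each rule that can never match:
    an earlier terminal rule in the same chain has a subset of its constraints,
    so it already catches every packet the later rule would."""
    by_chain, findings = {}, []
    for r in rules:
        by_chain.setdefault(r.chain, []).append(r)
    for chain, chain_rules in by_chain.items():
        for i, later in enumerate(chain_rules):
            for earlier in chain_rules[:i]:
                if earlier.target in TERMINAL and earlier.constraints <= later.constraints:
                    findings.append((chain, later.index, earlier.index))
                    break
    return findings


# Constructed sample: the post's oglobal catch-all followed by per-port rules
# of the omodules kind, plus the inospoof chain (user-chain target, never flagged).
SAMPLE_LISTING = """\
Chain oglobal (1 references)
 pkts bytes target prot opt in out source destination
 468K 34M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
 53210 3193K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
 0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW udp spts:10000:20000
Chain inospoof (1 references)
 pkts bytes target prot opt in out source destination
 74898 7418K idrop all -- !eth0 * 192.168.8.0/24 0.0.0.0/0
 628 75345 idrop all -- !eth1 * 192.168.1.0/24 0.0.0.0/0
"""

if __name__ == "__main__":
    rules = parse_listing(SAMPLE_LISTING)
    for r in find_catch_alls(rules):
        print(f"catch-all ACCEPT: chain {r.chain} rule {r.index}")
    for chain, dead, by in find_shadowed(rules):
        print(f"chain {chain}: rule {dead} can never match (shadowed by rule {by})")
```

Run it against the real output with `iptables -L -v -n | python3 this_script.py` after swapping `SAMPLE_LISTING` for `sys.stdin.read()`. Note that rule 4 of the sample (tcp dpt 80 without a state match) is correctly not reported: it also matches non-NEW packets, which the catch-all does not.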
 
Old 07-03-2011, 03:29 AM   #9
golden_boy615
Member
 
Registered: Dec 2008
Distribution: Ubuntu Fedora
Posts: 444

Original Poster
Rep: Reputation: 17
finally I found something, this is my syslog file content:
Quote:
Jul 3 11:38:12 RAAD kernel: [413340.809836] ebox-firewall drop IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1f:16:08:d8:25:08:00 SRC=192.168.8.54 DST=255.255.255.255 LEN=110 TOS=0x00 PREC=0x00 TTL=128 ID=25557 PROTO=UDP SPT=1047 DPT=1211 LEN=90 MARK=0x1
Jul 3 11:38:12 RAAD kernel: [413340.809860] ebox-firewall drop IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1f:16:08:d8:25:08:00 SRC=192.168.8.54 DST=255.255.255.255 LEN=110 TOS=0x00 PREC=0x00 TTL=128 ID=25557 PROTO=UDP SPT=1047 DPT=1211 LEN=90 MARK=0x1
Jul 3 11:38:13 RAAD kernel: [413341.383687] ebox-firewall drop IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:34:08:04:2a:79:77:08:00 SRC=192.168.8.181 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=25492 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:13 RAAD kernel: [413341.383704] ebox-firewall drop IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:34:08:04:2a:79:77:08:00 SRC=192.168.8.181 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=25492 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:14 RAAD kernel: [413342.133675] ebox-firewall drop IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:34:08:04:2a:79:77:08:00 SRC=192.168.8.181 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=25493 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:14 RAAD kernel: [413342.133691] ebox-firewall drop IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:34:08:04:2a:79:77:08:00 SRC=192.168.8.181 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=25493 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:23 RAAD kernel: [413351.513440] ebox-firewall drop IN=eth1 OUT= MAC=01:00:5e:00:00:01:70:1a:04:be:28:7c:08:00 SRC=192.168.8.80 DST=224.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=44958 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2704
Jul 3 11:38:23 RAAD kernel: [413351.513457] ebox-firewall drop IN=eth2 OUT= MAC=01:00:5e:00:00:01:70:1a:04:be:28:7c:08:00 SRC=192.168.8.80 DST=224.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=44958 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2704
Jul 3 11:38:24 RAAD kernel: [413352.883959] ebox-firewall drop IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:34:08:04:2a:79:77:08:00 SRC=192.168.8.181 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=25494 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:24 RAAD kernel: [413352.883982] ebox-firewall drop IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:34:08:04:2a:79:77:08:00 SRC=192.168.8.181 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=25494 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:25 RAAD kernel: [413353.633463] ebox-firewall drop IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:34:08:04:2a:79:77:08:00 SRC=192.168.8.181 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=25495 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:25 RAAD kernel: [413353.633490] ebox-firewall drop IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:34:08:04:2a:79:77:08:00 SRC=192.168.8.181 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=25495 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:26 RAAD kernel: [413354.383462] ebox-firewall drop IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:34:08:04:2a:79:77:08:00 SRC=192.168.8.181 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=25496 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:26 RAAD kernel: [413354.383482] ebox-firewall drop IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:34:08:04:2a:79:77:08:00 SRC=192.168.8.181 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=25496 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:27 RAAD kernel: [413355.627274] ebox-firewall drop IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:17:17:47:0e:08:00 SRC=192.168.8.20 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4076 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:27 RAAD kernel: [413355.627295] ebox-firewall drop IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:17:17:47:0e:08:00 SRC=192.168.8.20 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4076 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:27 RAAD kernel: [413355.627750] ebox-firewall drop IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:17:17:47:0e:08:00 SRC=192.168.8.20 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4077 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:27 RAAD kernel: [413355.627770] ebox-firewall drop IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:17:17:47:0e:08:00 SRC=192.168.8.20 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4077 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:28 RAAD kernel: [413356.376629] ebox-firewall drop IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:17:17:47:0e:08:00 SRC=192.168.8.20 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4101 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:28 RAAD kernel: [413356.376647] ebox-firewall drop IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:17:17:47:0e:08:00 SRC=192.168.8.20 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4101 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:29 RAAD kernel: [413357.877866] ebox-firewall drop IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:17:17:47:0e:08:00 SRC=192.168.8.20 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4107 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:31 RAAD kernel: [413359.377579] ebox-firewall drop IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:17:17:47:0e:08:00 SRC=192.168.8.20 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4111 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:32 RAAD kernel: [413360.809988] ebox-firewall drop IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1f:16:08:d8:25:08:00 SRC=192.168.8.54 DST=255.255.255.255 LEN=110 TOS=0x00 PREC=0x00 TTL=128 ID=25558 PROTO=UDP SPT=1047 DPT=1211 LEN=90 MARK=0x1
Jul 3 11:38:37 RAAD kernel: [413365.133764] ebox-firewall drop IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:34:08:04:2a:79:77:08:00 SRC=192.168.8.181 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=25497 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:37 RAAD kernel: [413365.133785] ebox-firewall drop IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:34:08:04:2a:79:77:08:00 SRC=192.168.8.181 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=25497 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:37 RAAD kernel: [413365.883262] ebox-firewall drop IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:34:08:04:2a:79:77:08:00 SRC=192.168.8.181 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=25498 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:37 RAAD kernel: [413365.883278] ebox-firewall drop IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:34:08:04:2a:79:77:08:00 SRC=192.168.8.181 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=25498 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:38 RAAD kernel: [413366.633232] ebox-firewall drop IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:34:08:04:2a:79:77:08:00 SRC=192.168.8.181 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=25499 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:42 RAAD kernel: [413370.278306] ebox-firewall drop IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1d:7d:97:0a:f8:08:00 SRC=192.168.8.11 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=34951 PROTO=UDP SPT=137 DPT=137 LEN=58
Jul 3 11:38:42 RAAD kernel: [413370.278322] ebox-firewall drop IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1d:7d:97:0a:f8:08:00 SRC=192.168.8.11 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=34951 PROTO=UDP SPT=137 DPT=137 LEN=58
Jul 3 11:38:42 RAAD kernel: [413370.284818] ebox-firewall drop IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1d:7d:97:0a:f8:08:00 SRC=192.168.8.11 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=34965 PROTO=UDP SPT=137 DPT=137 LEN=58
Jul 3 11:38:45 RAAD kernel: [413373.489980] ebox-firewall drop IN=eth1 OUT= MAC=01:00:5e:00:00:fb:00:26:18:b7:5c:b5:08:00 SRC=192.168.8.200 DST=224.0.0.251 LEN=106 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=86
Jul 3 11:38:45 RAAD kernel: [413373.490000] ebox-firewall drop IN=eth2 OUT= MAC=01:00:5e:00:00:fb:00:26:18:b7:5c:b5:08:00 SRC=192.168.8.200 DST=224.0.0.251 LEN=106 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=86
Jul 3 11:38:49 RAAD kernel: [413377.383554] ebox-firewall drop IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:34:08:04:2a:79:77:08:00 SRC=192.168.8.181 DST=192.168.8.255 LEN=78 TOS=0x00
I found that my firewall drops all of the broadcasting and as I saw in the Zentyal log it blocks every UDP protocol for 53,137,138,5353,1211 destination ports (as you can see in this log too). do you think that it may cause my firewall to block those IP addresses for some minutes that send too many of these requests?

thanks for your help until now.
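A syslog excerpt like the one above is easier to reason about once it is summarised per source, protocol, destination port and destination type. The script below is an added example written for this thread, not code from the thread or from Zentyal/eBox. It parses the KEY=VALUE fields of netfilter LOG lines, classifies destinations as multicast, broadcast or unicast, counts drops per category, and lists datagrams (same SRC and IP ID) that were logged on more than one ingress interface. The sample lines are constructed in the same format, with values mirroring the post so the output can be compared with it; the `.255` broadcast heuristic assumes /24 LANs like those in the post.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample in the format of the syslog excerpt above.
SAMPLE_LOG = """\
Jul 3 11:38:12 RAAD kernel: [413340.809836] ebox-firewall drop IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1f:16:08:d8:25:08:00 SRC=192.168.8.54 DST=255.255.255.255 LEN=110 TOS=0x00 PREC=0x00 TTL=128 ID=25557 PROTO=UDP SPT=1047 DPT=1211 LEN=90 MARK=0x1
Jul 3 11:38:12 RAAD kernel: [413340.809860] ebox-firewall drop IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1f:16:08:d8:25:08:00 SRC=192.168.8.54 DST=255.255.255.255 LEN=110 TOS=0x00 PREC=0x00 TTL=128 ID=25557 PROTO=UDP SPT=1047 DPT=1211 LEN=90 MARK=0x1
Jul 3 11:38:13 RAAD kernel: [413341.383687] ebox-firewall drop IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:34:08:04:2a:79:77:08:00 SRC=192.168.8.181 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=25492 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:13 RAAD kernel: [413341.383704] ebox-firewall drop IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:34:08:04:2a:79:77:08:00 SRC=192.168.8.181 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=25492 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:23 RAAD kernel: [413351.513440] ebox-firewall drop IN=eth1 OUT= MAC=01:00:5e:00:00:01:70:1a:04:be:28:7c:08:00 SRC=192.168.8.80 DST=224.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=44958 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2704
Jul 3 11:38:27 RAAD kernel: [413355.627274] ebox-firewall drop IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:17:17:47:0e:08:00 SRC=192.168.8.20 DST=192.168.8.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4076 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x1
Jul 3 11:38:45 RAAD kernel: [413373.489980] ebox-firewall drop IN=eth1 OUT= MAC=01:00:5e:00:00:fb:00:26:18:b7:5c:b5:08:00 SRC=192.168.8.200 DST=224.0.0.251 LEN=106 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=86
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of a netfilter LOG line as a dict, or None
    if the line is not one. Keys that occur twice (LEN for IP and UDP, ID for
    IP and ICMP echo) keep their first, IP-layer, value."""
    if " IN=" not in line or " SRC=" not in line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)
    return fields


def dest_class(dst):
    """multicast, broadcast (limited, or /24 directed broadcast: assumption
    that the LANs are /24 as in the post), or unicast."""
    if ip_address(dst).is_multicast:
        return "multicast"
    if dst == "255.255.255.255" or dst.endswith(".255"):
        return "broadcast"
    return "unicast"


def summarize_drops(lines):
    """Dropped packets counted per (source, protocol, dest port, dest class)."""
    counts = Counter()
    for line in lines:
        f = parse_log_line(line)
        if f is None:
            continue
        counts[(f["SRC"], f["PROTO"], f.get("DPT", "-"), dest_class(f["DST"]))] += 1
    return counts


def packets_seen_on_multiple_interfaces(lines):
    """Datagrams (same SRC and IP ID) logged on more than one ingress interface.
    LAN-sourced frames arriving on the external interfaces are what an
    anti-spoofing chain like inospoof drops."""
    seen = {}
    for line in lines:
        f = parse_log_line(line)
        if f is None:
            continue
        seen.setdefault((f["SRC"], f["ID"]), set()).add(f["IN"])
    return sorted((src, pid, sorted(ifs)) for (src, pid), ifs in seen.items() if len(ifs) > 1)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for key, n in summarize_drops(lines).most_common():
        print(n, *key)
    for src, pid, ifs in packets_seen_on_multiple_interfaces(lines):
        print(f"datagram {src} id {pid} dropped on {', '.join(ifs)}")
```

On the sample every dropped packet is broadcast or multicast, and the two datagrams seen on both eth1 and eth2 carry 192.168.8.0/24 sources, which matches the inospoof rule that drops that network on any interface other than eth0. To apply it to a real file, replace `SAMPLE_LOG.splitlines()` with `open("/var/log/syslog")`.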
 
Old 07-03-2011, 08:30 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,744
Blog Entries: 54

Rep: Reputation: 2973
Quote:
Originally Posted by golden_boy615
I found that my firewall drops all of the broadcasting and as I saw in the Zentyal log it blocks every UDP protocol for 53,137,138,5353,1211 destination ports (as you can see in this log too). do you think that it may cause my firewall to block those IP addresses for some minutes that send too many of these requests?
Nowhere in your firewall rule set is any rate limiting in use so there can be no question of "sending too many of these requests".
 
  

