Old 03-31-2014, 02:42 PM   #1
action_owl
Member
 
Registered: Jan 2009
Location: 127.0.0.1
Distribution: Fedora, CentOS, NetBSD
Posts: 115

Rep: Reputation: 17
Why is my iptables configuration not allowing traffic on localhost?


My iptables config is preventing munin from generating graphs. munin needs TCP port 4949 open on loopback. I don't understand WHY my iptables config isn't working as I explicitly ACCEPT INPUT and OUTPUT on the loopback. Can anyone tell me what's wrong here? I know that I can use: "-A INPUT -p tcp -m tcp -s 127.0.0.1 -d 127.0.0.1 --dport 4949 -j ACCEPT" but I want ALL traffic on loopback to pass through.

Code:
*filter
 
# Drop everything by default
:INPUT DROP [0:0]
 
# We are not routing packets
:FORWARD DROP [0:0]
 
# Don't filter output
:OUTPUT ACCEPT [0:0]
 
# Add the fail2ban chain
:fail2ban-SSH - [0:0]
 
# Drop NULL packets
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
 
# Reject a syn-flood attack
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
 
# Drop XMAS packets
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
 
# We want our response packets...
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Anything over the Loopback is OK
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
 
# Send packets for port 22 to fail2ban, it may drop them
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A fail2ban-SSH -j RETURN
 
# If fail2ban didn't drop it let it on through
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
 
# Open Web server
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

COMMIT

Last edited by action_owl; 03-31-2014 at 03:57 PM.
 
Old 03-31-2014, 03:38 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,333

Rep: Reputation: Disabled
Quote:
Originally Posted by action_owl View Post
My iptables config is preventing munin from generating graphs. munin needs TCP port 4949 open on loopback. I don't understand WHY my iptables config isn't working as I explicitly ACCEPT INPUT and OUTPUT on the loopback. Can anyone tell me what's wrong here? I know that I can use: "A INPUT -p tcp -m tcp -s 127.0.0.1 -d 127.0.0.1 --dport 4949 -j ACCEPT" but I want ALL traffic on loopback to pass through.
Loopback traffic can come from (and be directed towards) any address in the 127.0.0.0/8 network, but you're right; an interface match ("-i lo") is better.

Are you saying that with your current setup, telnet 127.0.0.1 4949 fails to connect to the service? And that it works once you add a specific rule for incoming traffic to 127.0.0.1?

I can't find anything in your ruleset that would block loopback traffic in general, although there are some minor errors and the ordering is less than optimal. Your INPUT and FORWARD policies are DROP;
Code:
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
In the filter ruleset, you first drop all TCP packets with no flags, which should be OK:
Code:
# Drop NULL packets
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
Then you have an impossible rule blocking non-SYN TCP packets whose state is "NEW". The problem is, no TCP packet without the SYN flag set will ever match the "NEW" state, so while this rule doesn't do any damage, it's pointless and should be removed:
Code:
# Reject a syn-flood attack
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Then TCP packets with every flag set are dropped:
Code:
# Drop XMAS packets
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
...and only NOW do you handle "ESTABLISHED" and "RELATED" packets, which means all these packets have to go through the above tests for no reason:
Code:
# We want our response packets...
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Same goes for the loopback rules; they should have been much closer to the top of the ruleset. Having said that, the rules should still work:
Code:
# Anything over the Loopback is OK
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
Try the telnet test, and experiment by re-ordering the rules and perhaps try a minimal ruleset with only the "lo" and ESTABLISHED/RELATED state rules.
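A small rule-walk simulator, added here as an example and not code from the thread, that parses the INPUT chain posted above (the fail2ban hop and the 80/443 rules left out) and reports which rule decides a constructed loopback SYN to tcp/4949 and how many rules were evaluated before it. The Packet fields and the match semantics are simplifying assumptions that cover only the options this ruleset uses.

```python
# Added example, not from the thread: which rule of the posted INPUT chain decides a packet?
import shlex
from collections import namedtuple
RULESET = """\
:INPUT DROP [0:0]
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""  # the poster's INPUT rules in posted order (fail2ban hop and ports 80/443 left out)
ALL = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}
Packet = namedtuple("Packet", "iface proto dport flags state")  # only what the rules test
OPTS = {"-j": ("target", str), "-p": ("proto", str), "-i": ("iface", str),
        "--dport": ("dport", int), "--state": ("state", lambda s: set(s.split(",")))}
flagset = lambda s: ALL if s == "ALL" else set() if s == "NONE" else set(s.split(","))

def parse(text):  # -> (policy, rules) for the INPUT chain; a rule is a dict of match -> value
    policy, rules = "ACCEPT", []
    for tok in map(shlex.split, text.splitlines()):
        if tok[:1] == [":INPUT"]:
            policy = tok[1]
        elif tok[:2] == ["-A", "INPUT"]:
            r, neg = {}, False
            for i, t in enumerate(tok):
                if t in OPTS:
                    r[OPTS[t][0]] = OPTS[t][1](tok[i + 1])
                elif t == "--syn":
                    r["syn"] = not neg  # "! --syn" matches only packets that are NOT a SYN
                elif t == "--tcp-flags":
                    r["flags"] = (flagset(tok[i + 1]), flagset(tok[i + 2]))
                neg = t == "!"
            rules.append(r)
    return policy, rules

def matches(r, p):  # True when packet p satisfies every match present in rule r
    is_syn = (p.flags & {"SYN", "RST", "ACK", "FIN"}) == {"SYN"}  # what --syn tests
    ok = all(r[k] == getattr(p, k) for k in ("proto", "iface", "dport") if k in r)
    ok = ok and p.state in r.get("state", {p.state}) and r.get("syn", is_syn) == is_syn
    return ok and ("flags" not in r or (p.flags & r["flags"][0]) == r["flags"][1])

def trace(text, p):  # walk the chain -> (verdict, number of rules evaluated to reach it)
    policy, rules = parse(text)
    for n, r in enumerate(rules, 1):
        if r.get("target") in ("ACCEPT", "DROP") and matches(r, p):
            return r["target"], n
    return policy, len(rules)  # fell off the end of the chain: the policy decides
LO_SYN = Packet("lo", "tcp", 4949, frozenset({"SYN"}), "NEW")  # constructed munin probe
print(trace(RULESET, LO_SYN))  # ('ACCEPT', 5): the lo rule works, after four needless tests
```

Moving the "-i lo" line to the top of the ruleset makes the same packet hit rule 1, which is the reordering the reply recommends.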
Old 03-31-2014, 03:47 PM   #3
action_owl
Member
 
Registered: Jan 2009
Location: 127.0.0.1
Distribution: Fedora, CentOS, NetBSD
Posts: 115

Original Poster
Rep: Reputation: 17
Thanks Ser, I really appreciate the detailed explanation. I have really been trying to figure out how to do this as correctly as possible. I will make your suggestions and try the telnet test.

*update

Port 4949 passed the telnet test so something else must be wrong. In my haste to try and fix the issue I must have fixed the issue by some other means and thought that it was the firewall. So my rules are indeed OK, thanks for helping me confirm that!

Last edited by action_owl; 03-31-2014 at 03:56 PM.