Iptables firewall script stops working occasionally
Dear friends,
I have a few proxy servers with an iptables firewall script on them, and for some reason I face the following problems frequently:
1) The iptables script has been loaded and worked initially, but somehow stops working after some time.
2) I modprobe ip_conntrack_ip to enable ftp, but after some time ftp stops working again.
3) https connections also stop working some time after the firewall script is loaded (maybe 1 or 2 days).
For all the above problems, all I need to do is service iptables stop, then run the firewall script again. As for 2), I just need to service iptables stop, modprobe ip_conntrack_ip, then run the firewall script. Same goes for 3), just stop iptables and run the script again. Everything works as normal again after I do that, but it's not very efficient if I have to do those things all the time, because users cannot tolerate having timeouts. I don't see anything suspicious in /var/log/messages, so I don't really know what causes the problem, coz when I load the firewall script there is no error at all. Restarting iptables solves the problem, but why.... Thanks for taking the time to read my thread. Regards, Y
Did the change occur after a reboot? If not, do you know roughly what time the script reset (does it seem to occur the same time of day)? Are the machines on this network using static IP addresses or are they dynamically assigned (e.g. DHCP)?
Hi Capt_caveman,
Thanks for the reply. It doesn't necessarily happen after a reboot. But maybe you have pointed out something there: all the servers that have this problem use a dynamic IP in the firewall script....but what could be the problem if using dynamic IPs? Thanks a lot for your help.
Nothing specific right now, but I've seen a number of people with similar issues that went unresolved, and it has always seemed like that may be the cause. Could be that you're blocking portions of DHCP traffic and DHCP leases are failing to renew, but I don't think restarting iptables would solve that. I'll have to tinker on my test LAN to see if I can recreate it.
First, could you check several things. To ensure that this isn't an issue of the conntrack table filling up, could you post the contents of /proc/sys/net/ipv4/ip_conntrack_max and the output of:
Code:
wc -l /proc/net/ip_conntrack
Also post the output of:
Code:
iptables -vL
Hi Captain Caveman,
Thanks a lot for your reply. I am waiting for the server to get stuck again, and then I can copy down the ip_conntrack logs. Hmmm... the conntrack table getting full will affect the running iptables? I suppose that could be a possibility too.... what are the ways to prevent it piling up? I just changed the IP table a bit to go without ping, coz I read that ping failure can result in the conntrack table piling up... I will report the outcome of the ip_conntrack table when the server gets stuck again. Thanks, Captain! Regards, Y
The conntrack table has a maximum number of connections that it can maintain. This maximum is defined in /proc/sys/net/ipv4/ip_conntrack_max. Once the max is reached the system will start dropping packets, though you should get log messages. Restarting iptables flushes the conntrack table, so that can cure the symptoms of a full conntrack table problem. Again, I don't know until you can post the output of those commands.
Dear Capt_Caveman,
Here are the outputs. For wc -l /proc/net/ip_conntrack:
Code:
tcp 6 431588 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32771 dport=32770 src=127.0.0.1 dst=127.0.0.1 sport=32770 dport=32771 [ASSURED] use=1
tcp 6 430804 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32791 dport=32790 src=127.0.0.1 dst=127.0.0.1 sport=32790 dport=32791 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32813 dport=32812 src=127.0.0.1 dst=127.0.0.1 sport=32812 dport=32813 [ASSURED] use=1
udp 17 15 src=60.53.38.106 dst=202.188.0.133 sport=32771 dport=53 [UNREPLIED] src=202.188.0.133 dst=60.53.32.118 sport=53 dport=32771 use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32795 dport=32794 src=127.0.0.1 dst=127.0.0.1 sport=32794 dport=32795 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32779 dport=32778 src=127.0.0.1 dst=127.0.0.1 sport=32778 dport=32779 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32789 dport=32788 src=127.0.0.1 dst=127.0.0.1 sport=32788 dport=32789 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32809 dport=32808 src=127.0.0.1 dst=127.0.0.1 sport=32808 dport=32809 [ASSURED] use=1
tcp 6 431999 ESTABLISHED src=192.168.3.1 dst=192.168.3.253 sport=1063 dport=22 src=192.168.3.253 dst=192.168.3.1 sport=22 dport=1063 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32805 dport=32804 src=127.0.0.1 dst=127.0.0.1 sport=32804 dport=32805 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32783 dport=32782 src=127.0.0.1 dst=127.0.0.1 sport=32782 dport=32783 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32781 dport=32780 src=127.0.0.1 dst=127.0.0.1 sport=32780 dport=32781 [ASSURED] use=1
udp 17 26 src=60.53.38.106 dst=202.188.1.5 sport=32771 dport=53 [UNREPLIED] src=202.188.1.5 dst=60.53.32.118 sport=53 dport=32771 use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32815 dport=32814 src=127.0.0.1 dst=127.0.0.1 sport=32814 dport=32815 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32773 dport=32772 src=127.0.0.1 dst=127.0.0.1 sport=32772 dport=32773 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32807 dport=32806 src=127.0.0.1 dst=127.0.0.1 sport=32806 dport=32807 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32799 dport=32798 src=127.0.0.1 dst=127.0.0.1 sport=32798 dport=32799 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32775 dport=32774 src=127.0.0.1 dst=127.0.0.1 sport=32774 dport=32775 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32817 dport=32816 src=127.0.0.1 dst=127.0.0.1 sport=32816 dport=32817 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32803 dport=32802 src=127.0.0.1 dst=127.0.0.1 sport=32802 dport=32803 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32793 dport=32792 src=127.0.0.1 dst=127.0.0.1 sport=32792 dport=32793 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32801 dport=32800 src=127.0.0.1 dst=127.0.0.1 sport=32800 dport=32801 [ASSURED] use=1
udp 17 10 src=192.168.3.146 dst=207.217.126.41 sport=2518 dport=53 [UNREPLIED] src=207.217.126.41 dst=60.53.32.118 sport=53 dport=2518 use=1
udp 17 16 src=192.168.3.146 dst=207.217.126.41 sport=2629 dport=53 [UNREPLIED] src=207.217.126.41 dst=60.53.32.118 sport=53 dport=2629 use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32787 dport=32786 src=127.0.0.1 dst=127.0.0.1 sport=32786 dport=32787 [ASSURED] use=1
udp 17 21 src=192.168.3.146 dst=207.217.126.41 sport=2666 dport=53 [UNREPLIED] src=207.217.126.41 dst=60.53.32.118 sport=53 dport=2666 use=1
tcp 6 430804 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32811 dport=32810 src=127.0.0.1 dst=127.0.0.1 sport=32810 dport=32811 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32797 dport=32796 src=127.0.0.1 dst=127.0.0.1 sport=32796 dport=32797 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32785 dport=32784 src=127.0.0.1 dst=127.0.0.1 sport=32784 dport=32785 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32819 dport=32818 src=127.0.0.1 dst=127.0.0.1 sport=32818 dport=32819 [ASSURED] use=1
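Worked example, added here by the editor and not posted by anyone in this thread: a POSIX shell script that performs the two checks Capt_Caveman asked for (table occupancy against ip_conntrack_max, and a breakdown of what the entries in /proc/net/ip_conntrack are) and adds a third helper that pulls out the reply-direction destination of each entry. In the listing Y posted, the outbound DNS entries leave from 60.53.38.106 but expect their replies at 60.53.32.118; on a host whose external address is dynamic, addresses in that column that are no longer configured on the interface belong to entries nothing can ever match, so a parser that surfaces them is worth having whether or not that turns out to be the cause here. The paths are the 2.4/2.6-era ones used in the thread, the 80% warning threshold is an assumption, and the sample entries in the usage section are constructed from the format of the posted output.

```shell
#!/bin/sh
# Editor-added example, not code from the thread. Assumes the older conntrack
# layout used above (/proc/sys/net/ipv4/ip_conntrack_max, /proc/net/ip_conntrack,
# entries starting "tcp 6 <timeout> <state> src=..."). Newer kernels use
# /proc/sys/net/netfilter/nf_conntrack_max and /proc/net/nf_conntrack, where
# each entry is prefixed with "ipv4 2", so the field positions below shift.

# conntrack_usage MAX_FILE TABLE_FILE [WARN_PERCENT]
# Prints "<used> <max> <percent> <OK|WARN>". Returns 0 below the warning
# threshold (assumed default 80%), 1 at or above it, so it can drive a cron alert.
conntrack_usage() {
    max=$(cat "$1")
    used=$(wc -l < "$2")
    warn=${3:-80}
    pct=$((used * 100 / max))
    if [ "$pct" -ge "$warn" ]; then status=WARN; else status=OK; fi
    printf '%s %s %s %s\n' "$used" "$max" "$pct" "$status"
    [ "$pct" -lt "$warn" ]
}

# conntrack_states TABLE_FILE
# Counts entries per protocol (and per TCP state), plus how many have seen
# traffic in both directions ([ASSURED]) versus none coming back ([UNREPLIED]).
# A table that is mostly UNREPLIED entries is being filled by traffic that
# never gets an answer, not by real sessions.
conntrack_states() {
    awk '
        { key = $1 }
        $1 == "tcp" { key = $1 "/" $4 }   # field 4 is the TCP state
        /\[UNREPLIED\]/ { unreplied++ }
        /\[ASSURED\]/   { assured++ }
        { count[key]++ }
        END {
            for (k in count) printf "%s %d\n", k, count[k]
            printf "assured %d\nunreplied %d\n", assured + 0, unreplied + 0
        }' "$1" | sort
}

# conntrack_reply_dsts TABLE_FILE
# For every non-loopback entry, prints the destination address of the reply
# tuple (the second dst= on the line) and how many entries use it. Compare the
# addresses printed here against what is currently configured on the external
# interface: an address that is no longer present means those entries are stale.
conntrack_reply_dsts() {
    awk '
        {
            n = 0; rdst = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^dst=/) { n++; if (n == 2) rdst = substr($i, 5) }
            if (rdst != "" && rdst != "127.0.0.1") count[rdst]++
        }
        END { for (a in count) printf "%s %d\n", a, count[a] }' "$1" | sort
}

# Stand-alone use on a box that has the thread's paths (skipped otherwise):
if [ -r /proc/sys/net/ipv4/ip_conntrack_max ] && [ -r /proc/net/ip_conntrack ]; then
    conntrack_usage /proc/sys/net/ipv4/ip_conntrack_max /proc/net/ip_conntrack || true
    conntrack_states /proc/net/ip_conntrack
    conntrack_reply_dsts /proc/net/ip_conntrack
fi
```

Run it from cron on the affected box and keep the output; when the next stall happens, the usage line tells you whether the table was anywhere near ip_conntrack_max, and the reply-destination list tells you whether the entries still reference the address the interface currently has.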
Dear Capt_Caveman,
Here's the output for # iptables -vL
Code:
Chain INPUT (policy DROP 1 packets, 40 bytes)
 pkts bytes target prot opt in out source destination
67587 34M SHUN all -- any any anywhere anywhere
8412 864K ACCEPT all -- lo any anywhere anywhere
59175 34M IN_FIREWALL all -- any any anywhere anywhere
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level error prefix `IPT INPUT: '
0 0 DROP all -- any any anywhere anywhere

Chain FORWARD (policy DROP 5 packets, 390 bytes)
 pkts bytes target prot opt in out source destination
209K 29M SHUN all -- any any anywhere anywhere
10350 14M IN_NETWORK all -- ppp0 any anywhere anywhere
198K 15M OUT_NETWORK all -- eth1 any anywhere anywhere
29 1342 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level error prefix `IPT FORWARD: '
0 0 ACCEPT all -- any any 192.168.3.35 anywhere
77 3630 DROP all -- any any anywhere anywhere

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
74154 35M SHUN all -- any any anywhere anywhere
8412 864K ACCEPT all -- any lo anywhere anywhere
65742 34M OUT_FIREWALL all -- any any anywhere anywhere
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level error prefix `IPT OUTPUT: '
0 0 DROP all -- any any anywhere anywhere

Chain BADFLAGS (11 references)
 pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level error prefix `IPT BADFLAGS: '
0 0 DROP all -- any any anywhere anywhere

Chain BAD_IP (4 references)
 pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level error prefix `IPT BAD_IP: '
0 0 DROP all -- any any anywhere anywhere

Chain IN_FIREWALL (1 references)
 pkts bytes target prot opt in out source destination
10 605 IN_ICMP icmp -- any any anywhere anywhere
55667 33M TCP_FLAGS tcp -- any any anywhere anywhere
1246 59916 SYN_FLOOD tcp -- any any anywhere anywhere tcp flags:SYN,RST,ACK/SYN
0 0 ACCEPT udp -- any any anywhere 60.53.38.106 udp dpt:5060
421 60942 ACCEPT udp -- any any anywhere 60.53.38.106 udp dpts:10001:65535
58742 33M IN_IP_CHECK all -- any any anywhere anywhere
54151 33M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
3 180 ACCEPT tcp -- any any 192.168.3.0/24 anywhere tcp dpt:ssh state NEW
1 60 ACCEPT tcp -- any any 211.188.18.19 anywhere tcp dpt:ssh state NEW
0 0 ACCEPT tcp -- any any tm.net.my anywhere tcp dpt:ssh state NEW
0 0 ACCEPT tcp -- any any anywhere 60.53.38.106 tcp dpt:ftp
0 0 ACCEPT tcp -- any any 60.53.38.106 anywhere tcp spt:ftp-data
1169 56056 ACCEPT tcp -- any any anywhere sttu.shin tcp dpt:squid
5 300 ACCEPT tcp -- any any anywhere 60.53.38.106 tcp dpt:10000
27 1882 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
1 48 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
476 47356 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level error prefix `IPT IN_FIREWALL: '
3385 325K DROP all -- any any anywhere anywhere

Chain IN_ICMP (2 references)
 pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- any any 192.168.3.0/24 anywhere icmp echo-request
0 0 ACCEPT icmp -- any any 192.168.3.0/24 anywhere icmp echo-reply
0 0 ACCEPT icmp -- any any 192.168.6.0/24 anywhere icmp echo-request
0 0 ACCEPT icmp -- any any 192.168.6.0/24 anywhere icmp echo-reply
1 56 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
9 549 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level error prefix `IPT In ICMP: '
9 549 DROP all -- any any anywhere anywhere

Chain IN_IP_CHECK (1 references)
 pkts bytes target prot opt in out source destination
0 0 BAD_IP all -- ppp0 any 65.55.35.116 anywhere
0 0 BAD_IP all -- ppp0 any 192.168.3.0/24 anywhere
0 0 BAD_IP all -- eth1 any 65.55.35.116 anywhere

Chain IN_NETWORK (1 references)
 pkts bytes target prot opt in out source destination
0 0 IN_ICMP icmp -- any any anywhere anywhere
9834 14M TCP_FLAGS tcp -- any any anywhere anywhere
0 0 SYN_FLOOD tcp -- any any anywhere anywhere tcp flags:SYN,RST,ACK/SYN
9834 14M ACCEPT tcp -- any any anywhere anywhere state RELATED,ESTABLISHED
516 67080 ACCEPT udp -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:5060
0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpts:10001:65535
0 0 ACCEPT udp -- any any anywhere sttu.shin udp dpt:domain
0 0 ACCEPT tcp -- any any anywhere sttu.shin tcp dpt:http flags:SYN,RST,ACK/SYN

Chain OUT_FIREWALL (1 references)
 pkts bytes target prot opt in out source destination
0 0 OUT_ICMP icmp -- any any anywhere anywhere
65229 34M TCP_FLAGS tcp -- any any anywhere anywhere
64052 34M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:5060
0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpts:10001:65535
1690 103K OUT_IP_CHECK all -- any any anywhere anywhere
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ftp
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:telnet
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:smtp
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:pop3
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpts:netbios-ns:netbios-ssn
1552 93120 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:http
81 4860 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:https
52 3771 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:domain
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp spt:squid
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp spt:ftp-data
3 576 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level error prefix `IPT OUT_FIREWALL: '
5 760 DROP all -- any any anywhere anywhere

Chain OUT_ICMP (2 references)
 pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- any any anywhere 192.168.3.0/24 icmp echo-request
0 0 ACCEPT icmp -- any any anywhere 192.168.3.0/24 icmp echo-reply
0 0 ACCEPT icmp -- any any anywhere 192.168.6.0/24 icmp echo-request
0 0 ACCEPT icmp -- any any anywhere 192.168.6.0/24 icmp echo-reply
0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench
0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level error prefix `IPT Out ICMP: '
0 0 DROP all -- any any anywhere anywhere

Chain OUT_IP_CHECK (1 references)
 pkts bytes target prot opt in out source destination
1685 102K RETURN all -- any ppp0 65.55.35.116 anywhere
5 760 RETURN all -- any eth1 sttu.shin anywhere
0 0 BAD_IP all -- any any anywhere anywhere

Chain OUT_NETWORK (1 references)
 pkts bytes target prot opt in out source destination
0 0 OUT_ICMP icmp -- any any anywhere anywhere
5527 299K TCP_FLAGS tcp -- any any anywhere anywhere
5489 297K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ftp
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:smtp
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:pop3
14 672 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:http
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:https
547 30853 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:domain
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:socks
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:1503
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:h323hostcall
6 288 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:4000
0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:4000
192K 15M DROP udp -- any any anywhere anywhere state NEW udp dpts:netbios-ns:netbios-ssn

Chain SHUN (3 references)
 pkts bytes target prot opt in out source destination

Chain SYN_FLOOD (2 references)
 pkts bytes target prot opt in out source destination
1244 59820 RETURN tcp -- any any anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 5/sec burst 10
0 0 RETURN !tcp -- any any anywhere anywhere
0 0 RETURN tcp -- any any anywhere anywhere tcp flags:!SYN,RST,ACK/SYN
2 96 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level error prefix `IPT SYN_FLOOD: '
2 96 DROP all -- any any anywhere anywhere

Chain TCP_FLAGS (4 references)
 pkts bytes target prot opt in out source destination
0 0 BADFLAGS tcp -- any any anywhere anywhere tcp flags:FIN,ACK/FIN
0 0 BADFLAGS tcp -- any any anywhere anywhere tcp flags:PSH,ACK/PSH
0 0 BADFLAGS tcp -- any any anywhere anywhere tcp flags:ACK,URG/URG
0 0 BADFLAGS tcp -- any any anywhere anywhere tcp flags:FIN,RST/FIN,RST
0 0 BADFLAGS tcp -- any any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
0 0 BADFLAGS tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN,RST
0 0 BADFLAGS tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
0 0 BADFLAGS tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
0 0 BADFLAGS tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
0 0 BADFLAGS tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,PSH,URG
0 0 BADFLAGS tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
# iptables -t nat -vL
Code:
Chain PREROUTING (policy ACCEPT 209K packets, 16M bytes)
 pkts bytes target prot opt in out source destination
0 0 DNAT udp -- ppp0 any anywhere 65.55.35.116 udp dpt:5060 to:192.168.3.109
2 180 DNAT udp -- ppp0 any anywhere 65.55.35.116 udp dpts:10001:65535 to:192.168.3.109
0 0 DNAT tcp -- ppp0 any anywhere 65.55.35.116 tcp dpt:domain to:192.168.3.253
1 48 DNAT tcp -- ppp0 any anywhere 65.55.35.116 tcp dpt:http to:192.168.3.253

Chain POSTROUTING (policy ACCEPT 19 packets, 1667 bytes)
 pkts bytes target prot opt in out source destination
2994 178K SNAT all -- any ppp0 anywhere anywhere to:65.55.35.116

Chain OUTPUT (policy ACCEPT 2418 packets, 146K bytes)
 pkts bytes target prot opt in out source destination
Dear Captain Caveman,
That's all the output from the command. If there is anything bad, please help me to correct it.. thanks, Captain! Regards, Y