LinuxQuestions.org
Old 12-30-2004, 10:02 PM   #1
susje
LQ Newbie
 
Registered: Dec 2004
Posts: 17

Rep: Reputation: 0
Iptables timeout and sometimes clients cannot contact server


Dear experts,

I configured my firewall and it allows the traffic that I meant it to. However, sometimes (not very often) when my clients try to send or receive mail from the server, they get error messages such as "timeout" or "server cannot be contacted". But when they try again it works.

After I stop the iptables service they don't see such problems. So I thought it may be a performance issue. I have been searching the web and improved my iptables config. Now I can see a significant speed increase. However, the same problem still occurs.

Bandwidth usage is definitely not an issue since it is only used as an email server. Also, it is a local server and it's not a big company.

----------------------------------------------------------
Here is my iptables config:

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [799:54264]
:logdrop - [0:0]
:services - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type any -j ACCEPT
# packets belonging to connections already known to conntrack are accepted first
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# only the first packet of a new connection is checked against the services chain
-A INPUT -i eth0 -m state --state NEW -j services
-A INPUT -i eth0 -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -j logdrop
-A logdrop -j LOG --log-prefix "[REJECT]"
-A logdrop -j REJECT --reject-with icmp-host-unreachable
-A services -p tcp -m tcp --dport 21 -j ACCEPT
-A services -p tcp -m tcp --dport 22 -j ACCEPT
-A services -p tcp -m tcp --dport 80 -j ACCEPT
-A services -p tcp -m tcp --dport 25 -j ACCEPT
-A services -p tcp -m tcp --dport 110 -j ACCEPT
-A services -p tcp -m tcp --dport 995 -j ACCEPT
COMMIT
# Completed on Tue Dec 28 17:16:17 2004
# Generated by iptables-save v1.2.8 on Tue Dec 28 17:16:17 2004
*nat
:PREROUTING ACCEPT [2:88]
:POSTROUTING ACCEPT [3:257]
:OUTPUT ACCEPT [3:257]
COMMIT
----------------------------------------------------------

Sometimes when I use PuTTY to ssh to the server, the connection can't be established at first either.

In addition, my ssh connection will time out with the iptables service on. I can see many people posting the same question on the net, but no one really gives an answer to it. If I want to keep my ssh connection alive, how can this be solved? (I have already set the keepalive parameter in my sshd_config file...)

I still receive daily complaints. Any help will be appreciated!

susje
 
Old 12-31-2004, 08:52 AM   #2
ScooterB
Member
 
Registered: Sep 2003
Location: NW Arkansas
Distribution: Linux Redhat 9.0, Fedora Core 2,Debian 3.0, Win 2K, Win95, Win98, WinXp Pro
Posts: 344

Rep: Reputation: 31
I am not positive but I think that it may be the one rule about your connection states. You are only accepting related and established. You are not doing anything with new connections. Established indicates that there has already been a two-way exchange of packets. Related indicates that the packet is associated with a new connection that is related to an established connection. So, if it is the first time that a particular client is signing on to check for mail, it won't see it as established. You might try adding a rule to parse any new connections through the firewall rules and if it is flaky to drop it. I would leave your existing rule but try adding a new one to check the new connections. The "new" rule could do things like check for DOS attacks, viruses, etc. If it isn't one of those then pass it on.

Like I said, I am not positive about this but it might be a thing to think about. Good luck and repost when you find the solution.
 
Old 01-03-2005, 12:53 AM   #3
susje
LQ Newbie
 
Registered: Dec 2004
Posts: 17

Original Poster
Rep: Reputation: 0
Thanks ScooterB

I understand what you mean. I thought the line:

-A INPUT -i eth0 -m state --state NEW -j services

would already pass all the new connections to the channel "services", and the rules in "services" would take care of the connections. Wouldn't it?

I'm a newbie in Linux..... Can someone please tell me if my firewall config makes any sense?

THANKS in advance

susje
 
Old 01-04-2005, 08:41 PM   #4
susje
LQ Newbie
 
Registered: Dec 2004
Posts: 17

Original Poster
Rep: Reputation: 0
I have updated my iptables but the problem still exists.....sigh.....

Do you think this may not be a firewall-related problem? But when I ping my server for a long time, packet loss is 0%. It really seems like the problem occurs only when I try to establish a connection, and not very often.
 
Old 01-05-2005, 12:26 AM   #5
gd2shoe
Member
 
Registered: Jun 2004
Location: Northern CA
Distribution: Debian
Posts: 835

Rep: Reputation: 49
Upon closer inspection, I think you may need to open port 20. I'm not an "expert" like you're asking for, but I have read up on ftp not too long ago. If I remember correctly, ftp can often require port 20 for control signals and such. The actual data is transmitted on port 21, but there can be problems if 20 is not available.

This is to the best of my recollection and may be incomplete or wrong.
 
Old 01-05-2005, 07:57 AM   #6
ScooterB
Member
 
Registered: Sep 2003
Location: NW Arkansas
Distribution: Linux Redhat 9.0, Fedora Core 2,Debian 3.0, Win 2K, Win95, Win98, WinXp Pro
Posts: 344

Rep: Reputation: 31
My apologies. I glossed over your line about the NEW connections. The only other thing I can see might be that you need to open port 53 for DNS. The server may have problems trying to resolve the source IP address or destination IP addresses. Some other things you might consider adding are some new chains for viruses, spammers and what I call BadIPs. BadIPs are the guys who port scan you to find out if you're open or whatnot. Your server's daily log should tell you these. My policy has been to add them to my list of BadIPs. If they turn out to be legit, then you can always take them off. For a source of ports to lock down and spammers, take a look at the SANS site and look for the "Top Ten". The site is http://isc.sans.org/top10.php and should be looked at weekly if you can. Other than those things I would be puzzled as to why you are having trouble. One thing that did occur to me as I was writing this is: what procedure are you going through after you update your firewall? My procedure is to first "flush the old tables" (# iptables -F), then do a list to make sure that they are all gone (# iptables -L), and then do a restart so that your new firewall is implemented (# service iptables restart). I don't know if this is the "proper" way to do it, but it works for me. Try those things and then repost.
 
Old 01-05-2005, 11:44 PM   #7
susje
LQ Newbie
 
Registered: Dec 2004
Posts: 17

Original Poster
Rep: Reputation: 0
Dear all,

Sorry for not stating it clearly; when I said "update iptables", I mean I upgraded my iptables version. I thought maybe my iptables module is old (my server is running in Fedora I). But after upgrading it to a new version the problem still exists.

I tried what you suggested, by adding the DNS port, but it didn't help my problem....

So I tried removing all the rules and set channel INPUT to ACCEPT, and surprisingly the problem is still there!

Now I'm investigating whether it's a network issue by using Ethereal. After trying to establish connections many times, I was finally lucky enough to reproduce the problem once. Here is the log from Ethereal:

--------------------------------------------------------------------------------
No. Time Source Destination Protocol Info
1 0.000000 192.168.10.152 [Server IP addr] TCP 7305 > pop3 [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
2 0.000697 [Server IP addr] 192.168.10.152 TCP pop3 > 7305 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
3 0.000731 192.168.10.152 [Server IP addr] TCP 7305 > pop3 [ACK] Seq=1 Ack=1 Win=65535 Len=0
4 0.001174 [Server IP addr] 192.168.10.152 TCP pop3 > 7305 [RST] Seq=1 Ack=1364370923 Win=0 Len=0
5 3.994243 [Server IP addr] 192.168.10.152 TCP pop3 > 7305 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460

--------------------------------------------------------------------

In "Frame 4", if the connection succeeded, the server should respond with the POP3 protocol instead of [RST] (a reset packet).

I have no idea why it is behaving like this......
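The capture above already separates two failure modes that look identical to a mail client: a SYN swallowed by a filter DROP rule gets no SYN-ACK at all, whereas frames 1 to 5 show the handshake completing and the server's own stack resetting it, then re-sending the SYN-ACK. The following is an added example (my code, not susje's or anything from the thread) that parses Ethereal/Wireshark summary lines in the column order shown in the post, groups them into flows by the client's first SYN, and labels each flow with the outcome; it assumes the redacted "[Server IP addr]" is the constructed address 192.168.10.1.

```python
import re
from collections import defaultdict, namedtuple
Frame = namedtuple("Frame", "no time src sport dst dport flags")
LINE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+TCP\s+(\S+) > (\S+)\s+\[([^\]]+)\]")
# Constructed from the thread's capture; the redacted "[Server IP addr]" becomes the made-up 192.168.10.1.
RESET_AFTER_HANDSHAKE = """\
1 0.000000 192.168.10.152 192.168.10.1 TCP 7305 > pop3 [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
2 0.000697 192.168.10.1 192.168.10.152 TCP pop3 > 7305 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
3 0.000731 192.168.10.152 192.168.10.1 TCP 7305 > pop3 [ACK] Seq=1 Ack=1 Win=65535 Len=0
4 0.001174 192.168.10.1 192.168.10.152 TCP pop3 > 7305 [RST] Seq=1 Ack=1364370923 Win=0 Len=0
5 3.994243 192.168.10.1 192.168.10.152 TCP pop3 > 7305 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
"""
def parse(text):
    """Turn Ethereal/Wireshark summary lines into Frame records; lines that are not TCP are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            no, t, src, dst, sport, dport, flags = m.groups()
            frames.append(Frame(int(no), float(t), src, sport, dst, dport,
                                frozenset(x.strip() for x in flags.split(","))))
    return frames

def classify(frames):
    """Group frames into flows keyed by the client's first SYN and label how each flow ended."""
    flows, owner = defaultdict(list), {}
    for f in frames:
        if f.flags == {"SYN"}:                       # a bare SYN identifies the client side
            owner[(f.src, f.sport)] = (f.src, f.sport, f.dst, f.dport)
        key = owner.get((f.src, f.sport)) or owner.get((f.dst, f.dport))
        if key:
            flows[key].append(f)
    verdicts = {}
    for key, fs in flows.items():
        from_srv = [f for f in fs if f.src != key[0]]
        synack = next((f for f in from_srv if f.flags == {"SYN", "ACK"}), None)
        ack = synack and next((f for f in fs if f.src == key[0] and f.flags == {"ACK"}
                               and f.time > synack.time), None)
        rst = next((f for f in from_srv if "RST" in f.flags), None)
        if synack is None and rst is None:
            v = "no SYN-ACK: SYN unanswered (what a DROP in the filter table looks like)"
        elif ack and rst and rst.time > ack.time:
            v = "handshake completed, then the server reset it (RST after the client's ACK)"
            if any(f.flags == {"SYN", "ACK"} and f.time > rst.time for f in from_srv):
                v += "; SYN-ACK retransmitted later, so the server socket still sat in SYN-RECEIVED"
        else:
            v = ("server refused with RST (closed port or REJECT --reject-with tcp-reset)" if rst
                 else "handshake completed normally" if ack else "client never acknowledged the SYN-ACK")
        verdicts[key] = v
    return verdicts
```

Run it over the saved summary of a longer capture and the flows that end in the "reset after handshake" verdict are the ones to correlate with the server's logs, since no firewall rule in the posted config generates that pattern.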