LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1, 01-26-2009, 03:01 AM
helptonewbie (Member; Registered: Aug 2006; Location: England Somewhere; Distribution: Mandriva, PCLinuxOS, Karoshi, Suse, Redhat, Ubuntu; Posts: 518; Reputation: 39)
Strange IPTables, or perhaps it's not an IPtables problem?
Hi All,
I seem to be having a problem with an application I'm running when I enable the firewall. The application works as part of a cluster and has constant communications running between two nodes. To make life easy, all I did between the two nodes as firewall rules is the following:
Code:
iptables -A INPUT -i bond0 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -i bond0 -s x.x.x.x -j ACCEPT
iptables -A INPUT -i bond0 -s x.x.x.x -j ACCEPT

OK, now to me these rules, if run on both servers, will make sure each server can connect to any port using any protocol (tcp, udp, icmp), and then I'm logging any packets that are otherwise dropped. The rules above are part of a greater set of rules, but these are more or less the first set of rules in the list, and therefore any communications between the hosts should not be dropped at all.

However, I can't see any packets being dropped that may have stopped this application from working properly. However, if I'm wrong in thinking that the above rules do allow all protocols and ports open to the hosts specified, then that could be my problem?

Cheers
 
#2, 01-27-2009, 11:57 AM
rossonieri#1 (Member; Registered: Jun 2007; Posts: 359; Reputation: 34)
hi,

Quote:
I seem to be having a problem with an application I'm running when I enable the firewall. The application works as part of a cluster and has constant communications running between two nodes. To make life easy, all I did between the two nodes as firewall rules is the following:
iptables -A INPUT -i bond0 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -i bond0 -s x.x.x.x -j ACCEPT
iptables -A INPUT -i bond0 -s x.x.x.x -j ACCEPT
I'm not sure about this, please explain in more detail:
the -i bond0 refers to which devices? 2 or more NICs on a single server, or maybe you have some other perspective?
and the -s 127/8 points to what/where? Are you trying to filter IP spoofing?

Quote:
However, if I'm wrong in thinking that the above rules do allow all protocols and ports open to the hosts specified, then that could be my problem?
Yup, generally speaking, I think it is.
I see that you had only ACCEPT actions in your posted rules for those x.x.x.x sources, so how can iptables block/DROP any traffic as you required it to?
 
#3, 01-27-2009, 01:03 PM
helptonewbie (Member; Original Poster; Registered: Aug 2006; Location: England Somewhere; Distribution: Mandriva, PCLinuxOS, Karoshi, Suse, Redhat, Ubuntu; Posts: 518; Reputation: 39)
Quote:
Originally Posted by rossonieri#1
hi,
I'm not sure about this, please explain in more detail:
the -i bond0 refers to which devices? 2 or more NICs on a single server, or maybe you have some other perspective?
and the -s 127/8 points to what/where? Are you trying to filter IP spoofing?
Yup, generally speaking, I think it is.
I see that you had only ACCEPT actions in your posted rules for those x.x.x.x sources, so how can iptables block/DROP any traffic as you required it to?
Hi there,
Yes, you are correct: bond0 refers to the eth0 and eth1 network interfaces. These run in an active/passive set-up (only one running at any one time).

127.0.0.1/8 is standard localhost, and I'm ensuring the localhost can route packets to itself. Exactly my question: I accept all packets between these hosts and log anything that is dropped. And no packets between the hosts are dropped at any point (that is only a tiny snippet of the rules). And yet with the firewall on, the application between the hosts doesn't run, and with iptables off the application runs fine. I've set up no limits on the number of packets to be sent in an amount of time or anything of this nature.

However, this no longer really matters, but I still would have liked to have got to the bottom of the problem.

Cheers,
MJ
 
#4, 01-28-2009, 04:22 AM
rossonieri#1 (Member; Registered: Jun 2007; Posts: 359; Reputation: 34)
hi,

Quote:
127.0.0.1/8 is standard localhost, and I'm ensuring the localhost can route packets to itself.
ya, but you've put it on the wrong interface, I think;
it should be on the loopback interface.

and yours:
Code:
iptables -A INPUT -i bond0 -s 127.0.0.1 -j ACCEPT
this is a very dangerous thing to do in a live/production network.

Quote:
my question: I accept all packets between these hosts and log anything that is dropped.
you should LOG the bad packet first, prior to DROP/REJECT; if you DROP them first, then you can't LOG them.
 
#5, 01-28-2009, 07:54 AM
helptonewbie (Member; Original Poster; Registered: Aug 2006; Location: England Somewhere; Distribution: Mandriva, PCLinuxOS, Karoshi, Suse, Redhat, Ubuntu; Posts: 518; Reputation: 39)
Quote:
you should LOG the bad packet first, prior to DROP/REJECT; if you DROP them first, then you can't LOG them
Yep, I know that, thanks; that's my point: they're not logged, and they should be, because all LOG statements come before any DROP statements. That's why this is so much of a mystery.

Yes, well spotted, 127/8 should be on loopback; I didn't think about that one, and in fact it's probably not even required to put anything in for the loopback interface, as it is only local traffic anyway.

I'll forget about it; I don't think I will be able to get to the bottom of it, which is rather annoying. It doesn't make sense, but at the same time we're not going to be using this application anymore, so it doesn't matter.
Cheers,
MJ
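The two points argued in this thread, whether a rule with `-i bond0 -s 127.0.0.1` ever sees loopback traffic and whether a LOG rule placed before DROP actually records what gets dropped, can be checked without touching a live box by replaying the rules through a first-match simulator. The script below is an added example, not code from the thread or from the iptables project: it parses the subset of `iptables -A INPUT ...` syntax used above, evaluates a chain in order with LOG as a non-terminating target, and runs constructed packets through the original ruleset, a corrected one (loopback on `lo`, explicit LOG then DROP), and a misordered one (DROP before LOG). The peer addresses 10.0.0.1/10.0.0.2, the stranger 192.0.2.5 and the interface names are constructed placeholders for the x.x.x.x values in the posts.

```python
"""Minimal first-match simulator for an iptables INPUT chain (added example).

Models only what the thread uses: -i (input interface), -s (source address or
CIDR), -p (protocol) and the targets ACCEPT, DROP and LOG. LOG never terminates
evaluation; the first ACCEPT/DROP match decides; otherwise the chain policy applies.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    target: str                      # ACCEPT, DROP or LOG
    in_iface: Optional[str] = None   # -i
    src: Optional[str] = None        # -s, address or CIDR
    proto: Optional[str] = None      # -p

    def matches(self, pkt: Dict[str, str]) -> bool:
        if self.in_iface and pkt["iface"] != self.in_iface:
            return False
        if self.src and ip_address(pkt["src"]) not in ip_network(self.src, strict=False):
            return False
        if self.proto and pkt["proto"] != self.proto:
            return False
        return True


def parse_rule(cmd: str) -> Rule:
    """Parse an `iptables -A INPUT ... -j TARGET` line into a Rule."""
    tokens = cmd.split()
    opts: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        if tokens[i] in ("-A", "-i", "-s", "-p", "-j"):
            opts[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            i += 1  # skip the "iptables" word and anything unmodelled
    return Rule(target=opts["-j"], in_iface=opts.get("-i"),
                src=opts.get("-s"), proto=opts.get("-p"))


def evaluate(rules: List[Rule], pkt: Dict[str, str], policy: str = "DROP") -> Tuple[str, bool]:
    """Return (verdict, logged): first terminating match wins, LOG only flags."""
    logged = False
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            logged = True
            continue
        return rule.target, logged
    return policy, logged


# The poster's rules, with constructed peer addresses standing in for x.x.x.x,
# followed by the "log anything else" rule the poster describes; policy DROP.
ORIGINAL_RULES = [parse_rule(c) for c in (
    "iptables -A INPUT -i bond0 -s 127.0.0.1 -j ACCEPT",
    "iptables -A INPUT -i bond0 -s 10.0.0.1 -j ACCEPT",
    "iptables -A INPUT -i bond0 -s 10.0.0.2 -j ACCEPT",
    "iptables -A INPUT -j LOG",
)]

# Loopback handled on lo (as suggested in post #4), LOG placed before an explicit DROP.
CORRECTED_RULES = [parse_rule(c) for c in (
    "iptables -A INPUT -i lo -j ACCEPT",
    "iptables -A INPUT -i bond0 -s 10.0.0.1 -j ACCEPT",
    "iptables -A INPUT -i bond0 -s 10.0.0.2 -j ACCEPT",
    "iptables -A INPUT -j LOG",
    "iptables -A INPUT -j DROP",
)]

# The ordering mistake post #4 warns about: DROP first means LOG never runs.
DROP_BEFORE_LOG = [parse_rule(c) for c in (
    "iptables -A INPUT -j DROP",
    "iptables -A INPUT -j LOG",
)]

# Constructed sample packets.
LOOPBACK_PKT = {"iface": "lo", "src": "127.0.0.1", "proto": "tcp"}
PEER_PKT = {"iface": "bond0", "src": "10.0.0.2", "proto": "tcp"}
STRANGER_PKT = {"iface": "bond0", "src": "192.0.2.5", "proto": "tcp"}


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("corrected", CORRECTED_RULES)):
        for label, pkt in (("loopback", LOOPBACK_PKT), ("peer", PEER_PKT), ("stranger", STRANGER_PKT)):
            verdict, logged = evaluate(rules, pkt)
            print(f"{name:9s} {label:9s} -> {verdict:6s} logged={logged}")
    print("drop-before-log stranger ->", evaluate(DROP_BEFORE_LOG, STRANGER_PKT))
```

Under the original rules the loopback packet arrives on `lo`, so none of the `-i bond0` rules match it; it falls through to LOG and then to the DROP policy, which is exactly why post #4 says the 127.0.0.1 rule belongs on the loopback interface. Peer traffic on bond0 is accepted without being logged, a stranger is logged and then dropped, and with DROP ahead of LOG the stranger is dropped with nothing logged.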