iptables causes delay and blocks irrationally
I've been having a problem with iptables for quite a while now, and it actually causes me to inactivate iptables. This is the setup:
I have a server running Slackware 9.1 and iptables 1.2.8. The server is connected to a router/switch which handles the (DSL) connection. Ports 21, 22, 25, 80, 110, 143 and 10000 are forwarded to the server. As you can see I use Webmin (port 10000) to administer many features on the server. Using Webmin, I have opened up the ports as above on incoming. New, established and related connections are accepted. The last rule runs a chain that simply rejects everything. That's the incoming packets. Default on output is to accept everything, and no rules are set. The problem is that I cannot create any connections from the server. I can't even ping hosts on the LAN. DNS information is unavailable. Everything is blocked on outgoing, which is weird because everything should be accepted. When I connect to the server on SSH or FTP, it generally takes a couple of seconds before I can log in. HTTP appears to work though. I could really use some help to resolve this issue. I've tried Google and various forums but a solution is still to be suggested. Cheers.
/edit: these are the results of iptables --list
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:10000 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3 state NEW,RELATED,ESTABLISHED
rejection  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain rejection (1 references)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
I think the iptables state rules might be a little goofy.
You are correctly allowing packets with a NEW state into the ports for which you want access. But you are also only allowing ESTABLISHED and RELATED traffic via those ports. The thing is that for most services, you connect to a well-known port, but your ESTABLISHED and RELATED communication typically goes through some high port (in the range specified in /proc/sys/net/ipv4/ip_local_range). As a result, you would typically allow all ESTABLISHED and RELATED traffic in your INPUT chain. So, try this: flush your iptables with "iptables -F && iptables -X", then allow all packets with an ESTABLISHED or RELATED state, then allow NEW packets to the services you want. Maybe something like this: Code:
#Start w/ stuff you want to allow
Quick patch to the code in my reply
This line: Code:
iptables -A INPUT -m limit --limit 3/minute -j LOG "REJECTED INPUT: "
Code:
iptables -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "REJECTED INPUT: "
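The ruleset shape dcostakos describes above, together with the corrected LOG line from the quick patch, as an added example that is not the poster's own script: it prints the old (per-port state match) and the fixed INPUT chain as iptables commands so they can be reviewed before being applied with `new_rules | sh` as root. The port list and the REJECT target are taken from the original post; the loopback rule and the helper function names are my additions.

```shell
#!/bin/sh
# Added example, not the poster's script. Emits iptables commands instead of
# running them; pipe the output to sh as root to apply. Ports from the post.
SERVICES="21 22 25 80 110 143 10000"   # forwarded by the router

# Print one iptables command (the command itself is never executed here).
rule() { printf 'iptables %s\n' "$*"; }

# Shape of the OP's ruleset: the state match is tied to each service port, so
# return traffic arriving on a high local port (DNS answers, ping replies, the
# FTP data channel) matches nothing and falls through to the REJECT rule.
old_rules() {
    for p in $SERVICES; do
        rule -A INPUT -p tcp --dport "$p" -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    done
    rule -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# Fixed shape: flush, accept loopback and every ESTABLISHED/RELATED packet,
# then NEW only on the published services, log a rate-limited sample of the
# rest, and reject. -j LOG needs --log-prefix, as the quick patch says.
new_rules() {
    rule -F INPUT
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $SERVICES; do
        rule -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    rule -A INPUT -m limit --limit 3/minute -j LOG --log-prefix '"REJECTED INPUT: "'
    rule -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# Check: how many rules in a generated set accept ESTABLISHED traffic on any
# destination port. 0 means replies to the server's own outbound connections
# are rejected (the symptom in the thread); 1 is what we want.
count_portless_established() {
    "$1" | grep ESTABLISHED | grep -v -- '--dport' | grep -c ACCEPT
}
```

Run `new_rules` to read the fixed chain, and `count_portless_established old_rules` versus `count_portless_established new_rules` to see why the first shape blocked pings and DNS from the box.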
Hey, thanks dcostakos! That really helped. Now I've lost the delay with incoming connections. I still can't ping or connect from the server though...
hmm.
Suddenly, pinging and everything else looks fine from the iptabled box. Thanks a lot. You my man.. :)