LinuxQuestions.org
Forum: Linux - Networking
#1  08-21-2004, 10:40 AM
niehls (Member; registered Jun 2002; Location: Sweden; Distribution: slack, redhat; Posts: 91)
iptables causes delay and blocks irrationally


I've been having a problem with iptables for quite a while now, and it actually causes me to inactivate iptables. This is the setup:

I have a server running Slackware 9.1 and iptables 1.2.8. The server is connected to a router/switch which handles the (DSL) connection. Ports 21, 22, 25, 80, 110, 143 and 10000 are forwarded to the server. As you can see, I use Webmin (port 10000) to administer many features on the server. Using Webmin, I have opened up the ports as above on incoming. NEW, ESTABLISHED and RELATED connections are accepted. The last rule runs a chain that simply rejects everything. That's the incoming packets. Default on output is to accept everything, and no rules are set.

The problem is that I cannot create any connections from the server. I can't even ping hosts on the LAN. DNS information is unavailable. Everything is blocked on outgoing, which is weird because everything should be accepted.

When I connect to the server on SSH or FTP, it generally takes a couple of seconds before I can log in. HTTP appears to work though.

I could really use some help to resolve this issue. I've tried Google and various forums, but a solution is still to be suggested.

Cheers.

Edit: these are the results of iptables --list:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:10000 state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:imap state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3 state NEW,RELATED,ESTABLISHED
rejection all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain rejection (1 references)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable


Last edited by niehls; 08-21-2004 at 11:15 AM.
#2  08-21-2004, 12:09 PM
dcostakos (Member; registered Aug 2004; Posts: 44)
I think the iptables state rules might be a little goofy.

You are correctly allowing packets with a NEW state into the ports for which you want access. But you are also allowing ESTABLISHED and RELATED traffic only via those ports. The thing is that for most services, you connect to a well-known port, but your ESTABLISHED and RELATED communication typically goes through some high port (in the range specified in /proc/sys/net/ipv4/ip_local_range). As a result, you would typically allow all ESTABLISHED and RELATED traffic in your INPUT chain.

So, try this:

Flush your iptables with "iptables -F && iptables -X", then allow all packets with an ESTABLISHED or RELATED state, then allow NEW packets to the services you want. Maybe something like this:
Code:
# Start with the stuff you want to allow
# Allow established,related traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# You will typically want to allow everything on loopback
iptables -A INPUT -i lo -j ACCEPT
# --dport needs a protocol match (-p tcp) to be valid
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# ... allow other services

# Reject everything else, but log some of it so you can see what problems may be occurring
# NB: you could also set a default input policy of DROP
iptables -A INPUT -m limit --limit 3/minute -j LOG "REJECTED INPUT: "
iptables -A INPUT -j REJECT
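To make the state mismatch concrete, here is an added toy evaluator (not code from this thread) that applies first-match semantics to the original poster's INPUT chain and to dcostakos's reordered one, using constructed packets; the conntrack states attached to each packet are assumed values, not captured traffic.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    dport: int           # destination port (0 for icmp)
    state: str           # assumed conntrack state: NEW, ESTABLISHED or RELATED
    iface: str = "eth0"  # input interface


# A rule is (proto, dport, states, iface, target); None means "any" for that field.
def matches(rule, pkt):
    proto, dport, states, iface, _target = rule
    return ((proto is None or proto == pkt.proto)
            and (dport is None or dport == pkt.dport)
            and (states is None or pkt.state in states)
            and (iface is None or iface == pkt.iface))


def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule wins, as in an iptables chain; otherwise the chain policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule[4]
    return policy


SERVICES = (80, 22, 21, 10000, 143, 25, 110)   # http, ssh, ftp, webmin, imap, smtp, pop3
ANY_STATE = {"NEW", "RELATED", "ESTABLISHED"}

# The poster's chain: the state match is tied to each service port, so the "rejection"
# chain also catches replies to the server's own outgoing traffic (DNS, ping, ...).
ORIGINAL = ([("tcp", p, ANY_STATE, None, "ACCEPT") for p in SERVICES]
            + [(None, None, None, None, "REJECT")])

# dcostakos's chain: ESTABLISHED/RELATED on any port first, then loopback,
# then NEW only to the services, then reject the rest.
FIXED = ([(None, None, {"ESTABLISHED", "RELATED"}, None, "ACCEPT"),
          (None, None, None, "lo", "ACCEPT")]
         + [("tcp", p, {"NEW"}, None, "ACCEPT") for p in SERVICES]
         + [(None, None, None, None, "REJECT")])

# Constructed sample packets (not captured traffic)
DNS_REPLY = Packet("udp", 40123, "ESTABLISHED")   # answer to a DNS query the server sent
PING_REPLY = Packet("icmp", 0, "ESTABLISHED")     # echo reply to the server's own ping
SSH_NEW = Packet("tcp", 22, "NEW")                # a client opening an SSH session
PORT_SCAN = Packet("tcp", 3306, "NEW")            # unsolicited connection to a closed port
LOCAL = Packet("tcp", 3306, "NEW", "lo")          # a local process talking to localhost


def compare(pkt):
    """Return (verdict under ORIGINAL, verdict under FIXED) for one packet."""
    return verdict(ORIGINAL, pkt), verdict(FIXED, pkt)
```

Running `compare()` over the sample packets shows the DNS and ping replies rejected under the original chain and accepted under the reordered one, while the unsolicited connection is rejected by both.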
#3  08-21-2004, 12:12 PM
dcostakos (Member; registered Aug 2004; Posts: 44)
Quick patch to the code in my reply

This line:
Code:
iptables -A INPUT -m limit --limit 3/minute -j LOG "REJECTED INPUT: "
Should read:
Code:
iptables -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "REJECTED INPUT: "
Sorry.
#4  08-21-2004, 12:28 PM
niehls (Original Poster; Member; registered Jun 2002; Location: Sweden; Distribution: slack, redhat; Posts: 91)
Hey, thanks dcostakos! That really helped. Now I've lost the delay with incoming connections. I still can't ping or connect from the server though...

hmm.
#5  08-21-2004, 01:16 PM
niehls (Original Poster; Member; registered Jun 2002; Location: Sweden; Distribution: slack, redhat; Posts: 91)
Suddenly, pinging and everything else looks fine from the iptabled box. Thanks a lot, you're my man.