[SOLVED] iptables issue

resave · 05-11-2011, 05:43 AM

Hi,
My config works fine when enabled but after an hour the site stops responding at all. When I restart, flush or disable iptables it works fine again. Wondered if anyone could see any glaring errors I've made?
Thanks
Simon

# Generated by iptables-save v1.3.5 on Tue May 10 17:06:48 2011
*mangle
:PREROUTING ACCEPT [6034:13920296]
:INPUT ACCEPT [6034:13920296]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5869:13570517]
:POSTROUTING ACCEPT [5869:13570517]
COMMIT
# Completed on Tue May 10 17:06:48 2011
# Generated by iptables-save v1.3.5 on Tue May 10 17:06:48 2011
*filter
:INPUT DROP [51:2988]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5868:13570341]
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -s 109.104.100.96 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 194.75.251.162 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 109.104.100.96 -i eth0 -p tcp -m tcp --dport 9999 -j ACCEPT
-A INPUT -s 194.75.251.162 -i eth0 -p tcp -m tcp --dport 9999 -j ACCEPT
-A INPUT -s 194.75.251.162 -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 109.104.100.96 -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 109.104.100.96 -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 194.75.251.162 -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 194.75.251.162 -i eth0 -p udp -m udp --dport 21 -j ACCEPT
-A INPUT -s 109.104.100.96 -i eth0 -p udp -m udp --dport 21 -j ACCEPT
-A INPUT -s 109.104.100.96 -i eth0 -p udp -m udp --dport 20 -j ACCEPT
-A INPUT -s 194.75.251.162 -i eth0 -p udp -m udp --dport 20 -j ACCEPT
-A INPUT -s 194.75.251.162 -i eth0 -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -s 109.104.100.96 -i eth0 -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 46.252.192.220 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 46.252.192.220 -p udp -m udp --dport 21 -j ACCEPT
-A INPUT -s 46.252.192.220 -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -s 46.252.192.220 -p udp -m udp --dport 20 -j ACCEPT
COMMIT
# Completed on Tue May 10 17:06:48 2011

gorrillamcd · 05-13-2011, 04:22 PM

What does it do when it stops responding? None of the rules apply to DNS. Is that still working? You might try doing a packet capture from the internet side of the box to see what's going on when a request is made.

resave · 05-14-2011, 02:59 AM

That was the problem, no dns entries. No sample scripts I looked at had talked about it. Thanks very much

gorrillamcd · 05-14-2011, 03:28 PM

Don't forget to mark it as solved, even though technically you solved it. I just jogged your memory