LinuxQuestions.org

Linux - Newbie: iptables --policy (login slow) (https://www.linuxquestions.org/questions/linux-newbie-8/iptables-policy-login-slow-4175530711/)

szejiekoh 01-11-2015 02:15 PM

iptables --policy (login slow)
 
Dear all,

This is my current iptables (with default policy = Accept) and no rules.
Code:

[root@racnode1 ~]# iptables -L -v
Chain INPUT (policy ACCEPT 77072 packets, 7890K bytes)
 pkts bytes target    prot opt in    out    source              destination       

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       

Chain OUTPUT (policy ACCEPT 70306 packets, 129M bytes)
 pkts bytes target    prot opt in    out    source              destination       
[root@racnode1 ~]#

I have decided to allow only incoming network connection from my own subnet and hence

Code:

[root@racnode1 ~]# iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
[root@racnode1 ~]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       
  178  9055 ACCEPT    all  --  any    any    192.168.0.0/24      anywhere           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       

Chain OUTPUT (policy ACCEPT 186 packets, 316K bytes)
 pkts bytes target    prot opt in    out    source              destination       
[root@racnode1 ~]#

I noted that my default policy was still ACCEPT, hence I

Code:

[root@racnode1 ~]# iptables --policy INPUT DROP
===============================================================

Upon this, I have 2 issues

a) my iptables -L -v command can't display fully, I am stuck at the output below

Quote:

[root@racnode1 ~]# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
b) my ssh login is very slow

Quote:

login as: root
-- waited quite some time before prompting me for password
===============================================================

If I revert the INPUT policy to ACCEPT, then everything is fine as normal.

Why ?

Thanks and I look forward to your advice.

Regards,
Noob ;(

ali.abry 01-11-2015 04:35 PM

iptables --policy (login slow)
 
Don't know the reason, but there's a problem with your input policy.
If you want to let packets from your subnet in, you should set the input policy to 'reject' and then tell it explicitly what things can get in.

unSpawn 01-11-2015 05:49 PM

Quote:

Originally Posted by szejiekoh (Post 5299273)
If I revert the INPUT policy to ACCEPT, then everything is fine as normal.
Why ?

Because you have created an incomplete rule set. Make your rule set look like what's below, save it to a file called "/etc/ruleset.new", then use 'iptables-save > /etc/ruleset.old' to create a backup and 'iptables-restore < /etc/ruleset.new' to load the new rule set:
Code:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p icmp -j ACCEPT
-A INPUT ! -s 192.168.0.0/24 -j LOG --log-prefix "IN_rej "
-A INPUT ! -s 192.168.0.0/24 -j REJECT --reject-with icmp-host-prohibited
COMMIT

.. then ameliorate at will (after reading your distribution's firewall documentation or https://www.frozentux.net/documents/iptables-tutorial/).
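The procedure in the post above (write the rule set to a file, back up the live rules with iptables-save, load the new set with iptables-restore) has one practical hazard: the new INPUT policy is DROP, and if a rule is wrong you lose the SSH session you are applying it from. The script below is an added example, not from the thread or its authors; it writes the same rule set for a given subnet and SSH port, syntax-checks it, and loads it behind a timed rollback so a mistake undoes itself. It assumes you run it as root on a host where iptables-save and iptables-restore are on PATH; the function and file names are mine.

```shell
#!/bin/sh
# Added example: generate unSpawn's rule set for a subnet and SSH port and
# apply it with an automatic rollback. Not part of the original thread.

# Print the rule set (iptables-restore format) for subnet $1 and SSH port $2.
# Defaults match the thread: 192.168.0.0/24 and port 22.
write_ruleset() {
    subnet="${1:-192.168.0.0/24}"
    sshport="${2:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s $subnet -p tcp -m tcp --dport $sshport -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s $subnet -p icmp -j ACCEPT
-A INPUT ! -s $subnet -j LOG --log-prefix "IN_rej "
-A INPUT ! -s $subnet -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Back up the live rules to $2, load $1, and start a background timer that
# reloads the backup after $3 seconds (default 60). Prints the timer's PID;
# once you have confirmed that a NEW SSH session still works, kill that PID
# to keep the new rules. If you were locked out, the timer restores access.
apply_with_rollback() {
    new="$1"
    old="$2"
    grace="${3:-60}"
    iptables-save > "$old" || return 1
    # -t (--test) parses the file without committing it: catches typos early.
    iptables-restore -t "$new" || return 1
    iptables-restore < "$new" || return 1
    ( sleep "$grace"; iptables-restore < "$old" ) &
    echo "$!"
}

# Typical use (commented out so the script can be sourced for inspection):
#   write_ruleset 192.168.0.0/24 22 > /etc/ruleset.new
#   pid=$(apply_with_rollback /etc/ruleset.new /etc/ruleset.old 90)
#   ... open a second SSH session; if it works: kill "$pid"
#   iptables-save > /etc/sysconfig/iptables   # persist (RHEL-style path from the thread)
```

Keep the grace period short but long enough to actually open a second session; and note that `iptables-restore` replaces the whole filter table atomically, so the rollback restores exactly what `iptables-save` captured, counters aside.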

szejiekoh 01-11-2015 11:40 PM

Quote:

Originally Posted by unSpawn (Post 5299382)
Because you have created an incomplete rule set. Make your rule set look like what's below, save it to a file called "/etc/ruleset.new", then use 'iptables-save > /etc/ruleset.old' to create a backup and 'iptables-restore < /etc/ruleset.new' to load the new rule set:
Code:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p icmp -j ACCEPT
-A INPUT ! -s 192.168.0.0/24 -j LOG --log-prefix "IN_rej "
-A INPUT ! -s 192.168.0.0/24 -j REJECT --reject-with icmp-host-prohibited
COMMIT

.. then ameliorate at will (after reading your distribution's firewall documentation or https://www.frozentux.net/documents/iptables-tutorial/).

Hi unspawn,

Code:

vim /etc/sysconfig/iptables

# Generated by iptables-save v1.4.7 on Mon Jan 12 03:00:23 2015
*filter
:INPUT DROP [9:1131]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2757:6482519]
-A INPUT -s 192.168.0.0/24 -j ACCEPT
COMMIT
# Completed on Mon Jan 12 03:00:23 2015


Can I know in what way my iptables above is incomplete?

Regards,
Alan

unSpawn 01-12-2015 12:55 PM

Quote:

Originally Posted by szejiekoh (Post 5299474)
Can I know in what way my iptables above is incomplete?

Sure, compare it with mine and you'll see there's a loopback device statement ("lo") missing and no use of statefulness for new, established and related connections. Your machine, as a client inside a network, will send DHCP, DNS and other queries (state: new) to other hosts for which it needs to accept the answer (state: established). And even though you (now) may trust your network it's good to limit exposure, hence only the accessible TCP/22 port. Even if you do not (want to) understand it all (right now), the Frozentux iptables tutorial really is worth even a quick glance over.

szejiekoh 01-13-2015 02:05 PM

Quote:

Originally Posted by unSpawn (Post 5299788)
Sure, compare it with mine and you'll see there's a loopback device statement ("lo") missing and no use of statefulness for new, established and related connections. Your machine, as a client inside a network, will send DHCP, DNS and other queries (state: new) to other hosts for which it needs to accept the answer (state: established). And even though you (now) may trust your network it's good to limit exposure, hence only the accessible TCP/22 port. Even if you do not (want to) understand it all (right now), the Frozentux iptables tutorial really is worth even a quick glance over.

Hi unSpawn,

Thanks for pointing it out. I tried your configuration and commented it out line by line to see the impact; it seems to me that the reason I am not able to display iptables -L -v completely is this missing line:

Code:

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Once I added it, everything works fine even with the rest of the lines commented out.

Code:

# Generated by iptables-save v1.4.7 on Mon Jan 12 03:00:23 2015
*filter
:INPUT DROP [9:1131]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2757:6482519]
#-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
#-A INPUT -s 192.168.0.0/24 -p icmp -j ACCEPT
#-A INPUT ! -s 192.168.0.0/24 -j LOG --log-prefix "IN_rej "
#-A INPUT ! -s 192.168.0.0/24 -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jan 12 03:00:23 2015

I am going to read more about what is conntrack and ctstate as well as the link given by you.
Thank you so much
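The two posts above name the omissions (no loopback accept, no RELATED,ESTABLISHED accept) and then confirm empirically that the stateful rule is what un-sticks `iptables -L -v`: with INPUT policy DROP, the replies to the host's own outbound queries (the reverse-DNS lookups that `iptables -L` and sshd perform) never get back in, so each lookup waits for a timeout. The script below is an added example, not code from the thread; it lints a rule set in `iptables-save` format for exactly those problems so the check can be run on the dumped live rules before switching the policy to DROP. The three sample rule sets are the ones posted in this thread, embedded here as constructed input; function names are mine.

```shell
#!/bin/sh
# Added example: lint an iptables-save dump for the omissions discussed in
# this thread. Not part of the original posts.

# Line number of the first line in file $1 matching ERE $2 (empty if none).
first_line() {
    grep -nE "$2" "$1" | head -n 1 | cut -d: -f1
}

# Print one line per finding for the rule set in $1; return the finding count.
lint_ruleset() {
    f="$1"
    n=0
    if ! grep -q '^:INPUT DROP' "$f"; then
        echo "info: INPUT policy is not DROP; the checks below only matter once it is"
        return 0
    fi
    # 1. Loopback: local clients talking to 127.0.0.1 otherwise hit the DROP policy.
    if ! grep -Eq '^-A INPUT .*-i lo .*-j ACCEPT' "$f"; then
        echo "missing: '-A INPUT -i lo -j ACCEPT' (loopback traffic will be dropped)"
        n=$((n + 1))
    fi
    # 2. Statefulness: accept replies to connections this host opened.
    #    Matches both the conntrack (--ctstate) and the older state (--state) match.
    est='^-A INPUT .*(--ctstate|--state) [A-Z,]*ESTABLISHED.*-j ACCEPT'
    if ! grep -Eq "$est" "$f"; then
        echo "missing: RELATED,ESTABLISHED accept (replies to the host's own DNS and other queries are dropped; symptoms: hanging 'iptables -L -v', slow sshd logins)"
        n=$((n + 1))
    else
        # 3. Ordering: rules match top-down, so a REJECT/DROP placed above the
        #    stateful accept would still discard the replies.
        e=$(first_line "$f" "$est")
        r=$(first_line "$f" '^-A INPUT .*-j (REJECT|DROP)')
        if [ -n "$r" ] && [ "$r" -lt "$e" ]; then
            echo "order: REJECT/DROP rule at line $r precedes the ESTABLISHED accept at line $e; move the accept up"
            n=$((n + 1))
        fi
    fi
    return "$n"
}

# Convenience wrapper: echo the number of findings instead of returning it.
finding_count() {
    c=0
    lint_ruleset "$1" > /dev/null || c=$?
    echo "$c"
}

# Constructed inputs: the three rule sets posted in the thread.
WORK=$(mktemp -d)
cat > "$WORK/broken" <<'EOF'
*filter
:INPUT DROP [9:1131]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2757:6482519]
-A INPUT -s 192.168.0.0/24 -j ACCEPT
COMMIT
EOF
cat > "$WORK/partial" <<'EOF'
*filter
:INPUT DROP [9:1131]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2757:6482519]
#-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
cat > "$WORK/full" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p icmp -j ACCEPT
-A INPUT ! -s 192.168.0.0/24 -j LOG --log-prefix "IN_rej "
-A INPUT ! -s 192.168.0.0/24 -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

for name in broken partial full; do
    echo "== $name"
    lint_ruleset "$WORK/$name" || echo "findings: $?"
done
# On a live host: iptables-save > /tmp/live.rules && lint_ruleset /tmp/live.rules
```

Running it on the live rules uses `iptables-save` output rather than `iptables -L -v`, which is also the safer choice because the dump never triggers the address resolution that hangs under a DROP policy (the same point unSpawn makes about `-n`).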

unSpawn 01-13-2015 06:08 PM

Quote:

Originally Posted by szejiekoh (Post 5300403)
Thank you so much

You're welcome.

*Also note it is better to run 'iptables-save' instead of 'iptables -L -v' because:
- it doesn't require address and port resolution (note a lot of applications have a "-n" switch or equivalent: see for example 'man iptables' or 'man netstat'),
- it shows you all rules in all tables (raw, mangle, etc, etc) and
- it is a list of the actual rules in use (/etc/sysconfig/iptables is just a file on disk and rules can be modified on the fly and without restarting iptables).

