LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Old 01-11-2015, 03:15 PM   #1
szejiekoh
LQ Newbie
 
Registered: Jun 2014
Posts: 28

iptables --policy (login slow)


Dear all,

This is my current iptables (with default policy = Accept) and no rules.
Code:
[root@racnode1 ~]# iptables -L -v
Chain INPUT (policy ACCEPT 77072 packets, 7890K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 70306 packets, 129M bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@racnode1 ~]#
I have decided to allow only incoming network connections from my own subnet, and hence

Code:
[root@racnode1 ~]# iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
[root@racnode1 ~]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  178  9055 ACCEPT     all  --  any    any     192.168.0.0/24       anywhere            

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 186 packets, 316K bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@racnode1 ~]#
I noted that my default policy is still ACCEPT, hence I

Code:
[root@racnode1 ~]# iptables --policy INPUT DROP
===============================================================

Upon this, I have 2 issues

a) my iptables -L -v command can't display fully; I am stuck at the below

Quote:
[root@racnode1 ~]# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
b) my ssh login is very slow

Quote:
login as: root
-- waited quite sometime before prompting me for password
===============================================================

If I revert the INPUT policy to ACCEPT, then everything is fine as normal.

Why ?

Thanks, and I look forward to your advice.

Regards,
Noob ;(
 
Old 01-11-2015, 05:35 PM   #2
ali.abry
Member
 
Registered: Feb 2013
Posts: 74


Don't know the reason, but there's a problem with your input policy.
If you want to let packets from your subnet in, you should set the input policy to 'reject' and then tell it explicitly what things can get in.
 
Old 01-11-2015, 06:49 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Quote:
Originally Posted by szejiekoh View Post
If i removed revert the INPUT policy to ACCEPT, then everything will be fine as normal.
Why ?
Because you have created an incomplete rule set. Make your rule set look like what's below, save it to a file called "/etc/ruleset.new", then use 'iptables-save > /etc/ruleset.old' to create a backup and 'iptables-restore < /etc/ruleset.new' to load the new rule set:
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p icmp -j ACCEPT
-A INPUT ! -s 192.168.0.0/24 -j LOG --log-prefix "IN_rej "
-A INPUT ! -s 192.168.0.0/24 -j REJECT --reject-with icmp-host-prohibited
COMMIT
.. then ameliorate at will (after reading your distribution's firewall documentation or https://www.frozentux.net/documents/iptables-tutorial/).
 
Old 01-12-2015, 12:40 AM   #4
szejiekoh
LQ Newbie
 
Registered: Jun 2014
Posts: 28

Original Poster
Quote:
Originally Posted by unSpawn View Post
Because you have created an incomplete rule set. Make your rule set look like what's below, save it to a file called "/etc/ruleset.new", then use 'iptables-save > /etc/ruleset.old' to create a backup and 'iptables-restore < /etc/ruleset.new' to load the new rule set:
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p icmp -j ACCEPT
-A INPUT ! -s 192.168.0.0/24 -j LOG --log-prefix "IN_rej "
-A INPUT ! -s 192.168.0.0/24 -j REJECT --reject-with icmp-host-prohibited
COMMIT
.. then ameliorate at will (after reading your distribution's firewall documentation or https://www.frozentux.net/documents/iptables-tutorial/).
Hi unspawn,

Code:
vim /etc/sysconfig/iptables

# Generated by iptables-save v1.4.7 on Mon Jan 12 03:00:23 2015
*filter
:INPUT DROP [9:1131]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2757:6482519]
-A INPUT -s 192.168.0.0/24 -j ACCEPT
COMMIT
# Completed on Mon Jan 12 03:00:23 2015

Can I know in what way my iptables rule set above is incomplete?

Regards,
Alan
 
Old 01-12-2015, 01:55 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Quote:
Originally Posted by szejiekoh View Post
Can I know in what way my iptables rule set above is incomplete?
Sure, compare it with mine and you see there's a loopback device statement ("lo") missing and no use of statefulness for new, established and related connections. Your machine, as a client inside a network, will send DHCP, DNS and other queries (state: new) to other hosts, for which it needs to accept the answers (state: established). And even though you (now) may trust your network, it's good to limit exposure, hence only the TCP/22 port is made accessible. Even if you do not (want to) understand it all (right now), the Frozentux iptables tutorial really is worth even a quick glance.
 
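To make the two points above concrete (the rule set posted in #3 and the explanation in #5 of why the original one is incomplete), here is a small packet-fate walk-through added to this page; it is not code from the thread or from any of its participants. It parses the two rule sets exactly as posted and walks a handful of constructed packets through the INPUT chain the way the kernel would: top to bottom, first terminating match wins, chain policy otherwise. The packets, the resolver address 10.0.0.53 and the host addresses are made up for the illustration; only the matchers that actually occur in the thread (-i, -s, -p, --dport, --ctstate, -j) are understood.

```python
import ipaddress
import shlex

# Constructed input: the original poster's rule set from post #4.
OP_RULESET = """\
*filter
:INPUT DROP [9:1131]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2757:6482519]
-A INPUT -s 192.168.0.0/24 -j ACCEPT
COMMIT
"""

# Constructed input: the rule set suggested in post #3.
FIXED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p icmp -j ACCEPT
-A INPUT ! -s 192.168.0.0/24 -j LOG --log-prefix "IN_rej "
-A INPUT ! -s 192.168.0.0/24 -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed packets: a DNS answer coming back from a resolver outside the
# subnet (the reply to a query this host sent), a connection over loopback,
# and two new SSH connections.  All addresses are made up.
PACKETS = {
    "dns_reply": {"iface": "eth0", "src": "10.0.0.53", "proto": "udp", "ctstate": "ESTABLISHED"},
    "loopback":  {"iface": "lo", "src": "127.0.0.1", "proto": "tcp", "dport": 22, "ctstate": "NEW"},
    "ssh_lan":   {"iface": "eth0", "src": "192.168.0.10", "proto": "tcp", "dport": 22, "ctstate": "NEW"},
    "ssh_other": {"iface": "eth0", "src": "10.0.0.5", "proto": "tcp", "dport": 22, "ctstate": "NEW"},
}

OPTIONS = ("-i", "-s", "-p", "--dport", "--ctstate", "-j", "--log-prefix", "--reject-with")


def parse_filter(text):
    """Parse the *filter table of an iptables-save dump.

    Returns (policies, rules): chain -> policy name, and chain -> list of
    rule dicts.  Only the matchers used in this thread are understood."""
    policies, rules = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                   # ":INPUT DROP [9:1131]"
            chain, policy = line[1:].split()[:2]
            policies[chain], rules[chain] = policy, []
        elif line.startswith("-A "):
            toks = shlex.split(line)               # keeps "IN_rej " as one token
            rule = {"negate": set()}
            i = 2
            while i < len(toks):
                if toks[i] == "!":                 # "! -s net" negates the next matcher
                    rule["negate"].add(toks[i + 1])
                    i += 1
                elif toks[i] in OPTIONS:
                    rule[toks[i]] = toks[i + 1]
                    i += 2
                else:                              # "-m conntrack", "-m tcp": module loads
                    i += 1
            rules[toks[1]].append(rule)
    return policies, rules


def matches(rule, pkt):
    """True if every matcher present in the rule agrees with the packet."""
    tests = {
        "-i": lambda v: pkt["iface"] == v,
        "-s": lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v),
        "-p": lambda v: pkt["proto"] == v,
        "--dport": lambda v: pkt.get("dport") == int(v),
        "--ctstate": lambda v: pkt["ctstate"] in v.split(","),
    }
    for opt, test in tests.items():
        if opt in rule:
            hit = test(rule[opt])
            if opt in rule["negate"]:
                hit = not hit
            if not hit:
                return False
    return True


def verdict(text, pkt, chain="INPUT"):
    """Walk the chain top to bottom.  LOG is non-terminating; ACCEPT, DROP and
    REJECT end the walk; the chain policy applies when nothing matched."""
    policies, rules = parse_filter(text)
    for rule in rules[chain]:
        if matches(rule, pkt) and rule["-j"] != "LOG":
            return rule["-j"]
    return policies[chain]


def fate_table():
    """Verdict of each constructed packet under both rule sets: (original, suggested)."""
    return {name: (verdict(OP_RULESET, p), verdict(FIXED_RULESET, p))
            for name, p in PACKETS.items()}


if __name__ == "__main__":
    for name, (before, after) in fate_table().items():
        print(f"{name:10s} original: {before:7s} suggested: {after}")
```

Running it shows the DNS answer and the loopback connection both falling through to the DROP policy under the original rule set, while the suggested one accepts them through the "-i lo" and "RELATED,ESTABLISHED" lines. That is the mechanism behind the symptoms in post #1: 'iptables -L -v' and sshd both wait on name lookups whose answers never get in, and the LAN SSH connection itself still works because its first packet matches the subnet rule.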
Old 01-13-2015, 03:05 PM   #6
szejiekoh
LQ Newbie
 
Registered: Jun 2014
Posts: 28

Original Poster
Quote:
Originally Posted by unSpawn View Post
Sure, compare it with mine and you see there's a loopback device statement ("lo") missing and no use of statefulness for new, established and related connections. Your machine, as a client inside a network, will send DHCP, DNS and other queries (state: new) to other hosts, for which it needs to accept the answers (state: established). And even though you (now) may trust your network, it's good to limit exposure, hence only the TCP/22 port is made accessible. Even if you do not (want to) understand it all (right now), the Frozentux iptables tutorial really is worth even a quick glance.
Hi unSpawn,

Thanks for pointing it out. I tried your configuration and commented it out line by line to see the impact; it seems to me that the reason I am not able to display iptables -L -v completely is this missing line

Code:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Once I have added it, everything works fine even with the rest of the lines commented out.

Code:
# Generated by iptables-save v1.4.7 on Mon Jan 12 03:00:23 2015
*filter
:INPUT DROP [9:1131]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2757:6482519]
#-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
#-A INPUT -s 192.168.0.0/24 -p icmp -j ACCEPT
#-A INPUT ! -s 192.168.0.0/24 -j LOG --log-prefix "IN_rej "
#-A INPUT ! -s 192.168.0.0/24 -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jan 12 03:00:23 2015
I am going to read more about what is conntrack and ctstate as well as the link given by you.
Thank you so much
 
Old 01-13-2015, 07:08 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Quote:
Originally Posted by szejiekoh View Post
Thank you so much
You're welcome.

*Also note it is better to run 'iptables-save' instead of 'iptables -L -v' because:
- it doesn't require address and port resolution (note a lot of applications have a "-n" switch or equivalent: see for example 'man iptables' or 'man netstat'),
- it shows you all rules in all tables (raw, mangle, etc, etc) and
- it is a list of the actual rules in use (/etc/sysconfig/iptables is just a file on disk and rules can be modified on the fly and without restarting iptables).
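The third point, that the live rules and /etc/sysconfig/iptables can silently diverge, is easy to check mechanically. The following drift check is added here as an illustration and is not code from the thread or its participants: it normalises two iptables-save style dumps (comments dropped, packet and byte counters stripped) and reports, per table, which rules exist only on disk, which exist only in the running kernel, and whether the shared rules are in a different order (order matters in iptables). The two inputs are constructed from the rule sets in this thread; the "live" one assumes the conntrack rule was added with 'iptables -A' and the file was never regenerated.

```python
import re

# Constructed input: the on-disk file from post #4 (/etc/sysconfig/iptables).
DISK_FILE = """\
# Generated by iptables-save v1.4.7 on Mon Jan 12 03:00:23 2015
*filter
:INPUT DROP [9:1131]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2757:6482519]
-A INPUT -s 192.168.0.0/24 -j ACCEPT
COMMIT
# Completed on Mon Jan 12 03:00:23 2015
"""

# Constructed input: what `iptables-save` might print after the conntrack rule
# was appended on the fly.  Counters and timestamps are made up.
LIVE_DUMP = """\
# Generated by iptables-save v1.4.7 on Tue Jan 13 20:00:00 2015
*filter
:INPUT DROP [9812:812345]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [31000:70000000]
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Jan 13 20:00:00 2015
"""

# Trailing "[packets:bytes]" counters on chain lines, e.g. ":INPUT DROP [9:1131]".
COUNTERS = re.compile(r"\s*\[\d+:\d+\]$")


def normalize(text):
    """Map table name -> list of policy and rule lines, comments removed and
    counters stripped, so only the rule content is compared."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                   # "*filter", "*nat", ...
            current = line[1:]
            tables[current] = []
        else:
            tables[current].append(COUNTERS.sub("", line))
    return tables


def drift(disk_text, live_text):
    """Per table: rules only on disk, rules only live, and whether the rules
    common to both appear in a different order."""
    disk, live = normalize(disk_text), normalize(live_text)
    report = {}
    for table in sorted(set(disk) | set(live)):
        d, l = disk.get(table, []), live.get(table, [])
        report[table] = {
            "only_on_disk": [r for r in d if r not in l],
            "only_live": [r for r in l if r not in d],
            "order_differs": [r for r in d if r in l] != [r for r in l if r in d],
        }
    return report


if __name__ == "__main__":
    for table, r in drift(DISK_FILE, LIVE_DUMP).items():
        print(f"*{table}")
        for rule in r["only_on_disk"]:
            print("  only on disk :", rule)
        for rule in r["only_live"]:
            print("  only live    :", rule)
        if r["order_differs"]:
            print("  shared rules are in a different order")
```

In practice you would feed the function the file contents and the output of 'iptables-save' captured from the running system; a non-empty "only_on_disk" or "only_live" list means a reboot or service restart will not give you the firewall you think you have.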
 
  

