LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-19-2003, 04:46 PM   #1
riaz2000
LQ Newbie
 
Registered: Oct 2003
Location: Canada
Distribution: Debian
Posts: 11

Rep: Reputation: 0
iptables -L view very slow after 4-5 days on Linuxbox (Router)


Hi Guys,

I am using Debian Linux as a firewall server and running iptables. After 4-5 days on my Linux box (router) with 2 network cards, my iptables almost won't work, and when I write iptables -L, it shows my rules very, very slowly. Also, the main thing is that I am unable to ping the outside world (internet). My iptables script is:

#!/bin/sh
#
IPT="/sbin/iptables"

# External (internet-facing) interface.
INT="eth0"

# The following rules will clear out any existing firewall rules,
# and any chains that might have been created.
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X

# These will setup our policies.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

# The following line below enables IP forwarding and thus
# by extension, NAT. Turn this on if you're going to be
# doing NAT or IP Masquerading.
#echo 1 > /proc/sys/net/ipv4/ip_forward


$IPT -t nat -A POSTROUTING -o $INT -j MASQUERADE

# This rule protects your forwarding rule.
$IPT -A FORWARD -i $INT -m state --state NEW,INVALID -j DROP


# Now, our firewall chain. We use the limit commands to
# cap the rate at which it alerts to 15 log messages per minute.
$IPT -N firewall
$IPT -A firewall -m limit --limit 15/minute -j LOG --log-prefix "Firewall: "
$IPT -A firewall -j DROP

# Now, our dropwall chain, for the final catchall filter.
$IPT -N dropwall
$IPT -A dropwall -m limit --limit 15/minute -j LOG --log-prefix "Dropwall: "
$IPT -A dropwall -j DROP

# Our "hey, them's some bad tcp flags!" chain.
$IPT -N badflags
$IPT -A badflags -m limit --limit 15/minute -j LOG --log-prefix "Badflags: "
$IPT -A badflags -j DROP

# And our silent logging chain.
$IPT -N silent
$IPT -A silent -j DROP

# This rule will accept connections from local machines. If you have
# a home network, enter in the IP's of the machines on the
# network below.
# Note: without the /24 mask, "-s 192.168.1.0" matches only the single
# host 192.168.1.0, not the LAN. Also consider adding "-i <lan interface>"
# so that packets arriving on $INT with a spoofed LAN source are not accepted.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -s 192.168.1.0/24 -d 0/0 -p all -j ACCEPT

# Drop those nasty packets! These are all TCP flag
# combinations that should never, ever occur in the
# wild. All of these are illegal combinations that
# are used to attack a box in various ways, so we
# just drop them and log them here.
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

# Drop icmp, but only after letting certain types through
# (0 = echo reply, 3 = destination unreachable, 11 = time exceeded,
# 8 = echo request, rate-limited).
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewall

# Replies to connections the box (or the LAN behind it) started.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# NetBIOS name-service chatter: drop without logging.
$IPT -A INPUT -p udp --sport 137 --dport 137 -j silent

# Everything else: log (rate-limited) and drop.
$IPT -A INPUT -j dropwall


Any help is appreciated. Thanks in advance.
 
Old 10-20-2003, 10:49 AM   #2
phoeniXflame
Member
 
Registered: Feb 2003
Location: Somewhere, UK
Distribution: Slack, OpenBSD, Debian, SuSE
Posts: 189

Rep: Reputation: 30
try ...

Code:
iptables -nL
Bypassing any DNS resolving speeds the listing up considerably.
 
Old 10-20-2003, 03:39 PM   #3
riaz2000
LQ Newbie
 
Registered: Oct 2003
Location: Canada
Distribution: Debian
Posts: 11

Original Poster
Rep: Reputation: 0
I am using an ADSL connection with a dynamic IP on my Debian Linux. After almost 4 days, I lost my internet connection and am not able to browse or ping the outside world, and when I restart my computer, it starts to work again. But again after 4 days, the same problem. Is there a problem in my firewall rules or something else?
 
Old 10-20-2003, 06:01 PM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
I was having a similar problem and added my ISP's DNS IP addresses to my /etc/resolv.conf file and that solved the problem.
 
Old 10-21-2003, 01:21 AM   #5
riaz2000
LQ Newbie
 
Registered: Oct 2003
Location: Canada
Distribution: Debian
Posts: 11

Original Poster
Rep: Reputation: 0
Actually I have installed dnrd for the DNS resolution
and I use:
nameserver 127.0.0.1 in my /etc/resolv.conf file.
But I will try to put my ISP's DNS IP addresses in my /etc/resolv.conf file, and I hope it will work and will let you know soon.

Anyway, thanks for your suggestion.
 
Old 10-24-2003, 11:22 PM   #6
riaz2000
LQ Newbie
 
Registered: Oct 2003
Location: Canada
Distribution: Debian
Posts: 11

Original Poster
Rep: Reputation: 0
Well, it is almost 3 days now, and no problem yet.
 
Old 10-27-2003, 12:03 AM   #7
riaz2000
LQ Newbie
 
Registered: Oct 2003
Location: Canada
Distribution: Debian
Posts: 11

Original Poster
Rep: Reputation: 0
Again today the same problem after 5 days. I am not able to connect to the internet. I had my ISP's IPs in the /etc/resolv.conf file, but sadly, not helpful. Any ideas?
 
Old 10-27-2003, 07:57 AM   #8
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Upfront disclaimer: I'm guessing.

Is it possible the problem is outside your network? You say you can't connect, but is it that you can't connect via names or you can't connect at all? So if you tried to pull up a web page using the IP address rather than the name, does that work? What I'm driving at: is it possible that your ISP is changing the IP address of their DNS and your system isn't picking it up?

Alternatively, is it possible your IP from your ISP expires and your system isn't renewing the lease or picking up a new one?

You also might try running a few traceroutes every day while your computer is up to see if you can identify the slow points.

Like I said, I'm guessing at this point.
 
Old 10-27-2003, 05:42 PM   #9
riaz2000
LQ Newbie
 
Registered: Oct 2003
Location: Canada
Distribution: Debian
Posts: 11

Original Poster
Rep: Reputation: 0
I found the problem. It is actually that my firewall server disconnects from the internet and connects again automatically with a different IP address (I am using a dynamic IP). I want to figure out why my computer gets disconnected automatically after almost 4 or 5 days.
 
Old 10-28-2003, 01:17 AM   #10
gundelgauk
Member
 
Registered: Jul 2003
Distribution: Gentoo
Posts: 168

Rep: Reputation: 30
Greetings!


Your ISP might disconnect you after a certain time; mine for example has a 24h disconnect to prevent people from hosting any web/ftp/whatever servers. You could rerun the firewall script after your IP changed, that could make you able to connect again. At least it works for me. If it also works for you, try to add an entry to the end of the /etc/ppp/ip-up script to execute your firewall script. That way your box should always update the tables whenever it (re)connects to your ISP.

About your firewall script in general...
Code:
#echo 1 > /proc/sys/net/ipv4/ip_forward
You should remove the comment (#) at the beginning of this line as it enables forwarding. It seems to work already for you, nevertheless I think you should activate it explicitly.
Code:
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
You are dropping incoming connections by default which is good. However you should also consider setting the default output policy to drop. As your box seems to be a dedicated firewall/router, it shouldn't really need to connect to the outside world, except for DNS (and http if you're running a proxy). That way it should be harder for anyone to abuse your box to DoS/flood/portscan, should they ever gain access.

Just my $0.02.


Bye!
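Worked example of the two suggestions in the post above (re-running the firewall from /etc/ppp/ip-up after every reconnect, and a default-deny OUTPUT policy that only lets the router itself do DNS). This is added example code, not the poster's or the original script; it assumes a hypothetical layout where the ADSL link comes up as ppp0, the original firewall script has been saved as /etc/firewall.sh, and the ISP resolvers are listed in /etc/resolv.conf. Setting IPT=echo dry-runs it, printing the iptables commands instead of executing them.

```shell
#!/bin/sh
# Added example; not code from the thread or from any of its posters.
# Assumed (hypothetical) layout: the ADSL link comes up as ppp0, the poster's
# firewall script is saved at /etc/firewall.sh, and the ISP resolvers are in
# /etc/resolv.conf. Set IPT=echo to dry-run: commands are printed, not run.

IPT="${IPT:-/sbin/iptables}"
EXT="${EXT:-ppp0}"
FIREWALL_SCRIPT="${FIREWALL_SCRIPT:-/etc/firewall.sh}"

# Print the non-loopback nameservers from a resolv.conf-style file.
# 127.0.0.1 (dnrd) is skipped on purpose: it is reached over lo, which is
# accepted separately, and dnrd's upstream servers live in its own config,
# so they would have to be passed here explicitly.
resolvers_from() {
    if [ -r "$1" ]; then
        awk '$1 == "nameserver" && $2 !~ /^127\./ { print $2 }' "$1"
    fi
}

# Default-deny OUTPUT for the router itself: only DNS queries to the listed
# resolvers (plus replies to flows that are already established) may leave
# the box. Add tcp/80 here only if the router actually runs a proxy.
router_output_rules() {
    resolv_conf="${1:-/etc/resolv.conf}"
    $IPT -P OUTPUT DROP
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for ns in $(resolvers_from "$resolv_conf"); do
        $IPT -A OUTPUT -o "$EXT" -d "$ns" -p udp --dport 53 -j ACCEPT
        $IPT -A OUTPUT -o "$EXT" -d "$ns" -p tcp --dport 53 -j ACCEPT
    done
    # Log (rate-limited, like the thread's other chains) anything the router
    # itself tried to send and was refused, so an abused box shows in syslog.
    $IPT -A OUTPUT -m limit --limit 15/minute -j LOG --log-prefix "Outwall: "
}

# Hook body for /etc/ppp/ip-up (or a file in /etc/ppp/ip-up.d/). pppd calls
# ip-up as: ip-up IFACE TTY SPEED LOCAL_IP REMOTE_IP IPPARAM, so the new
# address is $4. Re-applying the rules after every (re)connect is what keeps
# the firewall in step with an address that changes every few days.
on_ip_up() {
    iface="$1"
    local_ip="$4"
    logger -t firewall "link $iface up with $local_ip, reloading rules" 2>/dev/null || true
    # The original script flushes every chain, so run it first ...
    sh "$FIREWALL_SCRIPT"
    # ... and then layer the outbound restrictions on top of it.
    router_output_rules
}

# Only act when invoked by pppd (RUN_FIREWALL=1 set in the ip-up wrapper);
# sourcing the file just defines the functions.
if [ "${RUN_FIREWALL:-0}" = 1 ]; then
    on_ip_up "$@"
fi
```

The ordering inside on_ip_up matters: the original script's "$IPT -F" wipes the OUTPUT chain and "-P OUTPUT ACCEPT" resets the policy, so the outbound rules must be added after it, not before.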
 
Old 10-29-2003, 11:36 PM   #11
riaz2000
LQ Newbie
 
Registered: Oct 2003
Location: Canada
Distribution: Debian
Posts: 11

Original Poster
Rep: Reputation: 0
Yeah, good thinking and suggestion to stop outbound access, and also I will put my firewall script at the end of the /etc/ppp/ip-up file.

thanks
 