Mike Sheinberg on 31 Jan 2011 11:13:40 -0800



Re: [PLUG] iptables question


Oh man... you guys were totally right. For some reason I thought that iptables automatically allowed existing connections back inwards. I tried doing DNS lookups and it was being blocked.

This server gets hit with a lot of random crap though (people trying to brute force, look for HTTP php backdoors, etc...) - I really don't see a need to log all that - though I may reverse that stance soon when I likely hit a wall during future network troubleshooting.

Thanks for all the assistance!
-Mike

On Mon, Jan 31, 2011 at 12:38 PM, Julien Vehent <julien@linuxwall.info> wrote:
I was going to give the same answer as David: you're dropping DNS responses. The '-n' switch in the iptables command line specifically asks to not attempt reverse DNS lookups, so you get the 'instant' behavior back.

In addition to David's rule, I would add that a default DROP policy is not very practical because you cannot log what you drop.
Instead, you should consider adding a DROP rule at the end of your ruleset (thus applied to everything that isn't accepted by the preceding rules) containing a jump to a custom chain that logs before dropping packets. Such as:

-----
#create the custom chain to log and drop
iptables -N LOGDROP
iptables -A LOGDROP -j LOG --log-prefix "NETFILTER DROP => "\
       --log-level debug
iptables -A LOGDROP -j DROP

#send unaccepted packets to LOGDROP
iptables -A INPUT -i $NETCARD -j LOGDROP
iptables -A FORWARD -i $NETCARD -j LOGDROP
iptables -A OUTPUT -o $NETCARD -j LOGDROP
-----

source: http://wiki.linuxwall.info/doku.php/en:ressources:articles:netfilter_advance

Your /var/log/syslog will then nicely fill up with lots of dropped packets :)


Julien




On 01/31/2011 12:03 PM, David Coulson wrote:
 Mike-

It runs slowly because you are dropping DNS responses. One of the first
rules in INPUT should be 'if this is an established or related
connection, let it back in'

iptables -I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT

That will solve your issue, or you can do 'iptables -Ln' which disables
DNS lookups. Most likely you want to add the state rule, since pretty
much any outbound connection won't work.

David

On 1/31/2011 11:57 AM, Mike Sheinberg wrote:
Hey potential iptables wranglers,

*** DISCLAIMER IPTABLES NEWBIE ***

I'm trying to setup a new firewall config on a web server and was
curious about something I noticed. Specifically, after I changed the
INPUT chain policy to default DROP it seems that whenever I do an
'iptables -L' it takes a good 30 seconds to dump to output. Previously
this only took about 1 second. Is there something funky in my config
that may cause something like this?

Here's my current dump of /etc/sysconfig/iptables:

   # Generated by iptables-save v1.3.5 on Mon Jan 31 10:36:35 2011
   *filter
   :INPUT DROP [33:5345]
   :FORWARD ACCEPT [0:0]
   :OUTPUT ACCEPT [129:15384]
   :fail2ban-ApacheAuth - [0:0]
   :fail2ban-ApachePHPbot - [0:0]
   :fail2ban-BadBots - [0:0]
   :fail2ban-SSH - [0:0]
   -A INPUT -s *XXXXXXXXXXXXX* -j ACCEPT
   -A INPUT -s *XXXXXXXXXXX*/255.255.255.224 -j ACCEPT
   -A INPUT -p tcp -m tcp --dport 80 -j fail2ban-ApacheAuth
   -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-BadBots
   -A INPUT -p tcp -m tcp --dport 80 -j fail2ban-ApachePHPbot
   -A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
   -A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
   -A INPUT -i lo -j ACCEPT
   -A OUTPUT -d *XXXXXXXX*/255.255.255.224 -j ACCEPT
   -A fail2ban-ApacheAuth -j RETURN
   -A fail2ban-ApachePHPbot -j RETURN
   -A fail2ban-BadBots -j RETURN
   -A fail2ban-SSH -s *XXXXXXXXXX* -j DROP
   -A fail2ban-SSH -j RETURN
   COMMIT
   # Completed on Mon Jan 31 10:36:35 2011


A couple of things to point out, I'm using fail2ban so I have some
extra chains in there that it added. The top two INPUT rules are IPs
of the servers that need access to everything (that's why they are
first). I didn't build this config by hand but instead added rules
manually in CLI and then did 'service iptables save'. Oh yeah... I'm
on CentOS 5.5 if it's relevant to anyone. The blanked out *XXXX*s are
IP addresses (not hostname).

I saw similar issues of this in Google but wasn't able to peg down an
answer.

Thanks!
Mike
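As an added example (not code from the thread or its participants), a POSIX sh script that checks an iptables-save dump for the mistake discussed above (an INPUT chain that drops before accepting RELATED,ESTABLISHED, so replies to the host's own outbound connections, DNS included, are lost) and, when the check fails, prints a corrected ruleset combining David's state rule with Julien's LOGDROP chain. The sample dump is a constructed stand-in for Mike's config; 192.0.2.10 is a documentation address, not a real host.

```shell
# Added example: lint an iptables-save dump for a DROP-policy INPUT chain
# that never accepts RELATED,ESTABLISHED, then emit a corrected ruleset.
# Not from the thread; the sample dump and address below are constructed.

# Constructed stand-in for Mike's /etc/sysconfig/iptables (trimmed);
# 192.0.2.10 is a documentation address, not a real host.
ORIG_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.10 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT'

# Reads an iptables-save dump on stdin. Exits 0 when INPUT accepts
# RELATED,ESTABLISHED before anything in the chain (rule or policy) drops.
check_state_rule() {
    awk '
        /^:INPUT DROP/                                   { policy_drop = 1 }
        /^-A INPUT / && /-j (DROP|REJECT|LOGDROP)/       { dropped = 1 }
        /^-A INPUT / && /ESTABLISHED/ && /-j ACCEPT/ && !dropped { ok = 1 }
        END { bad = (policy_drop || dropped) && !ok; exit bad }
    '
}

# Corrected ruleset for iptables-restore: the state rule comes first, the
# catch-all jump to LOGDROP logs whatever is rejected, and the DROP policy
# stays only as a backstop for anything that somehow misses the last rule.
fixed_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.10 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
-A INPUT -j LOGDROP
-A LOGDROP -j LOG --log-prefix "NETFILTER DROP => " --log-level debug
-A LOGDROP -j DROP
COMMIT
EOF
}

# Usage: if the dump fails the check, print the corrected ruleset.
printf '%s\n' "$ORIG_RULES" | check_state_rule || fixed_rules
```

The printed ruleset can be fed to `iptables-restore` and the result inspected with `iptables -L -n -v`, which skips the reverse DNS lookups that made the listing slow.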


___________________________________________________________________________
Philadelphia Linux Users Group         --http://www.phillylinux.org
Announcements -http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --http://lists.phillylinux.org/mailman/listinfo/plug

