Mailing List Archive

Maxim Veksler wrote:
> Hello,
>
> Follwing a recent theread on this list, I've configued my firewall to
> allow incoming traffic from specific IP's only. Now I can't ssh
> outside, could some please explain why this happening ?
>
> The system is redhat 4.
>
> [root@prd-001 ~]# iptables -L
> Chain INPUT (policy DROP)
> target prot opt source destination
> ACCEPT all -- xxx.114.183.1 anywhere
> ACCEPT all -- yyy.8.145.182 anywhere
> ACCEPT all -- zzz.68.137.158 anywhere
> ACCEPT all -- anywhere anywhere
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> [root@prd-001 ~]# iptables-save
> # Generated by iptables-save v1.2.11 on Wed Aug 8 19:26:51 2007
> *filter
> :INPUT DROP [110564:24802104]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [637061:352312072]
> -A INPUT -s xxx.114.183.1 -j ACCEPT
> -A INPUT -s yyy.8.145.182 -j ACCEPT
> -A INPUT -s zzz.68.137.158 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> COMMIT
> # Completed on Wed Aug 8 19:26:51 2007
>
>
> Trying to ssh to "aaa.bbb.216.35" fails with timeout, looking at
> tcpdump on the otherside shows no TCP handshack is made.
>

You don't allow the return packets in. Add a -m state --state
ESTABLISHED,RELATED match as the first rule in your INPUT chain.

HTH,
M4

On 8/8/07, Martijn Lievaart <m@rtij.nl> wrote:
> Maxim Veksler wrote:
> > Hello,
> >
> > Follwing a recent theread on this list, I've configued my firewall to
> > allow incoming traffic from specific IP's only. Now I can't ssh
> > outside, could some please explain why this happening ?
> >
> > The system is redhat 4.
> >
>
> You don't allow the return packets in. Add a -m state --state
> ESTABLISHED,RELATED match as the first rule in your INPUT chain.
>

That was it, thank you very much.
How could I've debug it myself ?

> HTH,
> M4
>
>


--
Cheers,
Maxim Veksler

"Free as in Freedom" - Do u GNU ?

Maxim Veksler wrote:
> On 8/8/07, Martijn Lievaart <m@rtij.nl> wrote:
>
>> Maxim Veksler wrote:
>>
>>> Hello,
>>>
>>> Follwing a recent theread on this list, I've configued my firewall to
>>> allow incoming traffic from specific IP's only. Now I can't ssh
>>> outside, could some please explain why this happening ?
>>>
>>> The system is redhat 4.
>>>
>>>
>> You don't allow the return packets in. Add a -m state --state
>> ESTABLISHED,RELATED match as the first rule in your INPUT chain.
>>
>>
>
> That was it, thank you very much.
> How could I've debug it myself ?
>

Good question!

Add LOG rules for dropped traffic. Get out wireshark (formerly ethereal)
to see what goes on at the line. Read up on how to construct good
rulesets and maybe even on IP (no sorry, I don't have any links).

HTH,
M4

On 8/9/07, Martijn Lievaart <m@rtij.nl> wrote:
> Maxim Veksler wrote:
> > On 8/8/07, Martijn Lievaart <m@rtij.nl> wrote:
> >
> >> Maxim Veksler wrote:
> >>
> >>> Hello,
> >>>
> >>> Follwing a recent theread on this list, I've configued my firewall to
> >>> allow incoming traffic from specific IP's only. Now I can't ssh
> >>> outside, could some please explain why this happening ?
> >>>
> >>> The system is redhat 4.
> >>>
> >>>
> >> You don't allow the return packets in. Add a -m state --state
> >> ESTABLISHED,RELATED match as the first rule in your INPUT chain.
> >>
> >>
> >
> > That was it, thank you very much.
> > How could I've debug it myself ?
> >
>
> Good question!
>

Thank you.

> Add LOG rules for dropped traffic.

I would appreciate an example for this tip.

> Get out wireshark (formerly ethereal)

Got it, tcpdump -w /tmp/iptables_lock.cap, it seems that iptables hook
drops the packet before libpcap has a chance on seeing it.

> to see what goes on at the line. Read up on how to construct good
> rulesets

Would very much appreciate good links here.

and maybe even on IP (no sorry, I don't have any links).
>

rfc791, that's for IP. Please correct me if I'm wrong but you meant
read on TCP because IP is stateless and has no verification what so
ever buildin, the only tracking IP does is for fragmentation and
reconstruction of packets. I don't think this was the case here and
further more I don't see how --state ESTABLISHED,RELATED could have
any effect on it. Again, please correct me if I'm wrong.

> HTH,

It does !

> M4
>
>

Thank you.

--
Cheers,
Maxim Veksler

"Free as in Freedom" - Do u GNU ?

Maxim Veksler wrote:
>
>> Add LOG rules for dropped traffic.
>>
>
> I would appreciate an example for this tip.
>

At the end of any of the {INPUT,OUTPUT,FORWARD} chains where policy is
DROP, add the rule

-j LOG --log-prefix "(default): "
-j DROP

(that last one is optional, it duplicates the policy. But it is
considered good style, plus you have counters on this rule, another
debugging aid).

Another good way to debug such things is to add specific log rules at
the top of all chains:

-A INPUT -s aaa.bbb.216.35 -j LOG --log-prefix "debug INPUT: "
-A INPUT -d aaa.bbb.216.35 -j LOG --log-prefix "debug INPUT: "

>
>> Get out wireshark (formerly ethereal)
>>
>
> Got it, tcpdump -w /tmp/iptables_lock.cap, it seems that iptables hook
> drops the packet before libpcap has a chance on seeing it.
>

No, tcpdump/wireshark/ethereal sees the packets before netfilter on
input and after netfilter on output. I think you did something else
wrong here.

I personally never run a gui on my firewalls, but do have the X
libraries installed. That way I can ssh -X into the box and run
wireshark on it.

>
>> to see what goes on at the line. Read up on how to construct good
>> rulesets
>>
>
> Would very much appreciate good links here.
>

I don't know any, but the documentation section of www.netfilter.org is
a good start. I still want to write a document/site on writing good
iptables rules, but don't have the time. Maybe I should make the time.

Anyway Rusty Russels unreliable packet filtering guide is a good read
for the basics, especially on the -m state.

>> and maybe even on IP (no sorry, I don't have any links).

>
> rfc791, that's for IP. Please correct me if I'm wrong but you meant
> read on TCP because IP is stateless and has no verification what so
> ever buildin, the only tracking IP does is for fragmentation and
> reconstruction of packets. I don't think this was the case here and
> further more I don't see how --state ESTABLISHED,RELATED could have
> any effect on it. Again, please correct me if I'm wrong.
>

No, you're quite right.

HTH,
M4