Hello:
When I installed CentOS 4.4 (from the ServerCD) on my server, I told it not to install a firewall and I disabled SELinux. The server is a SuperMicro 5015P-TR.
I set up my own /etc/init.d/firewall with these rules:
#!/bin/sh
# Firewall script
#
# Source function library
. /etc/init.d/functions

RETVAL=0

# Some definitions (Will need to change ETH0_IP to match your configuration)
ETH0_IP=38.114.192.86

# See how we were called.
case "$1" in
  start)
        echo -n "Starting firewall: "
        /sbin/modprobe ip_conntrack_ftp

        # Set the default policies to drop all packets
        /sbin/iptables -P INPUT DROP
        /sbin/iptables -P OUTPUT DROP
        /sbin/iptables -P FORWARD DROP

        # Flush any existing rules
        /sbin/iptables -F

        # Allow loopback traffic
        /sbin/iptables -A INPUT -i lo -j ACCEPT
        /sbin/iptables -A OUTPUT -o lo -j ACCEPT

        # Allow icmp protocol packets
        /sbin/iptables -A INPUT -i eth0 -d $ETH0_IP -p icmp -j ACCEPT
        /sbin/iptables -A OUTPUT -o eth0 -s $ETH0_IP -p icmp -j ACCEPT

        # Allow ssh connections from the outside world
        /sbin/iptables -A INPUT -i eth0 -d $ETH0_IP -p tcp --sport 1024: --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
        /sbin/iptables -A OUTPUT -o eth0 -s $ETH0_IP -p tcp --sport ssh --dport 1024: -m state --state ESTABLISHED -j ACCEPT

        # Allow this server to access DNS
        /sbin/iptables -A OUTPUT -o eth0 -s $ETH0_IP -p udp --sport 1024: --dport domain -j ACCEPT
        /sbin/iptables -A INPUT -i eth0 -d $ETH0_IP -p udp --sport domain --dport 1024: -j ACCEPT

        # Log any packets that are left
        /sbin/iptables -A INPUT -j LOG --log-prefix "INPUT "
        /sbin/iptables -A OUTPUT -j LOG --log-prefix "OUTPUT "
        /sbin/iptables -A FORWARD -j LOG --log-prefix "FORWARD "

        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && touch /var/lock/subsys/firewall
        ;;
  stop)
        echo -n "Shutting down firewall: "

        # Flush the rules
        /sbin/iptables -F

        # Set the default policies to accept
        /sbin/iptables -P INPUT ACCEPT
        /sbin/iptables -P OUTPUT ACCEPT
        /sbin/iptables -P FORWARD ACCEPT

        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && rm -f /var/lock/subsys/firewall
        ;;
  *)
        echo "Usage: firewall {start|stop}"
        exit 1
esac

exit $RETVAL
Now, I can ssh to it only from the other machines in the same rack.
When I try to ssh to it from outside, I get this error in the /var/log/messages file:
Feb 17 23:01:26 tweb kernel: OUTPUT IN= OUT=eth0 SRC=38.114.192.86 DST=24.175.73.85 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=1118 WINDOW=5840 RES=0x00 ACK SYN URGP=0
If I log into the machine and try to ping an external IP, I get no response and nothing in the messages file.
Is there some security setting on CentOS 4.4 that limits connectivity?
Thanks, Neil
--
Neil Aggarwal, (214)986-3533, www.JAMMConsulting.com
FREE! Eliminate junk email and reclaim your inbox.
Visit http://www.spammilter.com for details.
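The line Neil quotes from /var/log/messages is a netfilter LOG record: the word(s) before IN= are the --log-prefix the rule was given, and the rest is a fixed set of KEY=VALUE fields plus bare tokens for IP/TCP flags (DF, SYN, ACK, RST). Reading these records by hand gets tedious once several chains log, so here is a small parser that turns each one into a single summary line and counts records per prefix. This is an added example, not code from the thread. The first sample line is the one Neil posted; the other three are constructed in the same format (198.51.100.7 is a documentation address, and the last line uses a multi-word prefix of the kind Jed's chains produce).

```shell
#!/bin/sh
# Summarise netfilter LOG records from /var/log/messages, one line per packet:
# which --log-prefix (i.e. which chain or rule) logged it, its direction,
# protocol, addresses, ports/ICMP type and bare flags.
# Added example, not from the thread. First sample line is Neil's; the rest
# are constructed. 198.51.100.7 is a documentation (TEST-NET-2) address.

SAMPLE_LOG='Feb 17 23:01:26 tweb kernel: OUTPUT IN= OUT=eth0 SRC=38.114.192.86 DST=24.175.73.85 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=1118 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Feb 17 23:02:10 tweb kernel: INPUT IN=eth0 OUT= SRC=198.51.100.7 DST=38.114.192.86 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 23:02:11 tweb kernel: INPUT IN=eth0 OUT= SRC=198.51.100.7 DST=38.114.192.86 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Feb 17 23:03:00 tweb kernel: my0ssh no match: IN=eth0 OUT= SRC=198.51.100.7 DST=38.114.192.86 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=9 PROTO=TCP SPT=41235 DPT=22 WINDOW=0 RES=0x00 RST URGP=0'

# Read syslog lines on stdin; print one summary line per netfilter record.
summarize_log() {
    awk '
    /kernel: .*IN=/ {
        rec = substr($0, index($0, "kernel: ") + 8)        # drop the syslog header
        pos = index(rec, "IN=")                             # record proper starts at IN=
        prefix = (pos > 1) ? substr(rec, 1, pos - 2) : "-"  # --log-prefix minus trailing space
        n = split(substr(rec, pos), f, " ")
        split("", kv); flags = ""
        for (i = 1; i <= n; i++) {
            eq = index(f[i], "=")
            if (eq > 0) kv[substr(f[i], 1, eq - 1)] = substr(f[i], eq + 1)
            else flags = flags (flags == "" ? "" : ",") f[i]   # bare tokens: DF, SYN, ACK, RST ...
        }
        dir = (kv["IN"] != "") ? ("in via " kv["IN"]) : ("out via " kv["OUT"])
        if (kv["PROTO"] == "TCP" || kv["PROTO"] == "UDP") ports = kv["SPT"] " -> " kv["DPT"]
        else if (kv["PROTO"] == "ICMP")                  ports = "type " kv["TYPE"] " code " kv["CODE"]
        else                                             ports = "-"
        printf "%s | %s | %s %s -> %s | %s | [%s]\n", prefix, dir, kv["PROTO"], kv["SRC"], kv["DST"], ports, flags
    }'
}

# Records per prefix: shows which chain is doing the logging (and the dropping).
count_by_prefix() {
    summarize_log | awk '{ sub(/ \|.*$/, ""); c[$0]++ } END { for (k in c) printf "%s %d\n", k, c[k] }' | LC_ALL=C sort
}

# Run over the sample; in practice: summarize_log < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | summarize_log
printf '%s\n' "$SAMPLE_LOG" | count_by_prefix
```

The prefix is taken as everything before IN= rather than the first word, so multi-word prefixes work; the per-prefix count is the quickest way to see whether a chain is logging anything at all, which matters when, as in Neil's ping case, the symptom is a dropped packet with no log line behind it.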
On Sat, 2007-02-17 at 09:15 -0600, Neil Aggarwal wrote:
Hello:
When I installed CentOS 4.4 (from the ServerCD) on my server, I told it not to install a firewall and I disabled SELinux. The server is a SuperMicro 5015P-TR.
I set up my own /etc/init.d/firewall with these rules:
#!/bin/sh
# Firewall script
#
# Source function library
. /etc/init.d/functions

RETVAL=0

# Some definitions (Will need to change ETH0_IP to match your configuration)
ETH0_IP=38.114.192.86

# See how we were called.
case "$1" in
  start)
        echo -n "Starting firewall: "
        /sbin/modprobe ip_conntrack_ftp

        # Set the default policies to drop all packets
        /sbin/iptables -P INPUT DROP
        /sbin/iptables -P OUTPUT DROP
        /sbin/iptables -P FORWARD DROP

        # Flush any existing rules
        /sbin/iptables -F

        # Allow loopback traffic
        /sbin/iptables -A INPUT -i lo -j ACCEPT
        /sbin/iptables -A OUTPUT -o lo -j ACCEPT

        # Allow icmp protocol packets
        /sbin/iptables -A INPUT -i eth0 -d $ETH0_IP -p icmp -j ACCEPT
        /sbin/iptables -A OUTPUT -o eth0 -s $ETH0_IP -p icmp -j ACCEPT

        # Allow ssh connections from the outside world
        /sbin/iptables -A INPUT -i eth0 -d $ETH0_IP -p tcp --sport 1024: --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
        /sbin/iptables -A OUTPUT -o eth0 -s $ETH0_IP -p tcp --sport ssh --dport 1024: -m state --state ESTABLISHED -j ACCEPT
Why not use ESTABLISHED,RELATED instead of just ESTABLISHED?
Can you also consider giving us the result of `iptables -L -v -n --line-numbers`? That gives a better view of what the system is using as iptables rules ...
<snip>
Fabian:
Adding RELATED to the rule did not help.
I am attaching the output of iptables -L -v -n --line-numbers.
Any ideas?
Thanks, Neil
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Fabian Arrotin
Sent: Saturday, February 17, 2007 10:04 AM
To: CentOS mailing list
Subject: Re: [CentOS] CentOS 4.4 blocking outbound connections?
Fabian:
This is annoying. I was playing around with the rules and things started working. I put the rules back to what I had before and things still work.
I don't like it when things do that. Makes me wonder if it will switch back on its own.
Thanks, Neil
Fabian:
I rebooted the machine to see what would happen. It went back to not accepting the connections again.
If I turn off the firewall, everything works fine.
I believe there is something flaky in the iptables implementation of CentOS 4.4 from what I am seeing.
Any ideas?
Thanks, Neil
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Neil Aggarwal
Sent: Saturday, February 17, 2007 2:34 PM
To: 'CentOS mailing list'
Subject: RE: [CentOS] CentOS 4.4 blocking outbound connections?
Neil Aggarwal wrote:
Fabian:
I rebooted the machine to see what would happen. It went back to not accepting the connections again.
If I turn off the firewall, everything works fine.
I believe there is something flaky in the iptables implementation of CentOS 4.4 from what I am seeing.
Any ideas?
I often write my rules as chains that end in a -j LOG --prefix "chainX" then a -j REJECT, and this helps identify where my traffic is failing. I can then later switch off the logging and turn the rejecting to dropping. Below is a particularly lean example, but it shows a method by which you can get detailed feedback on how your chains match certain packets that you pass to them.
#!/bin/bash
#fail=DROP
fail=REJECT          # REJECT while debugging; switch to DROP once the rules are right
log=1                # 1 = add a LOG rule in front of each REJECT/RETURN
# ...

[ $log -eq 1 ] && iptables -A INPUT -j LOG --log-prefix 'start:'

# One chain per service; RETURN on what it is for, log anything it did not match
iptables -N my0ssh
iptables -A my0ssh -p tcp -m tcp -m state --state NEW -j RETURN
[ $log -eq 1 ] && iptables -A my0ssh -j LOG --log-prefix "my0ssh no match"
# ...

iptables -A INPUT -j my0ssh
iptables -A INPUT -j LOG --log-prefix 'fall-thru-failure:'
iptables -A INPUT -j $fail
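Jed's log-then-reject chains and Fabian's ESTABLISHED,RELATED suggestion put together in one complete rule set, as an added example that is not code from the thread. It assumes a dry-run wrapper (with IPT unset it prints the iptables command instead of running it, so it can be inspected on any machine; set IPT=/sbin/iptables as root to apply the rules), a placeholder address 192.0.2.10 for ETH0_IP, and borrows the chain name my0ssh and the log/fail switches from Jed's post. Unlike Neil's script it accepts every tracked reply with a single state rule near the top and gives every chain its own log prefix before the terminal target.

```shell
#!/bin/sh
# Stateful rule set with a per-chain "log, then reject" tail.
# Added example, not from the thread. IPT empty = dry run (print only);
# ETH0_IP below is a placeholder documentation address, replace it.

IPT=${IPT:-}                     # e.g. IPT=/sbin/iptables to apply for real
ETH0_IP=${ETH0_IP:-192.0.2.10}   # placeholder; the host's own public address
log=${log:-1}                    # 1 = LOG rule before each terminal target
fail=${fail:-REJECT}             # REJECT while debugging, DROP when done

# Emit one rule: run it through $IPT, or print it when doing a dry run.
rule() {
    if [ -n "$IPT" ]; then "$IPT" "$@"; else printf 'iptables %s\n' "$*"; fi
}

firewall_rules() {
    rule -F
    rule -X
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT DROP

    # Loopback, then anything conntrack already knows about. RELATED covers
    # ICMP errors and helper-tracked data channels (ip_conntrack_ftp).
    rule -A INPUT  -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    rule -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # One chain per service: accept what it is for, log and RETURN on the rest
    # so the packet reaches the chain's own fall-through rules below.
    rule -N my0ssh
    rule -A my0ssh -p tcp --dport 22 -m state --state NEW -j ACCEPT
    [ "$log" -eq 1 ] && rule -A my0ssh -j LOG --log-prefix 'my0ssh no match: '
    rule -A my0ssh -j RETURN
    rule -A INPUT -i eth0 -d "$ETH0_IP" -p tcp --dport 22 -j my0ssh

    # NEW connections this host itself may open (DNS lookups, ping).
    rule -A OUTPUT -o eth0 -s "$ETH0_IP" -p udp --dport 53 -m state --state NEW -j ACCEPT
    rule -A OUTPUT -o eth0 -s "$ETH0_IP" -p icmp -m state --state NEW -j ACCEPT

    # Whatever reaches the end of a chain is logged with that chain's prefix,
    # then rejected (or dropped once fail=DROP).
    for chain in INPUT OUTPUT FORWARD; do
        [ "$log" -eq 1 ] && rule -A "$chain" -j LOG --log-prefix "$chain fall-thru: "
        rule -A "$chain" -j "$fail"
    done
}

# Dry run: prints the 22 iptables invocations in order.
firewall_rules
```

Rules are matched first to last, so the single ESTABLISHED,RELATED rule handles every reply packet in both directions and the per-service chains only ever see NEW connections. Because each chain ends in LOG then $fail, a dropped packet always leaves a line whose prefix names the chain it died in; a packet that leaves no line at all was never seen by these rules, which is the kind of negative evidence that pointed Neil at the IPMI card rather than at iptables.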
Jed:
Thanks for trying to help. That is a good idea.
I eventually figured out it was the IPMI card interfering with the packets destined to eth0.
Neil
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Jed Reynolds
Sent: Wednesday, February 21, 2007 10:34 PM
To: CentOS mailing list
Subject: Re: [CentOS] CentOS 4.4 blocking outbound connections?
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos