[CentOS] iptables starts blocking outbound http traffic
neil at JAMMConsulting.com
Thu Nov 6 14:33:59 UTC 2008
I have a machine running CentOS 5 x86_64.
It is running apache httpd and tomcat.
For some reason, after running for a few days,
web requests stop responding. It happened again
this morning. I check the syslog and see a HUGE
number of logs like this:
OUTPUT IN= OUT=eth0 SRC=[MyIP] DST=[OutsideIP] LEN=532 TOS=0x00 PREC=0x00 TTL=64 ID=52669 DF PROTO=TCP SPT=80 DPT=54697 WINDOW=61 RES=0x00 ACK PSH FIN
Here are my iptables commands for http connections (I have the default
policy set to drop):
# Allow http connections from the outside world
/sbin/iptables -A INPUT -i eth0 -d $ETH0_IP -p tcp --sport 1024: --dport http -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -s $ETH0_IP -p tcp --sport http --dport 1024: -m state --state ESTABLISHED -j ACCEPT
Here are some strange things:
1. I have the exact same rules running on two other servers which do
not give me any trouble.
2. If I stop and restart httpd and tomcat, the problem goes away. This
suggests the firewall is not a problem.
Any ideas what is going on?
Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com
Eliminate junk email and reclaim your inbox.
Visit http://www.spammilter.com for details.
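Added example (not from the post or from CentOS): a small Python parser for netfilter LOG lines in the format quoted above. It counts dropped packets by chain, interface, protocol, source port and TCP flags, and picks out the server's own replies from port 80 dropped in OUTPUT, which the ESTABLISHED-only OUTPUT rule passes only while conntrack still has an entry for the flow. The sample lines are constructed (documentation addresses), and the log prefix is assumed to be the chain name as in the post.

```python
from collections import Counter

# Constructed sample log lines in the layout shown in the post; not real traffic.
SAMPLE_LOG = """\
OUTPUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=532 TOS=0x00 PREC=0x00 TTL=64 ID=52669 DF PROTO=TCP SPT=80 DPT=54697 WINDOW=61 RES=0x00 ACK PSH FIN
OUTPUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.8 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=52670 DF PROTO=TCP SPT=80 DPT=50111 WINDOW=61 RES=0x00 ACK FIN
OUTPUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=52671 DF PROTO=TCP SPT=80 DPT=50112 WINDOW=0 RES=0x00 RST
INPUT IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=100 DF PROTO=TCP SPT=44000 DPT=22 WINDOW=5840 RES=0x00 SYN
"""

TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}


def parse_line(line):
    """Parse one LOG line into a dict; the token before 'IN=' is the prefix (chain)."""
    tokens = line.split()
    starts = [i for i, t in enumerate(tokens) if t.startswith("IN=")]
    if not starts:
        return None
    start = starts[0]
    entry = {"chain": tokens[start - 1] if start > 0 else "", "flags": [], "opts": []}
    for tok in tokens[start:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            entry[key] = value
        elif tok in TCP_FLAGS:
            entry["flags"].append(tok)       # order as printed by the kernel
        else:
            entry["opts"].append(tok)        # e.g. DF (don't fragment)
    return entry


def summarize(log_text):
    """Count logged packets by (chain, out iface, proto, source port, TCP flags)."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        key = (e["chain"], e.get("OUT", ""), e.get("PROTO", ""),
               e.get("SPT", ""), " ".join(e["flags"]))
        counts[key] += 1
    return counts


def orphaned_http_replies(log_text):
    """Server replies from TCP port 80 logged in OUTPUT. With an ESTABLISHED-only
    OUTPUT rule these reach the drop policy only when conntrack no longer knows
    the flow, so a flood of them points at lost connection state, not the rule."""
    entries = (parse_line(l) for l in log_text.splitlines())
    return [e for e in entries
            if e and e["chain"] == "OUTPUT" and e.get("PROTO") == "TCP" and e.get("SPT") == "80"]
```

Running it over a real syslog extract (grep for the LOG prefix first) gives the same per-flag breakdown, so the ratio of FIN/RST replies to fresh data becomes visible at a glance.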