Firewall is losing its marbles
Honestly, I'm not sure. Here's the table, it's been holding strong since I went to static IPs. Host names and IPs modified to protect the guilty.

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             host01              tcp spts:login:65535 dpt:ssh state NEW,ESTABLISHED
ACCEPT     icmp --  anywhere             host01              icmp echo-reply state NEW,RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             host01              icmp echo-request state NEW,RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  192.168.2.0/25       anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  host01               anywhere            tcp spt:ssh dpts:login:65535 state ESTABLISHED
ACCEPT     icmp --  host01               anywhere            icmp echo-reply state NEW,RELATED,ESTABLISHED
ACCEPT     icmp --  host01               anywhere            icmp echo-request state NEW,RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  192.168.2.0/25       anywhere

Host01 (eth0) would essentially be on the internet, eth1 on 192.168.1 and eth2 on 192.168.2, all DHCP. It will allow SSH to come in. Once on the box you are free to roam 192.168.1 and 192.168.2. But what you can't do is get back out to the internet once you're in. It's the roach motel.

What would happen: I would set the tables up and approximately 24 hours later the tables would be completely trashed. I could still ping host01 from the internet, but I couldn't ssh in. Reapplying my rules after zeroing out the tables was the only thing that cleared it up.

What made me wonder about DHCP was seeing the DHCP requests on the private side of the network just suddenly start producing errors. The private side was also screwed up in iptables. I took that, figured going to static wouldn't hurt as a test, and what do you know, it's been stable since.

I agree DHCP + firewall is pretty common, but perhaps my implementation of the firewall was too uncommon for the software to handle.

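A check for the symptom Travis describes (rules silently vanishing while ping keeps working), added here as an example and not part of the thread: a POSIX sh script that compares a saved `iptables-save` baseline with the live ruleset and lists which baseline rules have gone missing. The baseline path and the sample dumps are constructed for illustration; the rule lines are modelled on the INPUT chain in the table above.

```shell
#!/bin/sh
# Detect iptables ruleset drift by diffing a saved baseline against the
# live ruleset. Added example; BASELINE_FILE is an assumed path.
BASELINE_FILE=/var/lib/fw/baseline.rules

# Strip what legitimately changes between two dumps of the same rules:
# "# Generated by"/"# Completed on" timestamps, the [pkts:bytes]
# counters on chain policy lines, and blank lines.
normalize_rules() {
    sed -e '/^#/d' -e '/^$/d' \
        -e 's/^\(:[A-Za-z0-9_-]* [A-Z-]*\) \[[0-9]*:[0-9]*\]/\1/'
}
# rules_differ BASELINE CURRENT -> prints 0 if equal, 1 if drift detected
rules_differ() {
    a=$(printf '%s\n' "$1" | normalize_rules)
    b=$(printf '%s\n' "$2" | normalize_rules)
    if [ "$a" = "$b" ]; then echo 0; else echo 1; fi
}
# missing_rules BASELINE CURRENT -> baseline lines absent from CURRENT
missing_rules() {
    tmp=$(mktemp)
    printf '%s\n' "$2" | normalize_rules > "$tmp"
    printf '%s\n' "$1" | normalize_rules | grep -vxF -f "$tmp" || true
    rm -f "$tmp"
}
# check_live -> compare BASELINE_FILE with the running firewall (needs root)
check_live() {
    live=$(iptables-save 2>/dev/null) || { echo "iptables-save failed"; return 2; }
    saved=$(cat "$BASELINE_FILE")
    if [ "$(rules_differ "$saved" "$live")" = 1 ]; then
        echo "DRIFT: baseline rules now missing from the live ruleset:"
        missing_rules "$saved" "$live"
        return 1
    fi
    echo "ruleset matches baseline"
}

# Constructed sample dumps modelled on the thread's INPUT chain.
SSH_RULE='-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT'
PING_RULE='-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT'
BASELINE="# Generated by iptables-save (constructed, day 1)
*filter
:INPUT DROP [0:0]
$SSH_RULE
$PING_RULE
COMMIT"
# Same rules a day later: only the timestamp and counters moved.
LATER=$(printf '%s\n' "$BASELINE" | sed -e 's/day 1/day 2/' -e 's/\[0:0\]/[4242:318000]/')
# The thread's symptom: pings still answered, the ssh rule gone.
TRASHED=$(printf '%s\n' "$BASELINE" | grep -vxF -e "$SSH_RULE")
```

Running `check_live` from cron against a baseline captured right after applying the rules turns the "it breaks after a day" observation into a timestamped alert naming the exact rule that disappeared.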
From: McCarty Ronald [mailto:mccarty@yournetguard.com]
Sent: Monday, March 24, 2008 6:32 AM
To: Getting started with Red Hat Linux
Subject: Re: Firewall is losing its marbles

Travis,

What was the particular issue? Running DHCP / iptables isn't that uncommon of a setup, so it would be interesting to hear the particulars.

Best regards,

--ron

On Mar 20, 2008, at 9:30 AM, Waldher, Travis R wrote:
From: Waldher, Travis R
Sent: Friday, March 14, 2008 8:48 AM
To: Getting started with Red Hat Linux
Subject: Firewall is losing its marbles

I've got a pretty strict firewall setup on a machine that acts as a gateway between a production environment and a test environment.

Users will log in to the box to access the test environment; the box is running RHEL5. Once in, it's like the roach motel, no one gets back out to the real world from the test world.

My firewall is working fine, but it seems to lose its marbles and deny ssh but still allow pings from the outside after a day or two. Wiping out the tables and re-applying them corrects the issue but obviously this is a poor solution.

Has anyone else seen iptables partially stop working like this?

Answer: Firewall + DHCP = no worky so well.
_______________________________________________
Redhat-install-list mailing list
Redhat-install-list@redhat.com
https://www.redhat.com/mailman/listinfo/redhat-install-list
To Unsubscribe Go To ABOVE URL or send a message to:
redhat-install-list-request@redhat.com
Subject: unsubscribe