Old 03-24-2008, 12:31 PM
McCarty Ronald

Firewall is losing its marbles

Travis,

What was the particular issue? Running DHCP / iptables isn't that uncommon of a setup, so it would be interesting to hear the particulars.

Best regards,
--ron

On Mar 20, 2008, at 9:30 AM, Waldher, Travis R wrote:

> From: Waldher, Travis R
> Sent: Friday, March 14, 2008 8:48 AM
> To: Getting started with Red Hat Linux
> Subject: Firewall is losing its marbles
>
> I've got a pretty strict firewall setup on a machine that acts as a gateway between a production environment and a test environment.
>
> Users will log in to the box to access the test environment; the box is running RHEL5. Once in, it's like the roach motel: no one gets back out to the real world from the test world.
>
> My firewall is working fine, but it seems to lose its marbles and deny ssh but still allow pings from the outside after a day or two. Wiping out the tables and re-applying them corrects the issue, but obviously this is a poor solution.
>
> Has anyone else seen iptables partially stop working like this?
>
> Answer: Firewall + DHCP = no worky so well.




_______________________________________________
Redhat-install-list mailing list
Redhat-install-list@redhat.com
https://www.redhat.com/mailman/listinfo/redhat-install-list
To Unsubscribe Go To ABOVE URL or send a message to:
redhat-install-list-request@redhat.com
Subject: unsubscribe
Old 03-24-2008, 05:48 PM
"Waldher, Travis R"

Firewall is losing its marbles

Honestly, I'm not sure. Here's the table; it's been holding strong since I went to static IPs. Host names and IPs modified to protect the guilty.

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             host01               tcp spts:login:65535 dpt:ssh state NEW,ESTABLISHED
ACCEPT     icmp --  anywhere             host01               icmp echo-reply state NEW,RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             host01               icmp echo-request state NEW,RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  192.168.2.0/25       anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  host01               anywhere             tcp spt:ssh dpts:login:65535 state ESTABLISHED
ACCEPT     icmp --  host01               anywhere             icmp echo-reply state NEW,RELATED,ESTABLISHED
ACCEPT     icmp --  host01               anywhere             icmp echo-request state NEW,RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  192.168.2.0/25       anywhere

Host01 (eth0) would essentially be on the internet, eth1 on 192.168.1 and eth2 on 192.168.2, all DHCP. It will allow SSH to come in. Once on the box you are free to roam 192.168.1 and 192.168.2. But what you can't do is get back out to the internet once you're in. It's the roach motel.

What would happen: I would set the tables up and approximately 24 hours later the tables would be completely trashed. I could still ping host01 from the internet, but I couldn't ssh in. Reapplying my rules after zeroing out the tables was the only thing that cleared it up.

What made me wonder about DHCP was looking at the DHCP requests on the private side of the network, which just suddenly started producing errors. The private side was also screwed up in iptables. I took that, figured going to static wouldn't hurt as a test, and what do you know, it's been stable since.

I agree DHCP + firewall is pretty common, but perhaps my implementation of firewall was too uncommon for the software to handle it.
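Editor's note on the listing above: a bare `iptables -L` does not print the `-i`/`-o` interface matches, so the first "ACCEPT all anywhere anywhere" line and the mid-chain "DROP all anywhere anywhere" cannot be read from that output alone; `iptables -L -v -n` or `iptables-save` shows what those rules really match on, and is the listing to post when asking for help with a ruleset. The script below is an added example, not the poster's configuration or anything from the list: it renders a "roach motel" gateway ruleset in `iptables-restore` format for the host as described (eth0 on the internet, eth1 on 192.168.1.0/24, eth2 on 192.168.2.0/25, all three DHCP clients, ssh in from eth0, no new connections out on eth0, no forwarding). The explicit DHCP client rules are the standard allowance for a DHCP client behind a default-DROP OUTPUT policy, not a confirmed diagnosis of the original problem. The interface names, sshd on port 22, and the choice to leave outbound ICMP echo-request off (ICMP echo is a well-known covert channel out of a host like this, and the original OUTPUT chain allowed it) are assumptions made here; the `check_rules` function lists the sanity checks worth running on any ruleset of this shape before loading it.

```shell
#!/bin/sh
# Added example, not the ruleset from the thread: a "roach motel" gateway in
# iptables-restore format for a host whose three interfaces are all DHCP
# clients. Interface names, sshd on port 22 and the two private networks
# follow the post above; everything else is an assumption.

gen_rules() {
    wan=${1:-eth0}; lan1=${2:-eth1}; lan2=${3:-eth2}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback. In a bare 'iptables -L' listing this is the first
# "ACCEPT all anywhere anywhere" line, because -L hides the -i/-o match.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Return traffic for connections already accepted, in both directions.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DHCP client exchange on every interface that gets its address by DHCP.
# With OUTPUT policy DROP the unicast lease renewal needs this explicitly.
EOF
    for ifc in "$wan" "$lan1" "$lan2"; do
        printf -- '-A INPUT -i %s -p udp --sport 67 --dport 68 -j ACCEPT\n' "$ifc"
        printf -- '-A OUTPUT -o %s -p udp --sport 68 --dport 67 -j ACCEPT\n' "$ifc"
    done
    cat <<EOF
# Internet side: new ssh sessions and ping in, nothing new out.
-A INPUT -i $wan -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $wan -p icmp --icmp-type echo-request -j ACCEPT
# Test side: a logged-in user may roam both private networks.
-A INPUT -i $lan1 -s 192.168.1.0/24 -j ACCEPT
-A INPUT -i $lan2 -s 192.168.2.0/25 -j ACCEPT
-A OUTPUT -o $lan1 -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT -o $lan2 -d 192.168.2.0/25 -j ACCEPT
# No routing between the sides at all: FORWARD keeps its DROP policy, and
# the box should also run with net.ipv4.ip_forward=0.
COMMIT
EOF
}

# Sanity checks to run before 'gen_rules ... | iptables-restore': loopback
# open, state tracking present in OUTPUT, DHCP allowed out on every
# interface, no rule letting a NEW connection leave on the internet side,
# and FORWARD still defaulting to DROP. Returns 0 when all hold.
check_rules() {
    wan=${1:-eth0}
    r=$(gen_rules "$@")
    printf '%s\n' "$r" | grep -q '^-A INPUT -i lo -j ACCEPT$' || return 1
    printf '%s\n' "$r" | grep -q -e '^-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT$' || return 1
    [ "$(printf '%s\n' "$r" | grep -c -e '--sport 68 --dport 67 -j ACCEPT$')" -eq 3 ] || return 1
    ! printf '%s\n' "$r" | grep -q -e "^-A OUTPUT -o $wan .*--state NEW" || return 1
    printf '%s\n' "$r" | grep -q '^:FORWARD DROP' || return 1
    return 0
}

# Usage (as root):
#   check_rules eth0 eth1 eth2 && gen_rules eth0 eth1 eth2 | iptables-restore
```

After loading, `iptables-save` is the listing to compare against what `gen_rules` printed; the `-v -n` form of `iptables -L` also shows per-rule packet counters, which is the quickest way to see whether a given rule is matching at all when ssh stops working while ping still answers.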