IPTables Established connection problem.

From: Doubletwist (dontspam.doubletwist@spack.nu)
Date: 12/17/01 

From: Doubletwist <dontspam.doubletwist@spack.nu>
Date: 17 Dec 2001 19:37:32 GMT

I posted a couple weeks ago about IPTables possibly losing state.
I've tried everything suggested and nothing seems to help.

As noted earlier, originally everything worked great for several months.
Then I compiled a newer kernel [2.4.10] and started having these issues.
  I went back to the original kernel [2.4.5] but that didn't fix the
problem.

My established connections still freeze if I have firewalling [iptables]
turned on.
But I have no problem making new connections [luckily this allows me to
ssh in an turn off iptables].

I've tried recompiling the kernel, and making the iptables stuff as
modules [originally had kernel compiled with no modules support].
I've updated iptables to the latest [v1.2.4]

The logging is not showing anything too unusual. At least nothing that
shows up every time the connection locks [that's how it appears to the
open connection].

I've tried multiple firewall scripts to see if it was something in the
way it was set up, but that didn't help either.

Please help. This machine has been firewall-less for some time now ;(

Slackware 8.0 custom kernel 2.4.16 [originally on 2.4.5] iptables loaded
as modules

Listed below is my firewall script as it now stands. [IP's changed to
protect the guilty :)]

Thanks in advance for your help

Doubletwist

____________________________________

#!/bin/sh
#This is the location of the iptables command
IPT="/usr/local/sbin/iptables"

case "$1" in
          stop)
         echo "Shutting down firewall..."
         $IPT -F
         $IPT -P INPUT ACCEPT
         $IPT -P OUTPUT ACCEPT
         $IPT -P FORWARD ACCEPT
         $IPT -X
         $IPT -Z
        ;;
        reload|restart)
        echo "Restarting firewall..."
        $0 stop
        $0 start
        ;;
        status)
        $IPT -L -n --line-numbers
        ;;
        start)
         echo "Starting Firewall..."

IFACE="eth0"
IPADDR="205.1.1.180"
NAMESERVER1="207.155.184.72"
NAMESERVER2="207.155.183.73"
NAMESERVER3="192.122.209.42"
BROADCAST="205.1.1.191"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"

#Flush everything, start from scratch
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F
$IPT -X
$IPT -Z

#Setup sysctl controls which affect tcp/ip

#Disable IP Spoofing attacks
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

#Don't respond to broadcast pings
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Disable Forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward

#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Reverse path filtering
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter

#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Log martians (packets with impossible addresses)
#Some nics don't like. Comment out if necessary
#echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

#Set out local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

#Reduce DOS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack

##Set Basic rules
#
#Set default action DROP policy
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

#Kill ANY stupid packets
#-Packets that are too short to have a full ICMP/UDP/TCP header
#- TCP and UDP packets with zero (illegal) source and destination ports
#-Illegal combinations of TCP flags#-Zero-length (illegal) or
over-length TCP and IP options,i
#
or options after the END-OF-OPTIONS option
#-Fragments of illegal length or offset (e.g., Ping of Death).
#Above list ripped from http://www.linux-mag.com/2000-01/bestdefense_02.html
#$IPT -A INPUT -m unclean -j DROP
#$IPT -A FORWARD -m unclean -j DROP
#$IPT -A OUTPUT -m unclean -j DROP
## ABOVE commented out because it fails on load

#Kill invalid packets (illegal combination of flags)
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state INVALID -j DROP

#Allow all connections on the internal interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

#Kill connections to the local interface from outside world
$IPT -A INPUT -d 127.0.0.0/8 -j REJECT

#SynFlood protection
$IPT -N SYN
$IPT -A INPUT -i eth0 -p tcp --syn -j SYN
$IPT -A SYN -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPT -A SYN -j DROP

#Make sure NEW tcp connections are SYN packets
$IPT -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

#FRAGMENTS
#Log fragments to see if we get any and deny them
$IPT -A INPUT -i eth0 -f -j LOG --log-prefix "IPTABLES FRAGMENTS:"
$IPT -A INPUT -i eth0 -f -j DROP

#SPOOFING
#Refuce packest that pretend to be from your IP address
$IPT -A INPUT -i eth0 -s $IPADDR -j DROP

#Refuse packest claiming to be from private networks
$IPT -A INPUT -i eth0 -s $CLASS_A -j DROP
$IPT -A INPUT -i eth0 -s $CLASS_B -j DROP
$IPT -A INPUT -i eth0 -s $CLASS_C -j DROP
$IPT -A INPUT -i eth0 -s $CLASS_D_MULTICAST -j DROP
$IPT -A INPUT -i eth0 -s $CLASS_E_RESERVED_NET -j DROP

#DROP packest claiming to be to the loopback
$IPT -A INPUT -i eth0 -d $LOOPBACK -j DROP

#DROP broadcast address packets
$IPT -A INPUT -i eth0 -d $BROADCAST -j DROP

##ICMP
#ping flood protection
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j
ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j DROP

#Allow all other icmp
$IPT -A INPUT -p icmp -j ACCEPT

#Allow established connections

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#From here on we're dealing with connection attempts.
#The -m limit is a DoS protection on connects
#First we allow a certain amount of connections per second
#DROP the rest so we don't DoS ourself with rejections.
#We don't limit normal packets (!SYN) by allowing the rest
##Basic services

#ftp-data
$IPT -A INPUT -p tcp --dport 20 -j ACCEPT

#ftp
$IPT -A INPUT -p tcp --dport 21 -j ACCEPT

#SSH
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT

#SMTP One per second limit -burst rate of ten
$IPT -A INPUT -p tcp --dport 25 --syn -m limit --limit 1/s --limit-burst
10 -j ACCEPT
$IPT -A INPUT -p tcp --dport 25 --syn -j DROP
$IPT -A INPUT -p tcp --dport 25 -j ACCEPT

#DNS
#$IPT -A INPUT -p tcp --dport 53 -j ACCEPT
#$IPT -A INPUT -p udp --dport 53 -j ACCEPT

#http
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT

#pop3
#$IPT -A INPUT -p tcp --dport 110 -j ACCEPT

#https
$IPT -A INPUT -p tcp --dport 443 -j ACCEPT

#identd
$IPT -A INPUT -p tcp --dport 113 -j ACCEPT

#IMAP/IMAPS Allow only IMAPSSL!
$IPT -A INPUT -p tcp --dport 993 -j ACCEPT

#Samba [from Known networks only.]
#work
$IPT -A INPUT -p tcp --dport 139 -s 209.2.1.0/25 -j ACCEPT
$IPT -A INPUT -p udp -s 209.2.1.0/25 -j ACCEPT
#Home DSL
$IPT -A INPUT -p tcp --dport 139 -s 66.9.1.37/32 -j ACCEPT
$IPT -A INPUT -p udp -s 66.9.1.27/32 -j ACCEPT

#Traceroute depend in finding a rejected port. DROP the ones it uses
$IPT -A INPUT -p udp --dport 33434:33523 -j DROP

#Don't log IDENT it gets hit all the time
$IPT -A INPUT -p tcp --dport 113 -j REJECT

##Catch all rules
#log
#iptables reverts to these if it hasn't matched any of the previous rules
$IPT -A INPUT -m limit --limit 5/second -j LOG --log-prefix "Firewalled
packet:"
#reject
$IPT -A INPUT -p all -j DROP

#Accept if it's outbound
$IPT -A OUTPUT -j ACCEPT

   ;;
*)
        echo "Useage: rc.firewall (start|stop|restart|status)"
        exit 1
esac
exit 0

Relevant Pages

  • Iptables - attack - please help
    ... incoming packets discarded ... ICMP messages received ... 36 active connections openings ... iptables -N specific-rule-set ...
    (comp.os.linux.security)
  • Re: IPTables Port Forwarding
    ... ESTABLISHED and RELATED connections: ... packets will go back through your firewall). ... Then the client gets an answer from "192.168.1.50", ... iptables -t nat -F ...
    (Debian-User)
  • Re: iptables dropping legitimate packets?
    ... There's nothing wrong with the iptables file, ... now that the PC is running FC3 I am seeing dropped packets ... The packets, however, are not inbound sessions. ... > many concurrent connections, the state table is getting too large. ...
    (Fedora)
  • Re: iptable in fc5
    ... I have a question about iptables in fc5. ... and rquotad to fixed ports ... Once a connection table entry is established all subsequent packets will be accepted when the ESTABLISHED,RELATED... ... If you allow all state NEW packets you are not acting like a firewall because you are allowing any and all connections. ...
    (Fedora)
  • Re: iptables file format -- this has gotten long; mea culpa.
    ... > to use iptables. ... These rules received no packets and therefore no bytes. ... $IPT -P OUTPUT DROP # Set default policy to DROP ...
    (linux.redhat.misc)