Strange iptables behaviour (success/failure depends on presence of "harmless" logging line)

To: debian-firewall@lists.debian.org
Subject: Strange iptables behaviour (success/failure depends on presence of "harmless" logging line)
From: Jonathan Matthews <jaycee.removeifnotspam@jaycee.uklinux.net>
Date: Tue, 3 Jun 2003 17:00:55 +0000
Message-id: <[🔎] 20030603170055.GA2117@bigdaddy>

[ SUMMARY: Why does adding a "harmless" logging line to my iptables 
script let traffic pass (the desired behaviour) that is otherwise 
stopped? ]

(Apologies for the repost from deb-user - just thought it might be more 
suitable here ...)

I'm having problems doing port forwarding through my old 486/25sx NAT 
box here.  The only reason I mention its spec/age is that I'm having 
difficulty seeing what the issue is if it isn't a timing one.

I've attached my firewall script.  Any general or non-related comments 
are welcome, but the specific issue I have is that (after adding some 
forwarding lines to enable me to bypass the rather nasty "it's for 
performance reasons, not for security" http proxy at work so that I can 
connect to my home ssh server) the success or failure of the extra 
iptables filters seems to depend on whether I have the following line 
commented out or not:

$IT --append drop-and-log --jump LOG --log-level info --log-prefix "Firewall: "

where IT=/sbin/iptables, of course.

When it's commented out, all external traffic (e.g. pinging 
www.google.com) doesn't return, but when it's active the traffic passes 
fine.  As it should.

The four lines (1 logging one, as above, and 3 "forward port 443 through 
into the lan" ones) are marked with ##### comments immediately before 
them for your ease of identification.  I've included the whole file 
(it's only 3kb) because something this strange probably means I've 
fscked up somewhere /else/.

Can anyone throw me a fricking clue - PLEASE?

Cheers!
  jc

PS Yes, I realise that I don't have to have the internal server running 
on port 443, but it's late and I've run out of coffee ...

#!/bin/bash
#
IT="/sbin/iptables"

INTIP="192.168.0.1"
INTIFACE="eth0"
INTNET="192.168.0.0/24"
EXTIP="$3"
EXTIFACE="$2"

DNS_SERVERS=""

# what policy shall we follow when we've run out of ideas?
POL="drop-and-log"

# tell the kernel what we're going to be doing
#echo "1" > /proc/sys/net/ipv4/ip_always_defrag
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/conf/$EXTIFACE/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/$INTIFACE/rp_filter

# set all chains to DROP - we'll never reach these ordinarily,
# but they'll be useful when packets coming in while this
# script is running, and the rules aren't all in place
$IT --policy OUTPUT  DROP
$IT --policy INPUT   DROP
$IT --policy FORWARD DROP

# flush all chains, all tables
$IT --table filter --flush
$IT --table nat    --flush

# delete user chains
$IT --delete-chain

# create new chains
$IT --new-chain drop-and-log
$IT --new-chain int-in
$IT --new-chain int-out
$IT --new-chain ext-in
$IT --new-chain ext-out

# start adding rules
# drop-and-log chain

##### LOSE THE "#" AT THE START OF THE NEXT LINE, AND EVERYTHING WORKS 
##### FINE!!!

#$IT --append drop-and-log --jump LOG --log-level info --log-prefix "Firewall: "
$IT --append drop-and-log --jump DROP

# input chain
$IT --append INPUT --jump ext-in --in-interface $EXTIFACE
$IT --append INPUT --jump int-in --in-interface $INTIFACE
$IT --append INPUT --jump ACCEPT --in-interface lo
$IT --append INPUT --jump $POL

# output chain
$IT --append OUTPUT --jump ext-out --out-interface $EXTIFACE
$IT --append OUTPUT --jump int-out --out-interface $INTIFACE
$IT --append OUTPUT --jump ACCEPT  --out-interface lo
$IT --append OUTPUT --jump $POL

# forward chain
$IT --append FORWARD --jump ACCEPT --in-interface $EXTIFACE --out-interface $INTIFACE --match state --state ESTABLISHED,RELATED
$IT --append FORWARD --jump ACCEPT --in-interface $INTIFACE --out-interface $EXTIFACE


##### LINE ADDED #1

$IT --append FORWARD --jump ACCEPT --in-interface $EXTIFACE --out-interface $INTIFACE --protocol TCP --destination-port 443 --match state --state NEW,ESTABLISHED,RELATED
$IT --append FORWARD --jump $POL

# ext-in chain

$IT --append ext-in --jump ACCEPT --match state --state ESTABLISHED,RELATED


##### LINE ADDED #2

# accept connections to the ssh server running internally
$IT --append ext-in --jump ACCEPT --protocol TCP --destination-port 443

$IT --append ext-in --jump $POL

# ext-out

$IT --append ext-out --jump ACCEPT --source $EXTIP --destination ! $INTNET
$IT --append ext-out --jump $POL

# int-in

# nasty hack to firewall off di's laptop,
# except for routing to the 'net.
$IT --append int-in --jump $POL   --source 192.168.0.129 --destination $INTNET

# standard int-in chain
$IT --append int-in --jump ACCEPT --source $INTNET
$IT --append int-in --jump $POL

# int-out

$IT --append int-out --jump ACCEPT --destination $INTNET
$IT --append int-out --jump $POL

# masquerade stuff going out on the external interface
$IT --table nat --append POSTROUTING --jump MASQUERADE --out-interface $EXTIFACE


##### LINE ADDED #3

# forward traffic to bigdaddy
$IT --table nat --append PREROUTING --jump DNAT --protocol TCP --destination $EXTIP --destination-port 443 --in-interface $EXTIFACE --to 192.168.0.3:443

# enable forwarding - done last for security
echo "1" > /proc/sys/net/ipv4/ip_forward

Reply to:

Prev by Date: Re: Too slow connection
Next by Date: Martian packets
Previous by thread: Re: Too slow connection
Next by thread: Martian packets
Index(es):
- Date
- Thread