2.4.18 netfilter NAT problem
Hello,
When I came back from vacation I found that my small home server
started having a problem with NAT/masquerading.
The server is a small woody box with kernel 2.4.18 and an iptables
configuration for firewalling and NATting the other two home computers to
access the net through my ADSL connection.
The problem is that a natted connection hangs after some data has been
transmitted: if I ssh to an external host from the server, the session
works fine for hours; if I ssh to an external host from a box behind the
server, the connection hangs after I performed a few operations.
For example, I can start mutt, but the connection hangs between when it
writes "scanning messages" and when it displays the messages; I can't
use reportbug, nor jabber.
I've tried rebooting the server (maybe in this last month the netfilter
code hit some race condition?), but with no luck.
Where should I search now?
I've attached my firewall script.
Bye, Enrico
#!/bin/sh
# Firewall and masquerading for the home server. $DATAFILE is written by the
# PPP ip-up scripts and exports the outside interface and address.
DATAFILE=/etc/ppp/netdata
case "$1" in
  start)
    if [ ! -r $DATAFILE ]
    then
      echo "$DATAFILE not found: failsafe stop" >&2
      $0 stop
      exit 1
    fi
    . $DATAFILE
    if [ -z "$OUT_IP" -o -z "$OUT_IFACE" ]
    then
      echo "$DATAFILE did not export IP and interface: failsafe stop" >&2
      $0 stop
      exit 1
    fi
    # Example data read from $DATAFILE:
    # OUT_IFACE=ppp0
    # OUT_IP=80.116.79.148
    # OUT_PEER=192.168.100.1
    # OUT_TAG=
    # Connection tracking plus the FTP/IRC helpers (needed for RELATED matches)
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe ip_conntrack_irc
    # sysctl configuration
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP
    iptables -F
    # Flush the nat table as well: "iptables -F" only touches the filter
    # table, so every restart would otherwise append one more MASQUERADE rule
    iptables -t nat -F
    iptables -t mangle -F
    tc qdisc del dev ppp0 root 2>/dev/null
    # Open loopback
    iptables -A INPUT -i lo -j ACCEPT
    # Open eth0
    iptables -A INPUT -i eth0 -j ACCEPT
    # Open eth1
    iptables -A INPUT -i eth1 -j ACCEPT
    # Enable masquerading on the outside interface
    iptables -t nat -A POSTROUTING -o $OUT_IFACE -j MASQUERADE
    ## Open local ports
    # Drop everything from known pests
    for i in 65.116.32.194
    do
      iptables -A INPUT -d $OUT_IP -i $OUT_IFACE -s $i -j DROP
    done
    # Drop ICMP from pests that keep pinging
    for i in 165.91.1.102 193.204.5.62
    do
      iptables -A INPUT -d $OUT_IP -i $OUT_IFACE -s $i --protocol icmp -j DROP
    done
    # Open UDP for DDT
    #iptables -A INPUT -d $OUT_IP -i $OUT_IFACE --protocol udp --dport 1052 -m limit --limit 5/minute -j LOG --log-prefix "Accept DDT: "
    iptables -A INPUT -d $OUT_IP -i $OUT_IFACE --protocol udp --dport 1052 -j ACCEPT
    # Accept replies to connections initiated from inside
    iptables -A INPUT -d $OUT_IP -i $OUT_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Accept connections from outside to the local ports we need (logged)
    for PORT in 22 80 443 11412
    do
      iptables -A INPUT -d $OUT_IP -i $OUT_IFACE -m state --state NEW --protocol tcp --dport $PORT -j LOG --log-prefix "Accept TCP:$PORT: "
      iptables -A INPUT -d $OUT_IP -i $OUT_IFACE -m state --state NEW --protocol tcp --dport $PORT -j ACCEPT
    done
    # Same, but with rate-limited logging
    for PORT in 113
    do
      iptables -A INPUT -d $OUT_IP -i $OUT_IFACE -m state --state NEW --protocol tcp --dport $PORT -m limit --limit 5/minute -j LOG --log-prefix "Accept TCP:$PORT: "
      iptables -A INPUT -d $OUT_IP -i $OUT_IFACE -m state --state NEW --protocol tcp --dport $PORT -j ACCEPT
    done
    # Same, without logging
    for PORT in 6346
    do
      iptables -A INPUT -d $OUT_IP -i $OUT_IFACE -m state --state NEW --protocol tcp --dport $PORT -j ACCEPT
    done
    # Accept multicast from the PPP peer
    iptables -A INPUT -i $OUT_IFACE -s $OUT_PEER -d 224.0.0.1 -j ACCEPT
    ## Open forwarding
    # Accept anything coming from the local interfaces
    iptables -A FORWARD -i eth0 -j ACCEPT
    iptables -A FORWARD -i eth1 -j ACCEPT
    # From outside, only forward traffic that replies to the local interfaces
    iptables -A FORWARD -i $OUT_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Silently drop some junk
    # netbios-ns
    iptables -A INPUT -d $OUT_IP -i $OUT_IFACE -m state --state NEW --protocol udp --dport 137 -j DROP
    # Log whatever the INPUT policy is about to drop
    iptables -A INPUT -j LOG --log-prefix "Rejected: "
    #iptables -A INPUT -s ! 151.36.47.254 -j LOG --log-prefix "Rejected: "
    # Enable IP forwarding only once the rules are in place
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ;;
  stop)
    # sysctl configuration
    echo 0 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    # With the firewall closed, work only over ssh from the LAN
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP
    iptables -F
    # Drop the MASQUERADE rule too, so "closed" really means no NAT
    iptables -t nat -F
    iptables -t mangle -F
    tc qdisc del dev ppp0 root 2>/dev/null
    # Open loopback
    iptables -A INPUT -i lo -j ACCEPT
    # Open eth0
    iptables -A INPUT -i eth0 -j ACCEPT
    # Open eth1
    iptables -A INPUT -i eth1 -j ACCEPT
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
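Where to look next, as an added example that is not part of Enrico's post or of his firewall script: on a 2.4 kernel the masquerading state lives in /proc/net/ip_conntrack, and the first thing to check while a NATted session is hung is whether its entry is still there, in which TCP state, and whether the reply direction was ever seen. The script below parses that table and reports every connection initiated by one internal host; a connection whose replies never arrive shows up as [UNREPLIED], while a healthy one is ESTABLISHED [ASSURED] with the reply tuple rewritten to OUT_IP. The table it ships with is constructed, not captured from the server, and the addresses 192.168.0.2 and 198.51.100.x are assumptions; only 80.116.79.148 comes from the script above.

```python
#!/usr/bin/env python3
"""Triage the 2.4 connection-tracking table for one masqueraded host.

Added example for the post above, not part of the original script.
SAMPLE_CONNTRACK is CONSTRUCTED in the /proc/net/ip_conntrack layout; on
a real box pass that file on the command line instead.
"""
import sys

OUT_IP = "80.116.79.148"   # ADSL address, as in the script's $DATAFILE example
LAN_HOST = "192.168.0.2"   # assumed address of a box behind the server

# Constructed sample: a healthy ssh session, a jabber connect whose SYN got
# no answer, a DNS query to the server itself, and a connection made by the
# server directly (not masqueraded).
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.0.2 dst=198.51.100.7 sport=1025 dport=22 src=198.51.100.7 dst=80.116.79.148 sport=22 dport=1025 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.168.0.2 dst=198.51.100.9 sport=1026 dport=5222 [UNREPLIED] src=198.51.100.9 dst=80.116.79.148 sport=5222 dport=1026 use=1
udp      17 25 src=192.168.0.2 dst=192.168.0.1 sport=1027 dport=53 src=192.168.0.1 dst=192.168.0.2 sport=53 dport=1027 use=1
tcp      6 38 TIME_WAIT src=80.116.79.148 dst=198.51.100.7 sport=1028 dport=80 src=198.51.100.7 dst=80.116.79.148 sport=80 dport=1028 [ASSURED] use=1
"""


def parse_entry(line):
    """Parse one ip_conntrack line.

    Layout: proto protonum timeout [tcp_state] <orig tuple> [UNREPLIED]
    <reply tuple> [ASSURED] use=N. A tuple is src= dst= sport= dport=
    (ICMP uses type=/code=/id=; whatever keys appear are kept).
    """
    tokens = line.split()
    entry = {"proto": tokens[0], "timeout": int(tokens[2]), "state": None,
             "unreplied": False, "assured": False}
    rest = tokens[3:]
    # Only TCP carries a state word before the first tuple
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        entry["state"] = rest.pop(0)
    tuples, cur = [], {}
    for tok in rest:
        if tok == "[UNREPLIED]":
            entry["unreplied"] = True
        elif tok == "[ASSURED]":
            entry["assured"] = True
        elif "=" in tok:
            key, val = tok.split("=", 1)
            if key == "use":
                continue
            if key == "src" and cur:      # second src= opens the reply tuple
                tuples.append(cur)
                cur = {}
            cur[key] = val
    tuples.append(cur)
    entry["orig"], entry["reply"] = tuples[0], tuples[1]
    # MASQUERADE rewrites the source, so the reply tuple's dst is the public
    # address instead of the internal host: that is how we spot NATted flows
    entry["natted"] = entry["reply"].get("dst") != entry["orig"].get("src")
    return entry


def parse_conntrack(text):
    return [parse_entry(l) for l in text.splitlines() if l.strip()]


def entries_for_host(entries, host):
    """Connections initiated by `host` (original-direction source)."""
    return [e for e in entries if e["orig"].get("src") == host]


def diagnose(entry):
    """One-line verdict on what conntrack knows about this flow."""
    if entry["unreplied"]:
        return ("UNREPLIED: packets went out, nothing came back; check that "
                "replies reach %s and pass FORWARD ESTABLISHED,RELATED" % OUT_IP)
    if entry["assured"]:
        return ("ASSURED: both directions seen, NAT/conntrack state is fine; "
                "a hang here is not a lost conntrack entry")
    return ("replied but not yet ASSURED (few packets, e.g. one DNS exchange); "
            "expires in %ds" % entry["timeout"])


def report(text, host):
    """Triage lines for one internal host, ready to print."""
    lines = []
    for e in entries_for_host(parse_conntrack(text), host):
        where = ("masqueraded as %s" % e["reply"]["dst"]) if e["natted"] else "not NATted"
        lines.append("%s %s:%s -> %s:%s [%s] %s; %s" % (
            e["proto"], e["orig"].get("src"), e["orig"].get("sport"),
            e["orig"].get("dst"), e["orig"].get("dport"),
            e["state"] or "-", where, diagnose(e)))
    return lines


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONNTRACK
    host = sys.argv[2] if len(sys.argv) > 2 else LAN_HOST
    for line in report(source, host):
        print(line)
```

Run it as `python3 ct_triage.py /proc/net/ip_conntrack 192.168.0.2` on the server while a session from that box is stuck. If the stuck ssh shows up as ESTABLISHED [ASSURED] with its reply tuple pointing at OUT_IP, connection tracking and the MASQUERADE rule are doing their job and the search moves off the firewall rules; the usual next suspect for a session that works interactively but stalls as soon as a full-size packet has to cross the PPP link is packet size on that link, which `tcpdump -i ppp0` during the stall will show as large segments that are retransmitted but never answered.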