
2.4.18 netfilter NAT problem



Hello,

When I came back from vacation I found that my small home server
had started having a problem with NAT/Masquerading.

The server is a small woody box with kernel 2.4.18 and an iptables
configuration for firewall and NATting the other two home computers to
access the net through my ADSL connection.

The problem is that a NATted connection hangs after some data has been
transmitted: if I ssh to an external host from the server, the session
works fine for hours; if I ssh to an external host from a box behind the
server, the connection hangs after I have performed a few operations.

For example, I can start mutt, but the connection hangs between when it
writes "scanning messages" and when it displays the messages; I can't
use reportbug, nor jabber.

I've tried rebooting the server (maybe in this last month the netfilter
code hit some race condition?), but with no luck.

Where should I search now?

I've attached my firewall script.

Bye, Enrico

#!/bin/sh
# Firewall / NAT init script: "start" sets up the rules read from
# $DATAFILE, "stop" closes everything except the LAN interfaces.

DATAFILE=/etc/ppp/netdata


case "$1" in
	start)
		if [ ! -r $DATAFILE ]
		then
			echo "$DATAFILE not found: failsafe stop" >&2
			$0 stop
			exit 1
		fi

		. $DATAFILE

		if [ -z "$OUT_IP" -o -z "$OUT_IFACE" ]
		then
			echo "$DATAFILE did not export IP and interface: failsafe stop" >&2
			$0 stop
			exit 1
		fi

		# Example data read from $DATAFILE:
		# OUT_IFACE=ppp0
		# OUT_IP=80.116.79.148
		# OUT_PEER=192.168.100.1
		# OUT_TAG=

		# Connection-tracking modules (plus the FTP and IRC helpers)
		modprobe ip_conntrack
		modprobe ip_conntrack_ftp
		modprobe ip_conntrack_irc

		# sysctl configuration
		echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

		iptables -P INPUT DROP
		iptables -P OUTPUT ACCEPT
		iptables -P FORWARD DROP
		iptables -F
		iptables -t mangle -F
		# "-F" alone only flushes the filter table: flush nat as well,
		# otherwise every start appends another MASQUERADE rule
		iptables -t nat -F
		tc qdisc del dev ppp0 root


		# Open loopback
		iptables -A INPUT -i lo -j ACCEPT

		# Open eth0
		iptables -A INPUT -i eth0 -j ACCEPT

		# Open eth1
		iptables -A INPUT -i eth1 -j ACCEPT

		# Enable masquerading
		iptables -t nat -A POSTROUTING -o $OUT_IFACE -j MASQUERADE

		## Open local ports

		# Drop everything from known nuisances
		for i in 65.116.32.194
		do
			iptables -A INPUT -d $OUT_IP -i $OUT_IFACE -s $i -j DROP
		done

		# Drop ICMP from nuisances that keep pinging
		for i in 165.91.1.102 193.204.5.62
		do
			iptables -A INPUT -d $OUT_IP -i $OUT_IFACE -s $i --protocol icmp -j DROP
		done

		# Open UDP for DDT
		#iptables -A INPUT -d $OUT_IP -i $OUT_IFACE --protocol udp --dport 1052 -j LOG --log-prefix "Accept DDT: " -m limit --limit 5/minute
		iptables -A INPUT -d $OUT_IP -i $OUT_IFACE --protocol udp --dport 1052 -j ACCEPT

		# Accept replies to connections from inside to outside
		iptables -A INPUT -d $OUT_IP -i $OUT_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

		# Accept connections from outside to the local ports that are needed
		for PORT in 22 80 443 11412
		do
			iptables -A INPUT -d $OUT_IP -i $OUT_IFACE -m state --state NEW --protocol tcp --dport $PORT -j LOG --log-prefix "Accept TCP:$PORT: "
			iptables -A INPUT -d $OUT_IP -i $OUT_IFACE -m state --state NEW --protocol tcp --dport $PORT -j ACCEPT
		done
		# Same thing, but with rate-limited logging
		for PORT in 113
		do
			iptables -A INPUT -d $OUT_IP -i $OUT_IFACE -m state --state NEW --protocol tcp --dport $PORT -j LOG --log-prefix "Accept TCP:$PORT: " -m limit --limit 5/minute
			iptables -A INPUT -d $OUT_IP -i $OUT_IFACE -m state --state NEW --protocol tcp --dport $PORT -j ACCEPT
		done
		# Same thing, but without logging
		for PORT in 6346
		do
			iptables -A INPUT -d $OUT_IP -i $OUT_IFACE -m state --state NEW --protocol tcp --dport $PORT -j ACCEPT
		done

		# Accept multicast from the peer
		iptables -A INPUT -i $OUT_IFACE -s $OUT_PEER -d 224.0.0.1 -j ACCEPT

		## Open forwarding

		# Accept from the local interfaces
		iptables -A FORWARD -i eth0 -j ACCEPT
		iptables -A FORWARD -i eth1 -j ACCEPT

		# From outside, forward only traffic replying to the local interfaces
		iptables -A FORWARD -i $OUT_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

		# Silently throw away some junk
		# netbios-ssn
		iptables -A INPUT -d $OUT_IP -i $OUT_IFACE -m state --state NEW --protocol udp --dport 137 -j DROP

		# Log what gets thrown away
		iptables -A INPUT -j LOG --log-prefix "Rejected: "
		#iptables -A INPUT -s ! 151.36.47.254 -j LOG --log-prefix "Rejected: "

		# Enable IP forwarding
		echo 1 > /proc/sys/net/ipv4/ip_forward
	;;
	stop)
		# sysctl configuration
		echo 0 > /proc/sys/net/ipv4/ip_forward
		echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

		# With the firewall closed, work only via ssh
		iptables -P INPUT DROP
		iptables -P OUTPUT ACCEPT
		iptables -P FORWARD DROP
		iptables -F
		iptables -t mangle -F
		# Remove the MASQUERADE rule too, not just the filter rules
		iptables -t nat -F
		tc qdisc del dev ppp0 root

		# Open loopback
		iptables -A INPUT -i lo -j ACCEPT

		# Open eth0
		iptables -A INPUT -i eth0 -j ACCEPT

		# Open eth1
		iptables -A INPUT -i eth1 -j ACCEPT
	;;
	restart)
		$0 stop
		$0 start
	;;
	*)
		echo "Usage: $0 {start|stop|restart}"
		exit 1;
	;;
esac
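`iptables -F` flushes only the filter table, so an init script of this shape that flushes filter and mangle but never nat appends a fresh MASQUERADE rule to POSTROUTING on every start. The following check is an added example, not part of the original mail: it scans an `iptables-save` nat dump (a constructed sample is embedded; `--live` reads the real table) and reports rules that have accumulated more than once.

```shell
#!/bin/sh
# Added example: find rules duplicated by repeated "start" runs in an
# iptables-save nat dump. Sample dump below is constructed, not captured.

# What "iptables-save -t nat" could print after a script like the posted
# one has been started three times without "iptables -t nat -F".
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT'

# Read a dump on stdin; print each rule line that occurs more than once
# as "<count> <rule>". Only "-A" rule lines are compared, so chain policy
# lines and COMMIT never count as duplicates.
duplicate_rules() {
	grep '^-A ' | sort | uniq -c | awk '$1 > 1 { sub(/^[ \t]+/, ""); print }'
}

# Number of distinct duplicated rules in the dump passed as $1.
duplicate_count() {
	printf '%s\n' "$1" | duplicate_rules | wc -l | tr -d ' '
}

# Number of MASQUERADE rules in POSTROUTING in the dump passed as $1;
# a correctly restarted script leaves exactly one.
masquerade_count() {
	printf '%s\n' "$1" | grep -c '^-A POSTROUTING .* -j MASQUERADE'
}

if [ "${1:-}" = "--live" ]
then
	# On the real box (needs root): check the live nat table instead.
	iptables-save -t nat | duplicate_rules
else
	printf 'duplicated rules in sample dump:\n'
	printf '%s\n' "$SAMPLE_DUMP" | duplicate_rules
	printf 'MASQUERADE rules: %s\n' "$(masquerade_count "$SAMPLE_DUMP")"
fi
```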
