[CLUE-Tech] IPTABLES and connection stalls?

ian iguy at ionsphere.org
Fri Jun 15 07:10:18 MDT 2001


On Thu, Jun 14, 2001 at 10:12:44AM -0600, Joe 'Zonker' Brockmeier wrote:
> On Thu, 14 Jun 2001, ian wrote:
> 
> > Clue-Techies,
> > 
> > I recently upgraded to RedHat 7.1 and in process upgraded from IPCHAINS to IPTABLES due to 
> > "changed working environment of IPCHAINS".
> > 
> > First the question:
> > Has anyone had any connection time out problems using IPTABLES with NAT?
> > 
> > Background:
> 
> *snip*
> 
> > Any suggestions?
> 
> It'd be helpful if we could see what your configuration is. Can you run
> "iptables -L" or "iptables -L nat" and send the output? You might also
> want to include the rules that you're loading. If you've got a script
> with all of those, it'd be helpful.

The iptables configuration is attached to this email.  I'm always tweaking
it as things come in.

> I'm guessing that there's a misconfiguration somewhere. You might also
> try the iptables mailing list here: http://lists.samba.org/pipermail/netfilter/

Planning on it.  In digging through the archives I haven't seen anyone
mention anything like that.

> Also, if I recall correctly, there was a problem that wasn't directly
> related to Netfilter/iptables - if you have enabled "TCP Explicit 
> Congestion Notification support" in your kernel you may have problems
> connecting to some sites. If you're finding that the problem is hard
> to reproduce - i.e., sometimes you can reach sites and sometimes you can't -
> then this might be the issue. A lot of folks enabled this because it 
> sounded like a Good Thing(TM) and then found it munged things up. Not
> because the kernel was broken, but because many routers couldn't handle
> it. A quick way to check:
> 
> echo 0 > /proc/sys/net/ipv4/tcp_ecn

Not available on RedHat 7.1

> Zonker

Thanks Zonker.  

ian

-------------- next part --------------
# Generated by iptables-save v1.2.2 on Wed Jun 13 09:55:22 2001
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE 
-A POSTROUTING -s 24.13.155.63 -j ACCEPT 
COMMIT
# Completed on Wed Jun 13 09:55:22 2001
# Generated by iptables-save v1.2.2 on Wed Jun 13 09:55:22 2001
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Jun 13 09:55:22 2001
# Generated by iptables-save v1.2.2 on Wed Jun 13 09:55:22 2001
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:IN_LA - [0:0]
:IN_NOMATCH - [0:0]
:LD - [0:0]
:OUT_NOMATCH - [0:0]
:FOR_NOMATCH - [0:0]
-A INPUT -i lo -j ACCEPT 
-A INPUT -s 24.1.9.25 -d 24.13.155.63 -j ACCEPT 
-A INPUT -s 192.168.1.0/255.255.255.240 -i eth1 -j ACCEPT 
-A INPUT -s 0.0.0.0 -d 255.255.255.255 -i eth1 -j ACCEPT 
-A INPUT -d 24.13.155.63 -p tcp -m tcp --dport 31337 -m limit --limit 2/min -j LD 
-A INPUT -d 24.13.155.63 -p udp -m limit --limit 2/min -m udp --dport 31337 -j LD 
-A INPUT -d 24.13.155.63 -p tcp -m tcp --dport 33270 -m limit --limit 2/min -j LD 
-A INPUT -d 24.13.155.63 -p udp -m limit --limit 2/min -m udp --dport 33270 -j LD 
-A INPUT -d 24.13.155.63 -p tcp -m tcp --dport 1234 -m limit --limit 2/min -j LD 
-A INPUT -d 24.13.155.63 -p tcp -m tcp --dport 6711 -m limit --limit 2/min -j LD 
-A INPUT -d 24.13.155.63 -p tcp -m tcp --dport 16660 --tcp-flags SYN,RST,ACK SYN -m limit --limit 2/min -j LD 
-A INPUT -d 24.13.155.63 -p tcp -m tcp --dport 60001 --tcp-flags SYN,RST,ACK SYN -m limit --limit 2/min -j LD 
-A INPUT -d 24.13.155.63 -p tcp -m tcp --dport 12345:12346 -m limit --limit 2/min -j LD 
-A INPUT -d 24.13.155.63 -p udp -m limit --limit 2/min -m udp --dport 12345:12346 -j LD 
-A INPUT -d 24.13.155.63 -p tcp -m tcp --dport 1524 -m limit --limit 2/min -j LD 
-A INPUT -d 24.13.155.63 -p tcp -m tcp --dport 27665 -m limit --limit 2/min -j LD 
-A INPUT -d 24.13.155.63 -p udp -m limit --limit 2/min -m udp --dport 27444 -j LD 
-A INPUT -d 24.13.155.63 -p udp -m limit --limit 2/min -m udp --dport 31335 -j LD 
-A INPUT -d 255.255.255.255 -i eth0 -j LD 
-A INPUT -s 255.255.255.255 -i eth0 -j LD 
-A INPUT -s 0.0.0.0 -i eth0 -j LD 
-A INPUT -d 0.0.0.0 -i eth0 -j LD 
-A INPUT -s 224.0.0.0/255.0.0.0 -j LD 
-A INPUT -d 224.0.0.0/255.0.0.0 -j LD 
-A INPUT -d 24.13.155.63 -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -d 24.13.155.63 -p tcp -m tcp --dport 25 -j ACCEPT 
-A INPUT -d 24.13.155.63 -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -d 24.13.155.63 -p tcp -m tcp --dport 110 -j ACCEPT 
-A INPUT -d 24.13.155.63 -p tcp -m tcp --dport 113 -j ACCEPT 
-A INPUT -d 24.13.155.63 -p udp -m udp --dport 113 -j ACCEPT 
-A INPUT -d 24.13.155.63 -p tcp -m tcp --dport 123 -j ACCEPT 
-A INPUT -d 24.13.155.63 -p udp -m udp --dport 123 -j ACCEPT 
-A INPUT -d 24.13.155.63 -p tcp -m tcp --dport 6346 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 2049 -j LD 
-A INPUT -i eth0 -p udp -m udp --dport 2049 -j LD 
-A INPUT -i eth0 -p tcp -m tcp --dport 6000:6015 -j LD 
-A INPUT -i eth0 -p udp -m udp --dport 6000:6015 -j LD 
-A INPUT -i eth0 -p tcp -m tcp --dport 137:139 -j LD 
-A INPUT -i eth0 -p udp -m udp --dport 137:139 -j LD 
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j LD 
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j LD 
-A INPUT -i eth0 -p tcp -m tcp --dport 119 -j LD 
-A INPUT -i eth0 -p tcp -m tcp --dport 515 -j LD 
-A INPUT -d 24.13.155.63 -p icmp -m limit --limit 1/sec -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 22 --dport 513:65535 ! --tcp-flags SYN,RST,ACK SYN -m state --state RELATED -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 20 --dport 1023:65535 ! --tcp-flags SYN,RST,ACK SYN -m state --state RELATED -j ACCEPT 
-A INPUT -d 24.13.155.63 -p udp -m udp --dport 1023:65535 -j ACCEPT 
-A INPUT -d 24.13.155.63 -p tcp -m tcp --dport 1023:65535 -j ACCEPT 
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT 
-A INPUT -f -m limit --limit 10/min -j LD 
-A INPUT -j IN_NOMATCH 
-A FORWARD -s 192.168.1.0/255.255.255.240 -o eth0 -j ACCEPT 
-A FORWARD -d 192.168.1.0/255.255.255.240 -j FOR_NOMATCH
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -d 24.1.9.25 -o eth0 -j ACCEPT 
-A OUTPUT -s 192.168.1.1 -o eth1 -j ACCEPT 
-A OUTPUT -s 24.13.155.63 -p tcp -m tcp --dport 31337 -m limit --limit 2/min -j LD 
-A OUTPUT -s 24.13.155.63 -p udp -m limit --limit 2/min -m udp --dport 31337 -j LD 
-A OUTPUT -s 24.13.155.63 -p tcp -m tcp --dport 33270 -m limit --limit 2/min -j LD 
-A OUTPUT -s 24.13.155.63 -p udp -m limit --limit 2/min -m udp --dport 33270 -j LD 
-A OUTPUT -s 24.13.155.63 -p tcp -m tcp --dport 1234 -m limit --limit 2/min -j LD 
-A OUTPUT -s 24.13.155.63 -p tcp -m tcp --dport 6711 -m limit --limit 2/min -j LD 
-A OUTPUT -s 24.13.155.63 -p tcp -m tcp --dport 16660 --tcp-flags SYN,RST,ACK SYN -m limit --limit 2/min -j LD 
-A OUTPUT -s 24.13.155.63 -p tcp -m tcp --dport 60001 --tcp-flags SYN,RST,ACK SYN -m limit --limit 2/min -j LD 
-A OUTPUT -s 24.13.155.63 -p tcp -m tcp --dport 12345:12346 -m limit --limit 2/min -j LD 
-A OUTPUT -s 24.13.155.63 -p udp -m limit --limit 2/min -m udp --dport 12345:12346 -j LD 
-A OUTPUT -s 24.13.155.63 -p tcp -m tcp --dport 1524 -m limit --limit 2/min -j LD 
-A OUTPUT -s 24.13.155.63 -p tcp -m tcp --dport 27665 -m limit --limit 2/min -j LD 
-A OUTPUT -s 24.13.155.63 -p udp -m limit --limit 2/min -m udp --dport 27444 -j LD 
-A OUTPUT -s 24.13.155.63 -p udp -m limit --limit 2/min -m udp --dport 31335 -j LD 
-A OUTPUT -s 224.0.0.0/255.0.0.0 -j LD 
-A OUTPUT -d 224.0.0.0/255.0.0.0 -j LD 
-A OUTPUT -s 255.255.255.255 -j LD 
-A OUTPUT -d 255.255.255.255 -j LD 
-A OUTPUT -d 0.0.0.0 -j LD 
-A OUTPUT -s 0.0.0.0 -j LD 
-A OUTPUT -s 24.13.155.63 -p icmp -j ACCEPT 
-A OUTPUT -s 24.13.155.63 -j ACCEPT 
-A OUTPUT -j OUT_NOMATCH 
-A IN_LA -j LOG --log-prefix "IN_LA: " --log-level 6 
-A IN_LA -j ACCEPT 
-A IN_NOMATCH -j LOG --log-prefix "IN_NOMATCH: " --log-level 6 
-A IN_NOMATCH -j DROP 
-A LD -j DROP 
-A OUT_NOMATCH -j LOG --log-prefix "OUT_NOMATCH: " --log-level 6 
-A OUT_NOMATCH -j ACCEPT 
-A FOR_NOMATCH -j LOG --log-prefix "FOR_NOMATCH: " --log-level 6
-A FOR_NOMATCH -j DROP
COMMIT
# Completed on Wed Jun 13 09:55:22 2001
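An added example, not part of the thread or the attached ruleset: in the dump above, FORWARD accepts only LAN-to-eth0 traffic, and everything destined for 192.168.1.0/28 jumps to FOR_NOMATCH (LOG then DROP). Reply packets to masqueraded connections are de-NATed in nat/PREROUTING and then arrive in filter/FORWARD with the LAN host as destination, so with no ESTABLISHED,RELATED accept they are dropped, which is one way NATed connections end up timing out. The shell functions and the sample dump below are mine; they check an iptables-save dump for that stateful return rule and insert it ahead of the catch-all, using the same `-m state --state` match the ruleset already uses on INPUT.

```shell
#!/bin/sh
# Added example (not from the original thread): check an iptables-save dump for
# the stateful rule that lets NAT reply traffic back through FORWARD, and
# insert it if missing. Nothing here calls iptables; it only edits the dump text.

# Constructed sample: the FORWARD-relevant lines of the ruleset posted above.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:FOR_NOMATCH - [0:0]
-A FORWARD -s 192.168.1.0/255.255.255.240 -o eth0 -j ACCEPT
-A FORWARD -d 192.168.1.0/255.255.255.240 -j FOR_NOMATCH
-A FOR_NOMATCH -j LOG --log-prefix "FOR_NOMATCH: " --log-level 6
-A FOR_NOMATCH -j DROP
COMMIT'

# The missing rule: accept replies to connections conntrack already tracks,
# so de-masqueraded return traffic reaches the LAN instead of FOR_NOMATCH.
FIX_RULE='-A FORWARD -d 192.168.1.0/255.255.255.240 -m state --state ESTABLISHED,RELATED -j ACCEPT'

# forward_return_ok DUMP
# Exit 0 if some FORWARD rule accepts ESTABLISHED or RELATED traffic, else 1.
forward_return_ok() {
    printf '%s\n' "$1" \
      | grep -E '^-A FORWARD ' \
      | grep -E -- '--state [A-Z,]*(ESTABLISHED|RELATED)' \
      | grep -q -- '-j ACCEPT'
}

# insert_fix DUMP
# Print DUMP with FIX_RULE inserted before the first FORWARD rule, so it is
# evaluated before the catch-all jump to FOR_NOMATCH. Feed the result to
# iptables-restore (or copy the single rule into the loading script).
insert_fix() {
    printf '%s\n' "$1" | awk -v fix="$FIX_RULE" '
        /^-A FORWARD / && !seen { print fix; seen = 1 }
        { print }'
}

# Stand-alone usage: report on the sample, then show the repaired chain.
if forward_return_ok "$SAMPLE_DUMP"; then
    echo "FORWARD already accepts ESTABLISHED/RELATED replies"
else
    echo "FORWARD lacks a stateful return rule; corrected chain:"
    insert_fix "$SAMPLE_DUMP" | grep '^-A FORWARD '
fi
```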