<div dir="ltr">Do you have conn_track on? Without it, the allow related, established line will fail and all return traffic will get dropped. Check /proc/sys/net/netfilter for nf_conntrack_* files. If missing, the kernel is not loading the conn_track module.<br>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, May 16, 2014 at 9:38 AM, Adrya Stembridge <span dir="ltr"><<a href="mailto:adrya.stembridge@gmail.com" target="_blank">adrya.stembridge@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">My previous INPUT policy was ACCEPT. I'm attempting to limit access to a machine to specific subnets (<a href="http://4.3.2.0/24" target="_blank">4.3.2.0/24</a>), so I added a couple of rules for that (including one to allow LDAP traffic over port 636), then set the INPUT policy to DROP. From that point on I can't access any external content. The OUTPUT policy is ACCEPT. If I change the INPUT policy back to ACCEPT, I can again access external content. <div>
<br></div><div>Here's the ruleset: </div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><pre><code>Chain INPUT (policy DROP 461 packets, 81259 bytes)
num pkts bytes target prot opt in out source destination
1 11835 1095K fail2ban-SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 2972K 1083M ACCEPT all -- * * 4.3.2.0/24 0.0.0.0/0
3 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:636
4 3747K 436M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 89676 packets, 26M bytes)
num pkts bytes target prot opt in out source destination

Chain fail2ban-SSH (1 references)
num pkts bytes target prot opt in out source destination
1 11776 1092K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
</code></pre></blockquote>
<div>Any idea what in here could be causing the holdup?</div></div>
<br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div dir="ltr">-- <br>James P. Kinney III<br><br>Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br></div>
</div>
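<p>An added example, not from the thread or either poster: a small POSIX shell diagnostic that performs the check the reply describes (looking for nf_conntrack_* files under /proc/sys/net/netfilter) and parses an <code>iptables -L INPUT -v -n --line-numbers</code> listing to report whether INPUT carries a RELATED,ESTABLISHED rule, how many packets it has matched, and how many the DROP policy has discarded. The directory argument, the function names and the two sample listings are assumptions constructed for this example.</p>

```sh
#!/bin/sh
# Added example (not from the thread): check for connection tracking the way
# the reply suggests, then read the state rule and policy counters out of an
# `iptables -L INPUT -v -n --line-numbers` listing. The sysctl directory and
# the listing are parameters so the functions can run on constructed input.

# conntrack_present [DIR]: prints yes if DIR holds any nf_conntrack_* sysctl.
conntrack_present() {
    dir="${1:-/proc/sys/net/netfilter}"
    if ls "$dir"/nf_conntrack_* >/dev/null 2>&1; then echo yes; else echo no; fi
}

# state_rule_hits: reads a listing on stdin and prints the packet counter of the
# first INPUT rule matching RELATED,ESTABLISHED, or "none" if INPUT has no such rule.
state_rule_hits() {
    awk '/^Chain / { in_input = ($2 == "INPUT") }
         in_input && /RELATED,ESTABLISHED/ { print $2; found = 1; exit }
         END { if (!found) print "none" }'
}

# input_policy_drops: reads a listing on stdin and prints the packet counter of
# the INPUT default policy, i.e. packets that no rule accepted.
input_policy_drops() {
    awk '/^Chain INPUT/ { gsub(/[()]/, ""); print $5; exit }'
}

# Constructed listing modelled on the ruleset quoted in the thread.
SAMPLE_RULESET='Chain INPUT (policy DROP 461 packets, 81259 bytes)
num pkts bytes target prot opt in out source destination
1 11835 1095K fail2ban-SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 2972K 1083M ACCEPT all -- * * 4.3.2.0/24 0.0.0.0/0
3 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:636
4 3747K 436M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 89676 packets, 26M bytes)
num pkts bytes target prot opt in out source destination'

# Constructed listing with no state rule: every reply packet falls to the policy.
SAMPLE_NO_STATE='Chain INPUT (policy DROP 900 packets, 120000 bytes)
num pkts bytes target prot opt in out source destination
1 10 600 ACCEPT all -- * * 4.3.2.0/24 0.0.0.0/0'

# diagnose [DIR] < listing: summary for a host, e.g.
#   iptables -L INPUT -v -n --line-numbers | diagnose
diagnose() {
    listing=$(cat)
    echo "conntrack sysctls present: $(conntrack_present "$1")"
    echo "INPUT RELATED,ESTABLISHED hits: $(printf '%s\n' "$listing" | state_rule_hits)"
    echo "INPUT policy drops: $(printf '%s\n' "$listing" | input_policy_drops)"
}
```

<p>No nf_conntrack_* files together with a state rule that never counts a packet is the failure mode the reply describes, while a state rule with a large counter shows the state match itself is working and the dropped packets are hitting the policy for another reason.</p>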