[ale] iptables ruleset blocks external traffic... OUTPUT policy is ACCEPT

Adrya Stembridge adrya.stembridge at gmail.com
Fri May 16 13:59:09 EDT 2014


[user at boxen]# ll /proc/sys/net/netfilter
total 0
dr-xr-xr-x 0 root root 0 May 16 13:53 nf_log
-rw-r--r-- 1 root root 0 May 16 13:53 nf_conntrack_acct
-r--r--r-- 1 root root 0 May 16 13:53 nf_conntrack_buckets
-rw-r--r-- 1 root root 0 May 16 13:53 nf_conntrack_checksum
-r--r--r-- 1 root root 0 May 16 13:53 nf_conntrack_count
-rw-r--r-- 1 root root 0 May 16 13:53 nf_conntrack_events
-rw-r--r-- 1 root root 0 May 16 13:53 nf_conntrack_events_retry_timeout
-rw-r--r-- 1 root root 0 May 16 13:53 nf_conntrack_expect_max
-rw-r--r-- 1 root root 0 May 16 13:53 nf_conntrack_generic_timeout
-rw-r--r-- 1 root root 0 May 16 13:53 nf_conntrack_icmpv6_timeout
-rw-r--r-- 1 root root 0 May 16 13:53 nf_conntrack_icmp_timeout
-rw-r--r-- 1 root root 0 May 16 13:53 nf_conntrack_log_invalid
-rw-r--r-- 1 root root 0 May 16 13:53 nf_conntrack_max
-rw-r--r-- 1 root root 0 May 16 13:53 nf_conntrack_tcp_be_liberal
-rw-r--r-- 1 root root 0 May 16 13:53 nf_conntrack_tcp_loose
-rw-r--r-- 1 root root 0 May 16 13:53 nf_conntrack_tcp_max_retrans
-rw-r--r-- 1 root root 0 May 16 13:53 nf_conntrack_tcp_timeout_close
-rw-r--r-- 1 root root 0 May 16 13:53 nf_conntrack_tcp_timeout_close_wait
-rw-r--r-- 1 root root 0 May 16 13:53 nf_conntrack_tcp_timeout_established
-rw-r--r-- 1 root root 0 May 16 13:53 nf_conntrack_tcp_timeout_fin_wait
-rw-r--r-- 1 root root 0 May 16 13:53 nf_conntrack_tcp_timeout_last_ack
-rw-r--r-- 1 root root 0 May 16 13:53 nf_conntrack_tcp_timeout_max_retrans
-rw-r--r-- 1 root root 0 May 16 13:53 nf_conntrack_tcp_timeout_syn_recv
-rw-r--r-- 1 root root 0 May 16 13:53 nf_conntrack_tcp_timeout_syn_sent
-rw-r--r-- 1 root root 0 May 16 13:53 nf_conntrack_tcp_timeout_time_wait
-rw-r--r-- 1 root root 0 May 16 13:53 nf_conntrack_tcp_timeout_unacknowledged
-rw-r--r-- 1 root root 0 May 16 13:53 nf_conntrack_udp_timeout
-rw-r--r-- 1 root root 0 May 16 13:53 nf_conntrack_udp_timeout_stream



On Fri, May 16, 2014 at 10:56 AM, Jim Kinney <jim.kinney at gmail.com> wrote:

> Do you have conn_track on? Without it, the allow related, established line
> will fail and all return traffic will get dropped. Check
> /proc/sys/net/netfilter for nf_conntrack_* files. If missing, the kernel is
> not loading the conn_track module.
>
>
> On Fri, May 16, 2014 at 9:38 AM, Adrya Stembridge <
> adrya.stembridge at gmail.com> wrote:
>
>> My previous INPUT policy was ACCEPT. I'm attempting to limit access to
>> a machine to specific subnets (4.3.2.0/24), so I added a couple rules
>> for that (including one to allow LDAP traffic over port 636), then set the
>> INPUT policy to DROP. From that point on I can't access any external
>> content. The OUTPUT policy is ACCEPT. If I change the INPUT policy
>> back to ACCEPT, I can again access external content.
>>
>> Here's the ruleset:
>>
>> Chain INPUT (policy DROP 461 packets, 81259 bytes)
>> num   pkts bytes target     prot opt in     out     source               destination
>> 1    11835 1095K fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
>> 2    2972K 1083M ACCEPT     all  --  *      *       4.3.2.0/24           0.0.0.0/0
>> 3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:636
>> 4    3747K  436M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>> num   pkts bytes target     prot opt in     out     source               destination
>>
>> Chain OUTPUT (policy ACCEPT 89676 packets, 26M bytes)
>> num   pkts bytes target     prot opt in     out     source               destination
>>
>> Chain fail2ban-SSH (1 references)
>> num   pkts bytes target     prot opt in     out     source               destination
>> 1    11776 1092K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>
>>
>> Any idea what in here could be causing the holdup?
>>
>>
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>>
>
>
> --
> James P. Kinney III
>
> *Every time you stop a school, you will have to build a jail. What you
> gain at one end you lose at the other. It's like feeding a dog on his own
> tail. It won't fatten the dog. - Speech 11/23/1900 Mark Twain*
> http://heretothereideas.blogspot.com/
>
>
>
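Added example, not part of the thread: a small POSIX sh audit that mechanises the checks Jim's reply implies for an INPUT chain with policy DROP (are the nf_conntrack_* sysctls present, and is there an ACCEPT rule for RELATED,ESTABLISHED), and adds one general check the thread does not mention, a loopback ACCEPT rule, which a DROP policy also needs. The embedded listing is a constructed copy of the rules Adrya posted; the function names (conntrack_loaded, input_policy, has_established_rule, has_loopback_rule, audit_input) are mine. On a real host you would pass in the output of `iptables -L INPUT -vn --line-numbers`.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for an INPUT chain whose
# policy is DROP. SAMPLE_INPUT is a constructed copy of the listing Adrya
# posted; feed in real `iptables -L INPUT -vn --line-numbers` output instead.

SAMPLE_INPUT='Chain INPUT (policy DROP 461 packets, 81259 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    11835 1095K fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
2    2972K 1083M ACCEPT     all  --  *      *       4.3.2.0/24           0.0.0.0/0
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:636
4    3747K  436M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED'

# conntrack_loaded [DIR]: succeed if DIR holds nf_conntrack_* sysctls, i.e. the
# connection-tracking module is loaded. DIR defaults to the path Jim named.
conntrack_loaded() {
    dir=${1:-/proc/sys/net/netfilter}
    ls "$dir"/nf_conntrack_* >/dev/null 2>&1
}

# input_policy LISTING: print the chain's default policy (DROP or ACCEPT).
input_policy() {
    printf '%s\n' "$1" | sed -n 's/^Chain INPUT (policy \([A-Z]*\).*/\1/p'
}

# has_established_rule LISTING: succeed if an ACCEPT rule matches
# RELATED,ESTABLISHED (the rule that lets reply packets back in).
has_established_rule() {
    printf '%s\n' "$1" | grep -q 'ACCEPT.*RELATED,ESTABLISHED'
}

# has_loopback_rule LISTING: succeed if some ACCEPT rule has "lo" as its
# in-interface. Columns of -vn output: num pkts bytes target prot opt in out ...
has_loopback_rule() {
    printf '%s\n' "$1" | awk '$4 == "ACCEPT" && $7 == "lo" { found = 1 } END { exit !found }'
}

# audit_input LISTING [CONNTRACK_DIR]: run the checks, report each one, and
# return the number of checks that failed (0 means nothing obvious is wrong).
audit_input() {
    listing=$1
    failed=0
    if [ "$(input_policy "$listing")" != "DROP" ]; then
        echo "INPUT policy is not DROP; the checks below do not apply"
        return 0
    fi
    if conntrack_loaded "$2"; then
        echo "ok:   nf_conntrack_* sysctls present"
    else
        echo "FAIL: no nf_conntrack_* sysctls; a RELATED,ESTABLISHED match cannot work"
        failed=$((failed + 1))
    fi
    if has_established_rule "$listing"; then
        echo "ok:   ACCEPT RELATED,ESTABLISHED rule present"
    else
        echo "FAIL: no ACCEPT RELATED,ESTABLISHED rule; reply traffic hits the DROP policy"
        failed=$((failed + 1))
    fi
    if has_loopback_rule "$listing"; then
        echo "ok:   loopback ACCEPT rule present"
    else
        echo "FAIL: no ACCEPT rule with in-interface lo; traffic to local services on 127.0.0.1 is dropped"
        failed=$((failed + 1))
    fi
    return "$failed"
}

audit_input "$SAMPLE_INPUT"
echo "failed checks: $?"
```

Run against the posted ruleset on a host where conntrack is loaded (as Adrya's `ll` output shows it is), the script reports the conntrack and RELATED,ESTABLISHED checks as ok and flags only the missing loopback rule; whether that is the cause of Adrya's symptom is not settled in this thread, but it is the next thing worth ruling out before looking elsewhere (DNS is the usual first casualty when loopback is blocked).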

