| View previous topic :: View next topic |
| Author |
Message |
Maffuster
n00b
Joined: 03 Jun 2004
Posts: 38
|
 Posted: Sun Jan 09, 2005 8:54 pm Post subject: Network resets every few minutes |
 |
|
I'm running a gentoo box with three NICs in it.
It's currently acting as a NAT firewall with DHCP on the inside (one NIC is not being used)
I'm using fireHOL to design the iptable rules, and it seems to work fine so far. However...every 5-10 minutes...the network seems to just reset. I'm kicked out of putty and my emule client loses connection. This was working fine before I used fireHOL (I copied an iptables script from a website prior). I'm just not sure how to start troubleshooting something like this. My fireHOL script isn't even NEAR complex (20 lines).
Where should I start looking for trouble? (/var/log/messages seems fine...but I may be overlooking something)
THanks! |
|
| Back to top |
|
 |
WarMachine
Apprentice
Joined: 15 Jul 2002
Posts: 181
|
| Posted: Mon Jan 10, 2005 1:33 am Post subject: |
|
|
| post the script/the iptables rules? |
|
| Back to top |
|
|
Maffuster
n00b
Joined: 03 Jun 2004
Posts: 38
|
| Posted: Mon Jan 10, 2005 2:10 am Post subject: |
|
|
FireHOL script
| Code: |
green_ips="192.168.2.0/24"
orange_ips="192.168.3.0/24"
dnat to 192.168.2.100:4662 inface red1 dst 192.168.1.178 proto tcp dport 4662
dnat to 192.168.2.100:4663 inface red1 dst 192.168.1.178 proto udp dport 4663
server_emule_ports="tcp/4662 udp/4663"
client_emule_ports="any"
interface green1 green src "${green_ips}"
policy reject
client emule accept
server ssh accept
server dns accept
interface red1 redone # src not "${UNROUTABLE_IPS}"
policy drop
server ident reject with tcp-reset
server emule accept
protection strong
client all accept
#interface red2 redtwo # src not "${UNROUTABLE_IPS}"
# policy drop
# server ident reject with tcp-reset
# protection strong
# client all accept
router red1TOgreen1 inface red1 outface green1
masquerade reverse
route emule accept
client all accept
server ident reject with tcp-reset
|
Resulting IPTables code
| Code: |
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
in_green all -- 192.168.2.0/24 anywhere
in_redone all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `IN-unknown:'
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
in_red1TOgreen1 all -- anywhere anywhere
out_red1TOgreen1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `PASS-unknown:'
DROP all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
out_green all -- anywhere 192.168.2.0/24
out_redone all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `OUT-unknown:'
DROP all -- anywhere anywhere
Chain in_green (1 references)
target prot opt source destination
in_green_emule_c1 all -- anywhere anywhere
in_green_ssh_s2 all -- anywhere anywhere
in_green_dns_s3 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
LOG tcp -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `IN-green:'
REJECT tcp -- anywhere anywhere reject-with tcp-reset
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `IN-green:'
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain in_green_dns_s3 (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:domain state NEW,ESTABLISHED
Chain in_green_emule_c1 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:4662 state ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:4663 state ESTABLISHED
Chain in_green_ssh_s2 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ssh state NEW,ESTABLISHED
Chain in_red1TOgreen1 (1 references)
target prot opt source destination
in_red1TOgreen1_emule_s1 all -- anywhere anywhere
in_red1TOgreen1_all_c2 all -- anywhere anywhere
in_red1TOgreen1_irc_c3 all -- anywhere anywhere
in_red1TOgreen1_ftp_c4 all -- anywhere anywhere
in_red1TOgreen1_ident_s5 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
Chain in_red1TOgreen1_all_c2 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state ESTABLISHED
Chain in_red1TOgreen1_emule_s1 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:4662 state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:4663 state NEW,ESTABLISHED
Chain in_red1TOgreen1_ftp_c4 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ftp dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED
Chain in_red1TOgreen1_ident_s5 (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:auth state NEW,ESTABLISHED reject-with tcp-reset
Chain in_red1TOgreen1_irc_c3 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ircd dpts:1024:65535 state ESTABLISHED
Chain in_redone (1 references)
target prot opt source destination
in_redone_ident_s1 all -- anywhere anywhere
in_redone_emule_s2 all -- anywhere anywhere
in_redone_ssh_s3 all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
pr_redone_fragments all -f anywhere anywhere
pr_redone_nosyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
pr_redone_icmpflood icmp -- anywhere anywhere icmp echo-request
pr_redone_synflood tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
pr_redone_malxmas tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
pr_redone_malnull tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
pr_redone_malbad tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
pr_redone_malbad tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
pr_redone_malbad tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
pr_redone_malbad tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
in_redone_all_c4 all -- anywhere anywhere
in_redone_irc_c5 all -- anywhere anywhere
in_redone_ftp_c6 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `IN-redone:'
DROP all -- anywhere anywhere
Chain in_redone_all_c4 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state ESTABLISHED
Chain in_redone_emule_s2 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:4662 state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:4663 state NEW,ESTABLISHED
Chain in_redone_ftp_c6 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ftp dpts:32768:61000 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data dpts:32768:61000 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:32768:61000 state ESTABLISHED
Chain in_redone_ident_s1 (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:auth state NEW,ESTABLISHED reject-with tcp-reset
Chain in_redone_irc_c5 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ircd dpts:32768:61000 state ESTABLISHED
Chain in_redone_ssh_s3 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ssh state NEW,ESTABLISHED
Chain out_green (1 references)
target prot opt source destination
out_green_emule_c1 all -- anywhere anywhere
out_green_ssh_s2 all -- anywhere anywhere
out_green_dns_s3 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
LOG tcp -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `OUT-green:'
REJECT tcp -- anywhere anywhere reject-with tcp-reset
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `OUT-green:'
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain out_green_dns_s3 (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp spt:domain state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:domain state ESTABLISHED
Chain out_green_emule_c1 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:4662 state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:4663 state NEW,ESTABLISHED
Chain out_green_ssh_s2 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ssh dpts:1024:65535 state ESTABLISHED
Chain out_red1TOgreen1 (1 references)
target prot opt source destination
out_red1TOgreen1_emule_s1 all -- anywhere anywhere
out_red1TOgreen1_all_c2 all -- anywhere anywhere
out_red1TOgreen1_irc_c3 all -- anywhere anywhere
out_red1TOgreen1_ftp_c4 all -- anywhere anywhere
out_red1TOgreen1_ident_s5 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
Chain out_red1TOgreen1_all_c2 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW,ESTABLISHED
Chain out_red1TOgreen1_emule_s1 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:4662 state ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:4663 state ESTABLISHED
Chain out_red1TOgreen1_ftp_c4 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ftp-data state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
Chain out_red1TOgreen1_ident_s5 (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp spt:auth dpts:1024:65535 state ESTABLISHED reject-with tcp-reset
Chain out_red1TOgreen1_irc_c3 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ircd state NEW,ESTABLISHED
Chain out_redone (1 references)
target prot opt source destination
out_redone_ident_s1 all -- anywhere anywhere
out_redone_emule_s2 all -- anywhere anywhere
out_redone_ssh_s3 all -- anywhere anywhere
out_redone_all_c4 all -- anywhere anywhere
out_redone_irc_c5 all -- anywhere anywhere
out_redone_ftp_c6 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `OUT-redone:'
DROP all -- anywhere anywhere
Chain out_redone_all_c4 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW,ESTABLISHED
Chain out_redone_emule_s2 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:4662 state ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:4663 state ESTABLISHED
Chain out_redone_ftp_c6 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:32768:61000 dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:32768:61000 dpt:ftp-data state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:32768:61000 dpts:1024:65535 state RELATED,ESTABLISHED
Chain out_redone_ident_s1 (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp spt:auth dpts:1024:65535 state ESTABLISHED reject-with tcp-reset
Chain out_redone_irc_c5 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:32768:61000 dpt:ircd state NEW,ESTABLISHED
Chain out_redone_ssh_s3 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ssh dpts:1024:65535 state ESTABLISHED
Chain pr_redone_fragments (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `PACKET FRAGMENTS:'
DROP all -- anywhere anywhere
Chain pr_redone_icmpflood (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere limit: avg 100/sec burst 50
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `ICMP FLOOD:'
DROP all -- anywhere anywhere
Chain pr_redone_malbad (4 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `MALFORMED BAD:'
DROP all -- anywhere anywhere
Chain pr_redone_malnull (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `MALFORMED NULL:'
DROP all -- anywhere anywhere
Chain pr_redone_malxmas (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `MALFORMED XMAS:'
DROP all -- anywhere anywhere
Chain pr_redone_nosyn (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `NEW TCP w/o SYN:'
DROP all -- anywhere anywhere
Chain pr_redone_synflood (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere limit: avg 100/sec burst 50
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `SYN FLOOD:'
DROP all -- anywhere anywhere
|
Hopefully this is what you meant  I'm new to this iptables stuff. |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
