RE: dropped SSH sessions with kernels >= 4.14 upon iptables clear then load [REGRESSION][BISECTED]

On 2018.08.14 13:43 Roman Mamedov wrote:
> On Tue, 14 Aug 2018 08:48:18 -0700
> "Doug Smythies" <dsmythies@xxxxxxxxx> wrote:
>
>> Sometimes it is desirable to temporarily disable, or clear,
>> the iptables rule set on a computer being controlled via a
>> secure shell session (SSH). While unwise on an internet facing
>> computer, I also do it often on non-internet accessible computers
>> while testing. Recently, this has become problematic, with the
>> SSH session being dropped upon re-load of the rule set.
>
> This is surprising, I often do this as well (iptables -F of everything while
> policies are set to DROP, then re-adding rules one by one), and did not notice
> any change, this keeps working fine for me.

I don't know what to say, it is 100% repeatable for me, on multiple
computers. There has to be some traffic on the SSH session while the rules
are disabled for this to occur. Also, the session has to have been started
with the rules in place.

Additionally, as I just learned from Florian's e-mail:

/proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal

has to be 0.

I am seeing some other odd and infrequent SSH session drops, but haven't
been able to isolate them into a repeatable form to investigate.

> Could you post the relevant iptables rules from your configuration, i.e. the
> ones which act on your SSH connections?

I made the conditions as simple as possible. The scripts are in the reference below.
This issue actually arose from someone using ufw (a front end for iptables). My
interest came from attempting to understand some issues I have been observing.
Reference (the scripts are there also):

https://askubuntu.com/questions/1059781/ufw-allows-22-for-ipv4-and-ipv6-but-ssh-disconnects-when-enabling

> Also do you know in which specific
> 4.14 kernel version the change went in? I can't find it in Changelogs for any
> of 4.14.x on kernel.org.

It was the first version; I only ever use the mainline kernel and used it for my
bisection. Since the group of patches was so huge, I assume it was in kernel
4.14-rc1, but am not sure.

Hope this helps.

... Doug
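As an added example (not part of the thread, and not the scripts Doug links on askubuntu), the following POSIX shell harness sequences the three conditions Doug lists for the drop: an SSH session opened while the rules were loaded, the rules cleared, traffic on that session while they are cleared, then the rules reloaded, together with a check of the nf_conntrack_tcp_be_liberal value he says must be 0. The minimal conntrack-based rule set and the `load`/`repro`/`check` verbs are constructed for this example; the only thing taken from the message is the sysctl path. Run `load` from a console with the rules you want, open an SSH session, then run `repro` as root inside that session.

```shell
#!/bin/sh
# Added reproduction harness for the flush-then-reload SSH drop discussed in
# the thread. Not from the thread or the linked askubuntu scripts. The rule
# set below is a constructed minimal conntrack-based set (assumption); the
# sysctl path is the one named in the message.
set -eu

BE_LIBERAL_DEFAULT=/proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal

# Print the current nf_conntrack_tcp_be_liberal value, stripped of whitespace.
# Takes an optional file path so the parsing can be exercised without root.
be_liberal_value() {
    tr -d '[:space:]' < "${1:-$BE_LIBERAL_DEFAULT}"
}

# True when the precondition stated in the message holds: be_liberal is 0.
# The other two preconditions (a session started under the rules, and traffic
# on it while the rules are cleared) are produced by the steps in repro().
precondition_be_liberal_zero() {
    [ "$(be_liberal_value "${1:-}")" = "0" ]
}

# Load a minimal rule set that depends on conntrack state (constructed example).
load_minimal_rules() {
    iptables -F
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

# Clear the rule set so that traffic keeps flowing: policies open, chains empty.
clear_rules() {
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -F
}

# Generate traffic on the SSH session this script is run from: anything that
# writes to the terminal crosses the session. Runs for $1 seconds.
session_traffic() {
    secs="${1:-5}"
    i=0
    while [ "$i" -lt "$secs" ]; do
        echo "rules cleared, session traffic $i"
        sleep 1
        i=$((i + 1))
    done
}

# Full sequence, run from inside an SSH session that was opened with the rules
# already loaded: snapshot, clear, talk over the session, reload. On a kernel
# showing the reported regression, with be_liberal=0, the session drops at the
# reload step and the final echo is never seen.
repro() {
    if ! precondition_be_liberal_zero; then
        echo "be_liberal is $(be_liberal_value); the message says it must be 0 to reproduce" >&2
    fi
    saved=$(mktemp)
    iptables-save > "$saved"
    echo "saved rules to $saved; clearing"
    clear_rules
    session_traffic 5
    echo "reloading rules (session drop expected on affected kernels)"
    iptables-restore < "$saved"
    echo "still connected after reload"
    rm -f "$saved"
}

case "${1:-}" in
    load)  load_minimal_rules ;;
    repro) repro ;;
    check) echo "nf_conntrack_tcp_be_liberal=$(be_liberal_value)" ;;
    *)     ;;  # no action when sourced or run without a verb
esac
```

The clear step opens the policies before flushing rather than flushing under a DROP policy, because the message says the drop needs traffic to cross the session while the rules are down; a DROP policy with empty chains would block that traffic and not exercise the reported case.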
