Is iptables black-listing me?


Hello,

Here is the problem I hope somebody on the list can help me with:

We have been running iptables on a Debian Linux box for some time. It works fine, except that from time to time one of the servers in the farm is denied access through the firewall for a while, without any evidence of what is causing the fault or what fixes it! Traffic through the firewall from other servers in the farm still flows normally in the meantime. The box is somewhat loaded as it runs a Windows 2000 DC, DNS, DHCP & mail services, but it seems to work fine as far as I can tell.

We have both NAT and filtering rules as follows (where x.x. & y.y. replace the external & internal network IP ranges):

# Generated by iptables-save v1.2.6a on Thu Jan 22 14:47:03 2004
*mangle
:PREROUTING ACCEPT [30062301:24484022112]
:INPUT ACCEPT [4198390:1941057227]
:FORWARD ACCEPT [25793352:22533866498]
:OUTPUT ACCEPT [4637289:2018602790]
:POSTROUTING ACCEPT [30430582:24552464804]
COMMIT
# Completed on Thu Jan 22 14:47:03 2004
# Generated by iptables-save v1.2.6a on Thu Jan 22 14:47:03 2004
*filter
:INPUT DROP [9938:1125519]
:FORWARD ACCEPT [25793352:22533866498]
:OUTPUT ACCEPT [3495998:1919643818]
[1335687:165906544] -A INPUT -s y.y.2.0/255.255.255.0 -i eth2 -j ACCEPT
[364:45069] -A INPUT -s y.y.1.0/255.255.255.0 -i eth1 -j ACCEPT
[0:0] -A INPUT -d x.x.2.210 -p udp -m udp --dport 1886 -j ACCEPT
[0:0] -A INPUT -d x.x.2.210 -p tcp -m tcp --dport 1886 -j ACCEPT
[0:0] -A INPUT -d x.x.2.210 -p tcp -m tcp --dport 1885 -j ACCEPT
[0:0] -A INPUT -d x.x.2.210 -p udp -m udp --dport 1885 -j ACCEPT
[1768:225589] -A INPUT -d x.x.2.210 -p tcp -m tcp --dport 10000 -j ACCEPT
[1459:112620] -A INPUT -d x.x.2.210 -p tcp -m tcp --dport 22 -j ACCEPT
[232015:19489204] -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 6/sec -j ACCEPT
[2615789:1754070556] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[1370:82126] -A INPUT -i lo -j ACCEPT
[1141232:98954488] -A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Thu Jan 22 14:47:03 2004
# Generated by iptables-save v1.2.6a on Thu Jan 22 14:47:03 2004
*nat
:PREROUTING ACCEPT [592546:39140555]
:POSTROUTING ACCEPT [224874:17450381]
:OUTPUT ACCEPT [284539:21162120]
[0:0] -A PREROUTING -d x.x.2.6 -p tcp -m tcp --dport 80 -j DNAT --to-destination y.y.1.2:80
[0:0] -A PREROUTING -d x.x.2.6 -p tcp -m tcp --dport 443 -j DNAT --to-destination y.y.1.2:443
[2833:132792] -A PREROUTING -d x.x.2.5 -p tcp -m multiport --dports smtp,lotusnote,www,domain,https -j DNAT --to-destination y.y.2.2
[1:79] -A PREROUTING -d x.x.2.5 -p udp -m multiport --dports domain -j DNAT --to-destination y.y.2.2
[0:0] -A PREROUTING -d x.x.2.4 -p tcp -m multiport --dports 1494,443 -j DNAT --to-destination y.y.2.5
[6:288] -A PREROUTING -d x.x.2.3 -p tcp -m multiport --dports 10000,ssh -j DNAT --to-destination y.y.2.4
[0:0] -A POSTROUTING -s y.y.1.2 -o eth0 -j SNAT --to-source x.x.2.6
[0:0] -A POSTROUTING -s y.y.2.2 -o eth0 -j SNAT --to-source x.x.2.5
[433482:23976479] -A POSTROUTING -o eth0 -j SNAT --to-source x.x.2.210
COMMIT
# Completed on Thu Jan 22 14:47:03 2004

Once the struggling server (y.y.2.5) is blocked, removing the filtering rules does not restore the connection. It just seems like the firewall has blacklisted my server although I don't see what could be causing it.

Any suggestion?

Could it be related to the "[232015:19489204] -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 6/sec -j ACCEPT" rule that was set to avoid "ping of death" attacks?

Also, I found a file called /etc/init.d/iptables.lock on my system. What is it used for?

Thanks in advance to whoever can help...

Olivier.
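An added diagnostic, not part of Olivier's post and not netfilter project code: a Python script that parses two `iptables-save -c` snapshots, one taken while the affected server is working and one while it is blocked, and reports which rule or chain-policy counters grew between them. In an `iptables-save -c` dump the policy line of a chain (`:INPUT DROP [pkts:bytes]`) counts packets that reached the end of the chain without matching a terminating rule, so a climbing policy counter in a DROP chain points at a fall-through rather than at any particular rule. The two snapshots embedded below are constructed in the format of the dump above, with invented counter increments; the function and variable names are this example's own.

```python
"""Diff packet counters between two `iptables-save -c` snapshots.

Added example (not from the original post). Take one snapshot while the
server works and another while it is blocked, then see which rule or
chain policy absorbed the packets in between. The sample snapshots are
constructed in the format of the post's dump; the deltas are invented.
"""
import re
from typing import Dict, List, Tuple

COUNTER = r"\[(\d+):(\d+)\]"
# ":CHAIN POLICY [pkts:bytes]"  -> chain policy counter
POLICY_RE = re.compile(r"^:(\S+)\s+(\S+)\s+" + COUNTER + r"$")
# "[pkts:bytes] -A CHAIN ..."   -> per-rule counter
RULE_RE = re.compile(r"^" + COUNTER + r"\s+(-A\s+.*)$")

Key = Tuple[str, str]  # (table, ":CHAIN POLICY" or full rule text)


def parse_counters(dump: str) -> Dict[Key, Tuple[int, int]]:
    """Return {(table, rule-or-policy): (packets, bytes)} for one snapshot."""
    table = ""
    counters: Dict[Key, Tuple[int, int]] = {}
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):          # "*filter", "*nat", "*mangle"
            table = line[1:]
            continue
        m = POLICY_RE.match(line)
        if m:
            chain, policy, pkts, byts = m.groups()
            counters[(table, f":{chain} {policy}")] = (int(pkts), int(byts))
            continue
        m = RULE_RE.match(line)
        if m:
            pkts, byts, rule = m.groups()
            counters[(table, rule)] = (int(pkts), int(byts))
    return counters


def diff_counters(before: Dict[Key, Tuple[int, int]],
                  after: Dict[Key, Tuple[int, int]]) -> List[Tuple[str, str, int, int]]:
    """Entries whose packet counter grew, largest packet delta first.

    Rules absent from the earlier snapshot (added in between) count from zero.
    """
    deltas = []
    for (table, rule), (pkts_after, bytes_after) in after.items():
        pkts_before, bytes_before = before.get((table, rule), (0, 0))
        d_pkts = pkts_after - pkts_before
        if d_pkts > 0:
            deltas.append((table, rule, d_pkts, bytes_after - bytes_before))
    return sorted(deltas, key=lambda e: e[2], reverse=True)


def report(before_dump: str, after_dump: str) -> List[str]:
    """One human-readable line per counter that moved."""
    rows = diff_counters(parse_counters(before_dump), parse_counters(after_dump))
    return [f"{table:<7} +{pkts:>8} pkts +{byts:>11} bytes  {rule}"
            for table, rule, pkts, byts in rows]


# Constructed snapshots (format of the post's dump, invented increments).
BEFORE = """\
*filter
:INPUT DROP [9938:1125519]
:FORWARD ACCEPT [25793352:22533866498]
:OUTPUT ACCEPT [3495998:1919643818]
[1335687:165906544] -A INPUT -s y.y.2.0/255.255.255.0 -i eth2 -j ACCEPT
[232015:19489204] -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 6/sec -j ACCEPT
[2615789:1754070556] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [592546:39140555]
[0:0] -A PREROUTING -d x.x.2.4 -p tcp -m multiport --dports 1494,443 -j DNAT --to-destination y.y.2.5
COMMIT
"""

AFTER = """\
*filter
:INPUT DROP [10438:1181519]
:FORWARD ACCEPT [25793352:22533866498]
:OUTPUT ACCEPT [3495998:1919643818]
[1335807:165920544] -A INPUT -s y.y.2.0/255.255.255.0 -i eth2 -j ACCEPT
[232015:19489204] -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 6/sec -j ACCEPT
[2615819:1754090556] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [592546:39140555]
[12:720] -A PREROUTING -d x.x.2.4 -p tcp -m multiport --dports 1494,443 -j DNAT --to-destination y.y.2.5
COMMIT
"""

if __name__ == "__main__":
    for line in report(BEFORE, AFTER):
        print(line)
```

Usage: run `iptables-save -c > before.txt` while the server is reachable and again into `after.txt` while it is blocked, then call `report(open("before.txt").read(), open("after.txt").read())`. Once the moving counter is known, an `iptables -I CHAIN <n> ... -j LOG` rule inserted just ahead of that rule (or at the end of the chain, ahead of a DROP policy) records the individual packets in the kernel log, which is the point at which a drop can be attributed to a specific rule rather than guessed at.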

