IPtables dropping ssh connections

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi all,

I was curious as to whether anyone out there has seen this problem before.

I have a CentOS machine running as a firewall with a bunch of IPtables rules.

Often, as in almost always, after sending largish amounts of data (as
small as listing a directory, sometimes), the ssh session just hangs.
With iptables disabled, this doesn't happen.

Example:
Spew some data:
while : ; do cat /var/log/messages.1;done

Works fine with iptables disabled.

If I enable IPtables,  it dies after a few hundred lines. "dies"
meaning that no keys work, and ~. doesn't do anything for some time.
At some point, I can do a ~. and relogin. Other ssh sessions continue
to work as normal.

I'm coming in on eth1 from a computer on the local network.

# Generated by iptables-save v1.3.5 on Tue Jul 24 17:46:18 2007
*nat
:PREROUTING ACCEPT [30:4215]
:POSTROUTING ACCEPT [1:72]
:OUTPUT ACCEPT [3:232]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth2 -j MASQUERADE
COMMIT
# Completed on Tue Jul 24 17:46:18 2007
# Generated by iptables-save v1.3.5 on Tue Jul 24 17:46:18 2007
*mangle
:PREROUTING ACCEPT [313:27319]
:INPUT ACCEPT [311:26987]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [191:67145]
:POSTROUTING ACCEPT [191:67145]
COMMIT
# Completed on Tue Jul 24 17:46:18 2007
# Generated by iptables-save v1.3.5 on Tue Jul 24 17:46:18 2007
*filter
:FORWARD ACCEPT [0:0]
:ControlSrcDest - [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j ControlSrcDest
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports
2000,1045,1044,6090,427
-A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 514 -j ACCEPT
# Allow NFS on Fixed ports.
-A RH-Firewall-1-INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports
111,4000,2049,4001,4002,4003,673,677
-A RH-Firewall-1-INPUT -p udp -m udp -m multiport -j ACCEPT --dports
111,4000,2049,4001,4002,4003,673,677
-A RH-Firewall-1-INPUT -p udp -m udp ! --dport 137:138 -j LOG
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A ControlSrcDest -i lo -j ACCEPT
# Allow To VPN
-A ControlSrcDest -o eth1 -j ACCEPT
# Allow if src is VPN
-A ControlSrcDest -i eth1 -j ACCEPT
-A ControlSrcDest -j LOG
-A ControlSrcDest -j REJECT --reject-with icmp-net-unreachable
COMMIT
# Completed on Tue Jul 24 17:46:18 2007


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux