Re: PostgreSQL x iptables


Exactly. Because what you want to achieve is not problematic at all from the iptables
point of view. Something else must be there that poisons the
traffic/connection.

Kind regards


Elvir Kuric

2009/5/7 Slansky Lukas <Lukas.Slansky@xxxxxxx>:
> Hello,
> as you may see, there is rule 2 that accepts new connections. Unfortunately, we have found that the Cisco works really badly with SACK packets, and these are then recognized as INVALID and dropped. We still don't know what is wrong and why SACKs are produced, but I suspect the PIX too. The workaround and some explanation are mentioned on LKML: http://lkml.org/lkml/2007/7/29/174
>
> Now, after turning SACKs off, the connection seems stable. But we'll try to figure out why such packets are produced. It will probably take time...
>
> Thanks,
> Lukas
>
> -----Original Message-----
> From: Elvir Kuric [mailto:omasnjak@xxxxxxxxx]
> Sent: Wednesday, May 06, 2009 8:37 PM
> To: Slansky Lukas
> Cc: netfilter@xxxxxxxxxxxxxxx
> Subject: Re: PostgreSQL x iptables
>
> Hi Lukas,
>
> you should accept NEW connections for the traffic you need. Rule "1" accepts
> only connections which are initiated
> from the "original host", i.e. the host which already sent NEW.
> You can receive all traffic on a particular port/from a particular host,
> and I think it will not be a problem to do what you want.
> Also, please take care that it is necessary to reload the rules (do iptables
> -X -F -Z) after you change something.
>
> Take a look at the Cisco PIX; maybe you have some limit there.
>
> For an iptables reference, see man iptables or Oscar Anderson's Iptables manual.
>
> Regards/Ahoj
>
> Elvir Kuric
>
> On Wed, May 6, 2009 at 11:13 AM, Slansky Lukas <Lukas.Slansky@xxxxxxx> wrote:
>> Hello,
>> we're using PG and an application server (JBoss) on separate CentOS servers
>> with a Cisco PIX in between. On the DB side there is an iptables ruleset with
>> the following relevant rules:
>>
>> 1. -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> 2. -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s
>> aaa.bbb.ccc.ddd --dport 5432 -j ACCEPT
>> 3. -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>
>> I was wondering whether these rules are not OK for our environment. It
>> seems that rules 1 and 2 sometimes (probably for complicated queries)
>> pass packets on, and these packets are therefore rejected by rule 3. Such a
>> connection is then in some weird state, doesn't communicate (obviously,
>> since the packets are dropped), and the psql (or JBoss) connection blocks for a
>> long time (at least a few hours).
>>
>> Everything seems to be OK since I changed rule 2 to "-A
>> RH-Firewall-1-INPUT -m tcp -p tcp -s aaa.bbb.ccc.ddd --dport 5432 -j
>> ACCEPT".
>>
>> I'm really confused: what other states are possible for iptables besides
>> ESTABLISHED, RELATED or NEW? In the iptables manpage there is only INVALID, but
>> why is this state emerging?
>>
>> Any idea?
>>
>> Lukas
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
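An added example, not code from any post in this thread, that turns the diagnosis the thread arrives at into something runnable: it prints iptables rules that log INVALID-state packets (with their TCP options) at the top of the chain before they can fall through to the final REJECT, classifies the resulting kernel LOG lines to show whether a dropped segment carried a SACK block, and prints the two sysctl settings that address the problem. The chain name and port come from the post; APP_HOST stands in for aaa.bbb.ccc.ddd, and the sample log lines are constructed in the LOG target's format, not captured on the poster's systems.

```shell
#!/bin/sh
# Added example, not code from any post in this thread. Print rules that log
# INVALID-state packets (with TCP options) before the final REJECT, classify the
# resulting kernel LOG lines to see whether a dropped segment carried a SACK
# block, and print the sysctl knobs that address it. APP_HOST is a placeholder
# for aaa.bbb.ccc.ddd; the sample log lines below are constructed, not captured.

CHAIN="RH-Firewall-1-INPUT"               # chain name from the post
APP_HOST="${APP_HOST:-aaa.bbb.ccc.ddd}"   # placeholder, not a real address

# Rules for the top of the chain: LOG with --log-tcp-options so the options show
# up as "OPT (hex)", then DROP. Printed rather than executed so this runs
# without root; review the output and feed it to sh on the DB host.
invalid_log_rules() {
  printf 'iptables -I %s 1 -m state --state INVALID -j LOG --log-prefix "INVALID: " --log-tcp-options\n' "$CHAIN"
  printf 'iptables -I %s 2 -m state --state INVALID -j DROP\n' "$CHAIN"
}

# Return 0 if the TCP option hex from "OPT (...)" contains a SACK block (kind 5).
# Layout: kind byte, then for every kind except EOL (0) and NOP (1) a length
# byte that counts the kind and length bytes themselves.
has_sack_option() {
  opts=$1
  while [ ${#opts} -ge 2 ]; do
    kind=$((0x${opts%"${opts#??}"}))
    opts=${opts#??}
    case $kind in
      0) return 1 ;;     # end of option list
      1) continue ;;     # NOP padding
      5) return 0 ;;     # SACK block present
    esac
    [ ${#opts} -ge 2 ] || return 1            # truncated option
    len=$((0x${opts%"${opts#??}"}))
    [ "$len" -ge 2 ] || return 1              # malformed length, do not spin
    i=1                                       # kind byte already consumed
    while [ $i -lt $len ]; do opts=${opts#??}; i=$((i+1)); done
  done
  return 1
}

# Summarize one kernel LOG line written by the rules above. Returns 1 for lines
# without the "INVALID: " prefix so the function can be used as a filter.
classify_log_line() {
  case $1 in *"INVALID: "*) ;; *) return 1 ;; esac
  src= dpt= flags= sack=no
  for tok in $1; do
    case $tok in
      SRC=*) src=${tok#SRC=} ;;
      DPT=*) dpt=${tok#DPT=} ;;
      URG|ACK|PSH|RST|SYN|FIN) flags="${flags:+$flags,}$tok" ;;
      "("*")") hex=${tok#"("}; hex=${hex%")"}
               has_sack_option "$hex" && sack=yes ;;
    esac
  done
  printf 'src=%s dpt=%s flags=%s sack=%s\n' "$src" "$dpt" "$flags" "$sack"
}

# The two knobs: what Lukas did (turn SACK off; it is negotiated, so either end
# suffices) and the conntrack-side alternative, which stops conntrack from
# marking out-of-window segments INVALID (only RST stays window-checked). On
# the ip_conntrack kernels CentOS 5 shipped, the second knob is called
# net.ipv4.netfilter.ip_conntrack_tcp_be_liberal instead.
mitigations() {
  printf 'sysctl -w net.ipv4.tcp_sack=0\n'
  printf 'sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal=1\n'
}

# Constructed log lines in LOG-target format: an ACK carrying timestamps plus
# one SACK block (24 option bytes), and a data segment with timestamps only.
SAMPLE_SACK='May  7 10:12:01 db kernel: INVALID: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.10 LEN=64 TOS=0x00 PREC=0x00 TTL=62 ID=4711 DF PROTO=TCP SPT=45678 DPT=5432 WINDOW=65535 RES=0x00 ACK URGP=0 OPT (0101080A0000AABB0000CCDD0101050A1234567812345690)'
SAMPLE_PLAIN='May  7 10:12:02 db kernel: INVALID: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.10 LEN=152 TOS=0x00 PREC=0x00 TTL=62 ID=4712 DF PROTO=TCP SPT=45678 DPT=5432 WINDOW=65535 RES=0x00 ACK PSH URGP=0 OPT (0101080A0000AABB0000CCDD)'

classify_log_line "$SAMPLE_SACK"    # src=10.0.0.5 dpt=5432 flags=ACK sack=yes
classify_log_line "$SAMPLE_PLAIN"   # src=10.0.0.5 dpt=5432 flags=ACK,PSH sack=no
```

Run it as-is to see the two classifications. On the DB host, `invalid_log_rules | sh` inserts the logging rules; after that, source the file (`. ./invalid.sh`, name assumed) and run `grep 'INVALID: ' /var/log/messages | while read -r l; do classify_log_line "$l"; done` to see what conntrack is discarding and whether SACK is involved before touching any sysctl. The rules are inserted with `-I` rather than by flushing: `iptables -F` throws away every rule in the chain and leaves only the chain policy, so on the CentOS hosts in the post the safer way to reload an edited ruleset is `service iptables restart` after changing /etc/sysconfig/iptables.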
