Hi,

When we insert the rule below into iptables, ssh sessions hang (in fact all TCP connections are terminated):

  iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP

What is the problem with the above rule? We used this rule to drop bad TCP packets. When the firewall is restarted using "service iptables restart", ssh sessions hang.

Rules used for testing:

ssh session hangs <set 1>
--------------------------
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -A INPUT -d 10.255.13.157 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -d 10.255.13.157 -j DROP

ssh session hangs <set 2>
----------------------------
iptables -N TEST_LAN_1
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -A INPUT -d 10.255.13.157 -j TEST_LAN_1
iptables -A TEST_LAN_1 -d 10.255.13.157 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A TEST_LAN_1 -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A TEST_LAN_1 -d 10.255.13.157 -j DROP

ssh session does not hang <set 3>
---------------------------------------
iptables -N TEST_LAN_1
iptables -A INPUT -d 10.255.13.157 -j TEST_LAN_1
iptables -A TEST_LAN_1 -d 10.255.13.157 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A TEST_LAN_1 -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A TEST_LAN_1 -d 10.255.13.157 -j DROP

ssh session does not hang <set 4>
---------------------------------------
iptables -A INPUT -d 10.255.13.157 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -d 10.255.13.157 -j DROP

Steps to reproduce this issue
-----------------------------------------------
iptables -F
iptables -X
<Insert any one set of rules from set 1 or set 2>
service ip6tables stop
service iptables save
iptables -L -n
service iptables restart
iptables -L -n

Thanks and regards,
Adishesh
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
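Added example, not part of the mail above: a small Python model of how the kernel walks the posted rule sets against one TCP segment. It parses the set 1 and set 4 command lines literally as written (the parser also understands the -N/-j user chains of sets 2 and 3), and it assumes that "service iptables restart" empties the conntrack table, so that an in-flight ACK of the already-open ssh session is classified NEW rather than ESTABLISHED when the rules are reloaded. The host address 10.255.13.157 and port 22 are taken from the post; the INPUT chain policy is assumed to be ACCEPT.

```python
import shlex

FLAG = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}
bits = lambda names: sum(FLAG[f] for f in names.split(","))

def parse(script):
    """Build {chain: [rule, ...]} from 'iptables -N ...' / 'iptables -A ...' lines (only the options in the post)."""
    chains = {"INPUT": []}
    for line in script.strip().splitlines():
        a = shlex.split(line)[1:]                      # drop the leading 'iptables' word
        if a[0] == "-N":
            chains.setdefault(a[1], []); continue
        rule, i = {}, 2                                # a[1] is the chain being appended to
        while i < len(a):
            neg = a[i] == "!"; i += neg                # a leading '!' negates the next match
            opt = a[i]
            if opt == "-d": rule["dst"] = a[i + 1]; i += 2
            elif opt == "--dport": rule["dport"] = int(a[i + 1]); i += 2
            elif opt == "--state": rule["state"] = set(a[i + 1].split(",")); i += 2
            elif opt == "--tcp-flags": rule["flags"] = (bits(a[i + 1]), bits(a[i + 2]), neg); i += 3
            elif opt == "-j": rule["target"] = a[i + 1]; i += 2
            else: i += 2                               # '-p tcp', '-m tcp', '-m state': every modelled packet is TCP
        chains.setdefault(a[1], []).append(rule)
    return chains

def matches(r, p):
    if r.get("dst", p["dst"]) != p["dst"]: return False
    if r.get("dport", p["dport"]) != p["dport"]: return False
    if "state" in r and p["state"] not in r["state"]: return False
    if "flags" in r:                                   # '--tcp-flags MASK COMP': (flags & MASK) == COMP, inverted by '!'
        mask, comp, neg = r["flags"]
        if ((p["flags"] & mask) == comp) == neg: return False
    return True

def verdict(chains, p, chain="INPUT"):
    """First terminating target wins; a user chain that runs out returns to its caller (assumed policy: ACCEPT)."""
    for r in chains[chain]:
        if not matches(r, p): continue
        if r["target"] in ("ACCEPT", "DROP"): return r["target"]
        sub = verdict(chains, p, r["target"])
        if sub: return sub
    return "ACCEPT" if chain == "INPUT" else None

SET1 = """iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -A INPUT -d 10.255.13.157 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -d 10.255.13.157 -j DROP"""
SET4 = SET1.split("\n", 1)[1]                          # set 4 is set 1 without the tcp-flags rule

def ssh_packet(flags, state):
    """Constructed segment to the host's ssh port; 'state' is what conntrack reports for it."""
    return {"dst": "10.255.13.157", "dport": 22, "flags": bits(flags), "state": state}
```

With conntrack state intact, ssh_packet("ACK", "ESTABLISHED") is accepted by set 1; once the restart has forgotten the session, the same ACK-only segment is NEW and the first rule of set 1 drops it, while set 4 still accepts it via the --dport 22 rule.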