Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[SOLVED] iptables -P INPUT|OUTPUT|FORWARD DROP shuts down ne
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
guru meditation
n00b
n00b


Joined: 18 Mar 2018
Posts: 24
Location: Planet Earth

PostPosted: Tue Jan 22, 2019 3:29 am    Post subject: [SOLVED] iptables -P INPUT|OUTPUT|FORWARD DROP shuts down ne Reply with quote

… completely, even though other inserted rules allow connections to and from outside to specific ports.

Problem after migrating a webserver from Debian/Ubuntu to Gentoo is following script:

1st I delete the old rules via
-t nat -F
-t filter -F
-X

then I define new rules
-N garbage
-I garbage -p TCP
-I garbage -p UDP
-I garbage -p ICMP

now comes the part that causes problems, the default policy:
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP

then come some outgoing conns:
-I OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-I INPUT -i eth0 -p TCP --sport 22 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

and some incoming conns:
-I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-I OUTPUT -o eth0 -p TCP --sport 22 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

On Ubuntu/Debian, the script is running fine. On my Gentoo box, it just shuts down the entire network with the 'default policy', even when I put the part at the very end of the script.

What I noticed when I saved the rules in both local Debian and Gentoo boxes is that Debian begins with the *filter section, then issues a COMMIT, then follows a *nat section and another COMMIT.
However Gentoo's iptables begins with a *raw, *nat and *mangle section and COMMIT, then the *filter section and another COMMIT.

Just realised… could it be because of wrong interface (eth0/ifwhatever)? Or what is wrong with the script and/or iptables?


Last edited by guru meditation on Wed Jan 23, 2019 12:30 am; edited 1 time in total
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 13490

PostPosted: Tue Jan 22, 2019 4:51 am    Post subject: Reply with quote

What is the output of ip link show on both systems? This will show us the network interface names. If there are no clues there, please post the output of iptables-save -c from both so that we can see the rules as loaded, not just the rules you meant to load.
Back to top
View user's profile Send private message
guru meditation
n00b
n00b


Joined: 18 Mar 2018
Posts: 24
Location: Planet Earth

PostPosted: Wed Jan 23, 2019 12:36 am    Post subject: Reply with quote

Turns out it was 'forgetting' about renaming the network interface from 'eth0' to the appropriate name.

If you shut down network with -P INPUT DROP etc. and then allowing traffic to a non-existent network interface eth0, the network keeps shut while you search for the cause lol.
Back to top
View user's profile Send private message
mike155
l33t
l33t


Joined: 17 Sep 2010
Posts: 988
Location: Frankfurt, Germany

PostPosted: Wed Jan 23, 2019 12:42 am    Post subject: Reply with quote

That's why I start the Linux kernel with kernel command line parameter 'net.ifnames=0' - to get back the old and beloved network interface names: eth0, eth1, etc.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum