guru meditation Tux's lil' helper
Joined: 18 Mar 2018 Posts: 141 Location: Planet Earth
Posted: Tue Jan 22, 2019 3:29 am Post subject: [SOLVED] iptables -P INPUT|OUTPUT|FORWARD DROP shuts down ne

… completely, even though other inserted rules allow connections to and from outside to specific ports.
The problem after migrating a webserver from Debian/Ubuntu to Gentoo is the following script:
First I delete the old rules via
-t nat -F
-t filter -F
-X
then I define new rules
-N garbage
-I garbage -p TCP
-I garbage -p UDP
-I garbage -p ICMP
now comes the part that causes problems, the default policy:
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
then come some outgoing conns:
-I OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-I INPUT -i eth0 -p TCP --sport 22 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
and some incoming conns:
-I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-I OUTPUT -o eth0 -p TCP --sport 22 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
On Ubuntu/Debian, the script is running fine. On my Gentoo box, it just shuts down the entire network with the 'default policy', even when I put the part at the very end of the script.
What I noticed when I saved the rules in both local Debian and Gentoo boxes is that Debian begins with the *filter section, then issues a COMMIT, then follows a *nat section and another COMMIT.
However Gentoo's iptables begins with a *raw, *nat and *mangle section and COMMIT, then the *filter section and another COMMIT.
Just realised… could it be because of wrong interface (eth0/ifwhatever)? Or what is wrong with the script and/or iptables?
Last edited by guru meditation on Wed Jan 23, 2019 12:30 am; edited 1 time in total
Hu Moderator
Joined: 06 Mar 2007 Posts: 21635
Posted: Tue Jan 22, 2019 4:51 am

What is the output of ip link show on both systems? This will show us the network interface names. If there are no clues there, please post the output of iptables-save -c from both so that we can see the rules as loaded, not just the rules you meant to load.
guru meditation Tux's lil' helper
Joined: 18 Mar 2018 Posts: 141 Location: Planet Earth
Posted: Wed Jan 23, 2019 12:36 am

Turns out I had 'forgotten' to rename the network interface from 'eth0' to the appropriate name.
If you shut down the network with -P INPUT DROP etc. and then allow traffic on a non-existent network interface eth0, the network stays shut while you search for the cause lol.
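The script in the first post and the lockout described in the solution above, as an added example that is not the OP's script or anything posted in this thread: a POSIX sh loader for the same DROP-by-default ruleset that refuses to run unless the interface the rules are bound to actually exists, so a stale 'eth0' fails loudly instead of leaving every ACCEPT rule dead under a DROP policy. It assumes Linux with iptables and /sys/class/net; IFACE, SSH_PORT, NET_SYSFS and the function names are illustrative, and it uses `-m conntrack --ctstate` where the post used the older `-m state --state`.

```shell
#!/bin/sh
# Added example (not the OP's script): load a DROP-by-default ruleset, but only
# after confirming the interface the rules are bound to actually exists.
# Assumptions: Linux with iptables and /sys/class/net; IFACE, SSH_PORT and the
# function names are illustrative.

IFACE="${IFACE:-eth0}"          # the interface you *think* you have; check it first
SSH_PORT="${SSH_PORT:-22}"
IPT="${IPT:-iptables}"          # set IPT=echo to print the rules instead of applying them
NET_SYSFS="${NET_SYSFS:-/sys/class/net}"   # one directory per interface on Linux

# True when the kernel knows an interface by this name. Same question as
# `ip link show "$1"` asked interactively; sysfs is used so the check can be
# exercised without root or the ip tool.
iface_exists() {
    [ -d "$NET_SYSFS/$1" ]
}

# Print the ruleset for one interface, one iptables invocation per line.
# Everything that must keep working is ACCEPTed before the policies flip to
# DROP, so the SSH session you run this from is never cut off mid-script.
build_rules() {
    iface="$1"
    cat <<EOF
$IPT -t nat -F
$IPT -t filter -F
$IPT -X
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $iface -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
$IPT -A OUTPUT -o $iface -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
EOF
}

# Number of commands build_rules emits (handy for sanity checks).
rule_count() {
    build_rules "$1" | wc -l | tr -d ' '
}

# Refuse to touch the firewall when the interface is missing: a typo, or a
# predictable name (enp0s3, ens192, ...) that replaced eth0, then fails here
# instead of shutting the box down while every ACCEPT rule sits on a dead name.
apply_firewall() {
    iface="$1"
    if ! iface_exists "$iface"; then
        echo "refusing to load firewall: interface '$iface' does not exist (see: ip link show)" >&2
        return 1
    fi
    build_rules "$iface" | sh -e
}

# Run as:  IFACE=enp0s3 sh firewall.sh apply      (prefix IPT=echo for a dry run)
if [ "${1:-}" = "apply" ]; then
    apply_firewall "$IFACE"
fi
```

After a real load, `iptables-save -c` is the check worth running: with a DROP policy in place, ACCEPT rules whose packet counters never move are exactly the symptom of rules bound to an interface name the kernel does not have.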
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
Posted: Wed Jan 23, 2019 12:42 am

That's why I start the Linux kernel with kernel command line parameter 'net.ifnames=0' - to get back the old and beloved network interface names: eth0, eth1, etc.