firewall half broken ??!?

I made the attached iptables script about a month or two ago. I haven't had ANY trouble with it at all.

About a week ago, web pages on our development server started loading very slowly. Most of the time, it would load completely after about 3 minutes (I'm connecting from the LAN). Maybe about 30% of the time it will load only about 50% of the page, ie: all code is there, but only half the images were displayed.

After extensively troubleshooting apache, I determined that there was nothing wrong with it. For sh*ts and giggles I stopped my firewall. Right away the page started loading instantly again.

Can anyone see what is wrong with my script?

Any idea why it used to work, but now stopped?

#!/bin/sh

#### Remember, this is a FIRST RULE MATCH, NOT last rule matched.

IPTABLES=/sbin/iptables
LAN="10.0.0.0/24"
SERVER_PREFIX="10.0.0."
SERVERS="2 200 221 225 226 230 250"
ATT="www.xxx.yyy.zzz"
WORLD="0.0.0.0/0"

###################################################################
# Set some kern params.
# The space before '>' matters: "echo 1> $file" redirects echo's own
# stdout and writes an empty line into the sysctl instead of "1".
Enable () { for file in "$@"; do echo 1 > "$file"; done; }
Disable () { for file in "$@"; do echo 0 > "$file"; done; }

# disable a few things.
Disable /proc/sys/net/ipv4/tcp_sack
Disable /proc/sys/net/ipv4/ip_forward
Disable /proc/sys/net/ipv4/tcp_timestamps
Disable /proc/sys/net/ipv4/conf/*/accept_source_route
Disable /proc/sys/net/ipv4/conf/*/accept_redirects
Disable /proc/sys/net/ipv4/conf/*/send_redirects

# enable a few things.
Enable /proc/sys/net/ipv4/tcp_syncookies
Enable /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
Enable /proc/sys/net/ipv4/conf/*/rp_filter
Enable /proc/sys/net/ipv4/conf/*/log_martians

on () {

##################################################################
## Clear the firewall. And prepare some tables, default to drop
#echo "section 1"
$IPTABLES -F
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

$IPTABLES -N FIRE-IN
$IPTABLES -N FIRE-OUT
$IPTABLES -N SYN-FLOOD
$IPTABLES -N PACKETS

# Any one who has full access
#$IPTABLES -A INPUT -s 10.0.0.3 -j ACCEPT
#$IPTABLES -A OUTPUT -s 10.0.0.3 -j ACCEPT
$IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -s 127.0.0.1 -j ACCEPT

# Set the order of where our packets are going.
# Any inbound packet that FIRE-IN does not ACCEPT, DROP or REJECT
# falls through to the SYN-FLOOD chain and then to PACKETS.
$IPTABLES -A INPUT -j FIRE-IN
$IPTABLES -A OUTPUT -j FIRE-OUT
$IPTABLES -A INPUT -j SYN-FLOOD
$IPTABLES -A INPUT -j PACKETS

###################################################################
## Allow localhost to do whatever it wants
#echo "section 2"
$IPTABLES -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT
## but block spoofed attempts
$IPTABLES -A FIRE-IN -s 127.0.0.0/8 -j LOG --log-prefix "Spoofed lo interface: "
$IPTABLES -A FIRE-IN -s 127.0.0.0/8 -j DROP
$IPTABLES -A FIRE-IN -d 127.0.0.0/8 -j LOG --log-prefix "Spoofed lo interface: "
$IPTABLES -A FIRE-IN -d 127.0.0.0/8 -j DROP

##################################################################
# Ensure that TCP connections start with syn packets
#echo "section 3"
$IPTABLES -A PACKETS -p tcp -m tcp ! --syn -m state --state NEW -j DROP
# Drop un-identified packets
$IPTABLES -A PACKETS -m state --state INVALID -j DROP
# Drop invalid packets
$IPTABLES -A PACKETS -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT
$IPTABLES -A PACKETS -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT
$IPTABLES -A PACKETS -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j REJECT
$IPTABLES -A PACKETS -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j REJECT
$IPTABLES -A PACKETS -p tcp -m tcp --tcp-flags ACK,FIN FIN -j REJECT
$IPTABLES -A PACKETS -p tcp -m tcp --tcp-flags ACK,URG URG -j REJECT

##################################################################
# Reject big broadcasts
#echo "section 4"
$IPTABLES -A FIRE-IN -d 224.0.0.0 -j REJECT

##################################################################
# allow connections out. -- keep state
#echo "section 5"
$IPTABLES -A FIRE-IN -p tcp -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FIRE-OUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FIRE-IN -p udp -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FIRE-OUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
# allow icmp out. and anything out back in
$IPTABLES -A FIRE-IN -p icmp -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FIRE-OUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
# Let people ping us, but rate limit it
$IPTABLES -A FIRE-IN -p icmp -m state --state NEW,ESTABLISHED --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Block Syn Flood attacks
# (this rule is added a second time in the SYN FLOOD section below)
$IPTABLES -A FIRE-IN -p tcp -m tcp --syn -j SYN-FLOOD

# Allow session continuation traffic
$IPTABLES -A FIRE-IN -m state --state RELATED,ESTABLISHED -j ACCEPT

#################### SYN FLOOD
# Block Syn Flood attacks
$IPTABLES -A FIRE-IN -p tcp -m tcp --syn -j SYN-FLOOD
# Packets within the limit RETURN to the calling chain; everything
# over 1/s (burst 4) is REJECTed.
$IPTABLES -A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
#$IPTABLES -A SYN-FLOOD -j LOG --log-prefix "SYN-FLOOD: "
$IPTABLES -A SYN-FLOOD -j REJECT

##################################################################
echo "section 6"
#### Services for LAN
$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 22 -j ACCEPT
#$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 25 -j ACCEPT
$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 53 -j ACCEPT
$IPTABLES -A FIRE-IN -p udp -m udp -s $LAN --dport 53 -j ACCEPT
$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 80 -j ACCEPT
#$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 110 -j ACCEPT
#$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 139 -j ACCEPT # netbios-dgm 138/tcp/udp
#$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 143 -j ACCEPT
#$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 161 -j ACCEPT # netbios-dgm 161/tcp/udp
$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 443 -j ACCEPT
#$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 465 -j ACCEPT # smtp -ssl
#$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 636 -j ACCEPT # lsap ssl tcp/udp
#$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 993 -j ACCEPT # imap ssl tcp/udp
#$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 995 -j ACCEPT # pop3 ssl tcp/udp
#$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 1241 -j ACCEPT # nessus
#$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 1512 -j ACCEPT # MS WINS
#$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 2401 -j ACCEPT # CVS
#$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 3306 -j ACCEPT
#$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 3308 -j ACCEPT # ssh tunnel from db1
#$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 8100 -j ACCEPT # old webmail
#$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 8443 -j ACCEPT
#$IPTABLES -A FIRE-IN -p udp -m udp -s $LAN --dport 137:138 -j ACCEPT # NETBIOS
#$IPTABLES -A FIRE-IN -p udp -m udp -s $LAN --sport 137:138 -j ACCEPT
#$IPTABLES -A FIRE-IN -p udp -m udp -s $LAN --dport 161:162 -j ACCEPT #snmp:snmptrap
#$IPTABLES -A FIRE-IN -p udp -m udp -s $LAN --dport 541 -j ACCEPT ## ?????
#$IPTABLES -A FIRE-IN -p udp -m udp -s $LAN --dport 1512 -j ACCEPT

#### Services for SERVERS
for i in $SERVERS
do
    $IPTABLES -A FIRE-IN -p tcp -m tcp -s $SERVER_PREFIX$i --dport 22 -j ACCEPT
#   $IPTABLES -A FIRE-IN -p tcp -m tcp -s $SERVER_PREFIX$i --dport 25 -j ACCEPT
    $IPTABLES -A FIRE-IN -p tcp -m tcp -s $SERVER_PREFIX$i --dport 53 -j ACCEPT
    $IPTABLES -A FIRE-IN -p udp -m udp -s $SERVER_PREFIX$i --dport 53 -j ACCEPT
    $IPTABLES -A FIRE-IN -p tcp -m tcp -s $SERVER_PREFIX$i --dport 80 -j ACCEPT
    $IPTABLES -A FIRE-IN -p tcp -m tcp -s $SERVER_PREFIX$i --dport 443 -j ACCEPT
#   $IPTABLES -A FIRE-IN -p tcp -m tcp -s $SERVER_PREFIX$i --dport 199 -j ACCEPT # smux
#   $IPTABLES -A FIRE-IN -p tcp -m tcp -s $SERVER_PREFIX$i --dport 636 -j ACCEPT # ldap ssl tcp/udp
#   $IPTABLES -A FIRE-IN -p tcp -m tcp -s $SERVER_PREFIX$i --dport 2401 -j ACCEPT # CVS
#   $IPTABLES -A FIRE-IN -p tcp -m tcp -s $SERVER_PREFIX$i --dport 3306 -j ACCEPT
#   $IPTABLES -A FIRE-IN -p udp -m udp -s $SERVER_PREFIX$i --dport 161:162 -j ACCEPT #snmp:snmptrap
#   $IPTABLES -A FIRE-IN -p udp -m udp -s $SERVER_PREFIX$i --dport 541 -j ACCEPT ## ?????
    $IPTABLES -A FIRE-IN -p tcp -m tcp -s $SERVER_PREFIX$i --dport 20031:20032 -j ACCEPT # Netvault
done

#### Services for everyone

#$IPTABLES -A FIRE-IN -p tcp -m tcp -s $WORLD --dport 25 -j ACCEPT
#$IPTABLES -A FIRE-IN -p tcp -m tcp -s $WORLD --dport 53 -j ACCEPT
#$IPTABLES -A FIRE-IN -p udp -m udp -s $WORLD --dport 53 -j ACCEPT
$IPTABLES -A FIRE-IN -p tcp -m tcp -s $WORLD --dport 80 -j ACCEPT
$IPTABLES -A FIRE-IN -p tcp -m tcp -s $WORLD --dport 443 -j ACCEPT
#$IPTABLES -A FIRE-IN -p tcp -m tcp -s $WORLD --dport 110 -j ACCEPT
#$IPTABLES -A FIRE-IN -p tcp -m tcp -s $WORLD --dport 143 -j ACCEPT
#$IPTABLES -A FIRE-IN -p tcp -m tcp -s $WORLD --dport 465 -j ACCEPT # smtp -ssl
#$IPTABLES -A FIRE-IN -p tcp -m tcp -s $WORLD --dport 993 -j ACCEPT # imap ssl tcp/udp
#$IPTABLES -A FIRE-IN -p tcp -m tcp -s $WORLD --dport 995 -j ACCEPT # pop3 ssl tcp/udp
#$IPTABLES -A FIRE-IN -p tcp -m tcp -s $WORLD --dport 8443 -j ACCEPT

echo "Done."

} # end of firewall

########################################################################

off () {
    # stop firewall
    echo "Firewall: disabling filtering (allowing all access)"
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}

######################################################################

stop () {
    # stop all external connections
    echo "Firewall: stopping all external connections"
    $IPTABLES -F
    $IPTABLES -X
    # Only ACCEPT and DROP are valid chain policies; "-P ... REJECT"
    # fails with "Bad policy name" and leaves the old policy in place.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP

    # allow anything over loopback
    $IPTABLES -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT
}

case "$1" in
    start)
        on
        ;;
    stop)
        off
        ;;
    stop-ext)
        stop
        ;;
    *)
        echo "$0 {start|stop|stop-ext}"
        echo "start enables the firewall."
        echo "stop disables the firewall"
        echo "stop-ext disables all external connections"
        ;;
esac

$IPTABLES -L

Troubled User
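The SYN-FLOOD chain in the posted script puts every incoming SYN through "-m limit --limit 1/s --limit-burst 4" and REJECTs whatever exceeds it. The block below is an added example, not part of the original post, that models the token bucket behind the iptables limit match in plain sh so the effect of that setting on a burst of new connections can be seen without root or a test box. It is not the kernel's xt_limit code; the arrival times are constructed, and the figure of 20 connections 10 ms apart for a page with 20 images is an assumption.

```shell
#!/bin/sh
# Added example: models iptables "-m limit --limit RATE/s --limit-burst BURST"
# as a token bucket. Not the kernel's implementation (xt_limit keeps its
# credits in jiffies), but the accept/reject decisions for these inputs match.
# Usage: limit_sim RATE BURST t1 t2 t3 ...   (arrival times in milliseconds)
# Prints "accepted rejected".
limit_sim() {
    rate=$1; burst=$2; shift 2
    cap=$((burst * 1000))   # tokens scaled by 1000: at 1/s one token refills per 1000 ms
    tokens=$cap             # bucket starts full, as with a freshly loaded rule
    last=0; acc=0; rej=0
    for t in "$@"; do
        tokens=$((tokens + (t - last) * rate))
        if [ "$tokens" -gt "$cap" ]; then tokens=$cap; fi
        last=$t
        if [ "$tokens" -ge 1000 ]; then
            tokens=$((tokens - 1000)); acc=$((acc + 1))   # within limit: -j RETURN
        else
            rej=$((rej + 1))                              # over limit: falls to -j REJECT
        fi
    done
    echo "$acc $rej"
}

# Constructed input (assumed figures): a browser fetching a page with 20
# images opens 20 connections about 10 ms apart.
page_burst() {
    i=0
    while [ "$i" -lt 20 ]; do echo $((i * 10)); i=$((i + 1)); done
}

# The same 20 connections paced one per second.
paced() {
    i=0
    while [ "$i" -lt 20 ]; do echo $((i * 1000)); i=$((i + 1)); done
}

echo "burst of 20, limit 1/s burst 4:   $(limit_sim 1 4 $(page_burst))"
echo "paced 1/s, limit 1/s burst 4:     $(limit_sim 1 4 $(paced))"
echo "burst of 20, limit 20/s burst 50: $(limit_sim 20 50 $(page_burst))"
```

With the script's values only the first four SYNs of the burst get through; the rest are REJECTed, which a browser sees as refused connections for the remaining images. A rule placed on every SYN has to be sized for the number of parallel connections a legitimate client opens, not for one connection per second.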

> ANY trouble with it at all.

Fix your news reader - set the line length to less than 78 characters. Also, please don't multipost.

What did you change? If it worked before, and doesn't work now, SOMETHING changed. What?

Look at the output of tcpdump (that runs lower in the stack than the firewall code), and see what is being blocked.

It looks to be overly complex. I'm not saying that is the problem, but do you _really_ need all that stuff? Including the duplication?

Standard answer. You changed something. We have no idea what you did, and thus have no idea what the cause is. But tcpdump will tell you.

Old guy

Moe Trin

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.