Firewall is loosing it's marbles

Waldher, Travis R Travis.R.Waldher at boeing.com
Mon Mar 24 18:48:36 UTC 2008


Honestly, I'm not sure.  Here's the table, it's been holding strong
since I went to static IPs.  Host names and IPs modified to protect
the guilty.

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             host01               tcp spts:login:65535 dpt:ssh state NEW,ESTABLISHED
ACCEPT     icmp --  anywhere             host01               icmp echo-reply state NEW,RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             host01               icmp echo-request state NEW,RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  192.168.2.0/25       anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  host01               anywhere             tcp spt:ssh dpts:login:65535 state ESTABLISHED
ACCEPT     icmp --  host01               anywhere             icmp echo-reply state NEW,RELATED,ESTABLISHED
ACCEPT     icmp --  host01               anywhere             icmp echo-request state NEW,RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  192.168.2.0/25       anywhere


Host01 (eth0) would essentially be on the internet, eth1 on 192.168.1 and
eth2 on 192.168.2, all DHCP.  It will allow SSH to come in.  Once on
the box you are free to roam 192.168.1 and 192.168.2.  But what you
can't do is get back out to the internet once you're in.  It's the roach
motel.

 

What would happen is that I would set the tables up and approximately 24 hours
later the tables would be completely trashed.  I could still ping host01
from the internet, but I couldn't ssh in.  Reapplying my rules after
zeroing out the tables was the only thing that cleared it up.

 

What made me wonder about DHCP was that the DHCP requests on the
private side of the network suddenly started producing errors.  The
private side was also screwed up in iptables.  I took that, figured
going to static wouldn't hurt as a test, and what do you know, it's been
stable since.

 

I agree DHCP + Firewall is pretty common, but perhaps my implementation
of firewall was too uncommon for the software to handle it.
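Added example, not code from Travis's post or from the list: a small Python checker for the two things this thread turns on.  First, it diffs a saved iptables-save baseline against a current dump, so a rule disappearing is detected and timestamped by a cron job instead of being discovered when ssh stops answering, which is what lets you line the event up with DHCP lease activity.  Second, it flags rules that sit behind a catch-all DROP in the same chain, as the two 192.168.x ACCEPTs do in the INPUT and OUTPUT listing above; `iptables -L` without -v hides interface matches, so only a dump tells you whether that DROP really matches everything.  The dumps in the block are constructed: 203.0.113.10 stands in for host01, the `-i lo` on the first ACCEPT is an assumption, and 513 is the /etc/services value behind `spts:login`.

```python
import re
from typing import Dict, List, Tuple

# Strip the [packets:bytes] counters that 'iptables-save -c' prints at the
# start of rule lines and at the end of chain policy lines, so two dumps
# taken at different times compare rule-for-rule.
COUNTER_RE = re.compile(r"^\[\d+:\d+\]\s*|\s*\[\d+:\d+\]$")
TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}

SSH_RULE = ("-A INPUT -d 203.0.113.10/32 -p tcp -m tcp --sport 513:65535 "
            "--dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT")

# Constructed iptables-save dump modelling the INPUT chain from the post.
# 203.0.113.10 stands in for host01; '-i lo' on the first rule is an
# assumption, because 'iptables -L' without -v does not show interfaces.
BASELINE = f"""\
# Generated by iptables-save (constructed sample, not a real dump)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
{SSH_RULE}
-A INPUT -d 203.0.113.10/32 -p icmp -m icmp --icmp-type 0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 203.0.113.10/32 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -s 192.168.2.0/25 -j ACCEPT
COMMIT
"""

# Constructed "24 hours later" dump: the ssh rule is gone but the icmp rules
# survive, which is the symptom described (pings answered, ssh refused).
TRASHED = "\n".join(l for l in BASELINE.splitlines() if l != SSH_RULE) + "\n"


def normalize(dump: str) -> List[str]:
    """Return the dump's lines without comments, blank lines or counters."""
    lines = []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        lines.append(COUNTER_RE.sub("", line))
    return lines


def diff_rulesets(baseline: str, current: str) -> Dict[str, List[str]]:
    """Rules in the baseline that are gone now ('missing') and rules present
    now that were never in the baseline ('unexpected')."""
    base, cur = normalize(baseline), normalize(current)
    return {
        "missing": [r for r in base if r not in cur],
        "unexpected": [r for r in cur if r not in base],
    }


def rules_by_chain(dump: str) -> Dict[str, List[str]]:
    """Group '-A CHAIN ...' lines by chain, keeping their order."""
    chains: Dict[str, List[str]] = {}
    for line in normalize(dump):
        if line.startswith("-A "):
            chains.setdefault(line.split()[1], []).append(line)
    return chains


def is_catch_all(rule: str) -> bool:
    """True for a rule with no match criteria and a terminal target,
    e.g. '-A INPUT -j DROP' with nothing in between."""
    tok = rule.split()
    return len(tok) == 4 and tok[2] == "-j" and tok[3] in TERMINAL_TARGETS


def shadowed_rules(dump: str) -> List[Tuple[str, str]]:
    """(chain, rule) for every rule placed after a catch-all terminal rule
    in the same chain; such a rule can never be reached."""
    found = []
    for chain, rules in rules_by_chain(dump).items():
        blocked = False
        for rule in rules:
            if blocked:
                found.append((chain, rule))
            elif is_catch_all(rule):
                blocked = True
    return found


if __name__ == "__main__":
    report = diff_rulesets(BASELINE, TRASHED)
    for r in report["missing"]:
        print("MISSING   ", r)
    for r in report["unexpected"]:
        print("UNEXPECTED", r)
    for chain, r in shadowed_rules(BASELINE):
        print(f"SHADOWED in {chain}:", r)
```

In use, the baseline is `iptables-save` run once right after the rules are applied, and the current dump is `iptables-save` run from cron; a non-empty "missing" list, logged with a timestamp, is the evidence needed to see whether the loss coincides with dhclient activity in the system log rather than guessing.  The shadowing check reads the same dump, so it will also show whether that "DROP all anywhere anywhere" carries an `-i` match that `iptables -L` did not display.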

 

From: McCarty Ronald [mailto:mccarty at yournetguard.com] 
Sent: Monday, March 24, 2008 6:32 AM
To: Getting started with Red Hat Linux
Subject: Re: Firewall is loosing it's marbles

 

Travis,

 

What was the particular issue?  Running DHCP / iptables isn't that
uncommon of a setup, so it would be interesting to hear the particulars.

 

Best regards,

 

--ron

 

On Mar 20, 2008, at 9:30 AM, Waldher, Travis R wrote:


	From: Waldher, Travis R
	Sent: Friday, March 14, 2008 8:48 AM
	To: Getting started with Red Hat Linux
	Subject: Firewall is loosing it's marbles

	I've got a pretty strict firewall setup on a machine that acts
	as a gateway between a production environment and a test
	environment.

	Users will log in to the box to access the test environment; the
	box is running RHEL5.  Once in, it's like the roach motel, no one gets
	back out to the real world from the test world.

	My firewall is working fine, but it seems to lose its marbles
	and deny ssh but still allow pings from the outside after a day or
	two.  Wiping out the tables and re-applying them corrects the issue but
	obviously this is a poor solution.

	Has anyone else seen iptables partially stop working like this?


Answer: Firewall + DHCP = no worky so well.




_______________________________________________
Redhat-install-list mailing list
Redhat-install-list at redhat.com
https://www.redhat.com/mailman/listinfo/redhat-install-list