Berkson Wein
iptables, ubuntu vps, state established
Hi all-
I'm playing with two Ubuntu 8.04 installations (at 2 different VPS providers). The providers are using OpenVZ, I believe. The NICs in /etc/network/interfaces are listed as venet0, venet0:0, and venet0:1 on both installations.
I'm using iptables for a firewall. The rules are pretty simple,
allow everything out
allow dns queries in
allow ESTABLISHED tcp sessions back in (for web, dns, etc)
block everything else
On one installation this works great, but on the other, the line that has:
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
errors out with the message:
iptables: No chain/target/match by that name
I've attached the full script below. It's identical (except for IP addresses, replaced with x.x.x.112 here) on the other machine.
I'm also game to listen to other suggestions, as I'm by no means a Linux guru.
Not having the established sessions work means that even simple tasks like wget are failing. wget looks up the IP of the server OK thanks to the explicit rule allowing UDP traffic sourced at port 53 back in. However, it just hangs while transferring the HTTP data since the established TCP session isn't allowed back in.
if I do:
iptables -A INPUT -p tcp -j ACCEPT
then POOF, everything works. Obviously this defeats the firewall though.
Thanks for your input.
#!/bin/sh
# no routing between interfaces
echo "0" > /proc/sys/net/ipv4/ip_forward
# connection tracking, plus the FTP helper
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# flush
iptables -F INPUT
iptables -F OUTPUT
# default
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# allow pinging
iptables -A INPUT -p icmp -j ACCEPT
# allow inputs to loopback
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
# all established (this is the line that fails on the second VPS)
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
# dns (queries to the server on x.x.x.112)
iptables -A INPUT -p udp -i venet0 -d x.x.x.112 --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -i venet0 -d x.x.x.112 --dport 53 -j ACCEPT
# allow local lookups to work (UDP replies from port 53 to unprivileged ports)
iptables -A INPUT -p udp -i venet0 --sport 53 --dport 1024:65535 -j ACCEPT
ASKER
Thanks fosiul01, but I just tried that, and I got the same error message:
iptables: No chain/target/match by that name
Is there something special that needs to be compiled into the kernel for this to work? Or maybe there's some extra package that I need to install via apt-get? Again the line worked at another provider without issue.
What does RELATED do anyway?
ASKER
What's nuts is that my other openvz provider has iptables working just fine. Also ubuntu 8.04. Nuts.
ASKER
Been there, done that. Clueless. Might be time to dump them.
ASKER
Gimme a bit. I'm in the middle of doing an
apt-get upgrade ubuntu-minimum
to see if that makes a difference.
But I thought on Ubuntu you guys use something called fw rules??
ASKER
I use iptables.
ASKER
I spoke with the provider, who "installed some modules on the host". Now it works. Trying to get details on exactly what was done.
Thanks all for the input.
ASKER
Thanks for the help.
ASKER
The provider said that they added
xt_tcpudp and ip_conntrack (with ip_conntrack_enable_ve0=1)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
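The script below is an added example, not the poster's script or the provider's fix. It serves two points in the thread: the attached script in the first post, whose TCP-only ESTABLISHED rule left UDP DNS replies uncovered and so needed the extra "--sport 53 --dport 1024:65535" rule, and the ESTABLISHED,RELATED rule the thread ends on. With conntrack tracking all protocols, the reply to a query this host sent is admitted as ESTABLISHED, so the source-port-53 rule (which lets any remote host that sends from port 53 reach every unprivileged port) is not needed. The script also loads the rules atomically through iptables-restore and refuses to load at all when the kernel lacks the state match, instead of continuing past the failing line and leaving policy DROP with no ESTABLISHED rule, which is exactly the state the poster ended up in. Assumed names: SERVER_IP (the placeholder 192.0.2.112 stands in for x.x.x.112), IFACE=venet0, and the function names; none of these come from the thread.

```shell
#!/bin/sh
# Added example (not the poster's script): stateful INPUT policy for an
# OpenVZ guest, loaded atomically with iptables-restore. A bad line (e.g.
# "-m state" on a kernel without conntrack) aborts the load; nothing changes.
# Assumptions: SERVER_IP and IFACE are placeholders, DNS is served locally.
set -u

SERVER_IP="${SERVER_IP:-192.0.2.112}"   # placeholder (RFC 5737 range)
IFACE="${IFACE:-venet0}"

# Weak rules from the original script, for contrast only (never loaded):
#   -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
#   -A INPUT -p udp -i venet0 --sport 53 --dport 1024:65535 -j ACCEPT
# The first tracks TCP only, so UDP DNS replies needed the second rule, and
# the second lets anyone sending from source port 53 reach ports 1024-65535.
emit_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
# replies to our own connections (TCP, UDP, ICMP) and related traffic
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot place in any flow (stray ACKs, bad checksums)
-A INPUT -m state --state INVALID -j DROP
# ping (ICMP errors for tracked flows already pass as RELATED)
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# inbound DNS queries to the local name server
-A INPUT -i $IFACE -d $SERVER_IP -p udp --dport 53 -j ACCEPT
-A INPUT -i $IFACE -d $SERVER_IP -p tcp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Preflight: can this kernel do the "state" match at all?
# "iptables -m state -h" fails with "No chain/target/match by that name"
# when the state module cannot be used; in an OpenVZ guest that is the
# host's decision, not something apt-get inside the container can fix.
state_match_available() {
    command -v iptables >/dev/null 2>&1 || return 2
    iptables -m state -h >/dev/null 2>&1
}

# Where conntrack publishes its table: ip_conntrack on 2.6.18-era kernels,
# nf_conntrack on newer ones. The argument is the proc root (for tests).
conntrack_table() {
    proc="${1:-/proc}"
    for f in "$proc/net/nf_conntrack" "$proc/net/ip_conntrack"; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

apply_ruleset() {
    if ! state_match_available; then
        echo "conntrack state match is not usable here; not loading rules" >&2
        echo "ask the host admin to enable conntrack for this container" >&2
        return 1
    fi
    # iptables-restore parses the whole table before COMMIT, so one bad
    # line means no change, unlike a series of separate iptables -A calls.
    emit_ruleset | iptables-restore
}

case "${1:-}" in
    apply) apply_ruleset ;;
    check) state_match_available && conntrack_table ;;
    *)     emit_ruleset ;;   # dry run: print what would be loaded
esac
```

Run it with no arguments to see the ruleset, "check" to confirm the state match and the conntrack table are present, and "apply" (as root) to load it. On RELATED: it matches packets that open a new flow which conntrack ties to an existing one, such as ICMP errors about a tracked connection or the FTP data connection when the ip_conntrack_ftp helper the original script modprobes is loaded. On OpenVZ the conntrack modules live in the host kernel and the host decides which iptables modules a container may use (vzctl's --iptables setting), which is why the fix in this thread had to come from the provider.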