SSH keeps on freezing, caused by iptables

My SSH keeps on disconnecting (freezing) after a while with the following iptables settings.
The only way to fix this is to enter the following line:

iptables -A INPUT -p ALL -s 192.168.2.0/24 -j ACCEPT

192.168.2.0/24 is my IP range, but this means trusting every protocol a local user sends; I am sure it will be the same case for HTTP as well. What am I missing here? And the freezing always happens when using the find command to search for a word.
#!/bin/sh
# Start from an empty filter table so the script can be re-run without
# appending duplicate rules (added for idempotence; not in the original)
iptables -F
iptables -X

# First drop everything (lets you open what you want)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# User chain "okay": accept the first packet of a new TCP connection (SYN)
# or a packet conntrack already knows about; drop any other TCP sent here
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP

# Work-around mentioned above: trust the whole LAN (disabled here)
#iptables -A INPUT -p ALL -s 192.168.2.0/24 -j ACCEPT
# Loopback traffic, keyed on the source address
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 10.1.0.202 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.1.123 -j ACCEPT
# Replies for any connection this host is already tracking (all protocols)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#TCP rules: new HTTP and SSH connections from anywhere go through "okay"
iptables -A INPUT -p TCP  -s 0/0 --dport 80 -j okay
iptables -A INPUT -p TCP  -s 0/0 --dport 22 -j okay

#ICMP rules: echo request (8) and time exceeded (11) only
iptables -A INPUT -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# FORWARD chain rules (this box does not route, so nothing is opened)
#iptables -A FORWARD -j ACCEPT
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# OUTPUT chain rules: anything sourced from one of the host's own addresses
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 10.1.0.202 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.1.123 -j ACCEPT


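Before widening the ACCEPT to the whole LAN, the check a practitioner would want is whether the firewall is actually discarding packets of the hung session. This is an added example, not part of the original question: with a DROP policy nothing is recorded, but a rate-limited LOG rule appended as the last INPUT rule logs every packet that is about to fall through to the policy, and the small parser below summarises such kernel log lines by protocol, destination port and source so a freeze can be lined up with drops. The log prefix "IPT-DROP: ", the addresses and the sample log lines are all constructed for the demo; the iptables command needs root and is only shown in a function, not run.

```shell
#!/bin/sh
# Added example (not from the original thread): make packets that fall through
# to the DROP policy visible, then summarise them from the kernel log.

# install_drop_logging: append a rate-limited LOG rule as the last INPUT rule
# so anything that would hit the DROP policy is logged first (needs root).
# Not invoked by the demo below; the prefix "IPT-DROP: " is our own choice.
install_drop_logging() {
    iptables -A INPUT -m limit --limit 5/min --limit-burst 20 \
        -j LOG --log-prefix "IPT-DROP: " --log-level 4
    # Watch live with:  dmesg -w | grep IPT-DROP    (or: journalctl -k -f)
}

# summarize_drops FILE: count logged drops grouped by PROTO, DPT and SRC.
# Output lines: "<count> <proto> <dport-or-"-"> <src>", most frequent first.
summarize_drops() {
    grep 'IPT-DROP:' "$1" | awk '
    {
        line = $0
        # ICMP errors quote the offending packet header in [ ... ]; that inner
        # header carries its own SRC/DPT/PROTO fields, so cut it off first.
        sub(/ \[SRC=.*$/, "", line)
        n = split(line, f, " ")
        proto = ""; dpt = "-"; src = "?"
        for (i = 1; i <= n; i++) {
            if (split(f[i], kv, "=") < 2) continue   # not a KEY=VALUE field
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "SRC") src = kv[2]
        }
        if (proto != "") count[proto " " dpt " " src]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample of what the LOG target writes (addresses, MACs and IDs
# are made up). Two ACK segments of an existing SSH session from 192.168.2.10
# were dropped: that is what a mid-session freeze looks like, as opposed to a
# connection that never starts (a dropped SYN, like the 443 line).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
[ 1234.001] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.10 DST=192.168.2.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
[ 1234.002] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.10 DST=192.168.2.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
[ 1234.003] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
[ 1234.004] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.1 DST=192.168.2.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.2.5 DST=192.168.2.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=9 DF PROTO=TCP SPT=22 DPT=51234 WINDOW=0 RES=0x00 DF ACK ]
[ 1234.005] sshd[123]: Accepted publickey for user from 192.168.2.10 port 51234 ssh2
EOF

summarize_drops "$SAMPLE_LOG"
```

If the summary shows ACK segments of the SSH session being dropped, the ruleset is at fault (most often a state rule that does not see the packets); if nothing of that session is logged while the terminal is hung, the firewall is not eating the traffic and the cause is elsewhere. The `-m limit` match keeps a scan from flooding the log.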
Asked by rawandnet

noci (Software Engineer) commented:
If you use find, it will try to find a filename recursively in a directory.
It's not iptables that is in play...

grep is the way to search for words in a file, not find.
If you use find to search for files with specific names and then use grep on the files found to find a word in a file, it might happen that you find a named pipe, Unix socket, etc., and those files don't have an end of file, so grep gets stuck on them, continuously waiting for input from such a special file.
Remedies:
Try adding '-type f' to the find options (without the ').
To prove ssh / iptables is not the trouble: have you tried to connect a second session to the system that is "hung" while your session is in trouble?
Please note that iptables (except for l7-matching) is unaware of any content passing. Also note that all content during the handling by iptables is encrypted.

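The behaviour noci describes can be reproduced without any network at all. The following is an added example, not code from the thread: it builds a throw-away directory holding one regular file that contains the search word and one FIFO, then runs the search both ways. With `-type f` only regular files reach grep; without it, grep opens the FIFO for reading and blocks until a writer appears, which is the "freeze" seen from the shell. The directory, file names and search word are constructed for the demo, and `timeout(1)` is used only so the naive form gives up after two seconds instead of hanging the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): grep blocking on a special
# file reproduces the "find hangs while searching for a word" symptom, and
# restricting find to regular files (-type f) avoids it.

# search_words DIR WORD [FIND-PREDICATES...]: list files under DIR that
# contain WORD, passing any extra predicates through to find(1).
search_words() {
    dir=$1; word=$2; shift 2
    find "$dir" "$@" -exec grep -l -- "$word" {} \; 2>/dev/null
}

# Constructed tree: a regular file containing the word and an empty FIFO.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
printf 'the secret word is here\n' >"$DEMO/notes.txt"
mkfifo "$DEMO/pipe"

# Remedy from the thread: find uses the inode type, so the FIFO is never
# opened and only notes.txt is handed to grep.
safe_search() { search_words "$DEMO" secret -type f; }

# Naive form: grep open()s the FIFO for reading and blocks until a writer
# opens the other end, which never happens. timeout(1) kills the job after
# two seconds and reports 124; without it this command never returns.
naive_search_status() {
    rc=0
    timeout 2 find "$DEMO" -exec grep -l -- secret {} \; >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

echo "with -type f:"
safe_search
echo "without it, exit status after 2s: $(naive_search_status)"
```

The same thing happens with device nodes and Unix sockets, so `-type f` (or `grep -r` with `-D skip`, which skips devices, FIFOs and sockets) is the fix whenever a recursive search wanders into /dev, /run or a home directory with a stray named pipe; an SSH session that looks frozen while such a command runs will still accept a second login.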
rawandnet (Author) commented:
I do agree with you that iptables is unaware of any content passing, but the strange thing is, this doesn't happen while iptables is turned off.
pawwa commented:
Try some debugging at the client:

# ssh -vv user@server

or at the server (debugging information will be printed on screen, and it binds to an alternate port you can try to connect to, 2222):

# /usr/sbin/sshd -dd -e -p 2222
noci (Software Engineer) commented:
The "offending" line is commented out.
Without that line a connection could not start... if

This line in "okay" doesn't make sense:
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT

as there is an earlier rule in the INPUT chain that matches before it.

These lines don't make much sense, as that source address shouldn't normally occur on the lo interface
(lo = from 127.0.0.1, to 127.0.0.1).
iptables -A INPUT -p ALL -i lo -s 10.1.0.202 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.1.123 -j ACCEPT

The start of the SSH session is arranged on:
iptables -A INPUT -p TCP  -s 0/0 --dport 22 -j okay

This should match ANY source, so there should be no need for a special iptables rule.

What are your find commands? My guess is that the problem is there and not in iptables.
(It might happen that a special file exists when the firewall is active, and that your find hangs on that, which isn't active with iptables turned "off".)
rawandnet (Author) commented:
If I remove these two lines, I won't be able to ping the local interface from the server itself
(lo = from 127.0.0.1, to 127.0.0.1).
iptables -A INPUT -p ALL -i lo -s 10.1.0.202 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.1.123 -j ACCEPT
noci (Software Engineer) commented:
You can always ping the local interface, and it doesn't need those rules.
(And those IP addresses are NEVER bound to lo until you make them an alias there (and remove them elsewhere), which would render your server unreachable for others.)


From your question:
"and the freezing always happens when using the find command to search for a word."

What are the command(s) you use for this?
rawandnet (Author) commented:
This doesn't happen anymore; it might have been something within the network.
But still, if I remove those two lines, I won't be able to ping local IP addresses, including 127.0.0.1.

noci (Software Engineer) commented:
Well, I don't know your complete setup, so by all means feel free to insert them, but it should not be needed...

rawandnet (Author) commented:
Thanks, guys.