Solved

ssh keeps on freezing caused by iptables

Posted on 2010-03-29
Last Modified: 2013-11-16
My ssh keeps on disconnecting (freezing) after a while with the following iptables settings.
The only way to fix this is to enter the following line:

iptables -A INPUT -p ALL -s 192.168.2.0/24 -j ACCEPT

192.168.2.0/24 is my IP range, but this means trusting every protocol local users send; I am sure it will be the same case for http as well. What am I missing here? And the freezing always happens when using the find command to search for a word.
# First drop everything (lets you open what you want)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP

#iptables -A INPUT -p ALL -s 192.168.2.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 10.1.0.202 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.1.123 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#TCP rules
iptables -A INPUT -p TCP  -s 0/0 --dport 80 -j okay
iptables -A INPUT -p TCP  -s 0/0 --dport 22 -j okay

#ICMP rules
iptables -A INPUT -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# FORWARD chain rules
#iptables -A FORWARD -j ACCEPT
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# OUTPUT chain rules
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 10.1.0.202 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.1.123 -j ACCEPT

Question by: rawandnet
Accepted Solution by: noci
If you use find it will try to find a filename recursively in a directory.
It's not the iptables that is in play...

grep is the way to search for words in a file, not find.
If you use find to search for files with specific names and then use grep on the files found to find a word in a file, it might happen that you find a named pipe, unix socket... and those files don't have 'an end of file', so grep gets stuck on it, continuously waiting for input from such a special file.
Remedies:
Try adding '-type f' to the find options (without the ').
To prove ssh / iptables is not the trouble: have you tried to connect a second session to the system that is "hung" while your session is in trouble?
Please note that iptables (except for l7-matching) is unaware of any content passing. Also note that all content during the handling by iptables is encrypted.
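The hang noci describes, reproduced as an added example (this script is not from the thread; the file names, the search word "needle", the temporary tree and the script name are constructed for the demonstration): a FIFO has no end of file, so a grep that is handed one blocks, while restricting find to -type f keeps it out of the candidate list.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the hang that noci
# describes. A FIFO (named pipe) or unix socket has no end of file, so a
# grep that is given one blocks in open()/read() until some writer shows up,
# and a session running `find ... -exec grep` over such a file looks frozen
# although the network is fine. Everything below is constructed in a temp dir.

# One regular file containing the word we look for, one FIFO nobody writes to.
make_tree() {
    dir=$(mktemp -d) || return 1
    printf 'needle in haystack\n' > "$dir/notes.txt"
    mkfifo "$dir/pipe"
    printf '%s\n' "$dir"
}

# Candidate list without -type f: the FIFO is offered to grep.
list_all() {
    find "$1" ! -type d | sort
}

# Candidate list with -type f: regular files only, so nothing can block.
list_regular() {
    find "$1" -type f | sort
}

# The remedy from the thread: restrict find to regular files before handing
# the names to grep. Prints the files that contain the word given as $2.
safe_search() {
    find "$1" -type f -exec grep -l "$2" {} +
}

# The failure mode under a time limit instead of a stuck shell. Returns 0 if
# grep was still blocked on the FIFO after 2 seconds (timeout exits 124),
# 1 if grep finished. Needs coreutils `timeout`.
grep_blocks_on_fifo() {
    timeout 2 grep -l needle "$1/pipe" >/dev/null 2>&1
    [ "$?" -eq 124 ]
}

d=$(make_tree)
printf 'without -type f:\n'; list_all "$d"
printf 'with -type f:\n';    list_regular "$d"
printf 'safe search:\n';     safe_search "$d" needle
if command -v timeout >/dev/null 2>&1 && grep_blocks_on_fifo "$d"; then
    printf 'grep on the FIFO was still blocked after 2 seconds\n'
fi
rm -rf "$d"
```

Run it with `sh find_grep_fifo.sh` (the file name is hypothetical). The blocked-grep check uses coreutils `timeout` so the demonstration ends after two seconds instead of leaving the shell stuck the way the poster's session did; nothing about ssh or iptables is involved, which is why a second ssh session to the same host keeps working during such a hang, the test noci suggests.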

Author Comment by: rawandnet
I do agree with you that iptables is unaware of any content passing, but the strange thing is, this doesn't happen while iptables is turned off.
Assisted Solution by: pawwa
Try some debugging at client:

# ssh -vv user@server

or at the server (debugging information will print on screen, and sshd binds to an alternate port, 2222, that you can try to connect to):

# /usr/sbin/sshd -dd -e -p 2222
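A firewall-side counterpart to pawwa's client/server debugging, added here as an example (not code from the thread): log what the DROP policy discards, then summarise the log. The LOG rules, the prefixes INPUT-DROP and OKAY-DROP and the sample log lines are mine; the sample lines are constructed in the kernel LOG target's format and are not real captures.

```shell
#!/bin/sh
# Added example, not code from the thread. With policy DROP, anything that
# matches no ACCEPT rule is discarded silently, so append a LOG rule as the
# LAST rule of INPUT: only packets that fell through every ACCEPT reach it.
# The poster's "okay" chain ends in its own -j DROP, so packets to 22/80
# that are neither SYN nor ESTABLISHED die there; logging those needs a
# second LOG inserted in "okay" before that DROP (position 3). The limit
# match keeps a scan from flooding the log. These commands need root on the
# server; they are kept as text here so this script itself runs unprivileged.
LOG_RULES='
iptables -A INPUT -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix "INPUT-DROP: "
iptables -I okay 3 -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix "OKAY-DROP: "
'

# Summarise the resulting kernel log lines (dmesg, /var/log/messages) by
# chain, input interface, protocol, destination port and source address.
# Reads log text on stdin, prints "count chain IN proto dport src" lines,
# most frequent first.
summarize_drops() {
    awk '
        /-DROP: IN=/ {
            chain = in_if = proto = dpt = src = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /-DROP:$/) { chain = substr($i, 1, length($i) - 6); continue }
                split($i, kv, "=")
                if (kv[1] == "IN")    in_if = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
                if (kv[1] == "SRC")   src   = kv[2]
            }
            count[chain " " in_if " " proto " " dpt " " src]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample lines in the kernel LOG format (not real captures):
# two mid-session ACKs to port 22 from the poster's own subnet that ended in
# the okay chain, one stray UDP packet that fell through INPUT, and one
# unrelated sshd line that must be ignored.
SAMPLE_LOG='Mar 29 10:01:02 host kernel: OKAY-DROP: IN=eth0 OUT= SRC=192.168.2.15 DST=192.168.1.123 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=229 RES=0x00 ACK URGP=0
Mar 29 10:01:03 host kernel: OKAY-DROP: IN=eth0 OUT= SRC=192.168.2.15 DST=192.168.1.123 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=229 RES=0x00 ACK URGP=0
Mar 29 10:01:09 host kernel: INPUT-DROP: IN=eth0 OUT= SRC=10.0.0.7 DST=192.168.1.123 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=777 PROTO=UDP SPT=5353 DPT=5353 LEN=20
Mar 29 10:01:10 host sshd[123]: Accepted publickey for alice from 192.168.2.15 port 51234 ssh2'

printf '%s\n' "$LOG_RULES"
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

Reading the summary: a non-SYN packet to port 22 from the poster's own client showing up under OKAY means it reached the okay chain, i.e. the ESTABLISHED,RELATED rule earlier in INPUT did not match it, so the kernel was no longer tracking that connection at that moment. Nothing logged at all while the session is stuck means the firewall is not dropping the traffic and the cause is elsewhere, which is noci's point.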
Expert Comment by: noci
The "offending" line is commented out.
Without that line a connection could not start... if

This line in okay doesn't make sense:
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT

as there is an earlier rule in the INPUT chain that matches before.

These lines don't make much sense, as that source address shouldn't normally happen on the lo interface
(lo = from 127.0.0.1 to 127.0.0.1):
iptables -A INPUT -p ALL -i lo -s 10.1.0.202 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.1.123 -j ACCEPT

The start of the SSH session is arranged on:
iptables -A INPUT -p TCP  -s 0/0 --dport 22 -j okay

This should match ANY source, so there should be no need for a special iptables rule.

What are your find commands? My guess is that the problem is there and not in iptables.
(It might happen that a special file exists when the firewall is active and that your find hangs on that, which isn't active with iptables turned "off".)

Author Comment by: rawandnet
If I remove these two lines, I won't be able to ping the local interface from the server itself
(lo = from 127.0.0.1 to 127.0.0.1):
iptables -A INPUT -p ALL -i lo -s 10.1.0.202 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.1.123 -j ACCEPT
Expert Comment by: noci
You can always ping the local interface, and it doesn't need those rules.
(And those IP addresses are NEVER bound to lo until you make them an alias there (and remove them elsewhere), which would render your server unreachable for others.)


From your question:
" and freezing always happen when using find command to search for a word."

What are the command(s) you use for this?

Author Comment by: rawandnet
This doesn't happen anymore; it might have been something within the network.
But still, if I remove those two lines, I won't be able to ping local IP addresses, including 127.0.0.1.
Expert Comment by: noci
Well, I don't know your complete setup, so by all means feel free to insert them, but it should not be needed...

Author Closing Comment by: rawandnet
Thanks, guys.