
RE: Firewall is loosing it's marbles



Honestly, I'm not sure.  Here's the table; it's been holding strong since I went to static IPs.  Host names and IPs modified to protect the guilty.

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             host01              tcp spts:login:65535 dpt:ssh state NEW,ESTABLISHED
ACCEPT     icmp --  anywhere             host01              icmp echo-reply state NEW,RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             host01              icmp echo-request state NEW,RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  192.168.2.0/25       anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  host01               anywhere            tcp spt:ssh dpts:login:65535 state ESTABLISHED
ACCEPT     icmp --  host01               anywhere            icmp echo-reply state NEW,RELATED,ESTABLISHED
ACCEPT     icmp --  host01               anywhere            icmp echo-request state NEW,RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  192.168.2.0/25       anywhere

Host01 (eth0) would essentially be on the internet, eth1 on 192.168.1 and eth2 on 192.168.2 – all DHCP.  It will allow SSH to come in.  Once on the box you are free to roam 192.168.1 and 192.168.2.  But what you can't do is get back out to the internet once you're in.  It's the roach motel.

What would happen is I would set the tables up and approximately 24 hours later the tables would be completely trashed.  I could still ping host01 from the internet, but I couldn't ssh in.  Reapplying my rules after zeroing out the tables was the only thing that cleared it up.

What made me wonder about DHCP was seeing that the DHCP requests on the private side of the network had suddenly started producing errors.  The private side was also screwed up in iptables.  I took that, figured going to static wouldn't hurt as a test, and what do you know, it's been stable since.

I agree DHCP + firewall is pretty common, but perhaps my implementation of the firewall was too uncommon for the software to handle.
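Added example, not from this thread: a small Python check for the "tables trashed a day later" symptom described above. It compares a saved iptables-save baseline against a later dump after stripping the "# Generated by" timestamp and the [pkts:bytes] counters, which change constantly and would otherwise make every comparison fail. Both dumps are constructed from the INPUT chain listed above; the -i lo and -i eth0 interface matches are assumptions, because iptables -L without -v does not show interfaces.

```python
import re
# Constructed baseline (iptables-save format) modelled on the INPUT chain listed
# above; the -i lo / -i eth0 interface matches are assumed, since plain `-L` hides them.
BASELINE = """\
# Generated by iptables-save v1.3.5 on Mon Mar 24 08:00:01 2008
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -s 192.168.2.0/25 -j ACCEPT
COMMIT
"""

# Constructed dump taken "a day later": counters moved (normal) and the ssh rule is gone (drift).
CURRENT = """\
# Generated by iptables-save v1.3.5 on Tue Mar 25 08:13:44 2008
*filter
:INPUT DROP [18342:2211100]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -s 192.168.2.0/25 -j ACCEPT
COMMIT
"""

def normalize(dump):
    """Rule and policy lines of an iptables-save dump, in order, with the volatile
    parts stripped: '# Generated by' timestamps and [pkts:bytes] counters."""
    rules = []
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        rules.append(re.sub(r"\s*\[\d+:\d+\]$", "", line))
    return rules

def drift(baseline, current):
    """Return (missing, unexpected, reordered) for the baseline vs the live dump."""
    base, cur = normalize(baseline), normalize(current)
    missing = [r for r in base if r not in cur]
    unexpected = [r for r in cur if r not in base]
    # Order matters too: iptables is first-match, so a reshuffled chain is drift as well.
    reordered = [r for r in base if r in cur] != [r for r in cur if r in base]
    return missing, unexpected, reordered
```

On a real box the two inputs would be a baseline file saved right after loading the rules and the output of a fresh iptables-save run from cron; a non-empty missing list is the evidence that rules vanished, and the dropped line tells you which one.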

From: McCarty Ronald [mailto:mccarty@xxxxxxxxxxxxxxxx]
Sent: Monday, March 24, 2008 6:32 AM
To: Getting started with Red Hat Linux
Subject: Re: Firewall is loosing it's marbles

Travis,

What was the particular issue?  Running DHCP / iptables isn't that uncommon of a setup, so it would be interesting to hear the particulars.

Best regards,

--ron

On Mar 20, 2008, at 9:30 AM, Waldher, Travis R wrote:



From: Waldher, Travis R
Sent: Friday, March 14, 2008 8:48 AM
To: Getting started with Red Hat Linux
Subject: Firewall is loosing it's marbles

I've got a pretty strict firewall setup on a machine that acts as a gateway between a production environment and a test environment.

Users will log in to the box to access the test environment; the box is running RHEL5.  Once in, it's like the roach motel: no one gets back out to the real world from the test world.

My firewall is working fine, but it seems to lose its marbles and deny ssh but still allow pings from the outside after a day or two.  Wiping out the tables and re-applying them corrects the issue, but obviously this is a poor solution.

Has anyone else seen iptables partially stop working like this?

Answer: Firewall + DHCP = no worky so well.




_______________________________________________
Redhat-install-list mailing list
Redhat-install-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/redhat-install-list
To Unsubscribe Go To ABOVE URL or send a message to:
redhat-install-list-request@xxxxxxxxxx
Subject: unsubscribe
