[ydl-gen] iptables suddenly rejecting ping traffic

Chris St. Pierre stpierre at NebrWesleyan.edu
Thu May 25 10:24:00 MDT 2006


Derick--

We actually have a hardware firewall between our campus and the
Internet, and a dedicated firewall device between the campus and the
residence halls.  This box is really only open to the academic
buildings on campus.

The box you recommended looks nice for a residential firewall, but not
for a firewall for a production server.  Furthermore, it'd be silly to
put those boxes on all of our machines, and putting a Cisco (etc.)
hardware firewall between our data center and the academic portion of
campus would not only be overkill, but would suffer the same drawback
as iptables: static configuration.  It would admittedly centralize the
configuration, but I've already centralized my configs with Cfengine,
and that cost a lot less than a fancy new firewall. :)

Thanks for the suggestion, but I'm definitely looking to fix this with
iptables.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Mon, 15 May 2006, Derick Centeno wrote:

> Hi Chris:
>
> May I respectfully suggest a completely different approach?
>
> My reasoning for doing so follows this path:  Maintaining a software firewall
> can be extremely challenging.  They can be tricked, hacked and of course there
> are unintentional errors, even if one installs one or another piece of software
> -- say tripwire -- to watch it and any changes to your system for you.
>
> The alternative is to go to a hardwired firewall, plug it in and go about your
> business dedicating your time to something else which absolutely requires your
> attention.
> This little device has done its job time and time again (for me) and others
> and maybe if you consider it, you'll discover more time for other issues.  The
> really hot thing about this device is that it does way more than what iptables
> can do for you anyway and the device works independently of any operating
> system.  It is designed to work on networks faster than dial-up; so it can sit
> between the incoming signal and the router feeding the rest of the network
> which means that anything coming past the device to the router is clean.  So
> anything connected to that router -- wireless or otherwise -- is also clean as
> far as the signals they are receiving.  Of course, making sure the internal
> nets are clean is the job of the sys.admin.
>
> Here's the link for you to review and consider:
>
> http://www.thinkgeek.com/computing/accessories/75f3/
>
> Of course, you could refer to IPCop.org, netfilter.org, or tldp.org ... but
> after the Stingray, all of that will become mere reference material.
>
> Best wishes.... Derick.
>
> On May 15, 2006, at 9:28 AM, Chris St. Pierre wrote:
>
>> Last week, I brought up iptables on my YDL 4 box with a very basic
>> configuration, and all was working well.  This morning, at about 8 am,
>> it randomly started rejecting ping traffic.  Restarting iptables did
>> not solve the problem.  My iptables configuration has not changed
>> since Thursday afternoon.  Here's my /etc/sysconfig/iptables:
>>
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> :RH-Firewall-1-INPUT - [0:0]
>> -A INPUT -j RH-Firewall-1-INPUT
>> -A FORWARD -j RH-Firewall-1-INPUT
>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
>> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5308 -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5666 -j ACCEPT
>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>>
>> As you can see, this is a very basic configuration that works on many
>> other hosts -- and, in fact, worked on this host for a while, too.
>> Any ideas?  Thanks!
>>
>> Chris St. Pierre
>> Unix Systems Administrator
>> Nebraska Wesleyan University
>> _______________________________________________
>> yellowdog-general mailing list
>> yellowdog-general at lists.terrasoftsolutions.com
>> http://lists.terrasoftsolutions.com/mailman/listinfo/yellowdog-general
>> HINT: to Google archives, try  '<keywords> site:terrasoftsolutions.com'
>>
>
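The ruleset Chris posted should accept ICMP on every interface, because the `-p icmp --icmp-type any -j ACCEPT` rule sits well ahead of the terminal REJECT. A useful first step when a firewall "suddenly" changes behaviour is to confirm what the saved ruleset is supposed to do and then compare that with what the kernel is actually running. The evaluator below is an added example, not code from the thread or from any of the projects mentioned in it: it parses an iptables-save style `*filter` table, walks chains the way netfilter does (rule by rule, following `-j` jumps into user chains and falling back to the built-in chain's policy), and reports the verdict for a described packet. It only understands the matches the posted rules use (`-i`, `-p`, `--dport`, `-m state --state`, `--icmp-type any`); the packet description format and the `verdict_for` helper are this example's own conventions.

```python
"""Toy evaluator for an iptables-save style filter table (added example).

Understands only the matches used in the posted ruleset: -i, -p, --dport,
-m state --state, and --icmp-type any. Anything else is ignored.
"""
import shlex

# Constructed copy of the ruleset posted on the list, wrapped lines joined.
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5308 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5666 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}


def proto_num(p):
    """Normalise a protocol name or number ('-p icmp', '-p 50') to an int."""
    return PROTO_NUMBERS.get(p.lower(), int(p) if p.isdigit() else -1)


def parse_ruleset(text):
    """Return (policies, chains): chain -> policy or None, chain -> rule list."""
    policies, chains = {}, {}
    flags = {"-i": "iface", "-p": "proto", "--dport": "dport", "-j": "target"}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "*#" or line == "COMMIT":
            continue
        if line.startswith(":"):                 # chain declaration, '-' = user chain
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains[name] = []
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            continue
        rule = {"iface": None, "proto": None, "dport": None, "states": None, "target": None}
        i = 2
        while i < len(toks):
            t = toks[i]
            if t in flags:
                rule[flags[t]] = toks[i + 1]
                i += 2
            elif t == "--state":
                rule["states"] = set(toks[i + 1].split(","))
                i += 2
            elif t in ("-m", "--icmp-type", "--reject-with"):
                i += 2                           # module name / 'any' / reject type: no effect here
            else:
                i += 1
        chains.setdefault(toks[1], []).append(rule)
    return policies, chains


def rule_matches(rule, pkt):
    """True when every match the rule carries agrees with the packet description."""
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if rule["proto"] and proto_num(rule["proto"]) != proto_num(pkt["proto"]):
        return False
    if rule["dport"] and str(rule["dport"]) != str(pkt["dport"]):
        return False
    if rule["states"] and pkt["state"] not in rule["states"]:
        return False
    return True


def verdict(policies, chains, chain, pkt, depth=0):
    """Walk a chain like netfilter: first terminal target wins, user chains fall through."""
    if depth > 16:
        raise RuntimeError("jump loop in ruleset")
    for rule in chains.get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            break
        if target in chains:                     # jump into a user-defined chain
            v = verdict(policies, chains, target, pkt, depth + 1)
            if v is not None:
                return v                         # user chain ended without verdict: keep going
    return policies.get(chain) if depth == 0 else None


def verdict_for(text, iface, proto, dport, state, chain="INPUT"):
    """Convenience wrapper: verdict for one packet described by its key fields."""
    policies, chains = parse_ruleset(text)
    pkt = {"iface": iface, "proto": proto, "dport": dport, "state": state}
    return verdict(policies, chains, chain, pkt)


if __name__ == "__main__":
    for desc in (("eth0", "icmp", None, "NEW"), ("eth0", "tcp", 22, "NEW"),
                 ("eth0", "tcp", 25, "NEW"), ("eth0", "tcp", 25, "ESTABLISHED")):
        print(desc, "->", verdict_for(RULESET, *desc))
```

Run against the saved file the model says a ping from any interface is accepted, so if the live box rejects it the running rules must differ from `/etc/sysconfig/iptables`: compare the output of `iptables-save` with the file, and look at the per-rule packet counters from `iptables -L -v -n` to see which rule the ICMP traffic is actually hitting.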

