[RndTbl] Bizarre netfilter behaviour

Dan Martin ummar143 at gmail.com
Wed Jan 11 14:21:19 CST 2012


Hi John

It's been a long time since I worked with iptables, but one thing that used
to trip me up is forgetting to explicitly flush the tables.

I eventually wrote a script for this:

#!/bin/bash
#
# iptables.init script
# flushes all tables, zeroes counters, resets policies
#
# Dan Martin  University of Manitoba  0599441
# for 74.757 Advanced Networking
#
IPTABLES="/sbin/iptables"
# show the current rules, then flush every table and reset the policies
# (-n skips the reverse-DNS lookups, which can stall the listing)
echo "Previous iptables"
echo
$IPTABLES -L -n --line-numbers -v
echo
$IPTABLES -t nat -L -n --line-numbers -v
echo
$IPTABLES -t mangle -L -n --line-numbers -v
echo
#
# flush the rules in each table
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
# delete user-defined chains in each table (-X only acts on one table)
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
# zero the packet and byte counters
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z
# default policies back to ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#
#
echo "Cleaned iptables"
echo
$IPTABLES -L -n --line-numbers -v
echo
$IPTABLES -t nat -L -n --line-numbers -v
echo
$IPTABLES -t mangle -L -n --line-numbers -v
echo

On Wed, Jan 11, 2012 at 1:50 PM, John Lange <john at johnlange.ca> wrote:

> I'm hoping someone can suggest a fix for this.
>
> We moved some applications over to a new server which still had the
> default firewall rules in place which included a rate limiting "drop"
> rule that looks like this:
>
> iptables -A input_ext -m limit --limit 3/min -m conntrack --ctstate
> NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options
> --log-ip-options
>
> In short, limit to 3 new connections per minute.
>
> It turns out this was way too short for our application and so I just
> removed all firewall rules by stopping the firewall (this is on
> OpenSUSE).
>
> The last firewall log message indicates that a packet was being
> dropped to a specific IP due to a rate limit but now the server will
> not send packets to that IP at all! tcpdump shows that the packets are
> not even attempting to leave the interface.
>
> It seems like netfilter blocked the IP on the rate limit rule and now
> it's "stuck".
>
> I tried specifically allowing that IP and even recreated the limit
> rule thinking that would "reactivate" the chain but it doesn't work.
>
> My guess is that a reboot would fix it but the server is in production
> and can not be rebooted without a scheduled outage.
>
> The only other thing I can think of is to reload all of the netfilter
> kernel modules but again that is too risky on a production system.
>
> Any other ideas on how to clear the filter?
>
> Is there a command to display the current status of what netfilter is
> tracking and dropping?
>
> --
> John Lange
> _______________________________________________
> Roundtable mailing list
> Roundtable at muug.mb.ca
> http://www.muug.mb.ca/mailman/listinfo/roundtable
>



-- 
Dan Martin, MD
GP Hospital Practitioner
Computer Scientist
ummar143 at shaw.ca
(204) 831-1746
answering machine always on
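Added example (not from Dan's or John's messages): a shell routine that shows what netfilter is currently tracking for one peer, forgets that peer, and does a full reset that, unlike the script above, also clears the raw table and the connection-tracking table. The point it illustrates is that "iptables -F" only removes rules; the conntrack entries survive it, so a peer that conntrack has already classified stays classified until its entries expire or are deleted. It assumes iptables and the conntrack(8) tool from conntrack-tools are installed at the paths given (both overridable from the environment); the peer address 192.0.2.10 used in the comments is a placeholder.

```shell
#!/bin/bash
#
# Added example, not from the original thread.
# Assumptions: /sbin/iptables and /usr/sbin/conntrack exist (override with
# IPTABLES=... / CONNTRACK=...). Set DRY_RUN=1 to print the commands instead
# of running them, e.g.  DRY_RUN=1 ./netfilter-reset.sh
#
IPTABLES="${IPTABLES:-/sbin/iptables}"
CONNTRACK="${CONNTRACK:-/usr/sbin/conntrack}"

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Show the tracked connections involving one peer address and the table size;
# this is the closest thing to "what netfilter is tracking" for that peer.
show_tracking() {
    local peer="$1"
    run "$CONNTRACK" -L -s "$peer"   # entries where the peer is the source
    run "$CONNTRACK" -L -d "$peer"   # entries where the peer is the destination
    run "$CONNTRACK" -C              # total number of tracked entries
}

# Delete only the entries involving one peer: far less disruptive on a
# production box than flushing the whole table.
forget_peer() {
    local peer="$1"
    run "$CONNTRACK" -D -s "$peer"
    run "$CONNTRACK" -D -d "$peer"
}

# Full reset: policies to ACCEPT first so an SSH session to the box survives
# the flush, then rules, chains and counters in every table (including raw),
# then the conntrack table itself.
flush_all() {
    local chain table
    for chain in INPUT OUTPUT FORWARD; do
        run "$IPTABLES" -P "$chain" ACCEPT
    done
    for table in filter nat mangle raw; do
        run "$IPTABLES" -t "$table" -F   # flush rules
        run "$IPTABLES" -t "$table" -X   # delete user-defined chains
        run "$IPTABLES" -t "$table" -Z   # zero counters
    done
    run "$CONNTRACK" -F                  # drop all connection-tracking entries
}
```

On a live server, try show_tracking and forget_peer for the one affected address before resorting to flush_all, since conntrack -F makes every established connection through the box look new to the firewall.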