IPTables Intermittent Stopping

Jay jay at kinetic.org
Mon Jan 7 12:09:04 MST 2008


On Mon, 7 Jan 2008, Erich Newell wrote:

> 1) Why do you have a service listening on this port if you intend to
> block all traffic to it?


TCP/111 is listening on an internal interface (eth1) but blocked on eth0. 
Lame, but RPC does not seem to have a method of binding the daemon to a 
specific interface only.


> 2) Are there any other services that might be exposed if iptables are
> reset? or is sunrpc the only one?


RPC is the only one. Other services (like SSH) are not exposed if iptables 
fails because they are configured to only listen on an internal interface.


> 3) What logs do you have with normal operation?


I have iptables logging what it rejects/drops. Of course, the regular 
syslog stuff too.


> If you have a log of the normal start and stop but not the unexpected
> start and stop, and only *one* additional service is being exposed,
> then it sounds like something nefarious to me. Seriously.


Any unnecessary services being exposed are unacceptable.


> A final thought: How are you setting your iptables rules? Also, are
> you using an explicit DROP statement at the top?


No, iptables reads top-down. Thus, my config has explicit ACCEPT 
statements for the stuff I want exposed, then an explicit REJECT statement 
at the end. Putting a blanket DROP literally as the first statement would 
kill all communications to/from the server.

-- 
~Jay
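An iptables-restore ruleset in the shape described in the reply above (explicit ACCEPTs first, a logged REJECT last, the portmapper reachable only from the internal side), plus an audit that reads an iptables-save dump and checks that the INPUT chain really does end in a REJECT and that nothing accepts port 111 off the external interface. This is an added example written for this page, not the poster's own configuration; eth0 as the external interface, eth1 and 192.168.1.0/24 as the internal side, and sshd on 22 from the internal side only are assumptions.

```sh
#!/bin/sh
# Added example for this thread, not the poster's own config.
# Assumptions: eth0 is the external interface, eth1 the internal one,
# 192.168.1.0/24 is the internal network, and sshd and rpcbind (111)
# are only meant to be reachable from eth1. Override via environment.
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
INT_NET="${INT_NET:-192.168.1.0/24}"

# Emit the ruleset in iptables-restore format: explicit ACCEPTs first,
# then a rate-limited LOG and a REJECT that catch everything else.
# The INPUT policy is DROP, so a plain flush (iptables -F) leaves the
# host closed instead of exposing every listener.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $INT_IF -s $INT_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $INT_IF -s $INT_NET -p tcp --dport 111 -j ACCEPT
-A INPUT -i $INT_IF -s $INT_NET -p udp --dport 111 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-reject: "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Audit an iptables-save dump read from stdin. Returns 0 only if:
#  - the INPUT policy is DROP,
#  - the last INPUT rule is a terminal REJECT or DROP,
#  - no ACCEPT rule for port 111 lacks the "-i $INT_IF" restriction.
audit_ruleset() {
    audit_dump=$(cat)
    if ! printf '%s\n' "$audit_dump" | grep -q '^:INPUT DROP '; then
        echo "audit: INPUT policy is not DROP" >&2
        return 1
    fi
    audit_last=$(printf '%s\n' "$audit_dump" | grep '^-A INPUT ' | tail -n 1)
    case "$audit_last" in
        *" -j REJECT"*|*" -j DROP"*) ;;
        *) echo "audit: last INPUT rule is not REJECT/DROP: $audit_last" >&2
           return 1 ;;
    esac
    # Any ACCEPT for dport 111 that is not tied to the internal interface
    # would expose the portmapper on eth0 (or on every interface).
    audit_leak=$(printf '%s\n' "$audit_dump" | grep '^-A INPUT ' \
        | grep -- '--dport 111 ' | grep -- '-j ACCEPT' \
        | grep -v -- "-i $INT_IF " || true)
    if [ -n "$audit_leak" ]; then
        echo "audit: port 111 accepted outside $INT_IF:" >&2
        printf '  %s\n' "$audit_leak" >&2
        return 1
    fi
    return 0
}

# show  - print the ruleset; apply - load it; audit - check the live tables.
case "${1:-}" in
    show)  build_ruleset ;;
    apply) build_ruleset | iptables-restore ;;
    audit) iptables-save | audit_ruleset ;;
esac
```

Run as `sh rules.sh show` to print the ruleset, `apply` to load it with iptables-restore, and `audit` (from cron, say) to check the live tables whenever the question is whether the rules are still in place. The one design choice worth calling out: the chain policy is DROP, so if the rules are ever flushed, the host stays closed and port 111 on eth0 is not exposed, while the trailing LOG/REJECT rule still provides the reject logging in normal operation.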