IPTables Intermittent Stopping
Technomage-hawke
technomage.hawke at gmail.com
Mon Jan 7 20:06:52 MST 2008
On Monday 07 January 2008 12:09, Jay wrote:
> On Mon, 7 Jan 2008, Erich Newell wrote:
> > 1) Why do you have a service listening on this port if you intend to
> > block all traffic to it?
>
> TCP/111 is listening on an internal interface (eth1) but blocked on eth0.
> Lame, but RPC does not seem to have a method of binding the daemon to a
> specific interface only.
>
> > 2) Are there any other services that might be exposed if iptables are
> > reset? or is sunrpc the only one?
>
> RPC is the only one. Other services (like SSH) are not exposed if iptables
> fails because they are configured to only listen on an internal interface.
>
> > 3) What logs do you have with normal operation?
>
> I have iptables logging what it rejects/drops. Of course, the regular
> syslog stuff too.
>
> > If you have a log of the normal start and stop but not the unexpected
> > start and stop, and only *one* additional service is being exposed,
> > then it sounds like something nefarious to me. Seriously.
>
> Any unnecessary services being exposed are unacceptable.
>
> > A final thought: How are you setting your iptables rules? Also, are
> > you using an explicit DROP statement at the top?
>
> No, iptables reads top-down. Thus, my config has explicit ACCEPT
> statements for the stuff I want exposed, then an explicit REJECT statement
> at the end. Putting a blanket DROP literally as the first statement would
> kill all communications to/from the server.
oooops. you need to have the default policy set to drop. having that reject at
the end means that it is rejecting everything, including the previously
opened ports...
This might cause some problems (though iptables acts completely backward to
PF, which I have gotten more familiar with).
I'll have to relocate my old iptables high security script and see how I wrote
it.
More information about the PLUG-discuss
mailing list