IPTables Intermittent Stopping

Craig White craig at tobyhouse.com
Mon Jan 7 10:25:41 MST 2008


On Mon, 2008-01-07 at 10:12 -0700, Jay wrote:
> I have dozens of servers, all of them running the most recent Debian 
> stable branch and pretty basic iptables instances. All are working well 
> except for two of them... On these two problem servers, iptables seems to 
> be intermittently stopping and starting. There is nothing in the system 
> logs to indicate such, but I can see it when port scanning the servers.
> 
> The servers' iptables rules are set to allow connections on TCP 25, 53, 
> 80, and 443, then block everything else. When doing a simple nmap scan of 
> the servers and everything is working, the scan takes a few minutes; it 
> shows these four ports open and everything else **filtered**. When 
> everything is not working, the nmap scan happens in just a couple of 
> seconds, it shows another open port (TCP/111 - I do have this service 
> running on the servers), plus the four expected open ports, and everything 
> else **closed**.
> 
> I can do 10 nmap scans back-to-back, and about half of them will show 
> ports filtered, while the other half will show ports closed (and the extra 
> open port). This tells me that iptables on these two servers is 
> intermittently stopping, then intermittently starting again.
> 
> I have watched the logs on the servers - nothing unusual. I have done the 
> nmap scans from three different source locations, and all exhibit the same 
> intermittent results. Googling for 'iptables intermittent' is not turning 
> up anything applicable. I have other servers using the same iptables 
> scripts, and they are not exhibiting this problem, plus bad iptables rules 
> should make the problem always happen, not be randomly intermittent.
> 
> Anybody have any ideas? Seen anything like this before?
----
gee...you're the security expert

Do you have something like denyhosts (I vaguely recall something else
like it that starts with a 'p') that periodically scans logs for login
failures via ssh and adds rules to iptables which would require a
stop/start of iptables rules?

Craig
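As an added example (not from this thread, and not the code of denyhosts or any other tool mentioned in it): a POSIX shell script that builds the INPUT policy Jay describes (TCP 25, 53, 80 and 443 allowed, everything else dropped) in iptables-save format, so that it can be loaded in one atomic `iptables-restore` commit instead of a flush followed by a series of `iptables -A` calls, and a check function that inspects an `iptables-save` dump and reports whether the intended rules are still in place. The loopback and ESTABLISHED,RELATED rules are my own assumptions, not something the thread states, and `FLUSHED_DUMP` is a constructed sample of what a reload script leaves behind mid-reload.

```shell
#!/bin/sh
# Added example, not code from the thread or from any tool it names.
# Port list is the one Jay gave; everything else here is an assumption.
ALLOWED_TCP_PORTS="25 53 80 443"

# Emit the whole filter table in iptables-save format. Loading it with
# `iptables-restore` replaces the table in a single commit, so there is no
# moment where the chain is empty or its policy is open.
gen_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Assumption: loopback and reply traffic are allowed (the thread does not say).
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $ALLOWED_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Count the per-port ACCEPT rules in an iptables-save dump read from stdin.
# The ".*" after "-p tcp" tolerates the "-m tcp" that iptables-save inserts.
count_allow_rules() {
    grep -c -- '^-A INPUT -p tcp.*--dport [0-9][0-9]* .*-j ACCEPT'
}

# Return 0 if the dump ($1) has a DROP policy on INPUT and an ACCEPT rule for
# every expected port, 1 otherwise. A 1 here is what a scan showing ports
# "closed" instead of "filtered" looks like from the host side.
check_dump() {
    dump=$1
    printf '%s\n' "$dump" | grep -q '^:INPUT DROP' || return 1
    for p in $ALLOWED_TCP_PORTS; do
        printf '%s\n' "$dump" \
            | grep -q -- "^-A INPUT -p tcp.*--dport $p .*-j ACCEPT" || return 1
    done
    return 0
}

# Constructed sample: what iptables-save shows after a reload script has done
# `iptables -P INPUT ACCEPT; iptables -F` but has not yet re-added its rules.
FLUSHED_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Usage on a host (not run here):
#   gen_ruleset > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
#   check_dump "$(iptables-save)" || logger -p auth.warning "iptables rule set missing"
```

The second usage line is the kind of check Jay could run from cron on the two problem hosts: if it ever logs, the rule set really is disappearing, and the timestamp narrows down which job is flushing it.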
