#20 Runtime address tables not working

closed-fixed
None
1
2010-03-10
2010-01-15
Les
No

I have two very large address tables. One has 2500 lines and blocks all of China, the other has 900 and blocks all of Korea.

When I use compile time, it works perfectly but takes a very long time to compile. When I use runtime, the firewall basically blocks ALL incoming traffic.

I did an iptables-save with both the compile time and the runtime versions and I am attaching a diff of the two files so you can see the differences. If you like I can also send you the complete files but they are rather large because of over 3000 address blocks.

The firewall is running CentOS 5.3 and iptables.

Discussion

1 2 > >> (Page 1 of 2)
  • Les

    Les - 2010-01-15
     
  • Les

    Les - 2010-01-15

    I forgot to mention. This problem existed with both 3.0.7 and with the latest 3.1.0 build 2349.

     
  • Vadim Kurland

    Vadim Kurland - 2010-01-15
    • assigned_to: nobody --> vkurland
    • status: open --> open-rejected
     
  • Vadim Kurland

    Vadim Kurland - 2010-01-15

    The diff shows that the iptables configurations were nearly identical, with the exception of one rule for port 21 (ftp) which branched to the rule set fail2ban-ProFTPD (looks like this rule was added in the second iptables configuration) and the change in log prefix of the rule that matches state INVALID. Otherwise, the diff shows no difference in rules. This means compile time and run time tables worked exactly the same (as they should, of course).

    Are you saying the firewall was blocking all traffic when you used run-time tables and did not block it when you used compile-time? The diff does not support this theory, unless the blockage you refer to was done by one of the two rules that show up in the diff. That seems unlikely, because these rules cannot block "all traffic".

    You need to repeat your test with compile time to see if it also blocks all incoming traffic just like it does when you use run time tables. Then, you need to look in the address table list of addresses to see if some addresses are mistyped and define address blocks that are too large.

     
  • Les

    Les - 2010-01-15

    Compile time - complete file

     
  • Les

    Les - 2010-01-15

    runtime - complete file

     
  • Les

    Les - 2010-01-15

    compiletime/runtime - diff

     
  • Les

    Les - 2010-01-15

    It was 1am when I sent you those last files and I probably did something stupid. So, I did it again.

    Attached files are the complete compile time, the complete run time, and the diff

    The results were the same. With the run time, all connections from my workstation were blocked. My IP address is 76.14.223.201.

    Here is the log where it was blocking connections from my workstation as well as another connection that should have been allowed. It was rule 4 that was blocking.

    Jan 15 11:23:58 zeus kernel: RULE 4 -- DENY IN=eth0 OUT= MAC=00:22:19:02:ad:cf:00:17:c5:40:05:08:08:00 SRC=216.151.2.126 DST=216.151.2.125 LEN=264 TOS=0x00 PREC=0x00 TTL=64 ID=22330 DF PROTO=UDP SPT=514 DPT=514 LEN=244
    Jan 15 11:24:04 zeus kernel: RULE 4 -- DENY IN=eth0 OUT= MAC=00:22:19:02:ad:cf:00:17:c5:40:05:08:08:00 SRC=76.14.223.201 DST=216.151.2.125 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=17783 DF PROTO=TCP SPT=7025 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
    Jan 15 11:24:07 zeus kernel: RULE 4 -- DENY IN=eth0 OUT= MAC=00:22:19:02:ad:cf:00:17:c5:40:05:08:08:00 SRC=76.14.223.201 DST=216.151.2.125 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=17786 DF PROTO=TCP SPT=7025 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
    Jan 15 11:24:13 zeus kernel: RULE 4 -- DENY IN=eth0 OUT= MAC=00:22:19:02:ad:cf:00:17:c5:40:05:08:08:00 SRC=76.14.223.201 DST=216.151.2.125 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=17806 DF PROTO=TCP SPT=7025 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
    Jan 15 11:24:19 zeus kernel: RULE 4 -- DENY IN=eth0 OUT= MAC=00:22:19:02:ad:cf:00:17:c5:40:05:08:08:00 SRC=216.151.2.126 DST=216.151.2.125 LEN=302 TOS=0x00 PREC=0x00 TTL=64 ID=55260 DF PROTO=UDP SPT=514 DPT=514 LEN=282

     
  • Les

    Les - 2010-01-15

    Also, I forgot to mention in my last, you will see fail2ban and psad in those files which are other programs that are being restarted in the epilog script. I doubt that they have anything to do with the problem.

    Rule 4, which was blocking, is the rule that has the large address tables.

     
  • Vadim Kurland

    Vadim Kurland - 2010-01-15

    The line

    -A INPUT -j RULE_4

    in the runtime blocks everything, indeed.

    Perhaps you have an empty line in your address table file?

    I'll see if I can modify the script to ignore empty lines.
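To make the two checks raised in this thread concrete (an empty line slipping into a run-time table, and a mistyped entry that defines a block far too large), here is an added example in POSIX shell; it is not fwbuilder's own generated script. It validates an address-table file and prints, rather than runs, the iptables commands for the chain RULE_4 named in the log above; the `#` comment syntax, the DROP target and the /8 "too large" threshold are assumptions.

```shell
#!/bin/sh
# Added example, not fwbuilder's generated script.
# A blank or malformed line that reaches the rule generator can produce a rule with
# no -s match at all ("-A INPUT -j RULE_4"), which is the block-everything symptom.
# Assumptions: one IPv4 address or CIDR per line, '#' starts a comment,
# MAX_PREFIX_WARN is an arbitrary threshold for "suspiciously large" blocks.

MAX_PREFIX_WARN=8   # warn on anything bigger than a /8 (assumed threshold)

# Print one valid entry per line; report problems on stderr; return 1 if any line is bad.
address_table_entries() {
    _file=$1; _bad=0; _n=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        # strip comments and surrounding whitespace
        _entry=$(printf '%s' "$_line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$_entry" ] && continue            # skip blank and comment-only lines
        if printf '%s\n' "$_entry" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
            _ip=${_entry%%/*}
            _prefix=${_entry#*/}; [ "$_prefix" = "$_entry" ] && _prefix=32
            _ok=1
            for _o in $(printf '%s' "$_ip" | tr '.' ' '); do   # each octet must be <= 255
                [ "$_o" -le 255 ] || _ok=0
            done
            [ "$_prefix" -le 32 ] || _ok=0
            if [ "$_ok" -eq 1 ]; then
                [ "$_prefix" -lt "$MAX_PREFIX_WARN" ] && \
                    echo "line $_n: /$_prefix block $_entry is very large, check it" >&2
                printf '%s\n' "$_entry"
                continue
            fi
        fi
        echo "line $_n: malformed entry '$_entry'" >&2
        _bad=1
    done < "$_file"
    return $_bad
}

# Emit the iptables commands for chain RULE_4 from a table file; emit nothing if
# the table contains a malformed line, so a bad file never yields a too-broad rule.
address_table_rules() {
    _entries=$(address_table_entries "$1") || return 1
    printf '%s\n' "$_entries" | while IFS= read -r _cidr; do
        [ -n "$_cidr" ] && printf 'iptables -A RULE_4 -s %s -j DROP\n' "$_cidr"
    done
}
```

Run it as `address_table_rules china.range` and pipe the output to `sh` only once it exits 0 and the stderr warnings have been reviewed.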

     
  • Vadim Kurland

    Vadim Kurland - 2010-01-15
    • status: open-rejected --> open-accepted
     
  • Les

    Les - 2010-01-15

    No, I just checked and there are no blank lines. There was a newline added after the last entry. I just removed that and it still has the problem.

    The address tables on the firewall are exactly the same as the ones on the workstation being used for compile time.

     
  • Les

    Les - 2010-01-15

    One of the two address tables

     
  • Les

    Les - 2010-01-15

    second address table

     
  • Les

    Les - 2010-01-15

    I just sent you the two address table files china.range and korea.range. Neither has blank lines.

     
  • Vadim Kurland

    Vadim Kurland - 2010-01-15

    I did not receive the files.

     
  • Les

    Les - 2010-01-15

    I just looked and they are there with the rest of the files on this ticket. They are china.range and korea.range

     
  • Vadim Kurland

    Vadim Kurland - 2010-01-15

    Oh, you are right, they are here. I thought you had sent email. I'll look at what is going on.

     
  • Vadim Kurland

    Vadim Kurland - 2010-01-15

    What does rule #4 look like? Do you use two address table objects in the Source? May I see the generated .fw file as well?

     
  • Vadim Kurland

    Vadim Kurland - 2010-01-15

    yes, I definitely need to see the .fwb data file. Please attach it or send it to me.

     
  • Les

    Les - 2010-01-15

    Ok, I just added the fwb file. It has two firewalls in it. The one I was testing with was Zeus.

     
  • Vadim Kurland

    Vadim Kurland - 2010-01-15

    OK, I can see the bug. Let me work on this.

     
  • Vadim Kurland

    Vadim Kurland - 2010-01-15

    Quick workaround for you, before I implement the fix: split rule 4 so that you have two rules, each matching one run-time address table object. This should produce a script that works properly.

     
  • Les

    Les - 2010-01-15

    That seems to have fixed it. Very strange but fwbuilder stopped responding and crashed immediately after the install upload. I did it a second time and everything went well.

    It is VERY nice being able to do runtime as it adds about 5 minutes to the compile when using compile time. It only takes a second or two at runtime.

     
  • Les

    Les - 2010-01-15

    WOW, I am very impressed with your level of support. And such an awesome product too. I am still in my 30-day trial but I will definitely be buying this one.

    I have one last question. Since I am so very new to IPtables, do you see anything stupid that I am doing in my fwb file? Anything I could add to make it more secure? The server is being used for webhosting and email. The firewall I am most concerned with is Echo.

     
