[alpine-devel] edge 120403: bug in netfilter?

Message ID
<1334300016.25030.15.camel@df1844j>
Sender timestamp
1334300016
Hi,

I have an edge box with latest edge snapshot with shorewall installed.
Once logged remotely via ssh I've setup and started Shorewall with the
following rule:

ACCEPT		all		fw		tcp	22

After that, I'm no longer able to establish new ssh connections from any
IP address.

Thinking of a Shorewall issue (hoping to see AWall soon! Thanks kunkku!)
I did "shorewall clear", and I was able to log in via ssh again.

So, instead of Shorewall, I've setup plain iptables rules:

iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -d $MYIP -p tcp --dport 22 -j ACCEPT

I didn't change the default INPUT policy (ACCEPT). After that, again, I
wasn't able to log in via ssh anymore.

Anybody noticed the same issue, or am I missing something obvious?

Thanks

- leonardo




---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---
Natanael Copa <ncopa@alpinelinux.org>
Message ID
<20120413221535.16060469@alpinelinux.org>
In-Reply-To
<1334300016.25030.15.camel@df1844j>
Sender timestamp
1334348135
On Fri, 13 Apr 2012 08:53:36 +0200
Leonardo <rnalrd@gmail.com> wrote:

> Hi,
> 
> I have an edge box with latest edge snapshot with shorewall installed.
> Once logged remotely via ssh I've setup and started Shorewall with the
> following rule:
> 
> ACCEPT		all		fw		tcp
> 22
> 
> After that, I'm no longer able to establish new ssh connections from
> any IP address.
> 
> Thinking of a Shorewall issue (hoping to see AWall soon! Thanks
> kunkku!) I did "shorewall clear", and I was able to login via ssh
> again. 
> 
> So, instead of Shorewall, I've setup plain iptables rules:
> 
> iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -I INPUT -d $MYIP -p tcp --dport 22 -j ACCEPT
> 
> I didn't change the default INPUT policy (ACCEPT). After that, again,
> I wasn't able to login via ssh anymore.
> 
> Anybody noticed the same issue, or am I missing something obvious?

Did you add the interface to any zone?

-nc



Leonardo Arena <rnalrd@gmail.com>
Message ID
<CAGG_d8CMDHr4DnoSz2AEe3s99Cyv+Q4wYActSvC_G36HXbx91g@mail.gmail.com>
In-Reply-To
<20120413221535.16060469@alpinelinux.org>
Sender timestamp
1334384551
On Fri, Apr 13, 2012 at 10:15 PM, Natanael Copa <ncopa@alpinelinux.org> wrote:
> On Fri, 13 Apr 2012 08:53:36 +0200
>> Anybody noticed the same issue, or am I missing something obvious?
>
> Did you add the interface to any zone?

Yes, of course. Zones, Interfaces and Policy are fully configured.
Doesn't look like it's a Shorewall issue, as I was able to reproduce
it with iptables only.

- leonardo


Leonardo Arena <rnalrd@gmail.com>
Message ID
<CAGG_d8BUZGQp7RAn548CrqfQs+N982zk8Pkdkn19HsTWTUja0g@mail.gmail.com>
In-Reply-To
<CAGG_d8CMDHr4DnoSz2AEe3s99Cyv+Q4wYActSvC_G36HXbx91g@mail.gmail.com>
Sender timestamp
1334556516
On Sat, Apr 14, 2012 at 8:22 AM, Leonardo Arena <rnalrd@gmail.com> wrote:
> On Fri, Apr 13, 2012 at 10:15 PM, Natanael Copa <ncopa@alpinelinux.org> wrote:
>> On Fri, 13 Apr 2012 08:53:36 +0200
>>> Anybody noticed the same issue, or am I missing something obvious?
>>
>> Did you add the interface to any zone?
>
> Yes, of course. Zones, Interfaces and Policy are fully configured.
> Doesn't look like it's a Shorewall issue, as I was able to reproduce
> it with iptables only.

iptables -L E2fw -vn shows that the ACCEPT rule isn't matched (0 pkts).
I can observe the same behaviour with the following rule too:

ACCEPT		inet:$MYIP	fw		udp	514

Incoming syslog packets aren't matched by the rule. It seems that they
are dropped early.
All dropped packets are logged via "info" but I don't see any dropped
packet in busybox syslog.

- leonardo
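The "0 pkts" counter check above is the useful diagnostic in this thread: if the ACCEPT rule never matches while the chain policy counter climbs, the packets are being accepted or dropped somewhere other than that rule. The following script is an added example, not code from the thread or from Shorewall: it parses `iptables -L <chain> -vn` output and tags rules that have never matched, printing the policy fall-through counter as well. The sample output is constructed to mirror the two iptables rules from the first post (invented counters, 192.0.2.10 standing in for $MYIP).

```shell
#!/bin/sh
# Constructed sample of `iptables -L INPUT -vn` output (not real data).
# With two `iptables -I INPUT` calls the ssh rule sits above the
# RELATED,ESTABLISHED rule, as in the first post.
SAMPLE='Chain INPUT (policy ACCEPT 57 packets, 4104 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.0.2.10           tcp dpt:22
  123 45678 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# rule_report: reads `iptables -L <chain> -vn` on stdin and prints one line
# per rule (position, packet counter, target, match text), tagging rules with
# a zero counter as UNMATCHED; for built-in chains it also prints the policy
# and how many packets fell through to it.  Use `-x` on the iptables side if
# you want exact counters instead of K/M-suffixed ones.
rule_report() {
    awk '
        /^Chain / {
            chain = $2; n = 0; policy = ""; fallthrough = ""
            if ($3 == "(policy") { policy = $4; fallthrough = $5 }
            next
        }
        /^ *pkts +bytes/ { next }          # column header line
        NF >= 9 {
            n++
            tag = ($1 == 0) ? "UNMATCHED" : "matched"
            rest = ""
            for (i = 10; i <= NF; i++) rest = rest " " $i
            printf "%s rule %d: pkts=%s target=%s%s [%s]\n", chain, n, $1, $3, rest, tag
        }
        END {
            if (policy != "")
                printf "%s policy %s: pkts=%s (packets no rule matched)\n", chain, policy, fallthrough
        }
    '
}

# Real use: iptables -L INPUT -vn | rule_report
printf '%s\n' "$SAMPLE" | rule_report
```

A rule reported as UNMATCHED while the policy counter keeps increasing means the traffic never reaches that rule with the expected match fields, so the next place to look is an earlier chain or table (raw, mangle, or the chain that jumps here).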

