[BBLISA] Troubleshooting iptables/netfilter problems

John P. Rouillard rouilj at cs.umb.edu
Fri Feb 28 12:14:30 EST 2014 

In message <5310B66A.5090101 at brandeis.edu>,
John Miller writes:
>We're running into an issue with our LDAP servers where legitimate 
>packets are being intermittently (say 1/10000) rejected by iptables. 
>They match one of our ACCEPT rules, yet still get rejected (we're seeing 
>the return ICMP traffic).

Have you captured the inbound and outbound packets? Are you sure that
the first ldap packet is being rejected and not a packet that should
be allowed through by a:

   --state established -j ACCEPT

rule somewhere in your rule stack? This would also point to a state
table issue, but might provide some more insight.

>I don't yet have any evidence to support this, but I'm thinking that 
>we're bumping up against some sort of internal netfilter limit--perhaps 
>with connection tracking or stateful matching.
>
>The problem seems to have cropped up in moving from RHEL 5 to RHEL 6.
>
>The rules in question:
>
>What should be hit:
>-A RH-Firewall-1-INPUT -s 129.64.0.0/255.255.0.0 -p tcp -m state --state 
>NEW -m tcp --dport 636 -j ACCEPT

I have not seen this, but you could simplify the rule and remove

     "-m state --state NEW"

for testing to see if the problem goes away. That should eliminate any
issues with the state setup and allow all ldap traffic to pass
through.

Or what you could do is put a rule:

-A RH-Firewall-1-INPUT -s 129.64.0.0/255.255.0.0 -p tcp -m state -m tcp --dport 636 -j RECORD_LDAP

after the rule you expect to get hit. If any packet hits this new
RECORD_LDAP rule, it should be an error and in the RECORD_LDAP chain
you can get a count or possibly full packet dump for a better idea of
what's happening.

Also there was a bash script that automtically instrumented an
existing iptbles rule. Try googling for Tony Clayton iptables-trace.

Also you can try looking for:

  conntrack-tools

to see if that provides any info.

>What is actually being hit:
>-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

I assume this is the last rule in RH-Firewall-1-INPUT after the ldap rule.

--
				-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

More information about the bblisa mailing list