| === jlamothe is now known as Guest60057 | ||
| === Guest60057 is now known as jlamothe | ||
| willwh | hey guys :) | 18:18 |
|---|---|---|
| willwh | anyone alive? could use a hand to talk something through :) | 18:18 |
| willwh | I have a VPS that is running iptables | 18:18 |
| willwh | I think my host are idiots and something is misconfigured | 18:19 |
| willwh | let me save my iptables rules and I'll link em, 2min | 18:19 |
| willwh | http://willwh.com/iptables.txt | 18:21 |
| willwh | so my port 80 traffic == np | 18:21 |
| willwh | the app I have bound to 3000 is not accessable remotely | 18:21 |
| willwh | I can hit it like so; lynx localhost:3000 | 18:21 |
| willwh | ont he host | 18:21 |
| willwh | can't connect externally | 18:21 |
| willwh | iptables looks good to me | 18:22 |
| willwh | and I think my host has something misconfigured | 18:22 |
| willwh | they want me to pay them to investigate further (hah) | 18:22 |
| willwh | but they are slow / poor in response | 18:22 |
| willwh | so | 18:22 |
| DarwinSurvivor | willwh: do you have a copy of the actual iptables rules file (or script/etc)? | 18:27 |
| willwh | DarwinSurvivor: I think I figured it out | 18:28 |
| willwh | my host are just being cheeky bastards | 18:28 |
| DarwinSurvivor | willwh: double firewalled you? | 18:28 |
| willwh | no | 18:31 |
| willwh | they're telling me "INPUT" chain | 18:31 |
| willwh | if you look at that iptables output | 18:31 |
| willwh | it's PUB_IN | 18:31 |
| DarwinSurvivor | I would recommend moving your ESTABLISHED line to the top, then blocking all non-syn tcp packets immediately after. that will drastically cut down on the amount of illegitimate traffic that hits your server | 18:31 |
| willwh | that rules should be added to | 18:31 |
| willwh | ah | 18:31 |
| willwh | DarwinSurvivor: I'm a little confused still though | 18:32 |
| willwh | I am not sure how I ended up with so many chains | 18:32 |
| willwh | and the fact that adding stuff to INPUT was useless | 18:33 |
| willwh | I'm not making a lot of sense, hag | 18:33 |
| willwh | hah* | 18:33 |
| willwh | but trying to understand how a chain is applied | 18:33 |
| DarwinSurvivor | line 14 is useless as line 13 will prevent ANYTHING from getting to it | 18:33 |
| willwh | yes | 18:34 |
| willwh | but like I say - the INPUT chain rules seem to have almost no effect | 18:34 |
| willwh | it's all the PUB_IN | 18:34 |
| DarwinSurvivor | and you don't need a drop rule at the end of INPUT if your default policy is to drop | 18:34 |
| DarwinSurvivor | hmm | 18:34 |
| DarwinSurvivor | yeah, i see that | 18:34 |
| willwh | I don't understand the difference | 18:34 |
| willwh | or how they relate at all | 18:34 |
| DarwinSurvivor | do you know which network adapter is your external? | 18:35 |
| DarwinSurvivor | if it's anything but eth0, then 3 will not trigger and it will get blocked in PUB_IN | 18:35 |
| DarwinSurvivor | *rule 3 | 18:35 |
| willwh | you mean rule 3 in INPUT? | 18:35 |
| DarwinSurvivor | yes | 18:36 |
| willwh | ahhh | 18:36 |
| DarwinSurvivor | if your external connections are not coming in through eth0, that rule will not work | 18:36 |
| willwh | right | 18:36 |
| willwh | eurka | 18:36 |
| willwh | I understand | 18:36 |
| willwh | :) | 18:36 |
| DarwinSurvivor | ifconfig should tell you which ones you have | 18:36 |
| willwh | yup | 18:36 |
| willwh | thanks mate | 18:36 |
| DarwinSurvivor | no problem | 18:36 |
| willwh | lo and 2 virtual interfaces | 18:36 |
| willwh | so that kinda explains that ;] | 18:36 |
| DarwinSurvivor | bingo | 18:36 |
| DarwinSurvivor | when I saw all the FOO+, I figured you had a non-standard setup | 18:38 |
| willwh | DarwinSurvivor> I would recommend moving your ESTABLISHED line to the top, then blocking all non-syn tcp packets immediately after. that will drastically cut down on the amount of illegitimate traffic that hits your server | 18:41 |
| willwh | how do I do that exactly? :) | 18:41 |
| DarwinSurvivor | do you have direct access to the iptables rules file? | 18:43 |
| willwh | DarwinSurvivor: yeah I have root on the box | 18:43 |
| DarwinSurvivor | ok | 18:44 |
| willwh | gotta take a call, back asap | 18:44 |
| DarwinSurvivor | first move rule 5 to right after rule 1 (so that banned ips are blocked even if they had already connected) | 18:44 |
| DarwinSurvivor | k | 18:44 |
| DarwinSurvivor | brb | 18:46 |
| DarwinSurvivor | back | 18:53 |
| willwh | DarwinSurvivor: yo | 19:23 |
| willwh | is it possible to move rules? | 19:23 |
| willwh | like #2 -> #7 | 19:23 |
| DarwinSurvivor | willwh: what do you use to set the firwall rules? (iptables.rules file, bash script, web interface, etc)? | 19:25 |
| willwh | just command line | 19:26 |
| willwh | and services iptables save | 19:26 |
| willwh | ther eis a web interface | 19:26 |
| willwh | too | 19:26 |
| DarwinSurvivor | what distribution? | 19:27 |
| willwh | debian :D | 19:27 |
| willwh | I don't really like the route ubuntu has gone recently :( | 19:28 |
| DarwinSurvivor | see if there is an iptables.rules (or similar) file in /etc/ | 19:28 |
| DarwinSurvivor | there may be 2 files (iptables.up.rules and iptables.down.rules) | 19:29 |
| willwh | /etc/iptables: rules & iptables.conf | 19:29 |
| DarwinSurvivor | is rules a file or directory? | 19:30 |
| willwh | file | 19:30 |
| willwh | and it's generated by iptables --save | 19:30 |
| willwh | sorry | 19:30 |
| willwh | iptables-save | 19:30 |
| willwh | argh - another call | 19:30 |
| willwh | :( | 19:30 |
| DarwinSurvivor | yes, that is a saved copy of all the iptables rules (which can be loaded with iptables-restore) | 19:31 |
| DarwinSurvivor | an easy way to modify the running firewall is to edit that file, then run iptables-restore again | 19:31 |
| DarwinSurvivor | if you don't want to mess with the system files, you could also use iptables-restore to create a new copy, then modify that | 19:35 |
| DarwinSurvivor | One hint: add an ACCEPT for your personal IP address at the very beginning of the INPUT chain so that you can always log back in if you mess up the firewall! | 19:41 |
| willwh | roger | 19:55 |
| willwh | so one more question DarwinSurvivor | 19:55 |
| willwh | it seems that I don't need all these chains | 19:55 |
| willwh | I should just use an INPUT / OUTPUT / FORWARD? | 19:55 |
| willwh | got it all ironed out | 20:00 |
| willwh | I really appreciate the advice, thanks very much DarwinSurvivor :) | 20:00 |
| DarwinSurvivor | no problem | 20:09 |
| DarwinSurvivor | using chains can simplify some things (like with fail2ban), but can also over-complicate things if you don't understand what they are doing | 20:11 |
| willwh | key Kip :D | 22:55 |
| willwh | how's it going man?! | 22:55 |
| willwh | DarwinSurvivor: you still around? | 22:55 |
| willwh | got an odd one | 22:55 |
| willwh | this works: ssh -i .ssh/ec2netro.pem ubuntu@ec2-23-21-37-13.compute-1.amazonaws.com | 22:55 |
| willwh | this in my .ssh/config - does not | 22:55 |
| willwh | Host ec2netro | 22:56 |
| willwh | Hostname ec2-23-21-37-13.compute-1.amazonaws.com | 22:56 |
| willwh | User ubuntu | 22:56 |
| willwh | PreferredAuthentications publickey | 22:56 |
| willwh | IdentityFile "/home/willwh/.shh/ec2netro.pem" | 22:56 |
| willwh | which is VERRRY strange | 22:56 |
| willwh | I don't understand :[ | 22:56 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!