[18:18] <willwh> hey guys :)
[18:18] <willwh> anyone alive? could use a hand to talk something through :)
[18:18] <willwh> I have a VPS that is running iptables
[18:19] <willwh> I think my host are idiots and something is misconfigured
[18:19] <willwh> let me save my iptables rules and I'll link em, 2min
[18:21] <willwh> http://willwh.com/iptables.txt
[18:21] <willwh> so my port 80 traffic == np
[18:21] <willwh> the app I have bound to 3000 is not accessible remotely
[18:21] <willwh> I can hit it like so; lynx localhost:3000
[18:21] <willwh> on the host
[18:21] <willwh> can't connect externally
[18:22] <willwh> iptables looks good to me
[18:22] <willwh> and I think my host has something misconfigured
[18:22] <willwh> they want me to pay them to investigate further (hah)
[18:22] <willwh> but they are slow / poor in response
[18:22] <willwh> so
[18:27] <DarwinSurvivor> willwh: do you have a copy of the actual iptables rules file (or script/etc)?
[18:28] <willwh> DarwinSurvivor: I think I figured it out
[18:28] <willwh> my host are just being cheeky bastards
[18:28] <DarwinSurvivor> willwh: double firewalled you?
[18:31] <willwh> no
[18:31] <willwh> they're telling me "INPUT" chain
[18:31] <willwh> if you look at that iptables output
[18:31] <willwh> it's PUB_IN
[18:31] <DarwinSurvivor> I would recommend moving your ESTABLISHED line to the top, then blocking all non-syn tcp packets immediately after. that will drastically cut down on the amount of illegitimate traffic that hits your server
[18:31] <willwh> that rules should be added to
[18:31] <willwh> ah
[18:32] <willwh> DarwinSurvivor: I'm a little confused still though
[18:32] <willwh> I am not sure how I ended up with so many chains
[18:33] <willwh> and the fact that adding stuff to INPUT was useless
[18:33] <willwh> I'm not making a lot of sense, hag
[18:33] <willwh> hah*
[18:33] <willwh> but trying to understand how a chain is applied
[18:33] <DarwinSurvivor> line 14 is useless as line 13 will prevent ANYTHING from getting to it
[18:34] <willwh> yes
[18:34] <willwh> but like I say - the INPUT chain rules seem to have almost no effect
[18:34] <willwh> it's all the PUB_IN
[18:34] <DarwinSurvivor> and you don't need a drop rule at the end of INPUT if your default policy is to drop
[18:34] <DarwinSurvivor> hmm
[18:34] <DarwinSurvivor> yeah, i see that
[18:34] <willwh> I don't understand the difference
[18:34] <willwh> or how they relate at all
[18:35] <DarwinSurvivor> do you know which network adapter is your external?
[18:35] <DarwinSurvivor> if it's anything but eth0, then 3 will not trigger and it will get blocked in PUB_IN
[18:35] <DarwinSurvivor> *rule 3
[18:35] <willwh> you mean rule 3 in INPUT?
[18:36] <DarwinSurvivor> yes
[18:36] <willwh> ahhh
[18:36] <DarwinSurvivor> if your external connections are not coming in through eth0, that rule will not work
[18:36] <willwh> right
[18:36] <willwh> eureka
[18:36] <willwh> I understand
[18:36] <willwh> :)
[18:36] <DarwinSurvivor> ifconfig should tell you which ones you have
[18:36] <willwh> yup
[18:36] <willwh> thanks mate
[18:36] <DarwinSurvivor> no problem
[18:36] <willwh> lo and 2 virtual interfaces
[18:36] <willwh> so that kinda explains that ;]
[18:36] <DarwinSurvivor> bingo
[18:38] <DarwinSurvivor> when I saw all the FOO+, I figured you had a non-standard setup
[18:41] <willwh> DarwinSurvivor> I would recommend moving your ESTABLISHED line to the top, then blocking all non-syn tcp packets immediately after. that will drastically cut down on the amount of illegitimate traffic that hits your server
[18:41] <willwh> how do I do that exactly? :)
[18:43] <DarwinSurvivor> do you have direct access to the iptables rules file?
[18:43] <willwh> DarwinSurvivor: yeah I have root on the box
[18:44] <DarwinSurvivor> ok
[18:44] <willwh> gotta take a call, back asap
[18:44] <DarwinSurvivor> first move rule 5 to right after rule 1 (so that banned ips are blocked even if they had already connected)
[18:44] <DarwinSurvivor> k
[18:46] <DarwinSurvivor> brb
[18:53] <DarwinSurvivor> back
[19:23] <willwh> DarwinSurvivor: yo
[19:23] <willwh> is it possible to move rules?
[19:23] <willwh> like #2 -> #7
[19:25] <DarwinSurvivor> willwh: what do you use to set the firewall rules? (iptables.rules file, bash script, web interface, etc)?
[19:26] <willwh> just command line
[19:26] <willwh> and services iptables save
[19:26] <willwh> there is a web interface
[19:26] <willwh> too
[19:27] <DarwinSurvivor> what distribution?
[19:27] <willwh> debian :D
[19:28] <willwh> I don't really like the route ubuntu has gone recently :(
[19:28] <DarwinSurvivor> see if there is an iptables.rules (or similar) file in /etc/
[19:29] <DarwinSurvivor> there may be 2 files (iptables.up.rules and iptables.down.rules)
[19:29] <willwh> /etc/iptables: rules & iptables.conf
[19:30] <DarwinSurvivor> is rules a file or directory?
[19:30] <willwh> file
[19:30] <willwh> and it's generated by iptables --save
[19:30] <willwh> sorry
[19:30] <willwh> iptables-save
[19:30] <willwh> argh - another call
[19:30] <willwh> :(
[19:31] <DarwinSurvivor> yes, that is a saved copy of all the iptables rules (which can be loaded with iptables-restore)
[19:31] <DarwinSurvivor> an easy way to modify the running firewall is to edit that file, then run iptables-restore again
[19:35] <DarwinSurvivor> if you don't want to mess with the system files, you could also use iptables-restore to create a new copy, then modify that
[19:41] <DarwinSurvivor> One hint: add an ACCEPT for your personal IP address at the very beginning of the INPUT chain so that you can always log back in if you mess up the firewall!
[19:55] <willwh> roger
[19:55] <willwh> so one more question DarwinSurvivor
[19:55] <willwh> it seems that I don't need all these chains
[19:55] <willwh> I should just use an INPUT / OUTPUT / FORWARD?
[20:00] <willwh> got it all ironed out
[20:00] <willwh> I really appreciate the advice, thanks very much DarwinSurvivor :)
[20:09] <DarwinSurvivor> no problem
[20:11] <DarwinSurvivor> using chains can simplify some things (like with fail2ban), but can also over-complicate things if you don't understand what they are doing
[22:55] <willwh> key Kip :D
[22:55] <willwh> how's it going man?!
[22:55] <willwh> DarwinSurvivor: you still around?
[22:55] <willwh> got an odd one
[22:55] <willwh> this works: ssh -i .ssh/ec2netro.pem ubuntu@ec2-23-21-37-13.compute-1.amazonaws.com
[22:55] <willwh> this in my .ssh/config - does not
[22:56] <willwh> Host ec2netro
[22:56] <willwh> Hostname ec2-23-21-37-13.compute-1.amazonaws.com
[22:56] <willwh> User ubuntu
[22:56] <willwh> PreferredAuthentications publickey
[22:56] <willwh> IdentityFile "/home/willwh/.shh/ec2netro.pem"
[22:56] <willwh> which is VERRRY strange
[22:56] <willwh> I don't understand :[