=== jlamothe is now known as Guest60057
=== Guest60057 is now known as jlamothe
[18:18] hey guys :)
[18:18] anyone alive? could use a hand to talk something through :)
[18:18] I have a VPS that is running iptables
[18:19] I think my host are idiots and something is misconfigured
[18:19] let me save my iptables rules and I'll link em, 2min
[18:21] http://willwh.com/iptables.txt
[18:21] so my port 80 traffic == np
[18:21] the app I have bound to 3000 is not accessible remotely
[18:21] I can hit it like so; lynx localhost:3000
[18:21] on the host
[18:21] can't connect externally
[18:22] iptables looks good to me
[18:22] and I think my host has something misconfigured
[18:22] they want me to pay them to investigate further (hah)
[18:22] but they are slow / poor in response
[18:22] so
[18:27] willwh: do you have a copy of the actual iptables rules file (or script/etc)?
[18:28] DarwinSurvivor: I think I figured it out
[18:28] my host are just being cheeky bastards
[18:28] willwh: double firewalled you?
[18:31] no
[18:31] they're telling me "INPUT" chain
[18:31] if you look at that iptables output
[18:31] it's PUB_IN
[18:31] I would recommend moving your ESTABLISHED line to the top, then blocking all non-syn tcp packets immediately after. that will drastically cut down on the amount of illegitimate traffic that hits your server
[18:31] that rules should be added to
[18:31] ah
[18:32] DarwinSurvivor: I'm a little confused still though
[18:32] I am not sure how I ended up with so many chains
[18:33] and the fact that adding stuff to INPUT was useless
[18:33] I'm not making a lot of sense, hag
[18:33] hah*
[18:33] but trying to understand how a chain is applied
[18:33] line 14 is useless as line 13 will prevent ANYTHING from getting to it
[18:34] yes
[18:34] but like I say - the INPUT chain rules seem to have almost no effect
[18:34] it's all the PUB_IN
[18:34] and you don't need a drop rule at the end of INPUT if your default policy is to drop
[18:34] hmm
[18:34] yeah, i see that
[18:34] I don't understand the difference
[18:34] or how they relate at all
[18:35] do you know which network adapter is your external?
[18:35] if it's anything but eth0, then 3 will not trigger and it will get blocked in PUB_IN
[18:35] *rule 3
[18:35] you mean rule 3 in INPUT?
[18:36] yes
[18:36] ahhh
[18:36] if your external connections are not coming in through eth0, that rule will not work
[18:36] right
[18:36] eureka
[18:36] I understand
[18:36] :)
[18:36] ifconfig should tell you which ones you have
[18:36] yup
[18:36] thanks mate
[18:36] no problem
[18:36] lo and 2 virtual interfaces
[18:36] so that kinda explains that ;]
[18:36] bingo
[18:38] when I saw all the FOO+, I figured you had a non-standard setup
[18:41] DarwinSurvivor> I would recommend moving your ESTABLISHED line to the top, then blocking all non-syn tcp packets immediately after. that will drastically cut down on the amount of illegitimate traffic that hits your server
[18:41] how do I do that exactly? :)
[18:43] do you have direct access to the iptables rules file?
[18:43] DarwinSurvivor: yeah I have root on the box
[18:44] ok
[18:44] gotta take a call, back asap
[18:44] first move rule 5 to right after rule 1 (so that banned ips are blocked even if they had already connected)
[18:44] k
[18:46] brb
[18:53] back
[19:23] DarwinSurvivor: yo
[19:23] is it possible to move rules?
[19:23] like #2 -> #7
[19:25] willwh: what do you use to set the firewall rules? (iptables.rules file, bash script, web interface, etc)?
[19:26] just command line
[19:26] and services iptables save
[19:26] there is a web interface
[19:26] too
[19:27] what distribution?
[19:27] debian :D
[19:28] I don't really like the route ubuntu has gone recently :(
[19:28] see if there is an iptables.rules (or similar) file in /etc/
[19:29] there may be 2 files (iptables.up.rules and iptables.down.rules)
[19:29] /etc/iptables: rules & iptables.conf
[19:30] is rules a file or directory?
[19:30] file
[19:30] and it's generated by iptables --save
[19:30] sorry
[19:30] iptables-save
[19:30] argh - another call
[19:30] :(
[19:31] yes, that is a saved copy of all the iptables rules (which can be loaded with iptables-restore)
[19:31] an easy way to modify the running firewall is to edit that file, then run iptables-restore again
[19:35] if you don't want to mess with the system files, you could also use iptables-restore to create a new copy, then modify that
[19:41] One hint: add an ACCEPT for your personal IP address at the very beginning of the INPUT chain so that you can always log back in if you mess up the firewall!
[19:55] roger
[19:55] so one more question DarwinSurvivor
[19:55] it seems that I don't need all these chains
[19:55] I should just use an INPUT / OUTPUT / FORWARD?
[20:00] got it all ironed out
[20:00] I really appreciate the advice, thanks very much DarwinSurvivor :)
[20:09] no problem
[20:11] using chains can simplify some things (like with fail2ban), but can also over-complicate things if you don't understand what they are doing
[22:55] hey Kip :D
[22:55] how's it going man?!
[22:55] DarwinSurvivor: you still around?
[22:55] got an odd one
[22:55] this works: ssh -i .ssh/ec2netro.pem ubuntu@ec2-23-21-37-13.compute-1.amazonaws.com
[22:55] this in my .ssh/config - does not
[22:56] Host ec2netro
[22:56] Hostname ec2-23-21-37-13.compute-1.amazonaws.com
[22:56] User ubuntu
[22:56] PreferredAuthentications publickey
[22:56] IdentityFile "/home/willwh/.shh/ec2netro.pem"
[22:56] which is VERRRY strange
[22:56] I don't understand :[