Firewall is blocking all



g_hammer
31-May-2013, 14:37
Hi,

After changing the name and IP address, the firewall is blocking all requests after rebooting.
I cannot even ping the machine, and I cannot stop the firewall.
If I reboot the machine with disabled firewall and start it manually it works as expected.

Can anybody help me with this problem? It is SLES 11 SP2.

Best regards
Gerlinde Hammer

ab
31-May-2013, 15:21
Normally the firewall will not block ICMP echo requests at all, and while
you can implement that the few places I've seen block them have done so
using sysctl, as I recall. Anyway, as a result I do not believe the
firewall is involved, but there are more things to check.

First, do you have the old IP/netmask/gateway documented? If so, please
share them.

Second, please post the output from the following commands:

Code:
----------
ip addr
ip route
----------

Next, please post output from the following when the firewall is running
and things are not working:

Code:
----------
ip -s link
/usr/sbin/iptables -nvL
----------

Finally, post the output from the same commands after booting with the
firewall initially disabled but then started when things are working
correctly.

Good luck.

g_hammer
03-Jun-2013, 12:31
Hi,
thanks for your answer.
Here are the outputs.

ip addr output is:

Code:
----------
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet 127.0.0.2/8 brd 127.255.255.255 scope host secondary lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether e0:db:55:1f:a3:12 brd ff:ff:ff:ff:ff:ff
    inet 131.173.111.149/23 brd 131.173.111.255 scope global em1
    inet6 fe80::e2db:55ff:fe1f:a312/64 scope link
       valid_lft forever preferred_lft forever
3: em2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether e0:db:55:1f:a3:14 brd ff:ff:ff:ff:ff:ff
----------


ip route output is:

Code:
----------
default via 131.173.111.254 dev em1
127.0.0.0/8 dev lo scope link
131.173.110.0/23 dev em1 proto kernel scope link src 131.173.111.149
----------


ip -s link output when not working:

Code:
----------
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet 127.0.0.2/8 brd 127.255.255.255 scope host secondary lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether e0:db:55:1f:a3:12 brd ff:ff:ff:ff:ff:ff
    inet 131.173.111.149/23 brd 131.173.111.255 scope global em1
    inet6 fe80::e2db:55ff:fe1f:a312/64 scope link
       valid_lft forever preferred_lft forever
3: em2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether e0:db:55:1f:a3:14 brd ff:ff:ff:ff:ff:ff
----------

ip -s link output when working:

Code:
----------
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast
    3678447    5228     0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    3678447    5228     0       0       0       0
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether e0:db:55:1f:a3:12 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    24337807   57230    0       556     0       4746
    TX: bytes  packets  errors  dropped carrier collsns
    6505926    23458    0       0       0       0
3: em2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether e0:db:55:1f:a3:14 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0
----------

iptables -nvL output when not working:

Code:
----------
Chain INPUT (policy DROP 995 packets, 155K bytes)
 pkts bytes target     prot opt in     out     source               destination
   71  168K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  677 79517 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 679 packets, 50292 bytes)
 pkts bytes target     prot opt in     out     source               destination
   73  168K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

Chain reject_func (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable
----------

iptables -nvL output when working:

Code:
----------
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   27  2587 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  391 34556 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED
  170 30429 input_ext  all  --  em1    *       0.0.0.0/0            0.0.0.0/0
    0     0 input_ext  all  --  em2    *       0.0.0.0/0            0.0.0.0/0
    0     0 input_ext  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '

Chain OUTPUT (policy ACCEPT 363 packets, 257K bytes)
 pkts bytes target     prot opt in     out     source               destination
   27  2587 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

Chain forward_ext (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_ext (3 references)
 pkts bytes target     prot opt in     out     source               destination
  163 29969 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpts:12097:12099 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:12097:12099
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:4544 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4544
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:9090 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9090
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:22 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    6   380 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    7   460 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = multicast
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject_func (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable
----------


Best regards
Gerlinde Hammer

ab
03-Jun-2013, 13:09
On 06/03/2013 05:34 AM, g hammer wrote:
> ip -s link output when not working:
>
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> inet 127.0.0.2/8 brd 127.255.255.255 scope host secondary lo
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
> qlen 1000
> link/ether e0:db:55:1f:a3:12 brd ff:ff:ff:ff:ff:ff
> inet 131.173.111.149/23 brd 131.173.111.255 scope global em1
> inet6 fe80::e2db:55ff:fe1f:a312/64 scope link
> valid_lft forever preferred_lft forever
> 3: em2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
> link/ether e0:db:55:1f:a3:14 brd ff:ff:ff:ff:ff:ff

I think this is actually 'ip addr' output. Can we get the 'ip -s link'
output when not working? Also, for anything pasted please put it within
Code tags which I think is detailed in some of the forum docs if you are
unfamiliar with the practice. This basically preserves the layout of the
data so that it looks the same to me as it did to you in a terminal.

> iptables -nvL output when not working:
>
> Chain INPUT (policy DROP 995 packets, 155K bytes)
> pkts bytes target prot opt in out source
> destination
> 71 168K ACCEPT all -- lo * 0.0.0.0/0
> 0.0.0.0/0
> 677 79517 ACCEPT all -- * * 0.0.0.0/0
> 0.0.0.0/0 state ESTABLISHED
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0
> 0.0.0.0/0 state RELATED
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
>
> Chain OUTPUT (policy ACCEPT 679 packets, 50292 bytes)
> pkts bytes target prot opt in out source
> destination
> 73 168K ACCEPT all -- * lo 0.0.0.0/0
> 0.0.0.0/0
>
> Chain reject_func (0 references)
> pkts bytes target prot opt in out source
> destination
> 0 0 REJECT tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 reject-with tcp-reset
> 0 0 REJECT udp -- * * 0.0.0.0/0
> 0.0.0.0/0 reject-with icmp-port-unreachable
> 0 0 REJECT all -- * * 0.0.0.0/0
> 0.0.0.0/0 reject-with icmp-proto-unreachable
>
> iptables -nvL output when working:
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> 27 2587 ACCEPT all -- lo * 0.0.0.0/0
> 0.0.0.0/0
> 391 34556 ACCEPT all -- * * 0.0.0.0/0
> 0.0.0.0/0 state ESTABLISHED
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0
> 0.0.0.0/0 state RELATED
> 170 30429 input_ext all -- em1 * 0.0.0.0/0
> 0.0.0.0/0
> 0 0 input_ext all -- em2 * 0.0.0.0/0
> 0.0.0.0/0
> 0 0 input_ext all -- * * 0.0.0.0/0
> 0.0.0.0/0
> 0 0 LOG all -- * * 0.0.0.0/0
> 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix
> `SFW2-IN-ILL-TARGET '
> 0 0 DROP all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> 0 0 LOG all -- * * 0.0.0.0/0
> 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix
> `SFW2-FWD-ILL-ROUTING '
>
> Chain OUTPUT (policy ACCEPT 363 packets, 257K bytes)
> pkts bytes target prot opt in out source
> destination
> 27 2587 ACCEPT all -- * lo 0.0.0.0/0
> 0.0.0.0/0
>
> Chain forward_ext (0 references)
> pkts bytes target prot opt in out source
> destination
>
> Chain input_ext (3 references)
> pkts bytes target prot opt in out source
> destination
> 163 29969 DROP all -- * * 0.0.0.0/0
> 0.0.0.0/0 PKTTYPE = broadcast
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0
> 0.0.0.0/0 icmp type 4
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0
> 0.0.0.0/0 icmp type 8
> 0 0 LOG tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpts:12097:12099
> flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 tcp dpts:12097:12099
> 0 0 LOG tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:4544
> flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:4544
> 0 0 LOG tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:9090
> flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:9090
> 0 0 LOG tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:22 flags:0x17/0x02
> LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:22
> 6 380 LOG all -- * * 0.0.0.0/0
> 0.0.0.0/0 limit: avg 3/min burst 5 PKTTYPE = multicast LOG
> flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
> 7 460 DROP all -- * * 0.0.0.0/0
> 0.0.0.0/0 PKTTYPE = multicast
> 0 0 DROP all -- * * 0.0.0.0/0
> 0.0.0.0/0 PKTTYPE = broadcast
> 0 0 LOG tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG
> flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
> 0 0 LOG icmp -- * * 0.0.0.0/0
> 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix
> `SFW2-INext-DROP-DEFLT '
> 0 0 LOG udp -- * * 0.0.0.0/0
> 0.0.0.0/0 limit: avg 3/min burst 5 state NEW LOG flags 6 level
> 4 prefix `SFW2-INext-DROP-DEFLT '
> 0 0 DROP all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> Chain reject_func (0 references)
> pkts bytes target prot opt in out source
> destination
> 0 0 REJECT tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 reject-with tcp-reset
> 0 0 REJECT udp -- * * 0.0.0.0/0
> 0.0.0.0/0 reject-with icmp-port-unreachable
> 0 0 REJECT all -- * * 0.0.0.0/0
> 0.0.0.0/0 reject-with icmp-proto-unreachable

Well this is quite the difference. When working there are a bunch of
rules setup for em1 and em2, and everything else really, to allow a bunch
of things through the firewall. When not working.... not so much and
therefore it appears that things just hit the default DROP policy and go
away. You mentioned this started when you changed IP and "name" which I
assume means the server hostname. Neither of those changes has ever
tweaked the firewall for me, so are you sure there were no other changes
at the time, either to networking, the firewall, or maybe with SLES
patches? Also, if you go into your firewall configuration now
(`/sbin/yast firewall`) and look at things in there do you see your NIC(s)
set for the proper (probably external) zone?

When you disable the firewall (after rebooting with it enabled when things
are not working at all) what do you get from the same `iptables -nvL`
command? A disabled firewall is not really disabled, it is just
infinitely tolerant of traffic and typically has no rules with default
policies of ACCEPT so everything just moves through without NetFilter (the
firewall) restrictions.

Do you have any other scripts or code that are configuring your firewall?
For example, some of these port ranges are unfamiliar to me at first
glance, so is there an application in particular on the box that may be
trying to configure the firewall for you which could be upset now that the
system is reconfigured?

Good luck.
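The distinction ab draws above (a default DROP policy with the zone chains never loaded, versus a "disabled" firewall that simply has ACCEPT policies and no rules) can be checked mechanically rather than by reading the whole listing. The POSIX shell script below is an added example and is not code from the thread or from SuSEfirewall2; it classifies an `iptables -nvL` dump read from stdin. It assumes SuSEfirewall2 dispatches interface traffic into zone chains named `input_ext`, `input_int` and `input_dmz` (only `input_ext` appears in the working output above; the other two names are an assumption), and the function names are this example's own. The two sample dumps are constructed, trimmed from the outputs Gerlinde posted.

```shell
#!/bin/sh
# Added example, not part of the thread: classify an `iptables -nvL` dump
# (read from stdin) so the "not working" and "working" states can be told
# apart without eyeballing the whole listing.
#
# Assumptions: SuSEfirewall2 hands interface traffic to zone chains named
# input_ext / input_int / input_dmz (input_ext is visible in the thread; the
# other two names are assumed). Helper names below are this example's own.

# INPUT chain policy (DROP or ACCEPT) from an iptables -nvL dump on stdin.
input_policy() {
    sed -n 's/^Chain INPUT (policy \([A-Z]*\).*/\1/p'
}

# Number of INPUT rules that dispatch traffic into a SuSEfirewall2 zone chain.
# Field 3 of a rule line is the target; "Chain" header lines set the context.
zone_dispatch_rules() {
    awk '
        /^Chain /  { chain = $2; next }
        chain == "INPUT" && $3 ~ /^input_(ext|int|dmz)$/ { n++ }
        END        { print n + 0 }
    '
}

# "interface zone_chain" pairs, one per line, for the dispatch rules found
# (field 6 is the "in" interface column).
zone_interfaces() {
    awk '
        /^Chain /  { chain = $2; next }
        chain == "INPUT" && $3 ~ /^input_(ext|int|dmz)$/ { print $6, $3 }
    '
}

# Verdict: open   - INPUT policy ACCEPT (firewall disabled / rules flushed)
#          loaded - DROP policy plus zone dispatch rules (rule set loaded)
#          bare   - DROP policy but no zone chain referenced: the policy was
#                   set yet the rule set never got loaded, which is the
#                   "not working" state in the thread.
sfw2_state() {
    dump=$(cat)
    policy=$(printf '%s\n' "$dump" | input_policy)
    dispatch=$(printf '%s\n' "$dump" | zone_dispatch_rules)
    if [ "$policy" = "ACCEPT" ]; then
        echo open
    elif [ "$dispatch" -gt 0 ]; then
        echo loaded
    else
        echo bare
    fi
}

# Constructed sample dumps, trimmed from the outputs posted in the thread.
NOT_WORKING_DUMP='Chain INPUT (policy DROP 995 packets, 155K bytes)
 pkts bytes target prot opt in out source destination
   71  168K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
  677 79517 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
    0     0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 679 packets, 50292 bytes)
 pkts bytes target prot opt in out source destination
   73  168K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0'

WORKING_DUMP='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
   27  2587 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
  391 34556 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
    0     0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
  170 30429 input_ext all -- em1 * 0.0.0.0/0 0.0.0.0/0
    0     0 input_ext all -- em2 * 0.0.0.0/0 0.0.0.0/0
    0     0 input_ext all -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain input_ext (3 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22'

printf 'not working: %s\n' "$(printf '%s\n' "$NOT_WORKING_DUMP" | sfw2_state)"
printf 'working:     %s\n' "$(printf '%s\n' "$WORKING_DUMP" | sfw2_state)"
printf '%s\n' "$WORKING_DUMP" | zone_interfaces
```

On a live SLES box the same functions run as `/usr/sbin/iptables -nvL | sfw2_state`. A verdict of `bare` while SuSEfirewall2 is supposed to be running means the policies were set but the zone rules never got loaded, which points at whatever starts the firewall at boot (an init script or another script touching iptables) rather than at the rule configuration itself; `zone_interfaces` then confirms whether em1 and em2 are being dispatched to the expected zone.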

g_hammer
06-Jun-2013, 08:03
Hi,

you were right: there was a different script that prevented the firewall from starting completely.

Thanks for the hint.

Best regards
Gerlinde

ab
06-Jun-2013, 13:06
Well that was a lucky guess then. Thank-you for posting back your
results; I was beginning to worry that I didn't understand the Yast-based
firewall nearly as well as I thought I did.

Good luck.