  1. #1 (Join Date: Jan 2008, Posts: 47)

    IPTables in a HyperVM/OpenVZ HIB (CentOS4) troubles

    Anybody any good with iptables? I'm having some real troubles with it on one VPS (strangely it's working fine on an identical VPS that I have), but this one is causing me troubles and I don't know how to get to the bottom of it.

    I have tried with a simple script:

    IPT="/sbin/iptables"
    $IPT --flush
    $IPT --delete-chain
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT

    This works fine. I then try:

    IPT="/sbin/iptables"
    $IPT --flush
    $IPT --delete-chain
    $IPT -P INPUT DROP
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -s 0/0 -j ACCEPT

    This allows SSH traffic in from anywhere, BUT, for some reason all outbound traffic seems to stop. Even adding a rule like:

    $IPT -A OUTPUT -j ACCEPT

    doesn't make any difference. I've also tried specific rules for a type of traffic (like allowing a destination port of 25 out to a specific address) but without success. As soon as I stop iptables everything works fine (so I know it's not a routing/networking issue etc.).

    I do not have control of the node so cannot check anything there. Anybody any ideas of what I can do next?

  2. #2 (Join Date: Nov 2005, Location: Michigan, USA, Posts: 3,872)
    I'm assuming it's the same problem most any beginner OpenVZ provider has. They aren't allowing the correct modules in order for IPTables to work correctly; there really isn't anything you can do. You need your provider to enable all the modules for inside the VE.

  3. #3 (Join Date: Jan 2008, Posts: 47)
    Thanks for your quick response.

    I thought it must be something like that, as the VPS was on an unstable node beforehand and my script (a slightly more complex one which also uses states) worked fine before it was moved to this node. I've raised multiple support tickets on the subject and I get a lot of "your issue is now resolved please check and let us know" and then after a few of those the ticket ends with "can you please raise a new ticket so we can support you better with this issue" ... then on the new ticket all the same questions get asked again.

    I'll keep on at them if this is the case, unless anyone can think of something obvious that I am missing?

  4. #4 (Join Date: Mar 2005, Location: Labrador, Canada, Posts: 951)
    Quote Originally Posted by felikz:

    IPT="/sbin/iptables"
    $IPT --flush
    $IPT --delete-chain
    $IPT -P INPUT DROP
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -s 0/0 -j ACCEPT

    This allows SSH traffic in from anywhere, BUT, for some reason all outbound traffic seems to stop. Even adding a rule like:

    $IPT -A OUTPUT -j ACCEPT

    Well, you've blocked all incoming traffic except SSH, so there's not likely to be much outgoing traffic... For example, httpd won't be serving requests because there aren't any requests -- incoming port 80 is blocked.

    To check whether iptables is functioning correctly on your VPS just do:

    # iptables -L

    If you see errors about modules then you have a problem which your provider needs to address.

    If you see data displayed for INPUT, FORWARD, OUTPUT chains (etc.) then iptables is functioning correctly. You just need to sort out your rules.

    If you're going to set the default INPUT to DROP, you must then explicitly open (ACCEPT) every port where you have a daemon, e.g. http port 80, ssh port 22, etc.

  5. #5 (Join Date: Jan 2008, Posts: 47)
    Quote Originally Posted by sleddog:
    Well, you've blocked all incoming traffic except SSH, so there's not likely to be much outgoing traffic... For example, httpd won't be serving requests because there aren't any requests -- incoming port 80 is blocked.
    By outbound traffic I mean I can SSH in but then any traffic out from the server (as an example, DNS queries/trying to deliver mail to an SMTP server etc.) fails. SSH works fine, if I open port 80 then http works fine, as does the traffic back to the connecting client ... what doesn't work is traffic originating from the host.

    Quote Originally Posted by sleddog:
    If you're going to set the default INPUT to DROP, you must then explicitly open (ACCEPT) every port where you have a daemon, e.g. http port 80, ssh port 22, etc.
    I'm aware of this; as I'm trying to get to the root of the problem, I'm using scripts which are as simple as possible!
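
    Added example, not code from the thread: a small shell helper that applies sleddog's `iptables -L` check from post #4 to captured output, and prints the minimal INPUT-DROP ruleset that also accepts the replies to connections the host itself opens, which is the traffic felikz reports failing in post #5. The function names, the sample listings and the extra loopback and state rules are mine, not the thread's; the `$IPT` variable follows the original scripts.

```shell
#!/bin/sh
# Added example, not code from the thread. classify_iptables_output() applies
# the check from post #4 to captured `iptables -L` output, and print_rules()
# emits a minimal INPUT-DROP ruleset that keeps host-originated traffic
# working. Helper names and the sample outputs are constructed here.

IPT="${IPT:-/sbin/iptables}"

# Return 0 when the listing shows the three filter chains (netfilter usable in
# the VE), 1 when it carries a kernel-module error (the provider's problem),
# 2 for anything else.
classify_iptables_output() {
    case "$1" in
        *"can't initialize iptables table"*|*"No chain/target/match by that name"*) return 1 ;;
        *"Chain INPUT"*"Chain FORWARD"*"Chain OUTPUT"*) return 0 ;;
        *) return 2 ;;
    esac
}

# Print the ruleset rather than applying it (review it, then pipe into sh).
# With policy INPUT DROP, replies to connections the host itself opens (DNS
# lookups, outbound SMTP) arrive on INPUT and are dropped unless a
# connection-tracking rule accepts them; the thread's second script has none.
print_rules() {
    cat <<EOF
$IPT --flush
$IPT --delete-chain
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
EOF
}

# Constructed sample outputs standing in for a real `iptables -L` run.
SAMPLE_OK='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

SAMPLE_BROKEN="iptables: can't initialize iptables table \`filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded."
```

If the provider has not enabled the state match inside the VE, the `-m state` rule itself fails with the same "No chain/target/match" message the classifier flags, which points back at the node rather than at the rules.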

  6. #6 (Join Date: Jan 2008, Posts: 47)
    Okay, this is becoming quite a nightmare for me now. Would anybody be willing to help me out with rules? Although I'm confused as to what the issue is, as the rules were working fine before the move of the VPS. However, I'm no iptables expert!

  7. #7 (Join Date: Jan 2008, Posts: 47)
    Moved to another node and all is well, I'm guessing it must have been a kernel issue.
