Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

Serious error in my iptables rules?

Linux Kernel, Network, and Services configuration.
Post Reply
Message
Author
CaptTaifun
Posts: 1
Joined: 2018-06-30 00:42

Serious error in my iptables rules?

#1 Post by CaptTaifun »

Good morning/day/evening to you!

First, our setup:
Rented vServer with Debian Stretch (v9.4)
LXC and LXD (LXD with snap) installed
LXC container (IP: 10.0.3.2) with TeamSpeak 3 server running
LXC container (IP: 10.0.3.3) with running sinusbot (TeamSpeak 3 musicbot)
Network interface (lxdbr0) set up via lxd init

Problem:
Our TeamSpeak 3 server, which is running in an LXC/LXD container, sometimes drops the connection to all clients on the server.

Further information:
I have set up some rules under iptables, which only lets packets through, defined by me via the incoming and outgoing ports.

What I've discovered so far:
We have a musicbot running in another container which does not connect to the TeamSpeak 3 server over the public IP, but over the local IP (i.e. container 10.0.3.3 (Sinusbot) connects to container 10.0.3.4 (TeamSpeak 3 server)).
So the packets don't get to the firewall, if I understood correctly. Yesterday, 29 June, there was this timeout for a maximum of 2 seconds. The timeout never lasts longer. The server really only drops the connections and allows them again immediately. In the log files of the Sinusbot, however, there is no information that the bot has also been kicked. In fact, I assume that my iptables rules are flawed.

Could someone please take a look and tell me if there's something wrong with it? And first of all: I am a student at an IT school and am more of a software programmer than a network technician. I think I have a basic understanding of what I am doing, but I had to teach myself most of it. So please be merciful if I made one or more big mistakes :P.

Log file for the accepted network packets:
https://www.dropbox.com/s/k30qxnfo0d7la ... s.log?dl=0

Log file for the dropped network packets:
https://www.dropbox.com/s/739ccqxp3dany ... s.log?dl=0

My iptables rules:

Code: Select all

#!/bin/sh
# -------------- Load Modules --------------
modprobe ip_conntrack_ftp
# -------------- Clear all other rules --------------
iptables -F
iptables -X
iptables -t nat -F
# -------------- Creation of my own chains --------------
iptables -N MYDROP
iptables -N MYACCEPT
# -------------- Loopback communication --------------
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -i lo -j ACCEPT
# -------------- Statefull inspection --------------
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j MYDROP
# -------------- Configuring my own chains --------------
iptables -A MYDROP -j LOG --log-prefix "FW-DROP: "
iptables -A MYDROP -j DROP
iptables -A MYACCEPT -j LOG --log-prefix "FW-ACCEPT: "
iptables -A MYACCEPT -j ACCEPT
# -------------- Debian Updates --------------
iptables -A OUTPUT -p tcp --dport 80 -j MYACCEPT
# -------------- SSH --------------
iptables -A INPUT -p tcp --dport xxxxx -j MYACCEPT
# -------------- ICMP Ping --------------
iptables -A INPUT -p icmp -j MYACCEPT
# -------------- DNS --------------
iptables -A INPUT -p udp --dport 53 -j MYACCEPT
iptables -A OUTPUT -p udp --dport 53 -j MYACCEPT
# -------------- LXC --------------
iptables -A FORWARD -d 10.0.3.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j MYACCEPT
iptables -A FORWARD -s 10.0.3.0/24 -j MYACCEPT
iptables -A INPUT -d 224.0.0.251 -s 10.0.3.1 -j MYACCEPT
iptables -A INPUT -d 239.255.255.250 -s 10.0.3.1 -j MYACCEPT
iptables -A INPUT -d 10.0.3.255 -s 10.0.3.1 -j MYACCEPT
iptables -A INPUT -d 10.0.3.1 -s 10.0.3.0/24 -j MYACCEPT
iptables -t nat -A POSTROUTING -s 10.0.3.0/24 -j MASQUERADE
# -------------- LXC - Pre-Routing --------------
iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 8087 -j DNAT --to 10.0.3.3:8087
iptables -t nat -A PREROUTING -i ens3 -p udp --dport 9987 -j DNAT --to 10.0.3.2:9987
iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 30033 -j DNAT --to 10.0.3.2:30033
iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 10011 -j DNAT --to 10.0.3.2:10011
iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 41144 -j DNAT --to 10.0.3.2:41144
# -------------- LXC - Forwarding --------------
iptables -A FORWARD -p tcp -d 10.0.3.3 --dport 8087 -j MYACCEPT
iptables -A FORWARD -p udp -d 10.0.3.2 --dport 9987 -j MYACCEPT
iptables -A FORWARD -p tcp -d 10.0.3.2 --dport 30033 -j MYACCEPT
iptables -A FORWARD -p tcp -d 10.0.3.2 --dport 10011 -j MYACCEPT
iptables -A FORWARD -p tcp -d 10.0.3.2 --dport 41144 -j MYACCEPT
# -------------- END --------------
iptables -A INPUT -j MYDROP
iptables -A OUTPUT -j MYDROP
iptables -A FORWARD -j MYDROP
exit 0
I am grateful for any help!

Post Reply