[ale] iptables ruleset blocks external traffic... OUTPUT policy is ACCEPT

Jim Kinney jim.kinney at gmail.com
Fri May 16 10:56:50 EDT 2014


Do you have conn_track on? Without it, the allow RELATED,ESTABLISHED line
will fail and all return traffic will get dropped. Check
/proc/sys/net/netfilter for nf_conntrack_* files. If missing, the kernel is
not loading the conn_track module.


On Fri, May 16, 2014 at 9:38 AM, Adrya Stembridge <
adrya.stembridge at gmail.com> wrote:

> My previous INPUT policy was ACCEPT. I'm attempting to limit access to a
> machine to specific subnets (4.3.2.0/24), so I added a couple of rules for
> that (including one to allow LDAP traffic over port 636), then set the
> INPUT policy to DROP. From that point on I can't access any external
> content. The OUTPUT policy is ACCEPT. If I change the INPUT policy
> back to ACCEPT, I can again access external content.
>
> Here's the ruleset:
>
> Chain INPUT (policy DROP 461 packets, 81259 bytes)
> num   pkts bytes target     prot opt in     out     source               destination
> 1    11835 1095K fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
> 2    2972K 1083M ACCEPT     all  --  *      *       4.3.2.0/24           0.0.0.0/0
> 3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:636
> 4    3747K  436M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> num   pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 89676 packets, 26M bytes)
> num   pkts bytes target     prot opt in     out     source               destination
>
> Chain fail2ban-SSH (1 references)
> num   pkts bytes target     prot opt in     out     source               destination
> 1    11776 1092K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
>
> Any idea what in here could be causing the holdup?
>
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>


-- 
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you gain
at one end you lose at the other. It's like feeding a dog on his own tail.
It won't fatten the dog.
- Speech 11/23/1900 Mark Twain


http://heretothereideas.blogspot.com/
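The two checks Jim's reply suggests, written out as a small POSIX shell script. This is an added example, not code from either poster: `conntrack_present` looks for nf_conntrack_* entries under a sysctl directory (the real one is /proc/sys/net/netfilter; the directory argument exists only so the check can be exercised against a constructed tree), and `input_has_established_rule` / `input_policy` read a saved `iptables -L -n -v --line-numbers` dump such as the one quoted above. The sample ruleset written by `write_sample_ruleset` is a constructed copy of the quoted output. Function names are this example's own.

```shell
#!/bin/sh
# Added example: diagnose why return traffic dies under "INPUT policy DROP".
# Two things must hold for replies to outbound connections to be accepted:
#   1. connection tracking is loaded (nf_conntrack_* appear under
#      /proc/sys/net/netfilter only once the nf_conntrack module is in);
#   2. the INPUT chain carries an ACCEPT rule matching RELATED,ESTABLISHED.

# conntrack_present [DIR]
# 0 if at least one nf_conntrack_* file exists in DIR, else 1.
# DIR defaults to the real sysctl tree; a constructed directory can be passed for testing.
conntrack_present() {
    dir="${1:-/proc/sys/net/netfilter}"
    for f in "$dir"/nf_conntrack_*; do
        [ -e "$f" ] && return 0     # glob expanded to a real file
    done
    return 1                        # glob stayed literal: nothing matched
}

# input_policy FILE
# Prints the INPUT chain's default policy from a saved "iptables -L -n -v" dump.
input_policy() {
    awk '/^Chain INPUT / { print $4; exit }' "$1"
}

# input_has_established_rule FILE
# 0 if, inside the INPUT chain of the dump, some ACCEPT rule matches
# RELATED,ESTABLISHED (either "state" or "conntrack --ctstate" syntax), else 1.
input_has_established_rule() {
    awk '
        /^Chain /                                            { in_input = ($2 == "INPUT") }
        in_input && $4 == "ACCEPT" && /RELATED,ESTABLISHED/  { found = 1 }
        END                                                  { exit found ? 0 : 1 }
    ' "$1"
}

# write_sample_ruleset PATH
# Constructed sample: the INPUT chain as quoted in the thread, without the ">" quoting.
write_sample_ruleset() {
    cat > "$1" <<'EOF'
Chain INPUT (policy DROP 461 packets, 81259 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    11835 1095K fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
2    2972K 1083M ACCEPT     all  --  *      *       4.3.2.0/24           0.0.0.0/0
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:636
4    3747K  436M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 89676 packets, 26M bytes)
num   pkts bytes target     prot opt in     out     source               destination
EOF
}

# diagnose RULES_FILE [SYSCTL_DIR]
# Prints findings; returns 0 only when both conditions hold.
diagnose() {
    rules="$1"; sysdir="${2:-/proc/sys/net/netfilter}"; rc=0
    if conntrack_present "$sysdir"; then
        echo "conntrack: nf_conntrack_* present under $sysdir"
    else
        echo "conntrack: MISSING under $sysdir (load it with: modprobe nf_conntrack)"; rc=1
    fi
    echo "INPUT policy: $(input_policy "$rules")"
    if input_has_established_rule "$rules"; then
        echo "INPUT: RELATED,ESTABLISHED accept rule found"
    else
        echo "INPUT: no RELATED,ESTABLISHED accept rule; reply packets fall through to the policy"; rc=1
    fi
    return $rc
}

# Usage on a live box (not run automatically):
#   iptables -L -n -v --line-numbers > /tmp/rules.txt && diagnose /tmp/rules.txt
```

When `diagnose` reports conntrack missing, `modprobe nf_conntrack` followed by a re-run of the check is the next step; if both checks pass and outbound access is still blocked with the DROP policy, the problem is outside the two things this thread points at.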

