
CentOS 6.8 dropping all connections

Posted: 2018/06/05 04:51:55
by alfie13
Hi,

I have a CentOS 6.8 (Final) server (on Production). How can I allow the incoming connections from a different private subnet? Currently, it is accessible on the same network (10.0.6.x). Below is my IPTABLES, but currently it is not working as expected.

-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.6.104/32 -i bond0 -j ACCEPT
-A INPUT -s 192.168.6.1/32 -i bond0 -j ACCEPT
-A INPUT -i bond0 -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 21 -m comment --comment "ftp" -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -m comment --comment "ssh" -j ACCEPT
-A INPUT -s 10.8.0.0/24 -i eth0 -j ACCEPT
-A INPUT -s 10.10.200.0/24 -j ACCEPT
-A INPUT -s 10.23.101.0/24 -j ACCEPT
-A INPUT -s 10.8.0.0/24 -j ACCEPT
-A INPUT -s 10.0.6.0/24 -i eth0 -j ACCEPT
-A INPUT -s 10.10.100.0/24 -i eth0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 20 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.168.6.104/32 -o bond0 -j ACCEPT
-A OUTPUT -d 192.168.6.1/32 -o bond0 -j ACCEPT
-A OUTPUT -o bond0 -j DROP
-A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -m state --state NEW -m owner --uid-owner root -m comment --comment "root" -j ACCEPT
-A OUTPUT -s 10.0.6.0/24 -o eth0 -j ACCEPT
-A OUTPUT -s 10.10.100.0/24 -o eth0 -j ACCEPT


Can you please help?

Regards,

Re: CentOS 6.8 dropping all connections

Posted: 2018/06/05 08:34:28
by TrevorH
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.6.104/32 -i bond0 -j ACCEPT
-A INPUT -s 192.168.6.1/32 -i bond0 -j ACCEPT
-A INPUT -i bond0 -j DROP
So you allow anything from localhost and from those two specified ip addresses and then DROP everything else. At that point, all the rest of your INPUT rules are ignored.

You have the same sort of problem in the OUTPUT chain too.

Also, you need to yum update as 6.8 is ancient and missing important fixes. RHEL 6.10 is in beta upstream and 6.9 is the current version.

Re: CentOS 6.8 dropping all connections

Posted: 2018/06/05 08:53:09
by alfie13
Hi TrevorH,

bond0 is a different interface. We should access this server under this 10.0.6.X subnet range which is configured in eth0 interface. Is it affecting the remaining rules even though we dropped the connection coming from bond0 (192.168.6.x)?

Also, are there any files that control the traffic of incoming and outgoing connections?

Regards,

Re: CentOS 6.8 dropping all connections

Posted: 2018/06/05 10:43:52
by TrevorH
If you specify an interface then those rules should only apply to that interface.

What ip address are you coming from and via what interface for the things you have problems with?

Re: CentOS 6.8 dropping all connections

Posted: 2018/06/05 11:16:36
by tunk
Does it work if you (temporarily) switch off the firewall?
If not, could it be a problem with your router setup?

Re: CentOS 6.8 dropping all connections

Posted: 2018/06/06 00:38:42
by alfie13
Hi TrevorH,

Please see my update below:

What ip address are you coming from and via what interface for the things you have problems with?
- I tried to access the server using 10.10.100.0/24, 10.10.200.0/24, 10.8.0.0/24 and 10.23.101.0/24. The interface that is having the issue is eth0 (10.0.6.0/24).

Hi Tunk,

Does it work if you (temporarily) switch off the firewall?
- I already did this but I got the same issue.
If not, could it be a problem with your router setup?
- I don't think so. Since this is the only server that I can't access when I'm on the 10.10.100.0/24, 10.10.200.0/24, 10.8.0.0/24 and 10.23.101.0/24 subnet range. So this server is blocking the traffic.

Regards,

Re: CentOS 6.8 dropping all connections

Posted: 2018/06/06 07:34:09
by alfie13
Hi Again,

I tried to flush the iptables, but after that, every connection on this server got disconnected. Before I flushed it, here are the things that I did:

1. iptables -save > iptable.rule

I tried to restore it using iptables-restore > iptable.rule, but still failing. Anything I missed?

Regards,
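
Added example, not part of the thread or any poster's code: a small Python model of first-match evaluation over the INPUT chain posted above. It shows that the `-i bond0 -j DROP` rule only ends evaluation for bond0 traffic, and that flushing the rules leaves the `-P INPUT DROP` policy in force. The packets are constructed, and the model treats `-m` and `--comment` as no-ops and takes the connection state as given.

```python
import ipaddress
import shlex

# INPUT chain exactly as posted in the thread (iptables -S format).
POSTED_INPUT = """\
-P INPUT DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.6.104/32 -i bond0 -j ACCEPT
-A INPUT -s 192.168.6.1/32 -i bond0 -j ACCEPT
-A INPUT -i bond0 -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 21 -m comment --comment "ftp" -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -m comment --comment "ssh" -j ACCEPT
-A INPUT -s 10.8.0.0/24 -i eth0 -j ACCEPT
-A INPUT -s 10.10.200.0/24 -j ACCEPT
-A INPUT -s 10.23.101.0/24 -j ACCEPT
-A INPUT -s 10.8.0.0/24 -j ACCEPT
-A INPUT -s 10.0.6.0/24 -i eth0 -j ACCEPT
-A INPUT -s 10.10.100.0/24 -i eth0 -j ACCEPT
"""

def parse(text):
    """Return (policy, rules); each rule maps option -> value, e.g. {'-i': 'eth0', '-j': 'ACCEPT'}."""
    policy, rules = None, []
    for tok in map(shlex.split, text.splitlines()):
        if tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
        elif tok[:2] == ["-A", "INPUT"]:
            rules.append(dict(zip(tok[2::2], tok[3::2])))  # options come in flag/value pairs
    return policy, rules

def verdict(policy, rules, pkt):
    """First rule whose every match holds decides; if none matches, the chain policy does."""
    src = ipaddress.ip_address(pkt["src"])
    for n, r in enumerate(rules, 1):
        if (r.get("-i", pkt["iface"]) == pkt["iface"]
                and src in ipaddress.ip_network(r.get("-s", "0.0.0.0/0"))
                and r.get("-p", pkt["proto"]) == pkt["proto"]
                and r.get("--dport", str(pkt["dport"])) == str(pkt["dport"])
                and pkt["state"] in r.get("--state", pkt["state"]).split(",")):
            return r["-j"], n  # (target, 1-based rule number)
    return policy, None

if __name__ == "__main__":
    policy, rules = parse(POSTED_INPUT)
    # Constructed packet: new SSH connection arriving on eth0 from another subnet.
    pkt = {"iface": "eth0", "src": "10.10.100.5", "proto": "tcp", "dport": 22, "state": "NEW"}
    print(verdict(policy, rules, pkt))  # with the posted rules
    print(verdict(policy, [], pkt))     # after `iptables -F`: rules gone, policy remains
```

With the posted rules the eth0 SSH packet is accepted by rule 8; with the chain flushed, the same packet falls through to the DROP policy.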

Re: CentOS 6.8 dropping all connections

Posted: 2018/06/06 10:15:29
by tunk
Is there a typo in iptables-restore, or should it have been: iptables-restore < iptable.rule
It works on the subnet, but does not work from other subnets when the firewall is off:
To me this suggests that the problem lies outside the server.
I have no experience with enterprise routers, but I got the impression that they are very configurable:
Could there be some setting on the router port that blocks it?

Re: CentOS 6.8 dropping all connections

Posted: 2018/06/08 00:37:44
by alfie13
Hi Guys,

I already resolved the issue. I just added a gateway on my interface eth0 and restarted the network service.

Thanks all!