perfsonar-user - Re: [perfsonar-user] Perfsonar ports - tracepath blocked
Subject: perfSONAR User Q&A and Other Discussion
List archive
- From: Brian Candler <>
- To: Andrew Lake <>, "" <>
- Subject: Re: [perfsonar-user] Perfsonar ports - tracepath blocked
- Date: Tue, 16 Feb 2016 16:51:48 +0000
On 16/02/2016 16:44, Andrew Lake wrote:
Here are the complete rules from the "bad" box (not blocking):

# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
perfSONAR  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain perfSONAR (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 255
ACCEPT     icmpv6--  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:123 udp
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:8090
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:33434:33634
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:8000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:8001:8020
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:843
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:7123
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:3001:3003
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:861
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:8760:9960
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:4823
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:6001:6200
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:6001:6200
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5000:5900
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5000:5900
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5001:5300
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5001:5300
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5001:5300
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5001:5300
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5301:5600
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5301:5600
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5301:5600
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5301:5600
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5601:5900
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5601:5900
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5601:5900
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5601:5900
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:6001:6200
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:6001:6200
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:6001:6200
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:6001:6200
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:8760:9960
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:8760:9960
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:8760:9960
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:8760:9960
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Here are the complete rules from the "good" box (blocking):

# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  52.19.226.164        0.0.0.0/0            tcp dpt:10050 state NEW,ESTABLISHED
fail2ban-SSH  tcp  --  0.0.0.0/0         0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:22
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp spt:547 dpt:546
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8080
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:5060
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:8080
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:5060
perfSONAR  all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
REJECT     all  --  202.106.211.99       0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain perfSONAR (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 255
ACCEPT     icmpv6--  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:123 udp
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:33434:33634
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:8000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:8001:8020
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:7123
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:3001:3003
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:861
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:8760:9960
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:4823
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:6001:6200
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:6001:6200
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5000:5900
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5000:5900
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:10101:10300
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:10101:10300
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:7
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:7
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5001:5300
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5001:5300
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5001:5300
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5001:5300
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5301:5600
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5301:5600
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5301:5600
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5301:5600
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5601:5900
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5601:5900
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5601:5900
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5601:5900
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:6001:6200
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:6001:6200
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:6001:6200
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:6001:6200
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:8760:9960
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:8760:9960
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:8760:9960
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:8760:9960
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

You can see the difference is in the INPUT chain. The bad box is missing all the rules apart from the one which bounces to the perfSONAR chain. Since there is no REJECT rule anywhere, and an ACCEPT policy, it never drops packets.

The good box has additional rules in the INPUT chain, including one which bounces port 22 to the fail2ban-SSH chain, and ends with REJECT all (reject-with icmp-port-unreachable) so that it actually acts as a firewall.

Regards,

Brian.
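As an added example, not part of Brian's message or of perfSONAR's own tooling, here is a Python audit of `iptables -L -n` output that reports built-in chains whose policy is ACCEPT and which never reach a catch-all REJECT/DROP, the "bad box" condition described above; it follows jumps into user chains such as perfSONAR so that a RETURN there is handled. The two embedded listings (BAD_BOX, GOOD_BOX) are constructed, shortened versions of the output quoted in the message.

```python
"""Audit `iptables -L -n` output for built-in chains with policy ACCEPT and no catch-all REJECT/DROP (added example; the sample listings are constructed)."""
import re
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)$")

def parse_chains(listing):
    """chain name -> {'policy': str, or None for user chains, 'rules': [(target, prot, src, dst, extra)]}"""
    chains, cur = {}, None
    for raw in listing.splitlines():
        line = re.sub(r"(\w)--", r"\1 --", raw.strip())  # iptables prints 'icmpv6--' fused
        m = CHAIN_RE.match(line)
        if m:
            cur = m.group(1)
            chains[cur] = {"policy": m.group(2), "rules": []}
        elif line and cur and not line.startswith("target"):  # skip blank and column-header lines
            f = line.split(None, 5)
            chains[cur]["rules"].append((f[0], f[1], f[3], f[4], f[5] if len(f) > 5 else ""))
    return chains

def catch_all_reject(chains, name, seen=frozenset()):
    """True if a packet matching no specific rule in `name` hits an unconditional REJECT/DROP,
    following jumps into user chains (whose RETURN hands control back to the caller)."""
    for target, prot, src, dst, extra in chains[name]["rules"]:
        if (prot, src, dst) != ("all", "0.0.0.0/0", "0.0.0.0/0"):
            continue  # a protocol or address match is present, so this is not a catch-all
        if target in ("REJECT", "DROP") and re.fullmatch(r"(reject-with \S+)?", extra):
            return True
        if target == "RETURN":
            return False
        if target in chains and target not in seen and catch_all_reject(chains, target, seen | {name}):
            return True
    return False

def open_chains(listing):
    """Built-in chains with policy ACCEPT that never reject: the 'not blocking' box in the thread."""
    chains = parse_chains(listing)
    return sorted(n for n, c in chains.items() if c["policy"] == "ACCEPT" and not catch_all_reject(chains, n))

BAD_BOX = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
perfSONAR  all  --  0.0.0.0/0            0.0.0.0/0
Chain perfSONAR (1 references)
ACCEPT     icmpv6--  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""
GOOD_BOX = """\
Chain INPUT (policy ACCEPT)
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
perfSONAR  all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
"""
```

`iptables -L -n` omits interface matches (they are shown only with `-v`), so an `ACCEPT all` row that is really `-i lo` looks unconditional in this format; the check therefore looks only for the presence of a catch-all reject, which is the test Brian applies above.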
- RE: [perfsonar-user] Perfsonar ports - tracepath blocked, (continued)
- RE: [perfsonar-user] Perfsonar ports - tracepath blocked, Garnizov, Ivan (RRZE), 02/16/2016
- Re: [perfsonar-user] Perfsonar ports - tracepath blocked, Brian Candler, 02/16/2016
- RE: [perfsonar-user] Perfsonar ports - tracepath blocked, Garnizov, Ivan (RRZE), 02/16/2016
- RE: [perfsonar-user] Perfsonar ports - tracepath blocked, Andrew Lake, 02/16/2016
- Re: [perfsonar-user] Perfsonar ports - tracepath blocked, Brian Candler, 02/16/2016
- Re: [perfsonar-user] Perfsonar ports - tracepath blocked, Andrew Lake, 02/16/2016
- Re: [perfsonar-user] Perfsonar ports - tracepath blocked, Brian Candler, 02/16/2016
- Re: [perfsonar-user] Perfsonar ports - tracepath blocked, Brian Candler, 02/16/2016
- RE: [perfsonar-user] Perfsonar ports - tracepath blocked, Garnizov, Ivan (RRZE), 02/16/2016
- Re: [perfsonar-user] Perfsonar ports - tracepath blocked, Andrew Lake, 02/16/2016
- Re: [perfsonar-user] Perfsonar ports - tracepath blocked, Brian Candler, 02/16/2016
- Re: [perfsonar-user] Perfsonar ports - tracepath blocked, Andrew Lake, 02/16/2016
- Re: [perfsonar-user] Perfsonar ports - tracepath blocked, Brian Candler, 02/16/2016
- Re: [perfsonar-user] Perfsonar ports - tracepath blocked, Andrew Lake, 02/16/2016
- Re: [perfsonar-user] Perfsonar ports - tracepath blocked, Andrew Lake, 02/16/2016
- Re: [perfsonar-user] Perfsonar ports - tracepath blocked, Brian Candler, 02/18/2016
- Re: [perfsonar-user] Perfsonar ports - tracepath blocked, Andrew Lake, 02/18/2016
- RE: [perfsonar-user] Perfsonar ports - tracepath blocked, Garnizov, Ivan (RRZE), 02/16/2016
- Re: [perfsonar-user] Perfsonar ports - tracepath blocked, Andrew Lake, 02/16/2016
Archive powered by MHonArc 2.6.16.