Hi Brian,
Ugh sadly you are right that it doesn’t appear to be installing the reject. Looks like maybe a bug that was introduced for clean 3.5 installs. Expect a fix to be pushed to yum in the next 24 hours.
On February 16, 2016 at 11:52:05 AM, Brian Candler () wrote:
On 16/02/2016 16:44, Andrew Lake wrote:
Your rules look fine? The INPUT chain says go to the perfSONAR
chain which I am guessing based on the first couple lines contains
the usual set of rules. Or is there nothing else in the perfSONAR
chain? See http://docs.perfsonar.net/manage_security.html for
what they usually look like.
Here are the complete rules from the "bad" box (not blocking):

# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
perfSONAR  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain perfSONAR (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 255
ACCEPT     icmpv6--  0.0.0.0/0           0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:123 udp
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:8090
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:33434:33634
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:8000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:8001:8020
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:843
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:7123
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:3001:3003
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:861
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:8760:9960
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:4823
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:6001:6200
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:6001:6200
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5000:5900
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5000:5900
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5001:5300
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5001:5300
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5001:5300
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5001:5300
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5301:5600
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5301:5600
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5301:5600
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5301:5600
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5601:5900
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5601:5900
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5601:5900
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5601:5900
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:6001:6200
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:6001:6200
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:6001:6200
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:6001:6200
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:8760:9960
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:8760:9960
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:8760:9960
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:8760:9960
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
Here are the complete rules from the "good" box (blocking):

# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  52.19.226.164        0.0.0.0/0            tcp dpt:10050 state NEW,ESTABLISHED
fail2ban-SSH  tcp  --  0.0.0.0/0         0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:22
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp spt:547 dpt:546
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8080
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:5060
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:8080
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:5060
perfSONAR  all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
REJECT     all  --  202.106.211.99       0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain perfSONAR (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 255
ACCEPT     icmpv6--  0.0.0.0/0           0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:123 udp
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:33434:33634
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:8000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:8001:8020
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:7123
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:3001:3003
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:861
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:8760:9960
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:4823
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:6001:6200
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:6001:6200
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5000:5900
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5000:5900
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:10101:10300
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:10101:10300
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:7
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:7
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5001:5300
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5001:5300
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5001:5300
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5001:5300
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5301:5600
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5301:5600
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5301:5600
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5301:5600
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5601:5900
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5601:5900
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5601:5900
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:5601:5900
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:6001:6200
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:6001:6200
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:6001:6200
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:6001:6200
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:8760:9960
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:8760:9960
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:8760:9960
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpts:8760:9960
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
You can see the difference is in the INPUT chain. The bad box is
missing all the rules apart from the one which bounces to the
perfSONAR chain. Since there is no REJECT rule anywhere, and an
ACCEPT policy, it never drops packets.
The good box has additional rules in the INPUT chain, including one
which bounces port 22 to the fail2ban-SSH chain, and ends with
REJECT all (reject-with icmp-port-unreachable) so that it actually
acts as a firewall.
Regards,
Brian.
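Brian's diagnosis (an ACCEPT policy on INPUT plus no catch-all REJECT anywhere in that chain means the "firewall" never refuses anything) can be turned into a check that runs against the output of `iptables -L -n`. The script below is an added example, not code from the thread or from the perfSONAR project. The four sample dumps are constructed, trimmed versions of the rule sets posted above; the helper does not follow jumps into user-defined chains (a deliberate simplification, which matches this thread because the perfSONAR chain ends in RETURN, not REJECT), and it treats a rule as a catch-all only when it is DROP or REJECT for protocol "all" from 0.0.0.0/0 to 0.0.0.0/0 with no further match.

```shell
#!/bin/sh
# Added example (not from the thread or the perfSONAR project): read the
# text of `iptables -L -n` on stdin and say whether the INPUT chain fails
# open, i.e. policy ACCEPT and no catch-all DROP/REJECT rule, so a packet
# that matches nothing is accepted (what the "bad" box above does).
#
# Simplifying assumption: jumps into user-defined chains are not followed.

# Prints "open", "blocks" or "no-input-chain" for the dump on stdin.
input_chain_verdict() {
    awk '
        /^Chain / {
            # "Chain INPUT (policy ACCEPT)"; user chains read "(1 references)"
            in_input = ($2 == "INPUT")
            if (in_input) { seen = 1; policy = $4; sub(/\)$/, "", policy) }
            next
        }
        !in_input || $1 == "target" || NF == 0 { next }  # other chains, header, blanks
        # Catch-all terminal rule: DROP/REJECT, any proto, any src, any dst,
        # and nothing after the destination except REJECT options.
        ($1 == "DROP" || $1 == "REJECT") && $2 == "all" &&
        $4 == "0.0.0.0/0" && $5 == "0.0.0.0/0" &&
        (NF == 5 || $6 == "reject-with") { catchall = 1 }
        END {
            if (!seen)                                print "no-input-chain"
            else if (policy == "ACCEPT" && !catchall) print "open"
            else                                      print "blocks"
        }
    '
}

# Constructed, trimmed version of the "bad" box: only a jump, chain ends in RETURN.
BAD_BOX='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
perfSONAR  all  --  0.0.0.0/0            0.0.0.0/0

Chain perfSONAR (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# Constructed, trimmed version of the "good" box: ends with a catch-all REJECT.
GOOD_BOX='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SSH  tcp  --  0.0.0.0/0         0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
perfSONAR  all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain perfSONAR (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# Constructed near-miss: a REJECT limited to one port is not a catch-all.
NEAR_MISS='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23 reject-with icmp-port-unreachable'

# Constructed: a DROP policy blocks even with an empty chain.
DROP_POLICY='Chain INPUT (policy DROP)
target     prot opt source               destination'

bad_box_verdict()     { printf '%s\n' "$BAD_BOX"     | input_chain_verdict; }
good_box_verdict()    { printf '%s\n' "$GOOD_BOX"    | input_chain_verdict; }
near_miss_verdict()   { printf '%s\n' "$NEAR_MISS"   | input_chain_verdict; }
drop_policy_verdict() { printf '%s\n' "$DROP_POLICY" | input_chain_verdict; }

# Stand-alone run: show the verdict for each constructed dump.
for f in bad_box_verdict good_box_verdict near_miss_verdict drop_policy_verdict; do
    printf '%-22s %s\n' "$f:" "$($f)"
done
```

On a live host the same helper is used as `iptables -L -n | input_chain_verdict`; an answer of "open" is exactly the "bad" box condition in the thread, and the fix is a terminal `REJECT all` (or a DROP policy), not more ACCEPT rules.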