Hi John<br><br>It's been a long time since I worked with iptables, but one thing that used to trip me up is forgetting to explicitly flush the tables.<br><br>I eventually wrote a script for this:<br><br>#!/bin/bash<br>
#<br># iptables.init script<br># flushes all tables, zeroes counters, resets policies<br>#<br># Dan Martin University of Manitoba 0599441<br># for 74.757 Advanced Networking<br># <br>IPTABLES="/sbin/iptables"<br>
# iptables.init script<br># modules loaded and tables flushed<br>echo "Previous iptables"<br>echo<br>$IPTABLES -L --line-numbers -v<br>echo<br>$IPTABLES -t nat -L --line-numbers -v<br>echo<br>$IPTABLES -t mangle -L --line-numbers -v<br>
echo<br>#<br>#<br>$IPTABLES -F<br>$IPTABLES -t nat -F<br>$IPTABLES -t mangle -F<br>$IPTABLES -X<br>$IPTABLES -Z<br>$IPTABLES -t nat -Z<br>$IPTABLES -t mangle -Z<br>$IPTABLES -P INPUT ACCEPT<br>$IPTABLES -P OUTPUT ACCEPT<br>
$IPTABLES -P FORWARD ACCEPT<br>#<br>#<br>echo "Cleaned iptables"<br>echo<br>$IPTABLES -L --line-numbers -v<br>echo<br>$IPTABLES -t nat -L --line-numbers -v<br>echo<br>$IPTABLES -t mangle -L --line-numbers -v<br>
echo<br><br><div class="gmail_quote">On Wed, Jan 11, 2012 at 1:50 PM, John Lange <span dir="ltr"><<a href="mailto:john@johnlange.ca">john@johnlange.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I'm hoping someone suggest a fix for this.<br>
<br>
We moved some applications over to a new server which still had the<br>
default firewall rules in place which included a rate limiting "drop"<br>
rule that looks like this:<br>
<br>
iptables -A input_ext -m limit --limit 3/min -m conntrack --ctstate<br>
NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options<br>
--log-ip-options<br>
<br>
In short, limit to 3 new connections per minute.<br>
<br>
It turns out this was way to short for our application and so I just<br>
removed all firewall rules by stopping the firewal (this is on<br>
OpenSUSE).<br>
<br>
The last firewall log message indicates that a packet was being<br>
dropped to a specific IP due to a rate limit but now the server will<br>
not send packets to that IP at all! tcpdump shows that the packets are<br>
not even attempting to leave the interface.<br>
<br>
It seems like netfilter blocked the ip on the rate limit rule and now<br>
its "stuck".<br>
<br>
I tried specifically allowing that IP and even recreated the limit<br>
rule thinking that would "reactivate" the chain but it doesn't work.<br>
<br>
My guess is that a reboot would fix it but the server is in production<br>
and can not be rebooted without a scheduled outage.<br>
<br>
The only other thing I can think of is to reload all of the netfilter<br>
kernel modules but again that is too risky on a production system.<br>
<br>
Any other ideas on how to clear the filter?<br>
<br>
Is there a command to display the current status of what netfilter is<br>
tracking and dropping?<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
John Lange<br>
_______________________________________________<br>
Roundtable mailing list<br>
<a href="mailto:Roundtable@muug.mb.ca">Roundtable@muug.mb.ca</a><br>
<a href="http://www.muug.mb.ca/mailman/listinfo/roundtable" target="_blank">http://www.muug.mb.ca/mailman/listinfo/roundtable</a><br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br>Dan Martin, MD<br>GP Hospital Practitioner<br>Computer Scientist<br><a href="mailto:ummar143@shaw.ca">ummar143@shaw.ca</a><br>(204) 831-1746<br>answering machine always on <br>