[RndTbl] Bizarre netfilter behaviour
Gilbert E. Detillieux
gedetil at cs.umanitoba.ca
Wed Jan 11 14:22:14 CST 2012
On 2012-01-11 13:50, John Lange wrote:
> I'm hoping someone suggest a fix for this.
>
> We moved some applications over to a new server which still had the
> default firewall rules in place which included a rate limiting "drop"
> rule that looks like this:
>
> iptables -A input_ext -m limit --limit 3/min -m conntrack --ctstate
> NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options
> --log-ip-options
>
> In short, limit to 3 new connections per minute.
>
> It turns out this was way to short for our application and so I just
> removed all firewall rules by stopping the firewal (this is on
> OpenSUSE).
>
> The last firewall log message indicates that a packet was being
> dropped to a specific IP due to a rate limit but now the server will
> not send packets to that IP at all! tcpdump shows that the packets are
> not even attempting to leave the interface.
>
> It seems like netfilter blocked the ip on the rate limit rule and now
> its "stuck".
>
> I tried specifically allowing that IP and even recreated the limit
> rule thinking that would "reactivate" the chain but it doesn't work.
>
> My guess is that a reboot would fix it but the server is in production
> and can not be rebooted without a scheduled outage.
>
> The only other thing I can think of is to reload all of the netfilter
> kernel modules but again that is too risky on a production system.
>
> Any other ideas on how to clear the filter?
Have you tried this "iptables" option?...
-Z, --zero [chain]
Zero the packet and byte counters in all chains. It is legal to
specify the -L, --list (list) option as well, to see the coun-
ters immediately before they are cleared. (See above.)
> Is there a command to display the current status of what netfilter is
> tracking and dropping?
I don't know if this will give you the information you need...
-L, --list [chain]
List all rules in the selected chain. If no chain is selected,
all chains are listed. As every other iptables command, it
applies to the specified table (filter is the default), so NAT
rules get listed by
iptables -t nat -n -L
Please note that it is often used with the -n option, in order
to avoid long reverse DNS lookups. It is legal to specify the
-Z (zero) option as well, in which case the chain(s) will be
atomically listed and zeroed. The exact output is affected by
the other arguments given. The exact rules are suppressed until
you use
iptables -L -v
Some information is also available under /proc/net, such as
/proc/net/ip_conntrack, which shows all connections being tracked. I
don't know where the limit counters are available, though.
--
Gilbert E. Detillieux E-mail: <gedetil at muug.mb.ca>
Manitoba UNIX User Group Web: http://www.muug.mb.ca/
PO Box 130 St-Boniface Phone: (204)474-8161
Winnipeg MB CANADA R2H 3B4 Fax: (204)474-7609
More information about the Roundtable
mailing list