[RndTbl] Bizarre netfilter behaviour

Gilbert E. Detillieux gedetil at cs.umanitoba.ca
Wed Jan 11 14:22:14 CST 2012


On 2012-01-11 13:50, John Lange wrote:
> I'm hoping someone can suggest a fix for this.
>
> We moved some applications over to a new server which still had the
> default firewall rules in place which included a rate limiting "drop"
> rule that looks like this:
>
> iptables -A input_ext -m limit --limit 3/min -m conntrack --ctstate
> NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options
> --log-ip-options
>
> In short, limit to 3 new connections per minute.
>
> It turns out this was way too short for our application and so I just
> removed all firewall rules by stopping the firewall (this is on
> OpenSUSE).
>
> The last firewall log message indicates that a packet was being
> dropped to a specific IP due to a rate limit but now the server will
> not send packets to that IP at all! tcpdump shows that the packets are
> not even attempting to leave the interface.
>
> It seems like netfilter blocked the IP on the rate limit rule and now
> it's "stuck".
>
> I tried specifically allowing that IP and even recreated the limit
> rule thinking that would "reactivate" the chain but it doesn't work.
>
> My guess is that a reboot would fix it but the server is in production
> and can not be rebooted without a scheduled outage.
>
> The only other thing I can think of is to reload all of the netfilter
> kernel modules but again that is too risky on a production system.
>
> Any other ideas on how to clear the filter?

Have you tried this "iptables" option?...

   -Z, --zero [chain]
         Zero the packet and byte counters in all chains.  It is legal to
         specify the -L, --list (list) option as well, to see the counters
         immediately before they are cleared. (See above.)

> Is there a command to display the current status of what netfilter is
> tracking and dropping?

I don't know if this will give you the information you need...

   -L, --list [chain]
         List  all rules in the selected chain.  If no chain is selected,
         all chains are listed.  As  every  other  iptables  command,  it
         applies  to  the specified table (filter is the default), so NAT
         rules get listed by
             iptables -t nat -n -L
         Please note that it is often used with the -n option,  in  order
         to  avoid  long reverse DNS lookups.  It is legal to specify the
         -Z (zero) option as well, in which case  the  chain(s)  will  be
         atomically  listed  and zeroed.  The exact output is affected by
         the other arguments given. The exact rules are suppressed  until
         you use
             iptables -L -v

Some information is also available under /proc/net, such as 
/proc/net/ip_conntrack, which shows all connections being tracked.  I 
don't know where the limit counters are available, though.

-- 
Gilbert E. Detillieux		E-mail: <gedetil at muug.mb.ca>
Manitoba UNIX User Group	Web:	http://www.muug.mb.ca/
PO Box 130 St-Boniface		Phone:  (204)474-8161
Winnipeg MB CANADA  R2H 3B4	Fax:    (204)474-7609
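
An added example, not code from either message above, showing how to read the state netfilter does expose for one peer: the per-rule hit counters from "iptables -L <chain> -v -n -x" and the tracked flows from /proc/net/nf_conntrack (or the older /proc/net/ip_conntrack that Gilbert mentions). The chain name input_ext and the LOG prefix are taken from the rule in John's message; the peer address 192.0.2.10, the rule set and the conntrack lines are constructed sample data so the script runs offline, and the live section at the bottom only runs as root on a host that has iptables. Two things it makes visible: a LOG rule guarded by "-m limit" only counts the packets it logged (at most the limit rate), so the last log line is not the last drop and the DROP rule's counter is the one to read; and a half-open flow shows up as [UNREPLIED] in the conntrack table and stays there until its timeout runs out, whether or not the rule that dropped its packets still exists.

```shell
#!/bin/sh
# Added example (not part of the original thread): inspect netfilter rule
# counters and connection-tracking entries for one peer.  All sample data
# below is constructed; 192.0.2.10 is a documentation address, not a host.

PEER=192.0.2.10

# Constructed sample of `iptables -L input_ext -v -n -x` output.
SAMPLE_RULES='Chain input_ext (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      12      1440 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 ctstate NEW LOG flags 7 level 4 prefix "SFW2-INext-DROP-DEFLT "
     987    118440 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
  145210  98123456 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED'

# Constructed sample of /proc/net/nf_conntrack: one established flow to the
# peer, one half-open flow the peer never answered, one unrelated DNS flow.
SAMPLE_CT='ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=54321 dport=443 src=192.0.2.10 dst=10.0.0.5 sport=443 dport=54321 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 119 SYN_SENT src=10.0.0.5 dst=192.0.2.10 sport=54322 dport=443 [UNREPLIED] src=192.0.2.10 dst=10.0.0.5 sport=443 dport=54322 mark=0 use=2
ipv4     2 udp     17 29 src=10.0.0.5 dst=10.0.0.1 sport=40000 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=40000 mark=0 use=1'

# Print "pkts target <match text>" for every LOG/DROP/REJECT rule with a
# non-zero packet counter.  Fields 1-9 are the fixed iptables columns; the
# match description (limit:, ctstate, ...) starts at field 10.
rules_with_hits() {
    printf '%s\n' "$1" | awk '
        NR > 2 && $1 + 0 > 0 && ($3 == "LOG" || $3 == "DROP" || $3 == "REJECT") {
            extra = ""
            for (i = 10; i <= NF; i++) extra = extra " " $i
            printf "%s %s%s\n", $1, $3, extra
        }'
}

# Number of rules that actually discard traffic (DROP/REJECT) and have hits;
# a LOG rule is not one of them even when it carries the "DROP" prefix.
count_dropping_rules() {
    printf '%s\n' "$1" | awk '
        NR > 2 && $1 + 0 > 0 && ($3 == "DROP" || $3 == "REJECT") { n++ }
        END { print n + 0 }'
}

# Tracked flows that involve the peer in either direction.  Fixed-string
# match with a trailing space so 192.0.2.1 does not match 192.0.2.10.
conntrack_for_peer() {
    printf '%s\n' "$2" | grep -F -e "src=$1 " -e "dst=$1 " || true
}

count_conntrack_for_peer() {
    conntrack_for_peer "$1" "$2" | grep -c . || true
}

# Half-open flows: the peer never replied, so the entry stays until its
# timeout expires even after the rule that dropped its packets is gone.
count_unreplied_for_peer() {
    conntrack_for_peer "$1" "$2" | grep -c '\[UNREPLIED\]' || true
}

# Offline run against the constructed samples.
echo "rules with hits in input_ext:"
rules_with_hits "$SAMPLE_RULES"
echo "flows involving $PEER: $(count_conntrack_for_peer "$PEER" "$SAMPLE_CT")" \
     "(unreplied: $(count_unreplied_for_peer "$PEER" "$SAMPLE_CT"))"

# Live run: same checks against the kernel.  Needs root and iptables; skipped
# otherwise so the script still works offline.
if [ "$(id -u 2>/dev/null)" = 0 ] && command -v iptables >/dev/null 2>&1; then
    rules_with_hits "$(iptables -L input_ext -v -n -x 2>/dev/null)"
    CT_FILE=/proc/net/nf_conntrack
    [ -r "$CT_FILE" ] || CT_FILE=/proc/net/ip_conntrack
    [ -r "$CT_FILE" ] && conntrack_for_peer "$PEER" "$(cat "$CT_FILE")"
    # "iptables -Z" only zeroes the counters printed above; it resets neither
    # the limit match nor the conntrack table.  A tracked flow is removed
    # with conntrack-tools, e.g.  conntrack -D -s "$PEER"  (and -d "$PEER").
fi
```

Three points worth keeping in mind when reading the output. "iptables -Z" clears the packet and byte counters and nothing else; it has no effect on the limit match's token bucket or on the conntrack table. The limit match's state belongs to the rule instance, so deleting the rule (or flushing the chain) discards it and re-adding the rule starts with a full bucket; there is no separate "blocked IP" list behind "-m limit", which matches per rule, not per address. Conntrack entries, on the other hand, outlive the rules: they expire on their own timeouts or are deleted explicitly with the conntrack-tools "conntrack -L" / "conntrack -D" commands, which is the non-reboot way to get rid of a stale entry for one peer.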

