2.3.35-3+netfilter (ip_nat+iptables) => hard lockup

Arjan Filius (arjan@nospam.xs4all.nl)
Sun, 26 Dec 1999 20:04:16 +0100 (CET)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Andrea Arcangeli: "Re: Object Based Storage and File System Snapshots: alpha release"
Previous message: Manfred Spraul: "[PATCH] Documentation/oops-tracking update"
Next in thread: Bernard Wei: "Re: 2.3.35-3+netfilter (ip_nat+iptables) => hard lockup"
Maybe reply: Bernard Wei: "Re: 2.3.35-3+netfilter (ip_nat+iptables) => hard lockup"

Hello,

Yesterday i retried my netfilter script to configure ip_nat & iptables on
various interfaces (just downed/installed netfilter-0.1.13), and all
seemed to went well, until i decided to test it with nmap(same machine),
and got a solid lockup (even no magic keys).

After a power-off+manual e2fsck, reconfigured again ip_nat/iptables and
went away for a while, but when i came back i found the machine at similar
way locked up. I suspect a packet arrived for iptables (no ip_nat because
nat is only used on ppp0, which i use for my ISP, and was not connected)

The same script i used for earlyer 2.3 kernels (only then with
netfilter-0.1.12), and i do see a relation now with some spontanious
reboots then (they stopped when my kernel was too new for
netfilter-0.1.12, so no ip_nat/iptables defined)

My kernel is at this moment the pre3-2.3.35 with almost anything compiled
as module.

My script used (and yes the firewall rules are not optimal yet, just a
_first_ attempt):

#!/bin/sh

echo "Running: $0"

# Netfilter script for gt 2.2 kernel
export PATH=$PATH:/usr/local/bin/

modprobe ip_nat || exit 1

modprobe iptables || exit 1

PACKET_TCP_INPUT_PORTS="20:22 37 53 80 87 443 1024:3285 3287:3601 3603:5999 6001:6710 6712:9999 10001:14089 14093:20004 20006:40000 40002: "
PACKET_UDP_INPUT_PORTS="21:22 53 123 443 1024: "
PACKET_TCP_OUTPUT_PORTS="$PACKET_TCP_INPUT_PORTS"
PACKET_UDP_OUTPUT_PORTS="$PACKET_UDP_INPUT_PORTS"

INTERNET_TCP_INPUT_PORTS="$PACKET_TCP_INPUT_PORTS"
INTERNET_UDP_INPUT_PORTS="$PACKET_UDP_INPUT_PORTS"
INTERNET_TCP_OUTPUT_PORTS="$PACKET_TCP_INPUT_PORTS"
INTERNET_UDP_OUTPUT_PORTS="$PACKET_UDP_INPUT_PORTS"

LOCALNET_TCP_INPUT_PORTS="$PACKET_TCP_INPUT_PORTS"
LOCALNET_UDP_INPUT_PORTS="$PACKET_UDP_INPUT_PORTS"
LOCALNET_TCP_OUTPUT_PORTS="$PACKET_TCP_INPUT_PORTS"
LOCALNET_UDP_OUTPUT_PORTS="$PACKET_UDP_INPUT_PORTS"

LOG="LOG --log-tcp-sequence --log-tcp-options --log-ip-options"

iptables -F
ipnatctl -F

ipnatctl -I -s 192.168.0.0/16 -o ppp0 -b source -m masquerade
ipnatctl -I -s 27.0.0.0/8 -o ppp0 -b source -m masquerade

#ipmasqadm portfw -a -P tcp -L 27.137.26.42 87 -R 27.137.26.43 87
ipnatctl -I -p tcp -d 27.137.26.42 --dport 87 -b dest -t 27.137.26.43 --to-port 87
ipnatctl -L

iptables -N packet_in
iptables -N packet_out

iptables -N packet_forward

iptables -N internet_in
iptables -N internet_out

iptables -N localnet_in
iptables -N localnet_out

iptables -A INPUT -p all -s 27.0.0.0/8 -d 27.0.0.0/8 -j packet_in -i scc0
iptables -A INPUT -p all -s 27.0.0.0/8 -d 27.0.0.0/8 -j packet_in -i scc1
iptables -A INPUT -p all -s 27.0.0.0/8 -d 27.0.0.0/8 -j packet_in -i scc2
iptables -A INPUT -p all -s 27.0.0.0/8 -d 27.0.0.0/8 -j packet_in -i sl0
iptables -A INPUT -p all -j internet_in -i ppp0
iptables -A INPUT -p all -j localnet_in -i eth0

iptables -A INPUT -p all -j $LOG -o scc0
iptables -A INPUT -p all -j $LOG -o scc1
iptables -A INPUT -p all -j $LOG -o scc2
iptables -A INPUT -p all -j $LOG -o sl0
iptables -A INPUT -p all -j $LOG -o ppp0
iptables -A INPUT -p all -j $LOG -o eth0

iptables -A INPUT -p all -j REJECT -i scc0
iptables -A INPUT -p all -j REJECT -i scc1
iptables -A INPUT -p all -j REJECT -i scc2
iptables -A INPUT -p all -j REJECT -i sl0
iptables -A INPUT -p all -j REJECT -i ppp0
iptables -A INPUT -p all -j REJECT -i eth0

iptables -A OUTPUT -p all -s 27.0.0.0/8 -d 27.0.0.0/8 -j packet_out -o scc0
iptables -A OUTPUT -p all -s 27.0.0.0/8 -d 27.0.0.0/8 -j packet_out -o scc1
iptables -A OUTPUT -p all -s 27.0.0.0/8 -d 27.0.0.0/8 -j packet_out -o scc2
iptables -A OUTPUT -p all -s 27.0.0.0/8 -d 27.0.0.0/8 -j packet_out -o sl0
iptables -A OUTPUT -p all -j internet_out -o ppp0
iptables -A OUTPUT -p all -j localnet_out -o eth0

iptables -A OUTPUT -p all -j $LOG -o scc0
iptables -A OUTPUT -p all -j $LOG -o scc1
iptables -A OUTPUT -p all -j $LOG -o scc2
iptables -A OUTPUT -p all -j $LOG -o sl0
iptables -A OUTPUT -p all -j $LOG -o ppp0
iptables -A OUTPUT -p all -j $LOG -o eth0

iptables -A OUTPUT -p all -j REJECT -o scc0
iptables -A OUTPUT -p all -j REJECT -o scc1
iptables -A OUTPUT -p all -j REJECT -o scc2
iptables -A OUTPUT -p all -j REJECT -o sl0
iptables -A OUTPUT -p all -j REJECT -o ppp0
iptables -A OUTPUT -p all -j REJECT -o eth0

iptables -A FORWARD -p all -s 27.0.0.0/8 -d 27.0.0.0/8 -j packet_forward
iptables -A FORWARD -p all -s 27.0.0.0/8 -j packet_forward -i sl0
iptables -A FORWARD -p all -j $LOG --log-prefix FORWARD:

iptables -A packet_forward -p all -j ACCEPT
iptables -A packet_forward -p all -j REJECT

for ports in $PACKET_TCP_INPUT_PORTS
do
iptables -A packet_in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port $ports -j ACCEPT
done
for ports in $PACKET_UDP_INPUT_PORTS
do
iptables -A packet_in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port $ports -j ACCEPT
done
iptables -A packet_in -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
#iptables -A packet_in -p all -j ACCEPT
iptables -A packet_in -p all -j $LOG --log-prefix packet_in:
iptables -A packet_in -p 93 -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
iptables -A packet_in -p tcp -j REJECT
iptables -A packet_in -p udp -j REJECT
iptables -A packet_in -p icmp -j REJECT
iptables -A packet_in -p all -j REJECT

for ports in $PACKET_TCP_OUTPUT_PORTS
do
iptables -A packet_out -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --source-port $ports -j ACCEPT
done
for ports in $PACKET_UDP_OUTPUT_PORTS
do
iptables -A packet_out -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --source-port $ports -j ACCEPT
done
iptables -A packet_out -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
#iptables -A packet_out -p all -j ACCEPT
iptables -A packet_out -p all -j $LOG --log-prefix packet_out:
iptables -A packet_out -p 93 -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
iptables -A packet_out -p tcp -j REJECT
iptables -A packet_out -p udp -j REJECT
iptables -A packet_out -p icmp -j REJECT
iptables -A packet_out -p all -j REJECT

for ports in $INTERNET_TCP_INPUT_PORTS
do
iptables -A internet_in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port $ports -j ACCEPT
done
for ports in $INTERNET_UDP_INPUT_PORTS
do
iptables -A internet_in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port $ports -j ACCEPT
done
iptables -A internet_in -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
#iptables -A internet_in -p all -j ACCEPT
iptables -A internet_in -p all -j $LOG --log-prefix internet_in:
iptables -A internet_in -p tcp -j REJECT
iptables -A internet_in -p udp -j REJECT
iptables -A internet_in -p icmp -j REJECT
iptables -A internet_in -p all -j REJECT

for ports in $INTERNET_TCP_OUTPUT_PORTS
do
iptables -A internet_out -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --source-port $ports -j ACCEPT
done
for ports in $INTERNET_UDP_OUTPUT_PORTS
do
iptables -A internet_out -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --source-port $ports -j ACCEPT
done
iptables -A internet_out -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
#iptables -A internet_out -p all -j ACCEPT
iptables -A internet_out -p all -j $LOG --log-prefix internet_out:
iptables -A internet_out -p tcp -j REJECT
iptables -A internet_out -p udp -j REJECT
iptables -A internet_out -p icmp -j REJECT
iptables -A internet_out -p all -j REJECT

for ports in $LOCALNET_TCP_INPUT_PORTS
do
iptables -A localnet_in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port $ports -j ACCEPT
done
for ports in $LOCALNET_UDP_INPUT_PORTS
do
iptables -A localnet_in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --destination-port $ports -j ACCEPT
done
iptables -A localnet_in -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
#iptables -A localnet_in -p all -j ACCEPT
iptables -A localnet_in -p all -j $LOG --log-prefix localnet_in:
iptables -A localnet_in -p tcp -j REJECT
iptables -A localnet_in -p udp -j REJECT
iptables -A localnet_in -p icmp -j REJECT
iptables -A localnet_in -p all -j REJECT

for ports in $LOCALNET_TCP_OUTPUT_PORTS
do
iptables -A localnet_out -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --source-port $ports -j ACCEPT
done
for ports in $LOCALNET_UDP_OUTPUT_PORTS
do
iptables -A localnet_out -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --source-port $ports -j ACCEPT
done
iptables -A localnet_out -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
#iptables -A localnet_out -p all -j ACCEPT
iptables -A localnet_out -p all -j $LOG --log-prefix localnet_out:
iptables -A localnet_out -p tcp -j REJECT
iptables -A localnet_out -p udp -j REJECT
iptables -A localnet_out -p icmp -j REJECT
iptables -A localnet_out -p all -j REJECT

iptables -vL

Arjan Filius
mailto:iafilius@xs4all.nl

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andrea Arcangeli: "Re: Object Based Storage and File System Snapshots: alpha release"
Previous message: Manfred Spraul: "[PATCH] Documentation/oops-tracking update"
Next in thread: Bernard Wei: "Re: 2.3.35-3+netfilter (ip_nat+iptables) => hard lockup"
Maybe reply: Bernard Wei: "Re: 2.3.35-3+netfilter (ip_nat+iptables) => hard lockup"