  1. #1
    Just Joined!
    Join Date
    Feb 2011
    Posts
    4

    IPtables Resets Overnight

    Hi Everyone, I have an odd issue.

    I have CPANEL/WHM installed on redhat, and I installed a squid proxy server on it as well.

    By default iptables blocks everything unless opened.

    I opened up the port for the proxy only for my IP.

    The problem I have, is every morning I need to SSH into the server and do a 'service iptables reset' before I can connect to the proxy.

    Any idea why I need to do that every morning?

  2. #2
    Linux Enthusiast Mudgen
    Join Date
    Feb 2007
    Location
    Virginia
    Posts
    623
    "reset" is not a valid option for service iptables on any Red Hat version I'm familiar with, so I don't know why that would work, much less why you have to do it. Do you mean "service iptables restart"?

  3. #3
    Just Joined!
    Join Date
    Feb 2011
    Posts
    4
    sorry - that was exactly what I meant.

  4. #4
    Just Joined!
    Join Date
    Mar 2007
    Location
    Melbourne, Australia
    Posts
    19
    I can't think of anything that would cause this issue. However, I'd start by saving the current firewall rules in effect before restarting iptables, then save the rules in effect after restarting and comparing the two sets.

    Save the current ruleset as follows:

    Code:
    sudo /sbin/iptables-save > /tmp/oldruleset

    Restart iptables as per normal, then save the current ruleset:

    Code:
    sudo /sbin/iptables-save > /tmp/currentruleset

    Then finally use your favourite compare utility (I use kdiff3) to check the differences in the sets.

    Then ask yourself, what is adding and/or removing the rules?

    Do you have fail2ban installed? This is a likely candidate that could be adding/removing rules from your firewall.


    Cheers,
    ak.

  5. #5
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,281
    I would suggest that you configure your firewall the way you want it and then save the config with service iptables save, which is the way RH works with firewall saving.

    Sounds like you are not saving your rules and for some reason the system gets restarted. You could check this with uptime.

    If the system isn't being restarted and the firewall is still changing, check your logs to see when the firewall is being restarted/changed.

    Regards
    Robert


  6. #6
    Just Joined!
    Join Date
    Feb 2011
    Posts
    4
    I got a chance to do this... the 4 lines that let in 4 separate IPs were simply blank.

    This set of code changed, but I don't think it's relevant. Nothing else was changed.

    Code:
    :PREROUTING ACCEPT [2696009:1289268213]
    :INPUT ACCEPT [2696009:1289268213]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [2595052:698051209]
    :POSTROUTING ACCEPT [2594607:698018464]

    I looked at the logs, and they are huge, they have an entry for every access... is there a way to find out what program is changing my iptables?

  7. #7
    Just Joined!
    Join Date
    Mar 2007
    Location
    Melbourne, Australia
    Posts
    19
    I'm stumped. Before I go about being paranoid, let's first make sure that you have not configured a cronjob to do something weird in the past. Have a look at /var/log/cron and see if you spot any odd-looking jobs in there.

    Could it be that someone has compromised your machine and is making changes to your rulesets? Is there another user who has root access that could be manipulating these rules without your knowledge?

    I've got a few other tricks to use but first let's check the above then get back with whatever you find.

    Ciao,
    ak.

  8. #8
    Just Joined!
    Join Date
    Feb 2011
    Posts
    4
    Sorry for the delay :s I was out of the country...

    I looked through the cron log and there were way too many entries; I tried to look through the log for anything unusual but couldn't find anything.

    Is there a way I can tell Linux to watch this file, and email me when it changes and what changed it?

    I know it's automated, sometime between 1am and 8am. Happens EVERY night.

    I saw something about inotify however I don't understand how to use it.

    Thanks
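A script that ties together ak's save/restart/compare procedure (post #4), the counter-only noise seen in post #6, and the "watch the file and email me" request in post #8. It is an added example, not code posted by anyone in the thread; it assumes a Red Hat style box with iptables-save, inotify-tools and the audit package installed, and uses auditd (not mentioned in the thread) because inotify reports when the saved rules file changed but not which process wrote it.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a Red Hat style system with
# iptables-save, inotifywait (inotify-tools) and auditctl (audit) installed,
# run as root. Mail recipient and polling interval are placeholders.

# Normalise an iptables-save dump so only real rule changes show up: drop the
# "[pkts:bytes]" counters on the chain lines (the noise seen in post #6) and
# the timestamped "# Generated by" / "# Completed on" comment lines.
normalize_rules() {
    sed -e 's/ \[[0-9]*:[0-9]*\]$//' \
        -e '/^# Generated by/d' -e '/^# Completed on/d' "$1"
}

# Diff two saved dumps after normalising. Exit status 0 means the effective
# rules are identical; 1 means a rule was added or removed (diff on stdout).
rule_diff() {
    a=$(mktemp) && b=$(mktemp) || return 2
    normalize_rules "$1" > "$a"
    normalize_rules "$2" > "$b"
    status=0
    diff "$a" "$b" || status=$?
    rm -f "$a" "$b"
    return $status
}

# Snapshot the live rules every $1 seconds and mail the diff to $2 when a
# rule (not just a counter) changes; the timestamp in the subject narrows
# the 1am-8am window from post #8 down to a single polling interval.
watch_rules() {
    interval=${1:-60}; mailto=${2:-root}
    prev=$(mktemp); cur=$(mktemp)
    iptables-save > "$prev"
    while sleep "$interval"; do
        iptables-save > "$cur"
        if ! rule_diff "$prev" "$cur" > /tmp/iptables.diff 2>&1; then
            mail -s "iptables rules changed on $(hostname) $(date)" "$mailto" \
                < /tmp/iptables.diff
            cp "$cur" "$prev"
        fi
    done
}

# inotify answers "when" for the saved rules file but not "who"; the audit
# subsystem records the pid and executable of whatever writes it.
audit_saved_rules() {
    auditctl -w /etc/sysconfig/iptables -p wa -k iptables-change
    # later: ausearch -k iptables-change    (shows exe=, pid=, auid=)
    inotifywait -m -e close_write,moved_to,delete /etc/sysconfig/ \
        | grep --line-buffered 'iptables'
}
```

Run `watch_rules 60 you@example.com &` overnight and the first mail you get pins down the minute the allow rules vanished; `ausearch -k iptables-change` afterwards names the process if the saved file itself was rewritten.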
