iptables does something weird following suspend

Discussion in 'all things UNIX' started by Gullible Jones, Nov 17, 2012.

Thread Status:
Not open for further replies.
  1. iptables does something weird following suspend [found workaround]

    I wrote a script to set up a simple firewall, as follows:

    Code:
    # Flush the tables
    /usr/sbin/iptables -F
    # Deny everything by default
    /usr/sbin/iptables -P INPUT DROP
    /usr/sbin/iptables -P FORWARD DROP
    /usr/sbin/iptables -P OUTPUT DROP
    # Allow established and related inputs
    /usr/sbin/iptables -A INPUT -m conntrack \
        --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Allow DNS (UDP) outbound
    /usr/sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    # Allow ICMP outbound
    /usr/sbin/iptables -A OUTPUT -p icmp -j ACCEPT
    # Allow various TCP stuff
    /usr/sbin/iptables -A OUTPUT -p tcp -m multiport \
        --dports 21,22,53,80,443,6881:6999 -j ACCEPT
    
    I set it up to run on boot, and three weird things now happen on resuming from suspend:
    1. Getting an IP address through DHCP on my home network takes about 30+ seconds
    2. During those 30 seconds, Wicd's GUI is unresponsive
    3. When 'iptables --list' is invoked, it shows the last line (the one with the outbound TCP rules) twice

    Running the script again cuts all that short, and restores everything to normal. What did I do wrong here?

    Update: Found a workaround using acpid. Instead of invoking pm-suspend, I suspend directly with 'echo mem > /sys/power/state'. This is fine since I was already using acpid, rather than a power manager.
     
    Last edited by a moderator: Nov 18, 2012
  2. And solved. Answer is that iptables filters loopback stuff too; you have to explicitly tell it not to filter anything on lo, or you will get problems.

    Edit: an updated and much cleaner version...

    Code:
    #!/bin/sh
    iptables-restore <<END
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A OUTPUT -p udp --dport 53 -j ACCEPT
    -A OUTPUT -p tcp -m multiport --dports 21,22,53,80,443,6881:6999 -j ACCEPT
    -A OUTPUT -p icmp -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    COMMIT
    END
    Hope that doesn't have any gratuitous holes in it!
     
    Last edited by a moderator: Nov 27, 2012
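As an added example (not from the thread or its author), the following POSIX sh script lints an iptables-restore style ruleset for the two things this thread turned on: a DROP policy on INPUT or OUTPUT with no loopback ACCEPT rule, and the same rule appended more than once. The sample ruleset inside it is constructed to resemble the first post's setup; the function name lint_ruleset is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): lint an iptables-save/iptables-restore
# ruleset for the two problems discussed above. Pure text processing, so it
# runs as a normal user with no iptables installed. Reads the ruleset on stdin,
# prints one finding per line, returns 0 when clean and 1 otherwise.
lint_ruleset() {
    ruleset=$(cat)
    rc=0
    # 1. A DROP policy on INPUT/OUTPUT needs an explicit loopback ACCEPT,
    #    otherwise local services talking over lo are blocked.
    for chain in INPUT OUTPUT; do
        policy=$(printf '%s\n' "$ruleset" | awk -v c=":$chain" '$1 == c { print $2 }')
        [ "$policy" = "DROP" ] || continue
        if [ "$chain" = INPUT ]; then flag='-i lo'; else flag='-o lo'; fi
        if ! printf '%s\n' "$ruleset" | grep -q -- "^-A $chain .*$flag .*-j ACCEPT"; then
            echo "$chain policy is DROP but no '$flag -j ACCEPT' rule: loopback traffic is blocked"
            rc=1
        fi
    done
    # 2. The same rule appended more than once (the symptom seen in 'iptables --list').
    dups=$(printf '%s\n' "$ruleset" | grep '^-A ' | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf '%s\n' "$dups" | sed 's/^/duplicate rule: /'
        rc=1
    fi
    return $rc
}

# Constructed sample modelled on the first post: DROP policies, no loopback
# rules, and the outbound TCP rule present twice.
BAD_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 21,22,53,80,443,6881:6999 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 21,22,53,80,443,6881:6999 -j ACCEPT
COMMIT'

if printf '%s\n' "$BAD_RULESET" | lint_ruleset; then
    echo "ruleset is clean"
else
    echo "ruleset needs fixing"
fi
```

Feed it the output of `iptables-save` (or the heredoc from the post above) on stdin to check a live or saved ruleset.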