LINUX.ORG.RU
Forum: Admin

Slow boot after adding iptables rules

Hi. I added a list of rules, after which system boot and login take a very long time and hang:

sudo iptables -P INPUT DROP

sudo iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN --dport 22 -j LOG --log-prefix "Iptab: Request connect client: "
sudo iptables -A OUTPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN,ACK --sport 22 -j LOG --log-prefix "Iptab: Confirm connect fr server: "

sudo iptables -A INPUT -p tcp --tcp-flags RST RST --dport 22 -j LOG --log-prefix "Iptab: Reset connect client: "
sudo iptables -A OUTPUT -p tcp --tcp-flags RST RST --sport 22 -j LOG --log-prefix "Iptab: Reset connect server: "

sudo iptables -A INPUT -p tcp --tcp-flags FIN FIN --dport 22 -j LOG --log-prefix "Iptab: Close connect client: "
sudo iptables -A OUTPUT -p tcp --tcp-flags SYN,ACK ACK --sport 22 -j LOG --log-prefix "Iptab: Confirm clos server: "

sudo iptables -A OUTPUT -p tcp --tcp-flags FIN FIN --sport 22 -j LOG --log-prefix "Iptab: Close connect server: "
sudo iptables -A INPUT -p tcp --tcp-flags SYN,ACK ACK --dport 22 -j LOG --log-prefix "Iptab: Confirm clos client: "



sudo iptables -A INPUT -i eth0 -p tcp --dport 8384 -m iprange --src-range 192.168.0.102-192.168.0.103 -m comment --comment "ALLOW Syncthing Notebook" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp --sport 8384 -m iprange --dst-range 192.168.0.102-192.168.0.103 -m comment --comment "ALLOW Syncthing Notebook" -j ACCEPT

sudo iptables -A INPUT -i eth0 -p tcp --dport 8384 -s 192.168.0.104 -m comment --comment "ALLOW Syncthing Phone" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp --sport 8384 -d 192.168.0.104 -m comment --comment "ALLOW Syncthing Phone" -j ACCEPT

sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m iprange --src-range 192.168.0.101-192.168.0.104 -m comment --comment "ALLOW SSH HOME" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m iprange --dst-range 192.168.0.101-192.168.0.104 -m comment --comment "ALLOW SSH HOME" -j ACCEPT

sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Here are the syslog entries after the hang:

Feb 20 09:43:24 Desktop systemd[1]: Started System Logging Service.
Feb 20 09:43:24 Desktop kernel: [    1.264344] pcieport 0000:00:15.1: PME: Signaling with IRQ 26
Feb 20 09:43:24 Desktop kernel: [    1.264426] shpchp: Standard Hot Plug PCI Controller Driver version: 0.4
Feb 20 09:43:24 Desktop kernel: [    1.264868] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
Feb 20 09:43:24 Desktop kernel: [    1.264996] 00:07: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
Feb 20 09:43:24 Desktop kernel: [    1.265604] Linux agpgart interface v0.103
Feb 20 09:43:24 Desktop kernel: [    1.265837] AMD-Vi: AMD IOMMUv2 functionality not available on this system - This is not a bug.
Feb 20 09:43:24 Desktop kernel: [    1.266095] i8042: PNP: No PS/2 controller found.
Feb 20 09:43:24 Desktop kernel: [    1.266150] mousedev: PS/2 mouse device common for all mice
Feb 20 09:43:24 Desktop kernel: [    1.266178] rtc_cmos 00:04: RTC can wake from S4
Feb 20 09:43:24 Desktop kernel: [    1.266329] rtc_cmos 00:04: registered as rtc0
Feb 20 09:43:24 Desktop kernel: [    1.266356] rtc_cmos 00:04: setting system clock to 2022-02-20T09:42:33 UTC (1645350153)
Feb 20 09:43:24 Desktop kernel: [    1.266371] rtc_cmos 00:04: alarms up to one month, y3k, 114 bytes nvram, hpet irqs
Feb 20 09:43:24 Desktop kernel: [    1.266423] ledtrig-cpu: registered to indicate activity on CPUs
Feb 20 09:43:24 Desktop kernel: [    1.266765] NET: Registered protocol family 10
Feb 20 09:43:24 Desktop kernel: [    1.274424] Segment Routing with IPv6
Feb 20 09:43:24 Desktop kernel: [    1.274451] mip6: Mobile IPv6
Feb 20 09:43:24 Desktop kernel: [    1.274454] NET: Registered protocol family 17
Feb 20 09:43:24 Desktop kernel: [    1.274507] mpls_gso: MPLS GSO support
Feb 20 09:43:24 Desktop kernel: [    1.274510] x86/pm: family 0x15 cpu detected, MSR saving is needed during suspending.
Feb 20 09:43:24 Desktop kernel: [    1.274771] microcode: CPU0: patch_level=0x06001116
Feb 20 09:43:24 Desktop kernel: [    1.274775] microcode: CPU1: patch_level=0x06001116
Feb 20 09:43:24 Desktop kernel: [    1.274783] microcode: CPU2: patch_level=0x00000000
Feb 20 09:43:24 Desktop kernel: [    1.274789] microcode: CPU3: patch_level=0x00000000
Feb 20 09:43:24 Desktop kernel: [    1.274793] microcode: Microcode Update Driver: v2.2.
Feb 20 09:43:24 Desktop kernel: [    1.274798] IPI shorthand broadcast: enabled
Feb 20 09:43:24 Desktop kernel: [    1.274806] sched_clock: Marking stable (1270591639, 4120868)->(1287716998, -13004491)
Feb 20 09:43:24 Desktop kernel: [    1.274894] registered taskstats version 1
Feb 20 09:43:24 Desktop kernel: [    1.274898] Loading compiled-in X.509 certificates
Feb 20 09:43:24 Desktop kernel: [    1.314646] Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
Feb 20 09:43:24 Desktop kernel: [    1.314666] Loaded X.509 cert 'Debian Secure Boot Signer 2021 - linux: 4b6ef5abca669825178e052c84667ccbc0531f8c'
Feb 20 09:43:24 Desktop kernel: [    1.314709] zswap: loaded using pool lzo/zbud
Feb 20 09:43:24 Desktop kernel: [    1.314881] Key type ._fscrypt registered
Feb 20 09:43:24 Desktop kernel: [    1.314882] Key type .fscrypt registered
Feb 20 09:43:24 Desktop kernel: [    1.314882] Key type fscrypt-provisioning registered
Feb 20 09:43:24 Desktop kernel: [    1.314921] AppArmor: AppArmor sha1 policy hashing enabled
Feb 20 09:43:24 Desktop kernel: [    1.316684] Freeing unused kernel image (initmem) memory: 2412K
Feb 20 09:43:24 Desktop kernel: [    1.346016] Write protecting the kernel read-only data: 22528k
Feb 20 09:43:24 Desktop kernel: [    1.346641] Freeing unused kernel image (text/rodata gap) memory: 2040K
Feb 20 09:43:24 Desktop kernel: [    1.346863] Freeing unused kernel image (rodata/data gap) memory: 624K
Feb 20 09:43:24 Desktop kernel: [    1.384100] x86/mm: Checked W+X mappings: passed, no W+X pages found.
Feb 20 09:43:24 Desktop kernel: [    1.384108] Run /init as init process
Feb 20 09:43:24 Desktop kernel: [    1.384109]   with arguments:
Feb 20 09:43:24 Desktop kernel: [    1.384110]     /init
Feb 20 09:43:24 Desktop kernel: [    1.384111]   with environment:
Feb 20 09:43:24 Desktop kernel: [    1.384112]     HOME=/
Feb 20 09:43:24 Desktop kernel: [    1.384112]     TERM=linux
Feb 20 09:43:24 Desktop kernel: [    1.384113]     BOOT_IMAGE=/boot/vmlinuz-5.10.0-11-amd64
Feb 20 09:43:24 Desktop kernel: [    1.523332] input: Power Button as /devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0C:00/input/input0
Feb 20 09:43:24 Desktop kernel: [    1.523369] ACPI: Power Button [PWRB]
Feb 20 09:43:24 Desktop kernel: [    1.523440] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input1
Feb 20 09:43:24 Desktop kernel: [    1.542965] ACPI: Power Button [PWRF]
Feb 20 09:43:24 Desktop kernel: [    1.557162] piix4_smbus 0000:00:14.0: SMBus Host Controller at 0xb00, revision 0
Feb 20 09:43:24 Desktop kernel: [    1.557165] piix4_smbus 0000:00:14.0: Using register 0x2e for SMBus port selection
Feb 20 09:43:24 Desktop kernel: [    1.557266] piix4_smbus 0000:00:14.0: Auxiliary SMBus Host Controller at 0xb20
Feb 20 09:43:24 Desktop kernel: [    1.557651] cryptd: max_cpu_qlen set to 1000
Feb 20 09:43:24 Desktop kernel: [    1.561312] ACPI: bus type USB registered
Feb 20 09:43:24 Desktop kernel: [    1.561343] usbcore: registered new interface driver usbfs
Feb 20 09:43:24 Desktop kernel: [    1.561356] usbcore: registered new interface driver hub
Feb 20 09:43:24 Desktop kernel: [    1.561370] usbcore: registered new device driver usb
Feb 20 09:43:24 Desktop kernel: [    1.573186] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
Feb 20 09:43:24 Desktop kernel: [    1.573647] AVX version of gcm_enc/dec engaged.
Feb 20 09:43:24 Desktop kernel: [    1.573649] AES CTR mode by8 optimization enabled
Feb 20 09:43:24 Desktop kernel: [    1.578493] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
Feb 20 09:43:24 Desktop kernel: [    1.580767] SCSI subsystem initialized
Feb 20 09:43:24 Desktop kernel: [    1.590595] ehci-pci: EHCI PCI platform driver
Feb 20 09:43:24 Desktop kernel: [    1.590778] QUIRK: Enable AMD PLL fix
Feb 20 09:43:24 Desktop kernel: [    1.590812] ehci-pci 0000:00:12.2: EHCI Host Controller
Feb 20 09:43:24 Desktop kernel: [    1.590821] ehci-pci 0000:00:12.2: new USB bus registered, assigned bus number 1
Feb 20 09:43:24 Desktop kernel: [    1.590827] ehci-pci 0000:00:12.2: applying AMD SB700/SB800/Hudson-2/3 EHCI dummy qh workaround
Feb 20 09:43:24 Desktop kernel: [    1.590834] ehci-pci 0000:00:12.2: debug port 1
Feb 20 09:43:24 Desktop kernel: [    1.590885] ehci-pci 0000:00:12.2: irq 17, io mem 0xfe10b000
Feb 20 09:43:24 Desktop kernel: [    1.606001] ehci-pci 0000:00:12.2: USB 2.0 started, EHCI 1.00
Feb 20 09:43:24 Desktop kernel: [    1.606085] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002, bcdDevice= 5.10
Feb 20 09:43:24 Desktop kernel: [    1.606087] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
Feb 20 09:43:24 Desktop kernel: [    1.606089] libata version 3.00 loaded.
Feb 20 09:43:24 Desktop kernel: [    1.606090] usb usb1: Product: EHCI Host Controller
Feb 20 09:43:24 Desktop kernel: [    1.606092] usb usb1: Manufacturer: Linux 5.10.0-11-amd64 ehci_hcd
Feb 20 09:43:24 Desktop kernel: [    1.606094] usb usb1: SerialNumber: 0000:00:12.2
Feb 20 09:43:24 Desktop rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.2102.0]
Feb 20 09:43:24 Desktop kernel: [    1.606274] hub 1-0:1.0: USB hub found
Feb 20 09:43:24 Desktop kernel: [    1.606285] hub 1-0:1.0: 5 ports detected
Feb 20 09:43:24 Desktop kernel: [    1.606717] ehci-pci 0000:00:13.2: EHCI Host Controller
Feb 20 09:43:24 Desktop kernel: [    1.606737] ehci-pci 0000:00:13.2: new USB bus registered, assigned bus number 2
Feb 20 09:43:24 Desktop kernel: [    1.606747] ehci-pci 0000:00:13.2: applying AMD SB700/SB800/Hudson-2/3 EHCI dummy qh workaround
Feb 20 09:43:24 Desktop kernel: [    1.606761] ehci-pci 0000:00:13.2: debug port 1
Feb 20 09:43:24 Desktop kernel: [    1.606809] ehci-pci 0000:00:13.2: irq 17, io mem 0xfe109000
Feb 20 09:43:24 Desktop kernel: [    1.610406] libphy: r8169: probed
Feb 20 09:43:24 Desktop kernel: [    1.610411] ahci 0000:00:11.0: version 3.0
Feb 20 09:43:24 Desktop kernel: [    1.610689] r8169 0000:04:00.0 eth0: RTL8168f/8111f, 50:46:5d:a5:06:0a, XID 480, IRQ 27
Feb 20 09:43:24 Desktop kernel: [    1.610692] r8169 0000:04:00.0 eth0: jumbo features [frames: 9194 bytes, tx checksumming: ko]
Feb 20 09:43:24 Desktop kernel: [    1.610720] ahci 0000:00:11.0: AHCI 0001.0300 32 slots 8 ports 6 Gbps 0xff impl SATA mode
Feb 20 09:43:24 Desktop kernel: [    1.610723] ahci 0000:00:11.0: flags: 64bit ncq sntf ilck pm led clo pmp pio sxs 
Feb 20 09:43:24 Desktop kernel: [    1.612088] r8169 0000:04:00.0 enp4s0: renamed from eth0
Feb 20 09:43:24 Desktop kernel: [    1.612281] scsi host0: ahci
Feb 20 09:43:24 Desktop kernel: [    1.612587] scsi host1: ahci
Feb 20 09:43:24 Desktop kernel: [    1.612840] scsi host2: ahci
Feb 20 09:43:24 Desktop kernel: [    1.613046] scsi host3: ahci
Feb 20 09:43:24 Desktop kernel: [    1.613266] scsi host4: ahci
Feb 20 09:43:24 Desktop kernel: [    1.613422] scsi host5: ahci
Feb 20 09:43:24 Desktop kernel: [    1.613755] scsi host6: ahci
Feb 20 09:43:24 Desktop kernel: [    1.613961] scsi host7: ahci

Debian 11, GNOME 3, X11. What could the problem be? On another system and device this did not happen.

In reply to: comment from anonymous

Also, established/related should be moved up to the top, with a drop for invalid added right after it.

anonymous ()
In reply to: comment from funyfizik

if the loopback isn't given accept rules for everything

What is loopback? On my previous device everything was drop and the rules worked great; boot was fine too. But back then there was no RELATED,ESTABLISHED -j ACCEPT rule, and it wasn't needed.

TheLinuxUser ★★ ()
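The two pieces of advice in this thread (accept loopback traffic, and put the established/related shortcut at the top with an invalid drop right after it) fit together into one ordered ruleset. The script below is an added example, not the poster's ruleset or anything from the thread: it emits an iptables-restore file for the filter table in that order and checks the ordering before anything is loaded. It assumes the LAN interface is enp4s0, since the kernel log in the post shows eth0 being renamed to enp4s0 (so rules written with -i eth0 would never match on that box); override with LAN_IF=<name>. It also uses the conntrack match (the state match is a legacy alias for it), collapses the eight per-flag LOG rules into one rate-limited log of new SSH attempts, and drops the OUTPUT rules because the post never changes the OUTPUT policy from ACCEPT; those three are choices made here, not something the thread states.

```shell
#!/bin/sh
# Added example (not the poster's ruleset): emits an iptables-restore file for
# the filter table in the order the thread recommends, then sanity-checks it.
# Assumption: the LAN interface is enp4s0, which is what the kernel log in the
# post shows eth0 being renamed to; override with LAN_IF=<name>.
LAN_IF="${LAN_IF:-enp4s0}"

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Loopback first: the login session, D-Bus, the resolver and X11 all talk
#    over 127.0.0.1, so an INPUT DROP policy without this stalls boot and login.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# 2. Conntrack shortcut next, so replies to existing flows never reach the
#    LOG rules or the DROP policy.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# 3. Drop what conntrack cannot classify right after the shortcut.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 4. One rate-limited log line per new SSH attempt instead of the eight
#    per-flag LOG rules from the post (assumed simplification).
-A INPUT -p tcp --dport 22 --syn -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "Iptab: Request connect client: "
# 5. The explicit allows from the post, with the interface name parameterised.
-A INPUT -i $LAN_IF -p tcp --dport 8384 -m iprange --src-range 192.168.0.102-192.168.0.103 -m comment --comment "ALLOW Syncthing Notebook" -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 8384 -s 192.168.0.104 -m comment --comment "ALLOW Syncthing Phone" -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -m iprange --src-range 192.168.0.101-192.168.0.104 -m comment --comment "ALLOW SSH HOME" -j ACCEPT
COMMIT
EOF
}

# Returns 0 when the three ordering invariants hold in the generated file:
# loopback accept < conntrack accept < INVALID drop.
check_order() {
    rules=$(gen_rules)
    lo=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT -i lo -j ACCEPT' | cut -d: -f1)
    est=$(printf '%s\n' "$rules" | grep -n -- '--ctstate RELATED,ESTABLISHED' | cut -d: -f1)
    inv=$(printf '%s\n' "$rules" | grep -n -- '--ctstate INVALID' | cut -d: -f1)
    [ -n "$lo" ] && [ -n "$est" ] && [ -n "$inv" ] \
        && [ "$lo" -lt "$est" ] && [ "$est" -lt "$inv" ]
}

# Usage as root: check_order && gen_rules | iptables-restore --test   (parse only)
#                check_order && gen_rules | iptables-restore          (load)
```

Loading through iptables-restore replaces the whole filter table atomically, which avoids the window where a `-P INPUT DROP` has been applied but the accept rules have not yet been appended; `iptables-restore --test` parses the file without committing it, so the ordering check and the syntax check can both run before the live table changes.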