Post #1 - Mar 3 2008, 10:14 PM
Master | Group: Members | Posts: 369 | Joined: 12-March 02 | Member No.: 1,620
I have 3 boxes at The Planet in the 67.15.x.x IP range. They are all Linux/Ensim machines for production web hosting. I have the APF firewall running on each box, configured to allow access from my home and work IP addresses. This setup has worked great for over two years now.
When I came into work today I realized that I cannot reach any of those boxes. I'm able to shell to my home router and then get in to all 3 boxes just fine. Also, if I disable the APF firewall on any of those boxes, I can get in from work. NOTHING HAS CHANGED RECENTLY. These ssh connections were all working as of Friday. TP is not blocking me, nor is my company. I suspect something network related has changed at work which is having a strange effect on APF or iptables. Networking is not really one of my strong points... Is there anyone here who can take a guess at this one? Have I given enough information? I'm stumped and think this is really, really weird... thanks...
Post #2 - Mar 3 2008, 10:25 PM
SuperGeek | Group: Members | Posts: 3,025 | Joined: 8-July 06 | From: Los Angeles, CA | Member No.: 22,425
You've most likely blocked your office's IP due to a number of failed login attempts. Have you checked your APF block list? Are there any other firewalls running? Do you recall making any failed login attempts from work?
Post #3 - Mar 3 2008, 11:47 PM
Master | Group: Members | Posts: 369 | Joined: 12-March 02 | Member No.: 1,620
Hey thanks Mark. My office IP is listed in the /etc/apf/allow_hosts.rules file. I do not have any IPs listed in my deny_hosts.rules file. I do not recall any failed login attempts. What's really strange is this is affecting all 3 boxes and I only routinely log in to one of them. Is there something my work could've done that would affect the way the firewall/iptables responds to connection requests? As soon as I shut down APF, the connections are fine. Also, I have no problems connecting from home, which is the only other allowed IP in my firewall configs. The only firewall I'm running on all 3 boxes is APF. I've run iptables -L -n and it shows my work IP as configured for ALLOW. WEIRD!
Post #4 - Mar 4 2008, 05:34 AM
Techie | Group: Members | Posts: 255 | Joined: 18-November 02 | Member No.: 4,919
Not to be insulting or anything, but my first question is: did you check to see if your IP address changed at work? Someone updating or replacing a router could easily cause the IP addresses to change.
Post #5 - Mar 4 2008, 11:49 AM
Master | Group: Members | Posts: 369 | Joined: 12-March 02 | Member No.: 1,620

Post #6 - Mar 4 2008, 12:07 PM
SuperGeek | Group: Members | Posts: 3,025 | Joined: 8-July 06 | From: Los Angeles, CA | Member No.: 22,425
Hmmm, there must be some other firewall blocking your IP address. I know I have three running at any time on my boxes, so it's not uncommon for this to happen.
I'm interested in what James is gonna say about this.
Post #7 - Mar 4 2008, 02:31 PM
Computer Chip | Group: Members | Posts: 756 | Joined: 10-June 02 | Member No.: 2,637
I've had numerous problems with APF, unexplained by a few server management companies or TP. I got rid of APF and the problem went away; it is really strange to me though. Tracert, ping, all worked perfectly, but access to www or ssh was always dead due to a "connection timeout error". :-(
Post #8 - Mar 4 2008, 03:21 PM
SuperGeek | Group: Members | Posts: 3,025 | Joined: 8-July 06 | From: Los Angeles, CA | Member No.: 22,425
EXACTLY! APF plays these kinds of games.
Post #9 - Mar 5 2008, 06:19 PM
Master | Group: Members | Posts: 369 | Joined: 12-March 02 | Member No.: 1,620
I've been running this configuration for over two years with zero problems, and no system changes have been made recently. I think this is actually a difficult-to-troubleshoot networking problem resulting from changes made by my employer. When I disable APF, everyone can connect, so you'd normally think the problem would be on my end, but in this case I'd bet it's not.
What could my employer have done that would have this strange effect on my firewall? APF is the only firewall running on this and my other two machines, btw...
Post #10 - Mar 5 2008, 06:27 PM
Master | Group: Members | Posts: 369 | Joined: 12-March 02 | Member No.: 1,620
What's even stranger is the fact that I have 3 boxes in the 67.15.x.x range and this issue started on all 3 at the same time.
Post #11 - Mar 5 2008, 08:31 PM
Master | Group: Members | Posts: 369 | Joined: 12-March 02 | Member No.: 1,620
ok guys... figured it out, was a dumb issue but actually makes the whole scenario a little stranger...
Port 22 was not listed in my conf.apf file for allowing access. I do not know how it was removed from this file... on all 3 servers. Kinda have a bad feeling about this. Also... how the heck could I still ssh to port 22 from home? Whattya guys think... perhaps I've been cracked?
Post #12 - Mar 6 2008, 12:45 AM
SuperGeek | Group: The Planet Staff | Posts: 1,696 | Joined: 27-December 05 | Member No.: 19,248
APF uses iptables. The order in iptables matters... A LOT. If you have:

- allow all from <your home ip>
- deny all from * destination port 22
- allow all from <your work ip>

your home IP would be explicitly allowed because it reads top to bottom, but if the deny rule is above your work IP (and after your home IP) you would have this effect. A good way to see if this is the case is to do "iptables -I INPUT -s <your work ip> -j ACCEPT" and "iptables -I OUTPUT -d <your work ip> -j ACCEPT" (these are case sensitive). That is only a temporary fix, since APF reloads your config every hour... but it would confirm if that is the problem or not... Although I must confess, I share Mark's opinion on APF.

"The average person thinks he isn't." -- Father Larry Lorenzoni
James Jhurani, Managed Hosting, http://www.theplanet.com
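A minimal first-match simulation of the chain ordering James describes, added here as an illustration and not code from the thread, from APF or from The Planet. The IP addresses are constructed placeholders, the rule tuples are a simplified stand-in for real iptables rules, and the audit helper shows why "iptables -L -n" listing the work IP as ACCEPT was not enough to prove it could reach port 22:

```python
from ipaddress import ip_address, ip_network

HOME_IP = "198.51.100.10"  # constructed placeholder, not the poster's real address
WORK_IP = "203.0.113.20"   # constructed placeholder

# A rule is (source network, destination port or None for any port, target).
# Simplified stand-in for iptables rules; enough to show first-match semantics.
def first_match(rules, src, dport, policy="DROP"):
    """Walk the chain top to bottom; the first matching rule decides the verdict."""
    for net, port, target in rules:
        if ip_address(src) in ip_network(net) and port in (None, dport):
            return target
    return policy  # chain policy applies when nothing matched

# The ordering described in the reply: home allowed, blanket deny on 22,
# then a work allow that port-22 packets never reach.
BROKEN_CHAIN = [
    (HOME_IP + "/32", None, "ACCEPT"),
    ("0.0.0.0/0", 22, "DROP"),
    (WORK_IP + "/32", None, "ACCEPT"),
]

def insert_top(rules, rule):
    """Like 'iptables -I': prepend, so the rule is evaluated before the deny."""
    return [rule] + rules

def append(rules, rule):
    """Like 'iptables -A': append, so an earlier DROP still wins."""
    return rules + [rule]

def shadowed_allows(rules):
    """Audit: ACCEPT rules that an earlier, broader DROP makes unreachable.
    Returns (allowed network, port of the shadowing DROP; None = all ports)."""
    found = []
    for i, (net, port, target) in enumerate(rules):
        if target != "ACCEPT":
            continue
        for pnet, pport, ptarget in rules[:i]:
            covers_net = ip_network(net).subnet_of(ip_network(pnet))
            covers_port = port is None or pport is None or port == pport
            if ptarget == "DROP" and covers_net and covers_port:
                found.append((net, pport))
    return found

if __name__ == "__main__":
    work_allow = (WORK_IP + "/32", None, "ACCEPT")
    print("work -> 22 as listed:", first_match(BROKEN_CHAIN, WORK_IP, 22))
    print("work -> 22 after -I: ", first_match(insert_top(BROKEN_CHAIN, work_allow), WORK_IP, 22))
    print("shadowed allows:", shadowed_allows(BROKEN_CHAIN))
```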
Post #13 - Mar 11 2008, 10:56 AM
Newbie | Group: Members | Posts: 8 | Joined: 17-August 04 | Member No.: 14,209
I replaced APF on all my servers with ConfigServer Firewall about a year ago. Couldn't be happier.