java, linux, sockets, network-programming, iptables

Reg. firewall in Linux


I have a Java program listening for packets over both UDP and TCP on a range of ports. I have a script locally on that Linux box which will block or unblock the inbound network traffic on those ports. These scripts work well. But when I use this script to stop the traffic, it takes almost 40 minutes for the traffic to stop. Until then I receive the packets on

java.net.DatagramSocket.receive() and
java.net.Socket.getInputStream().read()

methods. After 40 minutes, the traffic stops. I have no clue what is happening. I was expecting the incoming traffic to stop immediately. Is there any configuration that I have missed on the Linux box?

The socket buffer sizes for UDP and TCP are:

[root@APP ~]# cat /proc/sys/net/ipv4/udp_mem
6164448 8219264 12328896
[root@APP ~]# cat /proc/sys/net/ipv4/udp_rmem_min
4096
[root@APP ~]# cat /proc/sys/net/ipv4/udp_wmem_min
4096

[root@APP ~]# cat /proc/sys/net/ipv4/tcp_mem
6164448 8219264 12328896
[root@APP ~]# cat /proc/sys/net/ipv4/tcp_rmem
4096    87380   4194304
[root@APP ~]# cat /proc/sys/net/ipv4/tcp_wmem
4096    16384   4194304

Here is a snippet of the iptables script. I am interested in ports 5000 to 5100.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [218796:15563881]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT

-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 5000:5100 -j DROP
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 4814 -j DROP
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 8000 -j DROP
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 4815 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED --sport 53 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED --sport 587 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 2814 -j ACCEPT

-A INPUT -p udp -m state --state ESTABLISHED --sport 53 -j ACCEPT
-A INPUT -p udp --dport 5000:5100 -j DROP
-A INPUT -p udp --dport 4814 -j DROP

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 587 -j ACCEPT
-A OUTPUT -p tcp -m state --state ESTABLISHED -m tcp --sport 5000:5100 -j ACCEPT
-A OUTPUT -p tcp -m state --state ESTABLISHED -m tcp --sport 4814 -j ACCEPT
-A OUTPUT -p tcp -m state --state ESTABLISHED -m tcp --sport 4815 -j ACCEPT
-A OUTPUT -p tcp -m state --state ESTABLISHED -m tcp --sport 2814 -j ACCEPT

-A OUTPUT -p udp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
-A OUTPUT -p udp --sport 5000:5100 -j ACCEPT
-A OUTPUT -p udp --sport 4814 -j ACCEPT

Solution

  • The first rule in your firewall tells iptables to accept all established connections, so you are only blocking new connections:

    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    

    Try removing that rule and see what happens.