Greetings,

        I am using iptables and NAT (a la the gShield script) as a
firewall for my staff workstations. (My rule set is below.)
        Folks connect to and disconnect from numerous NT Server (shudder) shares
frequently. While initial logins connect straight to the server via
mapped network drives, if they are idle for more than 30 minutes or so on
these shares and then try to access them again, they receive

                G:\ is not accessible.
                The network path was not found.

        errors from Windows.
        If they disconnect from the share and then re-map them all is well
again.
        I suspect this is due to some ip_conntrack timeout, but I'm
not sure where to approach the problem -- at the server or at the clients.
        Maybe some sort of keep-alive on the clients?
        If anyone can suggest a way to work around this problem I'd be
very grateful.
        Thank you very much in advance!


Brett Charbeneau, Network Administrator         Tel: 757-259-7750
Williamsburg Regional Library                   FAX: 757-259-7798
7770 Croaker Road                               [EMAIL PROTECTED]
Williamsburg, VA 23188-7064                     http://www.wrl.org


# Generated by iptables-save v1.2.1a on Fri Mar  8 13:05:00 2002
# nat table. Inbound HTTP (80) and SMTP (25) aimed at the public address
# 209.96.177.31 are DNAT'd to the internal host 192.168.1.250; everything from
# 192.168.1.0/24 leaving via eth0 is SNAT'd to 209.96.177.31. The DNAT'd
# traffic is then subject to the filter table's FORWARD chain, which accepts
# the same four port/protocol pairs.
*nat
:PREROUTING ACCEPT [622874:71144748]
:POSTROUTING ACCEPT [17956:777946]
:OUTPUT ACCEPT [1929:134358]
# NOTE(review): each -A PREROUTING rule below is one line in the real file;
# the mail client wrapped it after "--to-destination ". Rejoin the two halves
# before feeding this dump to iptables-restore.
-A PREROUTING -d 209.96.177.31 -p tcp -m tcp --dport 80 -j DNAT --to-destination 
192.168.1.250:80
# NOTE(review): HTTP and SMTP are TCP services; the udp/80 and udp/25 DNAT
# rules forward nothing useful and only widen what reaches 192.168.1.250.
-A PREROUTING -d 209.96.177.31 -p udp -m udp --dport 80 -j DNAT --to-destination 
192.168.1.250:80
-A PREROUTING -d 209.96.177.31 -p tcp -m tcp --dport 25 -j DNAT --to-destination 
192.168.1.250:25
-A PREROUTING -d 209.96.177.31 -p udp -m udp --dport 25 -j DNAT --to-destination 
192.168.1.250:25
# Source NAT for the LAN: only traffic leaving on eth0 (the public side) is
# rewritten, so LAN-to-LAN traffic on other interfaces keeps its real source.
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j SNAT --to-source 209.96.177.31
COMMIT
# Completed on Fri Mar  8 13:05:00 2002
# Generated by iptables-save v1.2.1a on Fri Mar  8 13:05:00 2002
# mangle table: Type-of-Service marking only (0x08 = maximise throughput,
# 0x10 = minimise delay). Inbound marks key on the source port, outbound
# marks on the destination port. Nothing here accepts or drops a packet, so
# this table is unrelated to the share-timeout problem described above.
*mangle
:PREROUTING ACCEPT [69054256:31604483456]
:OUTPUT ACCEPT [573318:54693235]
-A PREROUTING -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --sport 23 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
# NOTE(review): dport 22 is marked twice (0x08 here, 0x10 further down), and
# so is dport 119. TOS is a non-terminating target, so the later 0x10 rule
# wins and the 0x08 rules for 22 and 119 are dead weight.
-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 119 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 23 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 25 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 119 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 110 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 143 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 6667 -j TOS --set-tos 0x10
COMMIT
# Completed on Fri Mar  8 13:05:00 2002
# Generated by iptables-save v1.2.1a on Fri Mar  8 13:05:00 2002
# filter table. Default policies: INPUT and FORWARD DROP, OUTPUT ACCEPT -- the
# firewall host itself has no egress filtering beyond the loopback rule in
# OUTPUT. (Counters in brackets are packets:bytes that hit the policy.)
*filter
:INPUT DROP [3:158]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [23729:4312738]
# User-defined chains (gShield names). Only CLIENT, DNS, DROPnLOG, PUBLIC,
# RESERVED, STATEFUL, TAINTED and loopback are jumped to by a rule in this
# dump. ACCEPTnLOG, BLACKLIST, BLOCK_OUT, CLOSED, DHCP, DMZ, DROPICMP,
# HIGHPORT, MON_OUT, OPENPORT and SERVICEDROP are declared but never
# referenced -- harmless, but they make the ruleset harder to audit.
:ACCEPTnLOG - [0:0]
:BLACKLIST - [0:0]
:BLOCK_OUT - [0:0]
:CLIENT - [0:0]
:CLOSED - [0:0]
:DHCP - [0:0]
:DMZ - [0:0]
:DNS - [0:0]
:DROPICMP - [0:0]
:DROPnLOG - [0:0]
:HIGHPORT - [0:0]
:MON_OUT - [0:0]
:OPENPORT - [0:0]
:PUBLIC - [0:0]
:RESERVED - [0:0]
:SERVICEDROP - [0:0]
:STATEFUL - [0:0]
:TAINTED - [0:0]
:loopback - [0:0]
# ---- INPUT: packets addressed to the firewall host itself. Traffic DNAT'd to
# 192.168.1.250 does not pass through here; it goes through FORWARD. ----
# Packets on the public interface that fail the "unclean" sanity match are
# logged and dropped (TAINTED). NOTE(review): unclean was an EXPERIMENTAL
# match in the 2.4 series with no firm definition of "unclean"; expect some
# false positives in the "gShield (unclean drop)" log lines.
-A INPUT -i eth0 -m unclean -j TAINTED
# Loopback traffic is accepted via the loopback chain.
-A INPUT -i lo -j loopback
# LAN-to-LAN traffic is accepted on eth1 and on any interface except eth0.
# The second rule already covers eth1, so the first one is redundant.
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -i ! eth0 -j ACCEPT
# Anti-spoofing: private (RFC 1918) and a few multicast source addresses
# arriving on the public interface go to RESERVED (reject/drop, no log).
# 192.168.0.0/16 includes the LAN's own range, so a spoofed LAN source on eth0
# is caught here. NOTE(review): 127.0.0.0/8 and 169.254.0.0/16 are not in this
# list; consider adding them.
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth0 -j RESERVED
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth0 -j RESERVED
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.1 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.2 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.4 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.5 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.6 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.9 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.13 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.15 -i eth0 -j RESERVED
# All ICMP types, rate-limited to 1/sec (default burst); packets over the
# limit fall through to STATEFUL at the end of the chain. Consider restricting
# this to the ICMP types actually needed rather than every type.
-A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
# UDP traceroute probes (classic destination port range).
-A INPUT -p udp -m udp --sport 32769:65535 --dport 33434:65535 -j ACCEPT
# NTP replies from a single time server to unprivileged ports.
-A INPUT -s 209.96.177.252 -p udp -m udp --sport 123 --dport 1024:65535 -j ACCEPT
# DNS replies from the two resolvers, matched on source port only (DNS chain is
# a plain ACCEPT). NOTE(review): any UDP packet with source port 53 from these
# two hosts reaches any local port; the RELATED,ESTABLISHED rule in STATEFUL
# already covers real replies, so this could be tightened or dropped.
-A INPUT -s 209.96.177.77 -p udp -m udp --sport 53 -j DNS
-A INPUT -s 209.96.177.71 -p udp -m udp --sport 53 -j DNS
# NOTE(review): these four rules only match if the firewall itself holds
# 192.168.1.250; otherwise the DNAT'd 80/25 traffic is handled in FORWARD and
# these INPUT entries never fire.
-A INPUT -d 192.168.1.250 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d 192.168.1.250 -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -d 192.168.1.250 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -d 192.168.1.250 -p udp -m udp --dport 25 -j ACCEPT
# SSH (22) and ident (113) on the public address are open to any source
# (PUBLIC is a plain ACCEPT). The udp/22 and udp/113 entries match no real
# service. If the admin hosts are known, SSH is better placed in the per-host
# CLIENT rules below than left world-reachable.
-A INPUT -d 209.96.177.31 -p tcp -m tcp --dport 22 -j PUBLIC
-A INPUT -d 209.96.177.31 -p udp -m udp --dport 22 -j PUBLIC
-A INPUT -d 209.96.177.31 -p tcp -m tcp --dport 113 -j PUBLIC
-A INPUT -d 209.96.177.31 -p udp -m udp --dport 113 -j PUBLIC
# Four trusted hosts (.72, .66, .130, .129) may reach ports 20, 21, 22, 110,
# 80, 443 and 8000 on the public address (CLIENT is a plain ACCEPT). Each port
# is listed for both tcp and udp; the udp entries are mechanical duplicates
# and match no service on those ports.
-A INPUT -s 209.96.177.72 -d 209.96.177.31 -p tcp -m tcp --dport 20 -j CLIENT
-A INPUT -s 209.96.177.72 -d 209.96.177.31 -p udp -m udp --dport 20 -j CLIENT
-A INPUT -s 209.96.177.72 -d 209.96.177.31 -p tcp -m tcp --dport 21 -j CLIENT
-A INPUT -s 209.96.177.72 -d 209.96.177.31 -p udp -m udp --dport 21 -j CLIENT
-A INPUT -s 209.96.177.72 -d 209.96.177.31 -p tcp -m tcp --dport 22 -j CLIENT
-A INPUT -s 209.96.177.72 -d 209.96.177.31 -p udp -m udp --dport 22 -j CLIENT
-A INPUT -s 209.96.177.72 -d 209.96.177.31 -p tcp -m tcp --dport 110 -j CLIENT
-A INPUT -s 209.96.177.72 -d 209.96.177.31 -p udp -m udp --dport 110 -j CLIENT
-A INPUT -s 209.96.177.72 -d 209.96.177.31 -p tcp -m tcp --dport 80 -j CLIENT
-A INPUT -s 209.96.177.72 -d 209.96.177.31 -p udp -m udp --dport 80 -j CLIENT
-A INPUT -s 209.96.177.72 -d 209.96.177.31 -p tcp -m tcp --dport 443 -j CLIENT
-A INPUT -s 209.96.177.72 -d 209.96.177.31 -p udp -m udp --dport 443 -j CLIENT
-A INPUT -s 209.96.177.72 -d 209.96.177.31 -p tcp -m tcp --dport 8000 -j CLIENT
-A INPUT -s 209.96.177.72 -d 209.96.177.31 -p udp -m udp --dport 8000 -j CLIENT
-A INPUT -s 209.96.177.66 -d 209.96.177.31 -p tcp -m tcp --dport 20 -j CLIENT
-A INPUT -s 209.96.177.66 -d 209.96.177.31 -p udp -m udp --dport 20 -j CLIENT
-A INPUT -s 209.96.177.66 -d 209.96.177.31 -p tcp -m tcp --dport 21 -j CLIENT
-A INPUT -s 209.96.177.66 -d 209.96.177.31 -p udp -m udp --dport 21 -j CLIENT
-A INPUT -s 209.96.177.66 -d 209.96.177.31 -p tcp -m tcp --dport 22 -j CLIENT
-A INPUT -s 209.96.177.66 -d 209.96.177.31 -p udp -m udp --dport 22 -j CLIENT
-A INPUT -s 209.96.177.66 -d 209.96.177.31 -p tcp -m tcp --dport 110 -j CLIENT
-A INPUT -s 209.96.177.66 -d 209.96.177.31 -p udp -m udp --dport 110 -j CLIENT
-A INPUT -s 209.96.177.66 -d 209.96.177.31 -p tcp -m tcp --dport 80 -j CLIENT
-A INPUT -s 209.96.177.66 -d 209.96.177.31 -p udp -m udp --dport 80 -j CLIENT
-A INPUT -s 209.96.177.66 -d 209.96.177.31 -p tcp -m tcp --dport 443 -j CLIENT
-A INPUT -s 209.96.177.66 -d 209.96.177.31 -p udp -m udp --dport 443 -j CLIENT
-A INPUT -s 209.96.177.66 -d 209.96.177.31 -p tcp -m tcp --dport 8000 -j CLIENT
-A INPUT -s 209.96.177.66 -d 209.96.177.31 -p udp -m udp --dport 8000 -j CLIENT
-A INPUT -s 209.96.177.130 -d 209.96.177.31 -p tcp -m tcp --dport 20 -j CLIENT
-A INPUT -s 209.96.177.130 -d 209.96.177.31 -p udp -m udp --dport 20 -j CLIENT
-A INPUT -s 209.96.177.130 -d 209.96.177.31 -p tcp -m tcp --dport 21 -j CLIENT
-A INPUT -s 209.96.177.130 -d 209.96.177.31 -p udp -m udp --dport 21 -j CLIENT
-A INPUT -s 209.96.177.130 -d 209.96.177.31 -p tcp -m tcp --dport 22 -j CLIENT
-A INPUT -s 209.96.177.130 -d 209.96.177.31 -p udp -m udp --dport 22 -j CLIENT
-A INPUT -s 209.96.177.130 -d 209.96.177.31 -p tcp -m tcp --dport 110 -j CLIENT
-A INPUT -s 209.96.177.130 -d 209.96.177.31 -p udp -m udp --dport 110 -j CLIENT
-A INPUT -s 209.96.177.130 -d 209.96.177.31 -p tcp -m tcp --dport 80 -j CLIENT
-A INPUT -s 209.96.177.130 -d 209.96.177.31 -p udp -m udp --dport 80 -j CLIENT
-A INPUT -s 209.96.177.130 -d 209.96.177.31 -p tcp -m tcp --dport 443 -j CLIENT
-A INPUT -s 209.96.177.130 -d 209.96.177.31 -p udp -m udp --dport 443 -j CLIENT
-A INPUT -s 209.96.177.130 -d 209.96.177.31 -p tcp -m tcp --dport 8000 -j CLIENT
-A INPUT -s 209.96.177.130 -d 209.96.177.31 -p udp -m udp --dport 8000 -j CLIENT
-A INPUT -s 209.96.177.129 -d 209.96.177.31 -p tcp -m tcp --dport 20 -j CLIENT
-A INPUT -s 209.96.177.129 -d 209.96.177.31 -p udp -m udp --dport 20 -j CLIENT
-A INPUT -s 209.96.177.129 -d 209.96.177.31 -p tcp -m tcp --dport 21 -j CLIENT
-A INPUT -s 209.96.177.129 -d 209.96.177.31 -p udp -m udp --dport 21 -j CLIENT
-A INPUT -s 209.96.177.129 -d 209.96.177.31 -p tcp -m tcp --dport 22 -j CLIENT
-A INPUT -s 209.96.177.129 -d 209.96.177.31 -p udp -m udp --dport 22 -j CLIENT
-A INPUT -s 209.96.177.129 -d 209.96.177.31 -p tcp -m tcp --dport 110 -j CLIENT
-A INPUT -s 209.96.177.129 -d 209.96.177.31 -p udp -m udp --dport 110 -j CLIENT
-A INPUT -s 209.96.177.129 -d 209.96.177.31 -p tcp -m tcp --dport 80 -j CLIENT
-A INPUT -s 209.96.177.129 -d 209.96.177.31 -p udp -m udp --dport 80 -j CLIENT
-A INPUT -s 209.96.177.129 -d 209.96.177.31 -p tcp -m tcp --dport 443 -j CLIENT
-A INPUT -s 209.96.177.129 -d 209.96.177.31 -p udp -m udp --dport 443 -j CLIENT
-A INPUT -s 209.96.177.129 -d 209.96.177.31 -p tcp -m tcp --dport 8000 -j CLIENT
-A INPUT -s 209.96.177.129 -d 209.96.177.31 -p udp -m udp --dport 8000 -j CLIENT
# Everything else: connection-tracking decision (see STATEFUL below).
-A INPUT -j STATEFUL
# ---- FORWARD: traffic routed through the firewall. ----
# The DNAT'd HTTP/SMTP traffic to 192.168.1.250 is accepted from any source
# (again with pointless udp/80 and udp/25 duplicates). Everything else goes to
# STATEFUL, which accepts NEW connections only from non-eth0 interfaces -- so
# LAN workstations have unrestricted outbound access (no egress filtering).
-A FORWARD -d 192.168.1.250 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.1.250 -p udp -m udp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.1.250 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -d 192.168.1.250 -p udp -m udp --dport 25 -j ACCEPT
-A FORWARD -j STATEFUL
# ---- OUTPUT: only the loopback jump; the policy is ACCEPT, so locally
# generated traffic is never filtered. ----
-A OUTPUT -o lo -j loopback
# ---- User-defined chains. ----
# ACCEPTnLOG, BLACKLIST, BLOCK_OUT, CLOSED, DHCP, DMZ, DROPICMP, HIGHPORT,
# MON_OUT, OPENPORT and SERVICEDROP are defined but not jumped to anywhere
# in this dump. All LOG rules use --log-level 6 (info).
-A ACCEPTnLOG -j LOG --log-prefix "gShield (accept) " --log-level 6
-A ACCEPTnLOG -j ACCEPT
-A BLACKLIST -j LOG --log-prefix "gShield (blacklisted drop) " --log-level 6
-A BLACKLIST -j DROP
-A BLOCK_OUT -j DROP
# CLIENT: plain ACCEPT (used by the per-host INPUT rules).
-A CLIENT -j ACCEPT
-A CLOSED -j LOG --log-prefix "gShield (closed port drop) " --log-level 6
# NOTE(review): "--reject-with reject-with" is not a REJECT type name (same in
# DROPnLOG, RESERVED and SERVICEDROP). Since this dump came from a running
# ruleset, it is probably an iptables-save display artefact for the tcp-reset
# type -- check with `iptables -L -v` before re-loading this file, because
# iptables-restore would likely refuse the line as written.
-A CLOSED -p tcp -j REJECT --reject-with reject-with
-A CLOSED -p udp -j REJECT --reject-with icmp-proto-unreachable
-A CLOSED -j DROP
-A DHCP -j LOG --log-prefix "gShield (DHCP accept) " --log-level 6
-A DHCP -j ACCEPT
-A DMZ -j LOG --log-prefix "gShield (DMZ drop) " --log-level 6
-A DMZ -j DROP
# DNS: plain ACCEPT (used by the resolver source-port-53 INPUT rules).
-A DNS -j ACCEPT
-A DROPICMP -j DROP
# DROPnLOG: the default-deny tail reached from STATEFUL.
# NetBIOS UDP (137-139) is dropped silently, before the LOG rule -- so when
# debugging the share problem, UDP NetBIOS that has fallen out of state
# tracking leaves no trace here, while tcp/139 is logged and rejected.
-A DROPnLOG -p udp -m udp --dport 137:139 -j DROP
# NOTE(review): this rule (wrapped onto two lines by the mail client) accepts
# any TCP packet with source port 80 to ports 1024-65535 that is not a pure
# SYN, with no connection-tracking check. Legitimate HTTP replies are already
# matched by the RELATED,ESTABLISHED rule in STATEFUL, so this silent bypass
# is redundant and only widens exposure; consider removing it.
-A DROPnLOG -p tcp -m tcp --sport 80 --dport 1024:65535 ! --tcp-flags SYN,RST,ACK SYN 
-j ACCEPT
# Broadcast DHCP offers are dropped without logging.
-A DROPnLOG -d 255.255.255.255 -p udp -m udp --sport 67 --dport 68 -j DROP
# Rate-limited logging (5/min) of everything else, then reject/drop. The two
# LOG rules below are each one line in the real file (wrapped by the mailer).
-A DROPnLOG -m limit --limit 5/min -j LOG --log-prefix "gShield (default drop) " 
--log-level 6
-A DROPnLOG -p 47 -m limit --limit 5/min -j LOG --log-prefix "gShield (default drop / 
GRE) " --log-level 6
-A DROPnLOG -p tcp -j REJECT --reject-with reject-with
-A DROPnLOG -p udp -j REJECT --reject-with icmp-proto-unreachable
-A DROPnLOG -j DROP
-A HIGHPORT -j ACCEPT
-A MON_OUT -j ACCEPT
-A OPENPORT -j ACCEPT
# PUBLIC: plain ACCEPT (used for the world-reachable ssh/ident INPUT rules).
-A PUBLIC -j ACCEPT
# RESERVED: anti-spoof rejection, deliberately unlogged.
-A RESERVED -p tcp -j REJECT --reject-with reject-with
-A RESERVED -p udp -j REJECT --reject-with icmp-proto-unreachable
-A RESERVED -j DROP
-A SERVICEDROP -j LOG --log-prefix "gShield (service drop) " --log-level 6
-A SERVICEDROP -p tcp -j REJECT --reject-with reject-with
-A SERVICEDROP -p udp -j REJECT --reject-with icmp-proto-unreachable
-A SERVICEDROP -j DROP
# STATEFUL: the connection-tracking policy used as the tail of INPUT and
# FORWARD. Replies to tracked connections are accepted; NEW connections are
# accepted only when they arrive on an interface other than eth0 (the inside);
# everything else goes to DROPnLOG.
# NOTE(review): if the NT shares sit on the far side of this firewall, this is
# where an idle SMB session breaks once its ip_conntrack entry has gone: the
# server's next packet on eth0 is no longer ESTABLISHED, does not qualify as
# NEW from the inside, and lands in DROPnLOG. Watching the kernel log for the
# "gShield (default drop)" prefix at the moment a stale mapping fails would
# confirm this before any timeout tuning.
-A STATEFUL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A STATEFUL -i ! eth0 -m state --state NEW -j ACCEPT
-A STATEFUL -j DROPnLOG
# TAINTED: log and drop packets flagged by the unclean match.
-A TAINTED -j LOG --log-prefix "gShield (unclean drop) " --log-level 6
-A TAINTED -j DROP
# loopback: accepts anything received on lo. When entered from OUTPUT (-o lo)
# there is no input interface to match, so the packet simply returns to
# OUTPUT's ACCEPT policy -- same outcome.
-A loopback -i lo -j ACCEPT
COMMIT
# Completed on Fri Mar  8 13:05:00 2002

