I have a script with some iptables rules in it. When I execute this script on another host using 'ssh', the call blocks for approx. 2 hours.
This is the contents of the script. The idea is to block all traffic except ssh, http(s), icmp and broadcast udp discovery:
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dport 22,80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p udp -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sport 22,80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p udp -j ACCEPT
I execute the script via this call:
sshpass -p <pwd> ssh root@<host> '/bin/sh -s' < script.sh
And most of the time (not always), this call hangs and is interrupted after 7300 sec. I have done an strace. It also seems that this only happens when setting some iptables rules; executing any other command over ssh shows no problem, although the strace is the same, except that the interrupt happens after 0.1 sec.
0.000092 wait4(4075588, 0x7ffd2d32bdec, WNOHANG, NULL) = 0
0.000086 pselect6(4, [3], NULL, NULL, NULL, {[], 8}) = ? ERESTARTNOHAND (To be restarted if no handler)
7303.455216 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4075588, si_uid=1005, si_status=255, si_utime=2, si_stime=0} ---
0.000332 rt_sigreturn({mask=[CHLD]}) = -1 EINTR (Interrupted system call)
0.000328 wait4(4075588, [{WIFEXITED(s) && WEXITSTATUS(s) == 255}], WNOHANG, NULL) = 4075588
0.000423 exit_group(255) = ?
0.000645 +++ exited with 255 +++
Another strange thing is that the iptables rules are correctly set after 7300 seconds, BUT an extra rule is added to the INPUT and OUTPUT chains: ACCEPT all -- anywhere anywhere
Can someone explain this behaviour?
Thx
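Added example (editor's code, not the asker's script): the same policy (drop everything except ssh/http/https, ICMP echo and UDP), but ordered so that accept rules for loopback and for already-tracked connections, which include the ssh session that is carrying the script, are in place before the default policies are switched to DROP, followed by a timed rollback. Applying remote firewall changes in this order, with a rollback, is standard practice; whether it accounts for the hang described in the post is not established here. `rule_set` takes the iptables command as its first argument so the command list can be printed with `rule_set echo` and inspected before touching a live host; `check_order` and `apply_with_rollback` are helper names chosen for this example.

```shell
#!/bin/sh
# Editor's example, not the original script. Same intent as the post:
# allow ssh/http/https, ping and udp, drop everything else.

# Emit or run the rule set. $1 is the iptables command to use; pass "echo"
# to print the commands instead of executing them.
rule_set() {
    ipt="${1:-iptables}"
    # Keep the policies at ACCEPT while the chains are rebuilt.
    $ipt -P INPUT ACCEPT
    $ipt -P OUTPUT ACCEPT
    $ipt -P FORWARD ACCEPT
    $ipt -F
    # Loopback and already-tracked connections first, in both directions.
    # The ssh session running this script is one of those connections.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A OUTPUT -o lo -j ACCEPT
    $ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New inbound ssh/http/https, ping requests, and udp discovery.
    $ipt -A INPUT -p tcp -m multiport --dports 22,80,443 -m conntrack --ctstate NEW -j ACCEPT
    $ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $ipt -A INPUT -p udp -j ACCEPT
    $ipt -A OUTPUT -p udp -j ACCEPT
    # Only now flip the defaults to DROP.
    $ipt -P INPUT DROP
    $ipt -P OUTPUT DROP
    $ipt -P FORWARD DROP
}

# Return 0 if, in the printed command list, the first ESTABLISHED accept
# rule comes before the first DROP policy (the property this ordering exists for).
check_order() {
    out=$(rule_set echo)
    est=$(printf '%s\n' "$out" | grep -n 'ESTABLISHED' | head -n 1 | cut -d: -f1)
    drop=$(printf '%s\n' "$out" | grep -n -- '-P INPUT DROP' | head -n 1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$drop" ] && [ "$est" -lt "$drop" ]
}

# Apply for real, with a safety net: after 60 s the chains are opened again
# unless the background job is killed. Run `kill <pid>` from the same ssh
# session once you have confirmed it still responds.
apply_with_rollback() {
    rule_set iptables
    ( sleep 60
      iptables -P INPUT ACCEPT
      iptables -P OUTPUT ACCEPT
      iptables -P FORWARD ACCEPT
      iptables -F ) &
    echo "$!"
}
```

Dry-run with `rule_set echo` to see the exact commands in order; `check_order` is the same check done programmatically. When piping this through `ssh root@host '/bin/sh -s'` as in the post, call `apply_with_rollback` explicitly at the end of the script and keep the printed pid to cancel the rollback.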