As with many others I had issues w/ the IPS rule snafu. I had saw the problem within 15 minutes of all my equipment going down at one of our locations and raced to the datacenter to see what the problem was.
At this time nothing had been posted and I saw that our ISP was up but nothing was getting to or past our routers. I knew it was more than likely an update issue since every device in my HA cluster had the exact same problem.
At this point I decided to just wipe them clean and disable auto updates and reload my previous config file. Since I've done this its come to my attention that all SSH traffic is being blocked by my reject rule (#36). For testing purposes I have allowed SSH traffic from a remote location and set this rule to #1 and I get rejects from rule #36 (any -> any, reject; which is my last rule fwiw). Also, all other traffic seems to be fine (http, https, smtp, etc...)
Now I just grep'd all of the netfilter rules using 'iptables -L -n --line numbers|grep :22|more' and see that in the AUTO_INPUT chain there is the following line:
10 LOGDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1:65535 dpt:22 LOGMARK match 60004
I know this is now where the log is showing the drop/reject is occurring but this is the only other rule where I see an issue. What would the recommended procedure be in this scenario since this has only started since I started from scratch after the autoupdate's breaking my routers?
Below is the log output:
12:09:50 Packet filter rule #36 TCP
69.163.201.97 : 33043 → X.X.X.X : 22
[SYN] len=60 ttl=53 tos=0x00 srcmac=00:01:e8:1a:bb:65 dstmac=00:1a:8c:f0:a4:e1
12:10:38 Packet filter rule #36 TCP
69.163.201.97 : 34182 → X.X.X.X : 22
[SYN] len=60 ttl=53 tos=0x00 srcmac=00:01:e8:1a:bb:65 dstmac=00:1a:8c:f0:a4:e1
12:11:37 Packet filter rule #36 TCP
69.163.201.97 : 35335 → X.X.X.X : 22
[SYN] len=60 ttl=53 tos=0x00 srcmac=00:01:e8:1a:bb:65 dstmac=00:1a:8c:f0:a4:e1
This thread was automatically locked due to age.
