Networking Forums

iptables: ESTABLISHED,RELATED but some ACK or RST rejected

 
 
Emmanuel CHANTREAU
      09-14-2003, 01:53 PM
I have a server behind a firewall; DNAT on the firewall redirects ports to
it (like www). The server never initiates a connection, so the rules in the
firewall for forwarding packets from the server are:
I accept states ESTABLISHED,RELATED, and for the rest I log and reject:

iptables -A $CHAIN -m state -p tcp -s $IP_SERVER --state ESTABLISHED,RELATED -j ACCEPT
iptables -A $CHAIN -j LOG --log-level DEBUG --log-prefix "IPT $CHAIN REJECT: "
iptables -A $CHAIN -j REJECT

My problem is:

Some packets are not in the state ESTABLISHED,RELATED but seem valid,
like:

Sep 4 14:23:40 brouillard kernel: IPT tap0-fw REJECT: IN=tap0 OUT=ppp0 SRC=192.168.112.179 DST=80.88.128.132 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=64803 DF PROTO=TCP SPT=80 DPT=49260 WINDOW=5792 RES=0x00 ACK FIN URGP=0

I have others with flags RST or just ACK.

I don't understand why because these packets are related to a connection.

Sure, I could forward all packets, but I need security.

thanks

--
Emmanuel Chantréau
100% of people are in a minority of less than 5% of people.
 
 
Horst Knobloch
      09-17-2003, 08:47 PM
Emmanuel CHANTREAU <(E-Mail Removed)> wrote:

> I have a server behind a firewall; DNAT on the firewall redirects ports to
> it (like www). The server never initiates a connection, so the rules in
> the firewall for forwarding packets from the server are:
> I accept states ESTABLISHED,RELATED, and for the rest I log and reject:
>

[...]
> Some packets are not in the state ESTABLISHED,RELATED but seem valid,
> like:
>
> Sep 4 14:23:40 brouillard kernel: IPT tap0-fw REJECT: IN=tap0 OUT=ppp0
> SRC=192.168.112.179 DST=80.88.128.132 LEN=52 TOS=0x00 PREC=0x00 TTL=63
> ID=64803 DF PROTO=TCP SPT=80 DPT=49260 WINDOW=5792 RES=0x00 ACK FIN
> URGP=0
>
> I have others with flags RST or just ACK.
>
> I don't understand why because these packets are related to a connection.


I've seen something similar. My investigation showed that
in my case these rejected packets were delayed duplicates which
arrived when the connection no longer existed in the connection
tracking engine of the packet filter.

So fire up ethereal and capture traffic until you see a log
entry like the one above. Then follow the communication in ethereal that the
logged entry stems from and draw your conclusions, or post it here.


HTH

Ciao, Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn
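Before reaching for ethereal, it helps to sort the rejected lines by what they are. The script below is an added example, not code from either post: it parses iptables LOG lines of the format shown in the thread (key=value tokens plus bare flag tokens such as ACK FIN) and, for packets leaving the server, separates the harmless late FIN/ACK, RST and lone-ACK segments of flows conntrack has already forgotten (Horst's explanation) from a SYN that would mean the server really is opening a connection. The server address 192.168.112.179 and service port 80 are taken from the post; the first sample line is the one quoted in the thread, the other three are constructed here for illustration.

```python
"""Classify iptables LOG lines for packets the ESTABLISHED,RELATED rule let through
to the LOG/REJECT rules.  Added example, not code from the original thread.

Assumptions: the lines follow the iptables LOG format ("... kernel: <prefix> IN=...
OUT=... SRC=... PROTO=TCP SPT=... DPT=... ACK FIN URGP=0"), the server address and
the DNAT'd service ports are known, and the sample lines are constructed (only the
first is quoted from the post).
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

SERVER_IP = "192.168.112.179"   # from the post
SERVICE_PORTS = {80}            # ports DNAT'd to the server (www, from the post)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample: line 1 is the one quoted in the thread, lines 2-4 are made up
# here to show the RST, lone-ACK and unexpected-SYN cases.
SAMPLE_LOG = """\
Sep 4 14:23:40 brouillard kernel: IPT tap0-fw REJECT: IN=tap0 OUT=ppp0 SRC=192.168.112.179 DST=80.88.128.132 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=64803 DF PROTO=TCP SPT=80 DPT=49260 WINDOW=5792 RES=0x00 ACK FIN URGP=0
Sep 4 14:25:02 brouillard kernel: IPT tap0-fw REJECT: IN=tap0 OUT=ppp0 SRC=192.168.112.179 DST=80.88.128.132 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=49301 WINDOW=0 RES=0x00 RST URGP=0
Sep 4 14:26:11 brouillard kernel: IPT tap0-fw REJECT: IN=tap0 OUT=ppp0 SRC=192.168.112.179 DST=80.88.128.132 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=64811 DF PROTO=TCP SPT=80 DPT=49260 WINDOW=5792 RES=0x00 ACK URGP=0
Sep 4 14:30:00 brouillard kernel: IPT tap0-fw REJECT: IN=tap0 OUT=ppp0 SRC=192.168.112.179 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12 DF PROTO=TCP SPT=43122 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
"""


@dataclass(frozen=True)
class LogRecord:
    prefix: str                 # text between "kernel:" and "IN=" (the --log-prefix)
    fields: Dict[str, str]      # key=value tokens: IN, OUT, SRC, DST, PROTO, SPT, DPT, ...
    flags: FrozenSet[str]       # bare TCP flag tokens: SYN, ACK, FIN, RST, PSH, URG

    @property
    def src(self) -> str:
        return self.fields.get("SRC", "")

    @property
    def proto(self) -> str:
        return self.fields.get("PROTO", "")

    @property
    def spt(self) -> Optional[int]:
        v = self.fields.get("SPT")
        return int(v) if v is not None and v.isdigit() else None


def parse_log_line(line: str) -> Optional[LogRecord]:
    """Parse one iptables LOG line; return None for any other syslog line."""
    m = re.search(r"kernel:\s*(.*?)(IN=.*)$", line)
    if not m:
        return None
    prefix, body = m.group(1).strip(), m.group(2)
    fields: Dict[str, str] = {}
    bare: Set[str] = set()
    for tok in body.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        else:
            bare.add(tok)       # bare tokens: DF (IP) and the TCP flags
    return LogRecord(prefix, fields, frozenset(bare & TCP_FLAGS))


def classify(rec: LogRecord, server_ip: str, service_ports: Set[int]) -> str:
    """Verdict for a packet from the server that was not ESTABLISHED/RELATED."""
    if rec.src != server_ip:
        return "not-from-server"
    if rec.proto != "TCP":
        return "non-tcp"
    if "SYN" in rec.flags and "ACK" not in rec.flags:
        # A bare SYN is a new connection, which this server is never supposed to open.
        return "server-initiated-connection"
    if rec.spt in service_ports and rec.flags == {"SYN", "ACK"}:
        # Handshake reply without a tracked SYN (e.g. conntrack table was flushed).
        return "handshake-reply-without-state"
    if rec.spt in service_ports and rec.flags and rec.flags <= {"ACK", "FIN", "RST", "PSH"}:
        # FIN/ACK, RST or a lone ACK from a published port with no conntrack entry:
        # the signature of a late or duplicate teardown segment for a flow the
        # tracker has already forgotten.  Harmless; drop it silently.
        return "late-teardown-of-closed-flow"
    return "unclassified"


def analyze(log_text: str, server_ip: str, service_ports: Set[int]) -> List[Tuple[LogRecord, str]]:
    """Parse every LOG line in log_text and pair it with its verdict."""
    out = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is not None:
            out.append((rec, classify(rec, server_ip, service_ports)))
    return out


def summarize(results: List[Tuple[LogRecord, str]]) -> Dict[str, int]:
    """Count verdicts, so a flood of late teardowns stands out from one real SYN."""
    counts: Dict[str, int] = {}
    for _, verdict in results:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG, SERVER_IP, SERVICE_PORTS)
    for rec, verdict in results:
        f = rec.fields
        print(f"{f['SRC']}:{f['SPT']} -> {f['DST']}:{f['DPT']} "
              f"flags={' '.join(sorted(rec.flags)) or '-'}  =>  {verdict}")
    print(summarize(results))
```

Run it against the real log (`grep 'IPT tap0-fw REJECT' /var/log/messages` piped into `analyze`) and only the entries that are not late teardowns need the ethereal capture. Once the late-teardown verdict is confirmed, the usual way to keep the log readable without forwarding everything is a rule ahead of the LOG rule that silently drops what the tracker cannot place, for example `-m state --state INVALID -j DROP`; the LOG/REJECT pair then only sees genuinely unexpected packets such as a server-originated SYN.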