Networking Forums
Home Register Members Search Links
Member Login:

Networking Forums > Computer Networking > Linux Networking > iptables v1.2.4 logs dropped packets that should have been allowed ???

Reply
Thread Tools Display Modes

iptables v1.2.4 logs dropped packets that should have been allowed ???

 
 
Tom Van Overbeke
Guest
Posts: n/a

 
      07-16-2003, 03:18 PM
Hi,


I hope someone can shed some light on a mistery i have:


our firewall (also squid proxy) serves some 50 desktops for web browsing.

Everything works fine, noone complains about sites not being accessible or
sth, but in the firewall logs, i see very regularly 2 types of blocked
packets:


Jul 16 16:49:11 dobermann kernel: -drop_the_rest-IN=eth0 OUT=
MAC=00:06:5b:f7:66:96:00:00:d1:ec:fa:3b:08:00 SRC=213.199.148.12
DST=172.17.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=11706 PROTO=TCP SPT=80
DPT=55475 WINDOW=17125 RES=0x00 ACK URGP=0

DST ip is the external interface of the proxy server. to me, this appears to
be the reply from an attempt of the squid proxy to initiate a connection
with a remote website (because of the ACK).
i see no reason why this packet would be blocked, because i can't find the
corresponding SYN packet in my logs.
anyway, The connection between these hosts and ports in this example are
configured to be permitted.


second type of blocked packets:

Jul 16 11:57:47 dobermann kernel: -drop_the_rest-IN= OUT=eth1 SRC=172.21.3.1
DST=172.21.3.209 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=6144 PROTO=TCP SPT=3128
DPT=2408 WINDOW=16056 RES=0x00 ACK PSH FIN URGP=0
Jul 16 13:16:19 dobermann kernel: -drop_the_rest-IN= OUT=eth1 SRC=172.21.3.1
DST=172.21.3.209 LEN=1102 TOS=0x00 PREC=0x00 TTL=64 ID=25203 PROTO=TCP
SPT=3128 DPT=3384 WINDOW=6468 RES=0x00 ACK PSH URGP=0

SRC is the internal ip of the firewall / squid proxy; DST is one of the
desktop pc's used to surf the web.

this packet looks like it's the squid that is forwarding the received web
page back to the requesting client (because of the ACK and PSH bits set).
the source port is 3128, where we have configured our proxy to listen to.


to me this doesn't make sence: it seems almost like iptables has forgotten
about the already established connection and seems to drop the packet
because it can't find it in the connection tracking table.

our firewall is iptables v1.2.4 running on redhat advanced server 2.1.
the firewall was setup via fwbuilder, with connection tracking enabled for
most of the rules (and definitely for the 'allow squid traffic' rule).
cat /proc/sys/net/ipv4/conntrack_max is 32760
cat /proc/net/ip_conntrack | wc -l is 172 (i assume these 2 variables are
related ?).



thx,


Tom.
 
Reply With Quote
 
 
 
Reply

« how can lan network connect to live server | SSH from LAN to Internet via DMZ ip tunnel »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables: user-def'd chains: allowed names? jqpx37 Linux Networking 1 10-15-2006 05:47 PM
IPTables filtering what should be allowed outbound traffic SmittyBroham Linux Networking 6 10-03-2005 05:42 PM
dropped packets David Dumas Linux Networking 1 08-31-2005 01:38 AM
di-614+ and mn-720 dropped packets and so on cefek Broadband Hardware 0 08-24-2004 01:20 PM
iptables v1.2.4 logs dropped packets that should have been allowed ??? Tom Van Overbeke Linux Networking 1 07-18-2003 04:32 PM


Forum Software Powered by vBulletin®, Copyright Jelsoft Enterprises Ltd.
SEO by vBSEO 3.3.2 ©2009, Crawlability, Inc.
Contact Us - Archive - Privacy Statement - Top

1 2 3 4 5 6 7 8 9 10 11