TCP flag PSH - (Sorry for the cross-posting)

mikedawg@gmail.com
      06-22-2006, 04:18 PM
Sorry for the cross-posting, I probably should have put this question
here originally.

I'm having a weird problem with iptables 1.2.11 on my Linux system.
For some reason, it is only allowing packets through from allowed
hosts/ports that have the TCP flag PSH set on them; it will deny all
others. I have no rules set in iptables about allowing/disallowing
this TCP flag, and I'm not quite sure what could be causing my
problems.

Does anyone have any ideas why my linux system would be doing this?

Thanks

Mike

Here is the output of my iptables-save (with a few edits for MAC and IP
security):

# Generated by iptables-save v1.2.11 on Thu Jun 22 09:38:48 2006
*filter
:INPUT ACCEPT [23:1292]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [35:43479]
:Cid449952DF.0 - [0:0]
:Cid449952E9.0 - [0:0]
:Cid449952E9.1 - [0:0]
:Cid449952F3.0 - [0:0]
:Cid44995307.0 - [0:0]
:Cid44995307.1 - [0:0]
:Cid4499B94F.0 - [0:0]
:RULE_2 - [0:0]
:RULE_3 - [0:0]
:RULE_4 - [0:0]
:RULE_5 - [0:0]
:RULE_7 - [0:0]
:RULE_8 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s <firewall host> -m state --state NEW -j ACCEPT
-A INPUT -d <firewall host> -m state --state NEW -j Cid44995307.0
-A INPUT -d <firewall host> -p tcp -m tcp --dport 22 -m state --state NEW -j Cid449952F3.0
-A INPUT -d <firewall host> -m state --state NEW -j Cid449952E9.0
-A INPUT -d <firewall host> -p tcp -m tcp --dport 10000:10500 -m state --state NEW -j Cid449952DF.0
-A INPUT -s <priv subnet>/255.255.255.0 -d <firewall host> -p tcp -m tcp --sport 1520:1522 -m state --state NEW -j RULE_5
-A INPUT -s <priv subnet 1>/255.255.255.0 -d <firewall host> -p tcp -m tcp --sport 445 -j DROP
-A INPUT -s <priv subnet 2>/255.255.255.0 -d <firewall host> -m state --state NEW -j Cid4499B94F.0
-A INPUT -d <firewall host> -j RULE_8
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s <firewall host> -m state --state NEW -j ACCEPT
-A OUTPUT -d <firewall host> -j RULE_8
-A Cid449952DF.0 -s 10.0.0.0/255.0.0.0 -j RULE_4
-A Cid449952DF.0 -s <priv subnet 3>/255.255.0.0 -j RULE_4
-A Cid449952DF.0 -s <priv subnet 5>/<priv subnet range> -j RULE_4
-A Cid449952DF.0 -s <priv subnet 6>/<priv subnet range> -j RULE_4
-A Cid449952DF.0 -s <priv subnet 6>/<priv subnet range> -j RULE_4
-A Cid449952DF.0 -s <priv subnet 7>/<priv subnet range> -j RULE_4
-A Cid449952DF.0 -s <priv subnet 8>/<priv subnet range> -j RULE_4
-A Cid449952E9.0 -p tcp -m tcp -m multiport --dports 80,443 -j Cid449952E9.1
-A Cid449952E9.1 -s 10.0.0.0/255.0.0.0 -j RULE_3
-A Cid449952E9.1 -s <priv subnet 3>/255.255.0.0 -j RULE_3
-A Cid449952E9.1 -s <priv subnet 5>/<priv subnet range> -j RULE_3
-A Cid449952E9.1 -s <priv subnet 6>/<priv subnet range> -j RULE_3
-A Cid449952E9.1 -s <priv subnet 6>/<priv subnet range> -j RULE_3
-A Cid449952E9.1 -s <priv subnet 7>/<priv subnet range> -j RULE_3
-A Cid449952E9.1 -s <priv subnet 8>/<priv subnet range> -j RULE_3
-A Cid449952F3.0 -s 10.0.0.0/255.0.0.0 -j RULE_2
-A Cid449952F3.0 -s <priv subnet 3>/255.255.0.0 -j RULE_2
-A Cid449952F3.0 -s <priv subnet 5>/<priv subnet range> -j RULE_2
-A Cid449952F3.0 -s <priv subnet 6>/<priv subnet range> -j RULE_2
-A Cid449952F3.0 -s <priv subnet 6>/<priv subnet range> -j RULE_2
-A Cid449952F3.0 -s <priv subnet 7>/<priv subnet range> -j RULE_2
-A Cid449952F3.0 -s <priv subnet 8>/<priv subnet range> -j RULE_2
-A Cid44995307.0 -f -j Cid44995307.1
-A Cid44995307.0 -p icmp -m icmp --icmp-type 11/0 -j Cid44995307.1
-A Cid44995307.0 -p icmp -m icmp --icmp-type 11/1 -j Cid44995307.1
-A Cid44995307.0 -p icmp -m icmp --icmp-type 0/0 -j Cid44995307.1
-A Cid44995307.0 -p icmp -m icmp --icmp-type 3 -j Cid44995307.1
-A Cid44995307.0 -p icmp -m icmp --icmp-type 8/0 -j Cid44995307.1
-A Cid44995307.1 -s 10.0.0.0/255.0.0.0 -j ACCEPT
-A Cid44995307.1 -s <priv subnet 3>/255.255.0.0 -j ACCEPT
-A Cid44995307.1 -s <priv subnet 5>/<priv subnet range> -j ACCEPT
-A Cid44995307.1 -s <priv subnet 6>/<priv subnet range> -j ACCEPT
-A Cid44995307.1 -s <priv subnet 6>/<priv subnet range> -j ACCEPT
-A Cid44995307.1 -s <priv subnet 7>/<priv subnet range> -j ACCEPT
-A Cid44995307.1 -s <priv subnet 8>/<priv subnet range> -j ACCEPT
-A Cid4499B94F.0 -p tcp -m tcp -m multiport --dports 445,139 -j RULE_7
-A Cid4499B94F.0 -p udp -m udp -m multiport --dports 138,137 -j RULE_7
-A RULE_2 -j LOG --log-prefix "ALLOWED-SSH " --log-level 6
-A RULE_2 -j ACCEPT
-A RULE_3 -j LOG --log-prefix "ALLOWED-WEB " --log-level 6
-A RULE_3 -j ACCEPT
-A RULE_4 -j LOG --log-prefix "ALLOWED-APP " --log-level 6
-A RULE_4 -j ACCEPT
-A RULE_5 -j LOG --log-prefix "ALLOWED-DB " --log-level 6
-A RULE_5 -j ACCEPT
-A RULE_7 -j LOG --log-prefix "ALLOWED-SMB " --log-level 6
-A RULE_7 -j ACCEPT
-A RULE_8 -j LOG --log-prefix "DENIED " --log-level 6
-A RULE_8 -j DROP
COMMIT
# Completed on Thu Jun 22 09:38:48 2006

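The ruleset above logs every decision with a prefix (ALLOWED-SSH, ALLOWED-WEB, ..., DENIED), and the LOG target writes the TCP flags of each packet into the kernel log, so the quickest way to pin down which flag combinations are really reaching RULE_8 is to tally those log lines. The following Python script is an added example, not code from the original post: it parses iptables LOG-target records, counts them by log prefix, protocol, destination port and TCP flags, and lists the (protocol, port, flags) combinations that were denied but never allowed. The log lines embedded in it are constructed for this example; the prefixes match the ruleset above, while the addresses, ports and MACs are made up.

```python
import sys
from collections import Counter

# Constructed sample in the format the iptables LOG target writes to the kernel
# log (syslog timestamp/host omitted). Addresses, ports and MACs are made up;
# the log prefixes are the ones used by the ruleset in the post.
SAMPLE_LOG = """\
DENIED IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.1.2.3 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
DENIED IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.1.2.3 DST=10.0.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 ACK URGP=0
ALLOWED-SSH IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.1.2.3 DST=10.0.0.5 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=12347 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 ACK PSH URGP=0
DENIED IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.7.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
DENIED IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.4.4.4 DST=10.0.0.5 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=23 PROTO=UDP SPT=137 DPT=137 LEN=58
"""

# TCP flags appear in LOG output as bare tokens after RES=; "DF" is the IP
# don't-fragment bit and must not be mistaken for a TCP flag.
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}


def parse_log_line(line):
    """Parse one iptables LOG line into (prefix, fields, flags).

    Returns None for lines that carry no iptables record. Works on raw
    kernel-log text and on syslog lines ("... kernel: PREFIX IN=...").
    """
    line = line.strip()
    if "kernel: " in line:
        line = line.split("kernel: ", 1)[1]
    idx = line.find("IN=")
    if idx < 0:
        return None
    prefix = line[:idx].strip()
    fields = {}
    flags = set()
    for tok in line[idx:].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # UDP/ICMP records carry LEN= twice (IP and payload); keep the first
            fields.setdefault(key, val)
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return prefix, fields, frozenset(flags)


def summarize(log_text):
    """Count records by (log prefix, protocol, destination port, TCP flags)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        prefix, fields, flags = rec
        flagstr = "+".join(sorted(flags)) or "-"
        counts[(prefix, fields.get("PROTO", "-"), fields.get("DPT", "-"), flagstr)] += 1
    return counts


def flags_never_allowed(counts):
    """(proto, dport, flags) combinations seen under DENIED but under no
    ALLOWED-* prefix: the pattern the post describes, made visible."""
    allowed = {(proto, dpt, fl) for (pre, proto, dpt, fl) in counts if pre.startswith("ALLOWED")}
    denied = {(proto, dpt, fl) for (pre, proto, dpt, fl) in counts if pre == "DENIED"}
    return sorted(denied - allowed)


def main(argv):
    # Usage: python iptflags.py /var/log/kern.log   (no argument: built-in sample)
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    counts = summarize(text)
    for (prefix, proto, dpt, flags), n in sorted(counts.items()):
        print(f"{n:6d}  {prefix:<14} {proto:<5} dport={dpt:<6} flags={flags}")
    print("\nDENIED (proto, dport, flags) with no ALLOWED-* counterpart:")
    for proto, dpt, flags in flags_never_allowed(counts):
        print(f"  {proto} dport={dpt} flags={flags}")


if __name__ == "__main__":
    main(sys.argv)
```

Point it at wherever klogd writes level-6 kernel messages (typically /var/log/kern.log or /var/log/messages). The thing to look for in the output is the flag set on the DENIED records for a host and port that should be allowed: every ALLOWED-* path in the ruleset requires `-m state --state NEW`, so a bare SYN that conntrack classifies as NEW should reach the ALLOWED-* chains, and a mid-stream ACK on a tracked connection should have matched the RELATED,ESTABLISHED rule at the top of INPUT before reaching RULE_8. Seeing which of those two cases is being logged as DENIED narrows the problem considerably.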