TCP flag PSH - (Sorry for the cross-posting)

Discussion in 'Linux Networking' started by mikedawg, Jun 22, 2006.

    Sorry for the cross-posting, I probably should have put this question
    here originally.

    I'm having a weird problem with iptables 1.2.11 on my Linux system.
    For some reason, it is only allowing packets through from allowed
    hosts/ports that have the TCP flag PSH set on them; it will deny all
    others. I have no rules set in iptables about allowing/disallowing
    these TCP flags, and I'm not quite sure what could be causing my
    problems.

    Does anyone have any ideas why my linux system would be doing this?

    Thanks

    Mike

    Here is the output of my iptables-save (with a few edits for MAC and IP
    security):

    # Generated by iptables-save v1.2.11 on Thu Jun 22 09:38:48 2006
    *filter
    :INPUT ACCEPT [23:1292]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [35:43479]
    :Cid449952DF.0 - [0:0]
    :Cid449952E9.0 - [0:0]
    :Cid449952E9.1 - [0:0]
    :Cid449952F3.0 - [0:0]
    :Cid44995307.0 - [0:0]
    :Cid44995307.1 - [0:0]
    :Cid4499B94F.0 - [0:0]
    :RULE_2 - [0:0]
    :RULE_3 - [0:0]
    :RULE_4 - [0:0]
    :RULE_5 - [0:0]
    :RULE_7 - [0:0]
    :RULE_8 - [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -s <firewall host> -m state --state NEW -j ACCEPT
    -A INPUT -d <firewall host> -m state --state NEW -j Cid44995307.0
    -A INPUT -d <firewall host> -p tcp -m tcp --dport 22 -m state --state NEW -j Cid449952F3.0
    -A INPUT -d <firewall host> -m state --state NEW -j Cid449952E9.0
    -A INPUT -d <firewall host> -p tcp -m tcp --dport 10000:10500 -m state --state NEW -j Cid449952DF.0
    -A INPUT -s <priv subnet>/255.255.255.0 -d <firewall host> -p tcp -m tcp --sport 1520:1522 -m state --state NEW -j RULE_5
    -A INPUT -s <priv subnet 1>/255.255.255.0 -d <firewall host> -p tcp -m tcp --sport 445 -j DROP
    -A INPUT -s <priv subnet 2>/255.255.255.0 -d <firewall host> -m state --state NEW -j Cid4499B94F.0
    -A INPUT -d <firewall host> -j RULE_8
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -s <firewall host> -m state --state NEW -j ACCEPT
    -A OUTPUT -d <firewall host> -j RULE_8
    -A Cid449952DF.0 -s 10.0.0.0/255.0.0.0 -j RULE_4
    -A Cid449952DF.0 -s <priv subnet 3>/255.255.0.0 -j RULE_4
    -A Cid449952DF.0 -s <priv subnet 5>/<priv subnet range> -j RULE_4
    -A Cid449952DF.0 -s <priv subnet 6>/<priv subnet range> -j RULE_4
    -A Cid449952DF.0 -s <priv subnet 6>/<priv subnet range> -j RULE_4
    -A Cid449952DF.0 -s <priv subnet 7>/<priv subnet range> -j RULE_4
    -A Cid449952DF.0 -s <priv subnet 8>/<priv subnet range> -j RULE_4
    -A Cid449952E9.0 -p tcp -m tcp -m multiport --dports 80,443 -j Cid449952E9.1
    -A Cid449952E9.1 -s 10.0.0.0/255.0.0.0 -j RULE_3
    -A Cid449952E9.1 -s <priv subnet 3>/255.255.0.0 -j RULE_3
    -A Cid449952E9.1 -s <priv subnet 5>/<priv subnet range> -j RULE_3
    -A Cid449952E9.1 -s <priv subnet 6>/<priv subnet range> -j RULE_3
    -A Cid449952E9.1 -s <priv subnet 6>/<priv subnet range> -j RULE_3
    -A Cid449952E9.1 -s <priv subnet 7>/<priv subnet range> -j RULE_3
    -A Cid449952E9.1 -s <priv subnet 8>/<priv subnet range> -j RULE_3
    -A Cid449952F3.0 -s 10.0.0.0/255.0.0.0 -j RULE_2
    -A Cid449952F3.0 -s <priv subnet 3>/255.255.0.0 -j RULE_2
    -A Cid449952F3.0 -s <priv subnet 5>/<priv subnet range> -j RULE_2
    -A Cid449952F3.0 -s <priv subnet 6>/<priv subnet range> -j RULE_2
    -A Cid449952F3.0 -s <priv subnet 6>/<priv subnet range> -j RULE_2
    -A Cid449952F3.0 -s <priv subnet 7>/<priv subnet range> -j RULE_2
    -A Cid449952F3.0 -s <priv subnet 8>/<priv subnet range> -j RULE_2
    -A Cid44995307.0 -f -j Cid44995307.1
    -A Cid44995307.0 -p icmp -m icmp --icmp-type 11/0 -j Cid44995307.1
    -A Cid44995307.0 -p icmp -m icmp --icmp-type 11/1 -j Cid44995307.1
    -A Cid44995307.0 -p icmp -m icmp --icmp-type 0/0 -j Cid44995307.1
    -A Cid44995307.0 -p icmp -m icmp --icmp-type 3 -j Cid44995307.1
    -A Cid44995307.0 -p icmp -m icmp --icmp-type 8/0 -j Cid44995307.1
    -A Cid44995307.1 -s 10.0.0.0/255.0.0.0 -j ACCEPT
    -A Cid44995307.1 -s <priv subnet 3>/255.255.0.0 -j ACCEPT
    -A Cid44995307.1 -s <priv subnet 5>/<priv subnet range> -j ACCEPT
    -A Cid44995307.1 -s <priv subnet 6>/<priv subnet range> -j ACCEPT
    -A Cid44995307.1 -s <priv subnet 6>/<priv subnet range> -j ACCEPT
    -A Cid44995307.1 -s <priv subnet 7>/<priv subnet range> -j ACCEPT
    -A Cid44995307.1 -s <priv subnet 8>/<priv subnet range> -j ACCEPT
    -A Cid4499B94F.0 -p tcp -m tcp -m multiport --dports 445,139 -j RULE_7
    -A Cid4499B94F.0 -p udp -m udp -m multiport --dports 138,137 -j RULE_7
    -A RULE_2 -j LOG --log-prefix "ALLOWED-SSH " --log-level 6
    -A RULE_2 -j ACCEPT
    -A RULE_3 -j LOG --log-prefix "ALLOWED-WEB " --log-level 6
    -A RULE_3 -j ACCEPT
    -A RULE_4 -j LOG --log-prefix "ALLOWED-APP " --log-level 6
    -A RULE_4 -j ACCEPT
    -A RULE_5 -j LOG --log-prefix "ALLOWED-DB " --log-level 6
    -A RULE_5 -j ACCEPT
    -A RULE_7 -j LOG --log-prefix "ALLOWED-SMB " --log-level 6
    -A RULE_7 -j ACCEPT
    -A RULE_8 -j LOG --log-prefix "DENIED " --log-level 6
    -A RULE_8 -j DROP
    COMMIT
    # Completed on Thu Jun 22 09:38:48 2006
     
    mikedawg, Jun 22, 2006
    #1
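As an added illustration (not part of the post above, and not the poster's own tooling), the following script walks a packet through a constructed subset of the chains in the listing: INPUT, the SSH and application-port jump chains, and the RULE_2 / RULE_4 / RULE_8 log-and-verdict chains. `<firewall host>` is replaced with the assumed address 192.0.2.10, the packets are constructed, and user chains that fall through return to their caller, as they do in iptables. It shows two things a reader of the thread would want to check: the path a NEW SSH connection takes to ALLOWED-SSH versus DENIED, and that nothing in the listed rules inspects TCP flags, so two packets that differ only in the PSH bit receive the same verdict from these rules.

```python
import ipaddress

# Assumed stand-in for the "<firewall host>" placeholder in the listing.
FIREWALL_HOST = "192.0.2.10"

# Constructed subset of the posted iptables-save output. Each entry is
# (chain, match criteria, target). A ("LOG", prefix) target is non-terminating,
# exactly as the LOG target is in iptables.
RULES = [
    ("INPUT", {"state": {"RELATED", "ESTABLISHED"}}, "ACCEPT"),
    ("INPUT", {"src": FIREWALL_HOST, "state": {"NEW"}}, "ACCEPT"),
    ("INPUT", {"dst": FIREWALL_HOST, "proto": "tcp", "dport": (22, 22), "state": {"NEW"}}, "Cid449952F3.0"),
    ("INPUT", {"dst": FIREWALL_HOST, "proto": "tcp", "dport": (10000, 10500), "state": {"NEW"}}, "Cid449952DF.0"),
    ("INPUT", {"dst": FIREWALL_HOST}, "RULE_8"),
    ("Cid449952F3.0", {"src": "10.0.0.0/8"}, "RULE_2"),
    ("Cid449952DF.0", {"src": "10.0.0.0/8"}, "RULE_4"),
    ("RULE_2", {}, ("LOG", "ALLOWED-SSH ")),
    ("RULE_2", {}, "ACCEPT"),
    ("RULE_4", {}, ("LOG", "ALLOWED-APP ")),
    ("RULE_4", {}, "ACCEPT"),
    ("RULE_8", {}, ("LOG", "DENIED ")),
    ("RULE_8", {}, "DROP"),
]
# Built-in chain policies from the listing (":INPUT ACCEPT").
POLICY = {"INPUT": "ACCEPT"}


def rule_matches(matches, pkt):
    """Apply the match criteria a rule carries to a constructed packet dict."""
    for key, want in matches.items():
        if key in ("src", "dst"):
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want, strict=False):
                return False
        elif key == "proto":
            if pkt.get("proto") != want:
                return False
        elif key == "dport":
            lo, hi = want
            if not lo <= pkt.get("dport", -1) <= hi:
                return False
        elif key == "state":
            # -m state: conntrack classification, not a TCP flag test.
            if pkt.get("state") not in want:
                return False
    return True


def describe(pkt):
    return "SRC=%s DST=%s PROTO=%s DPT=%s" % (pkt["src"], pkt["dst"], pkt.get("proto"), pkt.get("dport"))


def evaluate(pkt, chain="INPUT", log=None, depth=0):
    """Return (verdict, log lines). A user chain with no terminating verdict
    returns None, which sends evaluation back to the calling chain."""
    if log is None:
        log = []
    if depth > 16:
        raise RuntimeError("chain recursion too deep")
    for rchain, matches, target in RULES:
        if rchain != chain or not rule_matches(matches, pkt):
            continue
        if isinstance(target, tuple) and target[0] == "LOG":
            log.append(target[1] + describe(pkt))
            continue
        if target in ("ACCEPT", "DROP"):
            return target, log
        verdict, log = evaluate(pkt, target, log, depth + 1)
        if verdict is not None:
            return verdict, log
    return POLICY.get(chain), log


def ruleset_inspects_tcp_flags():
    """True only if some rule carries a tcp-flags match; the listing has none."""
    return any("tcp-flags" in matches for _, matches, _ in RULES)


def psh_changes_verdict(pkt):
    """Evaluate the same packet with and without PSH set; report if it matters."""
    with_psh = dict(pkt, flags=set(pkt.get("flags", set())) | {"PSH"})
    without_psh = dict(pkt, flags=set(pkt.get("flags", set())) - {"PSH"})
    return evaluate(with_psh)[0] != evaluate(without_psh)[0]


if __name__ == "__main__":
    # Constructed packets: a NEW SSH connection from inside 10/8 and from outside it.
    for src in ("10.0.0.5", "198.51.100.7"):
        pkt = {"src": src, "dst": FIREWALL_HOST, "proto": "tcp", "dport": 22, "state": "NEW", "flags": {"SYN"}}
        print(src, evaluate(pkt))
    print("rules inspect TCP flags:", ruleset_inspects_tcp_flags())
```

Running it prints ALLOWED-SSH / ACCEPT for the 10.0.0.5 source, DENIED / DROP for the outside source, and `False` for the flag check. Because the rules depend only on addresses, ports and the conntrack state, the first diagnostic step for the symptom in the post is to look at how the state match is classifying the non-PSH packets rather than at the rule text itself.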
