Re: New not syn: IN =OUT=eth1
on 2006-03-30 at 12:25, Vladimir Zolotykh wrote:
> I'm new both to this mailing list and firewalls.
> I set up a simple firewall and SNAT using iptables. All works fine
> except that sometimes I see the following in the /var/log/syslog
> Mar 30 08:54:23 dobby kernel: New not syn:IN= OUT=eth1 SRC=3184.108.40.206 \
> DST=3220.127.116.11 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=60918 DF PROTO=TCP \
> SPT=32804 DPT=119 WINDOW=31856 RES=0x00 ACK PSH FIN URGP=0
> Could you please tell me what might be the probable reason for these
> messages? The actual rule that produces them is
> iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
> --log-prefix "New not syn:"
> iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
New not syn means that from the iptables firewall's view, this
is the first packet received in a NEW tcp session. All tcp sessions
should start with a syn packet, but for some reason, the syn packet for
this connection was not received. Lot's of reasons like dropped packet
somewhere, asynchronous routing, out of order packets, flushing and
restarting the firewall in the middle of a tcp session, etc.
if it's valid traffic, tcp will handle this itself. when the sender
notices you haven't replied to the syn packet, it will send it again