[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: iptables conntrack: packets not matching a rule occasionally?



You might try a rule to match "state INVALID", and see if it catches
them.  It might be someone probing your firewall.

Marc Schiffbauer wrote:
> Hi all,
>
> I am using iptables 1.2.11 on a well loaded webserver (constant load
> of about 3-5).
>
> After revising the firewall policy I found a strange behavior of iptables
> that I do not understand:
>
> Most of the packets to port 80 are being ACCEPTed as expected.
>
> But:
>  * For some clients packets to tcp/80 are being DROPed completely
>  * For some clients packets to tcp/80 are being DROPed occasionally
>
> I have the following rules for incoming http traffic:
> (In OUTPUT everything is allowed ATM)
>
> Chain INPUT (policy DROP 5 packets, 1057 bytes)
>  pkts bytes target     prot opt in  out  source destination
>   2227  433K ACCEPT     all  --  *   *    0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>     54  3048 RULE_2     tcp  --  *   *    0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
> [...]
>      5   200 In_RULE_18 all  --  +   *    0.0.0.0/0 0.0.0.0/0 limit: avg 2/sec burst 50
>
> Chain RULE_2 (4 references)
>  pkts bytes target     prot opt in  out  source destination
>     51  2868 LOG        all  --  *   *    0.0.0.0/0 0.0.0.0/0 limit: avg 2/sec burst 5 LOG flags 7 level 7 prefix `RULE 2 -- ACCEPT '
>     54  3048 ACCEPT     all  --  *   *    0.0.0.0/0 0.0.0.0/0
>
> Chain In_RULE_18 (2 references)
>  pkts bytes target     prot opt in  out  source destination
>      5   200 LOG        all  --  *   *    0.0.0.0/0 0.0.0.0/0 limit: avg 2/sec burst 5 LOG flags 7 level 7 prefix `DROP '
>      5   200 DROP       all  --  *   *    0.0.0.0/0 0.0.0.0/0
>
> (logging for accepted packets has been added for debugging after seeing the dropped
> packets...)
>
> When I access the webserver all seems to work fine but I am worried
> about these DROPped packets.
>
> The problem is that I cannot see any difference between accepted and
> dropped packets :-/
>
>
> Examples (a-d.x.x.x being 4 different clients and a.b.c.d is my
> server; MAC= value was equal in all lines):
>
> Aug  1 15:31:50 pluto kernel: RULE 2 -- ACCEPT IN=eth0 OUT= MAC= SRC=a.x.x.x DST=a.b.c.d LEN=48 TOS=0x00 PREC=0x00 TTL=47 ID=64148 DF PROTO=TCP SPT=52789 DPT=80 WINDOW=5728 RES=0x00 SYN URGP=0
> Aug  1 15:31:51 pluto kernel: DROP IN=eth0 OUT= MAC= SRC=b.x.x.x DST=a.b.c.d LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=55422 DF PROTO=TCP SPT=2433 DPT=80 WINDOW=864 RES=0x00 ACK FIN URGP=0
> Aug  1 15:31:52 pluto kernel: DROP IN=eth0 OUT= MAC= SRC=c.x.x.x DST=a.b.c.d LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=38797 DF PROTO=TCP SPT=4404 DPT=80 WINDOW=864 RES=0x00 ACK FIN URGP=0
> Aug  1 15:31:52 pluto kernel: DROP IN=eth0 OUT= MAC= SRC=c.x.x.x DST=a.b.c.d LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=2067 DF PROTO=TCP SPT=52789 DPT=80 WINDOW=5728 RES=0x00 ACK URGP=0
> Aug  1 15:31:52 pluto kernel: RULE 2 -- ACCEPT IN=eth0 OUT= MAC= SRC=d.x.x.x DST=a.b.c.d LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=47854 DF PROTO=TCP SPT=12768 DPT=80 WINDOW=57344 RES=0x00 SYN URGP=0
>
>
> I tried it without connection tracking for port 80: No dropped
> packets! So it seems related to conntrack
>
> Has anybody an Idea what could be the cause of this?
>
> TIA
> -Marc
> PS: The same happens with tcp/21 (ftp)
>   


-- 
Hector Gonzalez
cacho@genac.org
http://www.genac.org



Reply to: