
Re: INVALID packets in OUTPUT chain



Marcin Owsiany wrote:
I have a lightly loaded web server, with an empty (policy ALLOW) INPUT
chain, and a few rules in the OUTPUT chain (so if any of the PHP apps
are attacked, they won't be able to download any nasty stuff).

Every now and then a rule created using the following command:

iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix INVALID --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid

Logs a line such as this:

IN= OUT=eth0 SRC="" DST=CLIENT LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3935 SEQ=2659281614 ACK=0 WINDOW=0 RES=0x00 RST URGP=0

Looking in the apache's access logs, I can see that in most cases, there
is a (usually successful) request from the logged CLIENT address to the
webserver, almost exactly two minutes before the line is logged.

Can someone explain to me why conntrack thinks this packet is in INVALID
state, if it's generated by the host's TCP stack?

Unfortunately I can't explain why, although it may not necessarily be conntrack, but I'd suggest you at least add the following rules:

#Kill invalid packets (illegal combinations of flags)
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP

# Block fragments and Xmas tree as well as SYN,FIN and SYN,RST
-A INPUT -i eth0 -p ip -f -j DROP
-A INPUT -i eth0 -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Block Sequence Number Prediction
-A INPUT -i eth0 -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset

# Block NEW without SYN
-A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

# Drop all inbound packets that claim to be from us..
-A INPUT -i eth0 -s <your server IP> -j DROP

# Accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Gavin

--

Gavin Westwood
Solutium

http://hosting.solutium.co.uk - quality, affordable web hosting.

http://www.solutium.co.uk - IT Services and Support.
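As an added example (not code from either poster), here is a small Python script that parses kernel LOG lines produced by the `--log-prefix INVALID` rule quoted above and checks Marcin's observation: for each outbound RST from port 80, it looks for requests from the same client in the web server's access log during the preceding few minutes and reports the gap in seconds. The log lines, addresses and the YEAR constant are constructed sample data.

```python
import re
from datetime import datetime, timedelta

YEAR = 2024  # traditional syslog lines carry no year; assumed for the sample data

# Constructed sample lines (not from the original thread). With --log-prefix INVALID
# and no trailing space, the LOG target glues the prefix straight onto "IN=".
KERN_LOG = """\
Mar  3 10:02:07 web kernel: INVALIDIN= OUT=eth0 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3935 SEQ=2659281614 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Mar  3 10:05:30 web kernel: INVALIDIN= OUT=eth0 SRC=198.51.100.7 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=41000 SEQ=11 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
"""
ACCESS_LOG = """\
192.0.2.10 - - [03/Mar/2024:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.9 - - [03/Mar/2024:09:30:00 +0000] "GET /robots.txt HTTP/1.1" 404 200
"""

KERN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: INVALID\s*IN=\S* OUT=(?P<out>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) "
    r"SEQ=(?P<seq>\d+) ACK=(?P<ack>\d+) WINDOW=(?P<win>\d+) RES=\S+ (?P<flags>.*?) URGP=")
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def parse_invalid(line):
    """Return a dict for one INVALID-prefixed LOG line, or None if it does not match."""
    m = KERN_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S").replace(year=YEAR)
    d["flags"] = d["flags"].split()  # e.g. ["RST"] or ["ACK", "SYN"]
    return d

def parse_access(line):
    """Return client IP, timestamp, request and status from an Apache combined-log line."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")  # offset dropped; sample is UTC
    return {"ip": m["ip"], "ts": ts, "req": m["req"], "status": int(m["status"])}

def correlate(kern_lines, access_lines, window=timedelta(minutes=3)):
    """For each outbound RST from the web port logged as INVALID, list the seconds since
    each request from the same client within the preceding window (empty list = none)."""
    hits = [h for h in map(parse_access, access_lines.splitlines()) if h]
    out = []
    for e in filter(None, map(parse_invalid, kern_lines.splitlines())):
        if e["proto"] != "TCP" or "RST" not in e["flags"] or e["spt"] != "80":
            continue
        prior = [h for h in hits if h["ip"] == e["dst"] and timedelta(0) <= e["ts"] - h["ts"] <= window]
        out.append((e["dst"], int(e["dpt"]), [int((e["ts"] - h["ts"]).total_seconds()) for h in prior]))
    return out
```

Run against real files by reading /var/log/kern.log and the access log into the two strings; a consistent gap of about 120 seconds points at a timeout on the server side rather than at the client.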

