Marcin Owsiany wrote:
> I have a lightly loaded web server, with an empty (policy ALLOW) INPUT chain, and a few rules in the OUTPUT chain (so if any of the PHP apps are attacked, they won't be able to download any nasty stuff).
>
> Every now and then a rule created using the following command:
>
>   iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix INVALID --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid
>
> logs a line such as this:
>
>   IN= OUT=eth0 SRC="" DST=CLIENT LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3935 SEQ=2659281614 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
>
> Looking in Apache's access logs, I can see that in most cases there is a (usually successful) request from the logged CLIENT address to the web server, almost exactly two minutes before the line is logged.
>
> Can someone explain to me why conntrack thinks this packet is in INVALID state, if it's generated by the host's TCP stack?

Unfortunately I can't explain why, although it may not necessarily be conntrack, but I'd suggest you at least add the following rules:

# Kill invalid packets (illegal combinations of flags)
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP

# Block fragments and Xmas tree as well as SYN,FIN and SYN,RST
-A INPUT -i eth0 -p ip -f -j DROP
-A INPUT -i eth0 -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Block Sequence Number Prediction
-A INPUT -i eth0 -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset

# Block NEW without SYN
-A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

# Drop all inbound packets that claim to be from us..
-A INPUT -i eth0 -s <your server IP> -j DROP

# Accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Gavin

--
Gavin Westwood
Solutium
http://hosting.solutium.co.uk - quality, affordable web hosting.
http://www.solutium.co.uk - IT Services and Support.
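An added triage script, written for this thread and not from either poster: it parses netfilter LOG lines of the kind Marcin quotes, picks out the pattern he describes (a locally generated bare RST from port 80 with ACK=0 and a zero window, logged as INVALID), and measures the delay since that client's last Apache request so the "almost exactly two minutes" observation can be checked across many lines. The sample log lines, the addresses and the year 2007 are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample input (not from the thread): one line as written by the OUTPUT rule
# "-m state --state INVALID -j LOG --log-prefix INVALID ..." plus its syslog header, and
# Apache access-log lines for two clients. Addresses are RFC 5737 documentation ranges.
KERN_LOG = ["Mar 13 12:02:07 web kernel: INVALID IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 "
            "LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3935 SEQ=2659281614 "
            "ACK=0 WINDOW=0 RES=0x00 RST URGP=0"]
ACCESS_LOG = ['198.51.100.7 - - [13/Mar/2007:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 5123',
              '203.0.113.5 - - [13/Mar/2007:12:01:40 +0000] "GET /about HTTP/1.1" 200 812']
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (.*)$")
ACCESS_RE = re.compile(r"^(\S+) \S+ \S+ \[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d) [^\]]*\]")

def parse_kernel_line(line, year=2007):
    """Split a netfilter LOG line into KEY=VALUE fields plus bare TCP flag tokens ('ACK=0' is
    the acknowledgement number, a bare 'ACK' is the flag). Year is an assumption: syslog omits it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
    fields, flags = {}, set()
    for tok in m.group(2).split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return {"time": ts, "fields": fields, "flags": flags}

def is_local_rst(rec, server_port="80"):
    """The shape seen in the thread: no input interface (generated on this host),
    TCP from the web server port, a bare RST with ACK=0 and a zero window."""
    f = rec["fields"]
    return (f.get("IN") == "" and bool(f.get("OUT")) and f.get("PROTO") == "TCP"
            and f.get("SPT") == server_port and rec["flags"] == {"RST"}
            and f.get("ACK") == "0" and f.get("WINDOW") == "0")

def seconds_since_last_request(rec, access_lines):
    """Delay from the client's most recent Apache request to the logged RST, or None."""
    client, best = rec["fields"].get("DST"), None
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m and m.group(1) == client:
            t = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
            if t <= rec["time"] and (best is None or t > best):
                best = t
    return None if best is None else (rec["time"] - best).total_seconds()
```

Run it over a day's kern.log and access.log to see whether the delay clusters at a fixed value for every client, which is the kind of evidence that separates a timer-driven cause from a client-driven one.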