Re: iptables conntrack: packets not matching a rule occasionally?

You might try a rule to match "state INVALID", and see if it catches them. It might be someone probing your firewall.

Marc Schiffbauer wrote:
> Hi all,
>
> I am using iptables 1.2.11 on a well loaded webserver (constant load
> of about 3-5).
>
> After revising the firewall policy I found a strange behavior of iptables
> that I do not understand:
>
> Most of the packets to port 80 are being ACCEPTed as expected.
>
> But:
> * For some clients packets to tcp/80 are being DROPed completely
> * For some clients packets to tcp/80 are being DROPed occasionally
>
> I have the following rules for incoming http traffic:
> (In OUTPUT everything is allowed ATM)
>
> Chain INPUT (policy DROP 5 packets, 1057 bytes)
> pkts bytes target prot opt in out source destination
> 2227 433K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 54 3048 RULE_2 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
> [...]
> 5 200 In_RULE_18 all -- + * 0.0.0.0/0 0.0.0.0/0 limit: avg 2/sec burst 50
>
> Chain RULE_2 (4 references)
> pkts bytes target prot opt in out source destination
> 51 2868 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 2/sec burst 5 LOG flags 7 level 7 prefix `RULE 2 -- ACCEPT '
> 54 3048 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain In_RULE_18 (2 references)
> pkts bytes target prot opt in out source destination
> 5 200 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 2/sec burst 5 LOG flags 7 level 7 prefix `DROP '
> 5 200 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
>
> (logging for accepted packets has been added for debugging after seeing the dropped
> packets...)
>
> When I access the webserver all seems to work fine but I am worried
> about these DROPped packets.
>
> The problem is that I cannot see any difference between accepted and
> dropped packets :-/
>
>
> Examples (a-d.x.x.x being 4 different clients and a.b.c.d is my
> server; MAC= value was equal in all lines):
>
> Aug 1 15:31:50 pluto kernel: RULE 2 -- ACCEPT IN=eth0 OUT= MAC= SRC=a.x.x.x DST=a.b.c.d LEN=48 TOS=0x00 PREC=0x00 TTL=47 ID=64148 DF PROTO=TCP SPT=52789 DPT=80 WINDOW=5728 RES=0x00 SYN URGP=0
> Aug 1 15:31:51 pluto kernel: DROP IN=eth0 OUT= MAC= SRC=b.x.x.x DST=a.b.c.d LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=55422 DF PROTO=TCP SPT=2433 DPT=80 WINDOW=864 RES=0x00 ACK FIN URGP=0
> Aug 1 15:31:52 pluto kernel: DROP IN=eth0 OUT= MAC= SRC=c.x.x.x DST=a.b.c.d LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=38797 DF PROTO=TCP SPT=4404 DPT=80 WINDOW=864 RES=0x00 ACK FIN URGP=0
> Aug 1 15:31:52 pluto kernel: DROP IN=eth0 OUT= MAC= SRC=c.x.x.x DST=a.b.c.d LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=2067 DF PROTO=TCP SPT=52789 DPT=80 WINDOW=5728 RES=0x00 ACK URGP=0
> Aug 1 15:31:52 pluto kernel: RULE 2 -- ACCEPT IN=eth0 OUT= MAC= SRC=d.x.x.x DST=a.b.c.d LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=47854 DF PROTO=TCP SPT=12768 DPT=80 WINDOW=57344 RES=0x00 SYN URGP=0
>
>
> I tried it without connection tracking for port 80: No dropped
> packets! So it seems related to conntrack
>
> Has anybody an Idea what could be the cause of this?
>
> TIA
> -Marc
> PS: The same happens with tcp/21 (ftp)
>

-- 
Hector Gonzalez
cacho@genac.org
http://www.genac.org


-- 
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org