Re: INVALID packets in OUTPUT chain

From: Gavin Westwood <debian-isp(at)solutium.co.uk>
Date: Wed Aug 08 2007 - 14:19:36 EDT


Marcin Owsiany wrote:
> I have a lightly loaded web server, with an empty (policy ALLOW) INPUT
> chain, and a few rules in the OUTPUT chain (so if any of the PHP apps
> are attacked, they won't be able to download any nasty stuff).
>
> Every now and then a rule created using the following command:
>
> iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix INVALID --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid
>
> Logs a line such as this:
>
> IN= OUT=eth0 SRC=SERVER DST=CLIENT LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3935 SEQ=2659281614 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
>
> Looking in apache's access logs, I can see that in most cases, there
> is a (usually successful) request from the logged CLIENT address to the
> webserver, almost exactly two minutes before the line is logged.
>
> Can someone explain to me why conntrack thinks the packet is in INVALID
> state, if it's generated by the host's TCP stack?

Unfortunately I can't explain why, although it may not necessarily be conntrack, but I'd suggest you at least add the following rules:

# Kill invalid packets (illegal combinations of flags)
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP

# Block fragments and Xmas tree as well as SYN,FIN and SYN,RST

-A INPUT -i eth0 -p ip -f -j DROP
-A INPUT -i eth0 -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Block Sequence Number Prediction
-A INPUT -i eth0 -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset

# Block NEW without SYN
-A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

# Drop all inbound packets that claim to be from us..
-A INPUT -i eth0 -s <your server IP> -j DROP

# Accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


Gavin

-- 

Gavin Westwood
Solutium
http://hosting.solutium.co.uk - quality, affordable web hosting.
http://www.solutium.co.uk - IT Services and Support.
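The following is an added worked example; it is not code from the thread or from either poster. It parses iptables LOG lines of the shape Marcin quoted (note that `--log-prefix INVALID` has no trailing space, so the prefix runs straight into `IN=` in a real syslog line), pulls out the TCP flags and the SEQ/ACK/WINDOW fields, and correlates each hit with the most recent Apache access-log request from the same client so the two-minute gap can be measured rather than eyeballed. All log lines, host names and addresses are constructed; the syslog prefix and Apache common-log layout are assumptions. The reasoning in `classify()` is how conntrack behaves: it creates a TCP entry only on a SYN (or on a mid-stream ACK when nf_conntrack_tcp_loose is on), never on a RST or a FIN, so a RST that the host's own stack sends for a flow whose entry has already expired has nothing to match and is reported INVALID; the default nf_conntrack_tcp_timeout_time_wait of 120 s is consistent with the gap Marcin sees.

```python
"""Added example, not code from the thread: parse iptables LOG lines of the
shape quoted above and correlate INVALID-state hits with Apache access-log
entries from the same client. Every log line, host name and address below is
constructed; the syslog prefix and Apache common-log layout are assumptions."""
import re
from datetime import datetime

TCP_FLAG_NAMES = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}
INT_FIELDS = {"LEN", "TTL", "ID", "SPT", "DPT", "SEQ", "ACK", "WINDOW", "URGP"}

# Constructed kernel log lines. `--log-prefix INVALID` has no trailing space,
# so the prefix runs straight into "IN=", exactly as the kernel prints it.
INVALID_LOG = [
    "Aug  8 14:19:36 www kernel: INVALIDIN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3935 "
    "SEQ=2659281614 ACK=0 WINDOW=0 RES=0x00 RST URGP=0",
    "Aug  8 14:20:02 www kernel: INVALIDIN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=41022 "
    "SEQ=11 ACK=22 WINDOW=5840 RES=0x00 ACK URGP=0",
]

# Constructed Apache common-log lines for the same two clients.
ACCESS_LOG = [
    '198.51.100.7 - - [08/Aug/2007:14:17:35 -0400] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [08/Aug/2007:14:19:50 -0400] "POST /login.php HTTP/1.1" 302 0',
]

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<rest>.*IN=.*)$")
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse_log_line(line, year=2007):
    """Turn one kernel LOG line into a dict. KEY=VALUE tokens become fields;
    bare tokens are the IP flag DF or TCP flags (SYN, ACK, RST, ...). The
    syslog timestamp carries no year, so the caller supplies it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rest = m["rest"]
    cut = rest.find("IN=")  # whatever precedes "IN=" is the --log-prefix text
    pkt = {
        "TIME": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "PREFIX": rest[:cut].strip(),
    }
    flags = set()
    for tok in rest[cut:].split():
        key, eq, val = tok.partition("=")
        if eq:
            pkt[key] = int(val) if key in INT_FIELDS else val
        else:
            flags.add(tok)
    pkt["FLAGS"] = flags & TCP_FLAG_NAMES
    pkt["DF"] = "DF" in flags
    return pkt


def classify(pkt):
    """Say why conntrack would call a packet the host itself generated INVALID.
    conntrack opens a TCP entry only on a SYN (or a mid-stream ACK with
    nf_conntrack_tcp_loose on), never on a RST or FIN. A RST with no ACK flag
    and ACK=0 is the stack's reply to an incoming segment that carried ACK but
    belongs to no socket (RFC 793 reset generation); with the flow's entry
    already expired, that RST matches nothing and cannot open an entry."""
    if pkt.get("PROTO") != "TCP":
        return "non-tcp"
    if pkt["FLAGS"] == {"RST"} and pkt.get("ACK") == 0 and pkt.get("WINDOW") == 0:
        return "stray-rst"
    return "other"


def parse_access_line(line):
    """Parse an Apache common-log line; the zone offset is dropped because
    both logs are written in the host's local time."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    return {"ip": m["ip"], "time": ts, "request": m["req"], "status": int(m["status"])}


def correlate(invalid_lines, access_lines):
    """For each INVALID hit, find the latest earlier request from DST (the
    client) and report the gap. Gaps clustering near 120 s are consistent with
    the default nf_conntrack_tcp_timeout_time_wait of 120 s: the entry expires,
    and the next packet the server emits for that flow is untracked."""
    requests = [r for r in map(parse_access_line, access_lines) if r]
    report = []
    for pkt in filter(None, map(parse_log_line, invalid_lines)):
        prior = [r for r in requests if r["ip"] == pkt["DST"] and r["time"] <= pkt["TIME"]]
        last = max(prior, key=lambda r: r["time"], default=None)
        report.append({
            "client": pkt["DST"],
            "port": pkt["DPT"],
            "verdict": classify(pkt),
            "seconds_since_request": (pkt["TIME"] - last["time"]).total_seconds() if last else None,
            "request": last["request"] if last else None,
        })
    return report
```

Run `correlate(INVALID_LOG, ACCESS_LOG)` on the constructed data and the first hit comes back as a `stray-rst` 121 seconds after a successful GET from that client, which is the pattern described in the question; the second, an ordinary ACK twelve seconds after a request, does not fit that pattern and is left as `other` for a human to look at.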




Received on Wed Aug 8 14:21:28 2007

This archive was generated by hypermail 2.1.8 : Thu Aug 09 2007 - 18:01:50 EDT