[lug] IPTables question

Zan Lynx zlynx at acm.org
Fri Sep 7 10:58:00 MDT 2007


On Fri, 2007-09-07 at 10:42 -0600, Lee Woodworth wrote:
> Does anyone have an idea why this packet is dropped (firewall rules subset at end)?
> It's only these types of packets that get dropped from an HTTP connection.
> 
> IN= OUT=eth0 SRC=66.17.169.78 DST=63.88.212.82 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=48635
> DF PROTO=TCP SPT=38836 DPT=80 WINDOW=92 RES=0x00 ACK PSH FIN URGP=0
> 
> 
> .....
> 
> -A OUTPUT -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
> -A INPUT  -p tcp --sport 80 --dport 1024:65535 ! --syn -m state --state ESTABLISHED  -j ACCEPT
> 
> -A INPUT -j LOG
> -A INPUT -j DROP
> 
> -A INPUT -j LOG
> -A OUTPUT -j DROP

I call it an iptables bug, they call it a "feature".  I can see their
point.

iptables forgets about the connection state as soon as one side closes
the connection with FIN or RST.  This saves memory in-kernel but means
it creates log messages like this.

I believe they did it to prevent memory overload with nmap SYN scans and
other things that never reply to the connection close.

I use rules like this:
-A WAN-in -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A WAN-in -p tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
-A WAN-in -p tcp --tcp-flags RST RST -j DROP
-A WAN-in -j LOG --log-prefix WAN-in-drop:
-A WAN-in -j DROP
-- 
Zan Lynx <zlynx at acm.org>
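As an added example that is not part of the thread: a small Python triage script that parses kernel LOG lines in the format Lee quoted and applies the same decision Zan's WAN-in rules encode, so post-close ACK/FIN and RST leftovers can be filtered out of the noise while new SYNs stay visible. Only the first sample line is the packet quoted above; the rest are constructed (RFC 5737 addresses), and the `WAN-in-drop:` prefix is assumed to come from the LOG rule above.

```python
from typing import Dict, List, Set, Tuple

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample: the first entry reproduces the packet quoted in the
# thread; the others are made up to exercise each class the triage returns.
SAMPLE_LOG = """\
kernel: IN= OUT=eth0 SRC=66.17.169.78 DST=63.88.212.82 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=48635 DF PROTO=TCP SPT=38836 DPT=80 WINDOW=92 RES=0x00 ACK PSH FIN URGP=0
kernel: WAN-in-drop:IN=eth0 OUT= SRC=198.51.100.7 DST=63.88.212.82 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=443 DPT=38836 WINDOW=0 RES=0x00 RST URGP=0
kernel: WAN-in-drop:IN=eth0 OUT= SRC=203.0.113.9 DST=63.88.212.82 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1234 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
kernel: WAN-in-drop:IN=eth0 OUT= SRC=203.0.113.9 DST=63.88.212.82 LEN=328 TOS=0x00 PREC=0x00 TTL=50 ID=77 DF PROTO=UDP SPT=68 DPT=67 LEN=308
"""


def parse_entry(line: str) -> Tuple[Dict[str, str], Set[str]]:
    """Split one iptables LOG line into KEY=VALUE fields and the set of bare
    TCP flag words (ACK PSH FIN ...) the kernel prints without an '='."""
    start = line.find("IN=")          # skip the syslog/kernel/log-prefix part
    if start < 0:
        raise ValueError("not an iptables LOG line: %r" % line)
    fields: Dict[str, str] = {}
    flags: Set[str] = set()
    for token in line[start:].split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields.setdefault(key, value)  # UDP lines repeat LEN; keep the IP one
        elif token in TCP_FLAGS:
            flags.add(token)               # DF and other IP-level words are ignored
    return fields, flags


def classify(fields: Dict[str, str], flags: Set[str]) -> str:
    """Label a logged packet the way the WAN-in rules above would treat it."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    if "SYN" in flags and "ACK" not in flags:
        return "new-syn"        # a real connection attempt: keep logging these
    if ("ACK" in flags and "FIN" in flags) or "RST" in flags:
        return "post-close"     # conntrack already forgot the flow: silent DROP
    return "unexpected"         # stateless mid-stream packet: worth a look


def triage(log_text: str) -> List[str]:
    """Classify every non-empty line of a LOG excerpt, in order."""
    return [classify(*parse_entry(l)) for l in log_text.splitlines() if l.strip()]
```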