[lug] IPTables question
Zan Lynx
zlynx at acm.org
Fri Sep 7 10:58:00 MDT 2007
On Fri, 2007-09-07 at 10:42 -0600, Lee Woodworth wrote:
> Does anyone have an idea why this packet is dropped (firewall rules subset at end)?
> It's only these types of packets that get dropped from an HTTP connection.
>
> IN= OUT=eth0 SRC=66.17.169.78 DST=63.88.212.82 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=48635
> DF PROTO=TCP SPT=38836 DPT=80 WINDOW=92 RES=0x00 ACK PSH FIN URGP=0
>
>
> .....
>
> -A OUTPUT -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp --sport 80 --dport 1024:65535 ! --syn -m state --state ESTABLISHED -j ACCEPT
>
> -A INPUT -j LOG
> -A INPUT -j DROP
>
> -A INPUT -j LOG
> -A OUTPUT -j DROP
I call it an iptables bug, they call it a "feature". I can see their
point.
iptables forgets about the connection state as soon as one side closes
the connection with FIN or RST. This saves memory in-kernel but means
it creates log messages like this.
I believe they did it to prevent memory overload with nmap SYN scans and
other things that never reply to the connection close.
I use rules like this:
-A WAN-in -m state --state RELATED,ESTABLISHED -j ACCEPT
-A WAN-in -p tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
-A WAN-in -p tcp --tcp-flags RST RST -j DROP
-A WAN-in -j LOG --log-prefix WAN-in-drop:
-A WAN-in -j DROP
--
Zan Lynx <zlynx at acm.org>
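An added example, written for this thread and not code from either poster: a small triage script that parses netfilter LOG lines of the shape quoted above and tells the late FIN/RST teardown packets (the ones the reply explains away) apart from drops that deserve a look, such as a bare SYN or a stray ACK. The `--tcp-flags MASK COMP` test from the reply's WAN-in rules is reproduced as a set comparison so the same packet can be checked against it. Everything else (the function names, the syslog prefixes, and every sample line except the one quoted in the thread) is constructed for illustration.

```python
"""Triage netfilter LOG lines: separate late FIN/RST teardown packets from
drops worth a second look.

Added example for this thread, not code from the list posters. The flag
matching mirrors the semantics of iptables' --tcp-flags MASK COMP option;
function names and the sample lines (other than the one quoted in the
thread) are constructed for illustration.
"""
from collections import Counter

# Bare tokens the LOG target emits for TCP header flags (DF/MF are IP-level).
TCP_FLAG_TOKENS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG", "CWR", "ECE"}

# The two silent-drop rules from the reply, as (MASK, COMP) pairs in exactly
# the form --tcp-flags takes them:
#   --tcp-flags ACK,FIN ACK,FIN  -> of {ACK, FIN}, both must be set
#   --tcp-flags RST RST          -> of {RST}, RST must be set
QUIET_DROP_RULES = [
    (frozenset({"ACK", "FIN"}), frozenset({"ACK", "FIN"})),
    (frozenset({"RST"}), frozenset({"RST"})),
]

# Constructed sample log. Line 2 is the packet quoted in the thread (with a
# constructed syslog prefix); the other lines are made up for illustration.
SAMPLE_LOG = """\
Sep  7 10:40:12 gw kernel: WAN-in-drop:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep  7 10:42:01 gw kernel: IN= OUT=eth0 SRC=66.17.169.78 DST=63.88.212.82 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=48635 DF PROTO=TCP SPT=38836 DPT=80 WINDOW=92 RES=0x00 ACK PSH FIN URGP=0
Sep  7 10:42:03 gw kernel: WAN-in-drop:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=80 DPT=38836 WINDOW=0 RES=0x00 RST URGP=0
Sep  7 10:43:10 gw kernel: WAN-in-drop:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.9 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=77 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=29200 RES=0x00 ACK URGP=0
Sep  7 10:43:30 gw kernel: WAN-in-drop:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.9 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""


def parse_netfilter_log(line):
    """Parse one LOG line into a dict of KEY=VALUE fields plus a 'flags' set
    holding the bare tokens (DF, and the TCP header flags for TCP packets).
    Everything before the first 'IN=' (syslog prefix, --log-prefix) is skipped.
    A key that appears twice (e.g. IP ID= and ICMP ID=) keeps the last value."""
    start = line.find("IN=")
    if start < 0:
        raise ValueError("not a netfilter LOG line: %r" % line)
    rec = {"flags": set()}
    for tok in line[start:].split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val
        else:
            rec["flags"].add(tok)
    return rec


def tcp_flags(rec):
    """Just the TCP header flags of a parsed record, as a frozenset."""
    return frozenset(rec["flags"] & TCP_FLAG_TOKENS)


def tcp_flags_match(flags, mask, comp):
    """iptables --tcp-flags MASK COMP: of the bits in MASK, exactly those in
    COMP must be set; bits outside MASK are ignored."""
    return (flags & mask) == comp


def classify_drop(rec):
    """Bucket a logged drop. 'teardown' is the benign late FIN/RST case the
    reply describes; 'new-syn' and 'stray' are the ones worth reviewing."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = tcp_flags(rec)
    if any(tcp_flags_match(flags, mask, comp) for mask, comp in QUIET_DROP_RULES):
        return "teardown"   # FIN/RST arriving after conntrack forgot the flow
    if flags == frozenset({"SYN"}):
        return "new-syn"    # connection attempt that no ACCEPT rule wanted
    return "stray"          # e.g. a bare ACK with no matching state


def triage(log_text):
    """Count drop categories over a block of syslog text; non-LOG lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        if "IN=" not in line:
            continue
        counts[classify_drop(parse_netfilter_log(line))] += 1
    return counts


if __name__ == "__main__":
    for kind, n in sorted(triage(SAMPLE_LOG).items()):
        print("%-9s %d" % (kind, n))
```

Run against a real syslog extract by replacing `SAMPLE_LOG` with the file contents; a log that is dominated by the `teardown` bucket is consistent with the explanation in the reply, while growth in `new-syn` or `stray` is the part of the LOG output that still carries signal once the FIN/RST rules silence the noise.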