From: "Lars Täuber" <taeuber@bbaw.de>
To: netfilter@lists.netfilter.org
Subject: Valid packets blocked as invalid?
Date: Wed, 18 Apr 2007 15:19:41 +0200
Message-ID: <20070418151941.c689b07c.taeuber@bbaw.de>

Hi everybody!

I just subscribed and haven't found any hints on the net.

We here have some packets dropped as invalid, but I don't understand why they are invalid and which part of iptables/kernel marks them as invalid.
So I ask for a hint where to look first or how to debug this. I'm a bit familiar with ethereal/wireshark.

The situation:

- Linux hippo1 2.6.18.8-0.1-default #1 SMP Fri Mar 2 13:51:59 UTC 2007 i686 athlon i386 GNU/Linux
- openSUSE 10.2 (i586)
- iptables v1.3.6

eth0, eth1, lo and
eth2 = 194.95.188.7 / 255.255.255.192 !!

2 different networks are connected to eth2:
 194.95.188.0   / 26 (directly) and
 194.95.188.192 / 26 through gateway 194.95.188.25

routes:

 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 194.95.188.192  194.95.188.25   255.255.255.192 UG    0      0        0 eth2
 194.95.188.0    0.0.0.0         255.255.255.192 U     0      0        0 eth2

important iptables rules (in this order):

 $IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
 $IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
 $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

 # drop packets that do not match any valid state 
 #
 $IPTABLES -N drop_invalid
 $IPTABLES -A OUTPUT   -m state --state INVALID  -j drop_invalid
 $IPTABLES -A INPUT    -m state --state INVALID  -j drop_invalid
 $IPTABLES -A FORWARD  -m state --state INVALID  -j drop_invalid
 $IPTABLES -A drop_invalid  -j LOG  --log-level debug --log-prefix "RULE -1 -- DENY "
 $IPTABLES -A drop_invalid  -j DROP


and now the bad log entry:

 kernel: RULE -1 -- DENY IN=eth2 OUT=eth2 SRC=194.95.188.38 DST=194.95.188.233 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=49272 WINDOW=5792 RES=0x00 ACK SYN URGP=0

This is the answer to a packet that gets through the firewall because of these rules:

 $IPTABLES -A FORWARD -i eth2 -s 194.95.188.192/26 -m state --state NEW -j ACCEPT 
 $IPTABLES -A FORWARD -p tcp -m tcp -m multiport -d 194.95.188.38 --dports 80,22,10080,10180 -m state --state NEW -j ACCEPT


Could someone tell me what happens here?

Thank you and best regards.
Lars

-- 
                            Informationstechnologie
Berlin-Brandenburgische Akademie der Wissenschaften
Jägerstrasse 22-23                     10117 Berlin
Tel.: +49 30 20370-352           http://www.bbaw.de
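The log line quoted in the mail is in the standard netfilter LOG format. As an added example (not part of the original mail or of any reply), the script below parses such lines and flags the two things a defender would check first for a DENY of this shape: that the dropped packet is a SYN/ACK, which conntrack classes as INVALID when it holds no entry for the corresponding SYN, and that the packet enters and leaves on the same interface, so the SYN may have reached the server without passing this host. The sample lines are constructed (the first is the entry from the mail, the second an invented plain SYN for contrast); the hint names are this example's own.

```python
# Constructed samples: line 1 is the DENY entry quoted in the mail, line 2 is
# an invented plain SYN on a different interface pair, used for contrast.
SAMPLE_LOG = """\
kernel: RULE -1 -- DENY IN=eth2 OUT=eth2 SRC=194.95.188.38 DST=194.95.188.233 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=49272 WINDOW=5792 RES=0x00 ACK SYN URGP=0
kernel: RULE -1 -- DENY IN=eth0 OUT=eth2 SRC=10.0.0.5 DST=194.95.188.38 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Split a netfilter LOG line into KEY=VALUE fields plus a set of TCP flags."""
    fields, flags = {}, set()
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        elif token in TCP_FLAGS:   # bare flag words such as ACK SYN
            flags.add(token)
    fields["flags"] = flags
    return fields


def classify_invalid(entry):
    """Return hint names (this example's own) for why conntrack treats the packet as INVALID.

    A SYN/ACK for which conntrack holds no entry is INVALID: the original SYN
    was never seen.  If IN and OUT are the same interface, the SYN may have
    taken a path that bypasses this host (asymmetric routing), so that is the
    first thing to verify with a packet capture on both sides.
    """
    hints = []
    flags = entry.get("flags", set())
    if entry.get("PROTO") == "TCP" and {"SYN", "ACK"} <= flags:
        hints.append("reply-without-original")
        if entry.get("IN") == entry.get("OUT"):
            hints.append("same-interface")
    return hints


def analyse(log_text):
    """Classify every DENY line; returns a list of (parsed entry, hints)."""
    results = []
    for line in log_text.splitlines():
        if "DENY" in line:
            entry = parse_log_line(line)
            results.append((entry, classify_invalid(entry)))
    return results


if __name__ == "__main__":
    for entry, hints in analyse(SAMPLE_LOG):
        print(entry["SRC"], "->", entry["DST"], sorted(entry["flags"]), hints)
```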

