From: Christian Robottom Reis <kiko@acm.org>
To: netfilter@vger.kernel.org
Subject: Packets (sometimes) not marked as RELATED/ESTABLISHED
Date: Tue, 22 Mar 2016 15:55:31 -0300
Message-ID: <20160322185530.GA3152@anthem.async.com.br>

Hello there,

In periodically looking at my firewall logs I've always noticed that
from time to time a certain pattern will show up in my logs which
indicates that a legitimate stream which should have been marked
RELATED/ESTABLISHED isn't. I have the following rules set up to allow
related incoming traffic:

  -A INPUT -i eth3 -p tcp -m tcp --dport 10000:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -i eth3 -p tcp -m tcp --sport 10000:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT

AIUI this is what allows the response from a website request to be
targeted ACCEPT in the INPUT chain. However, my logs show that sometimes
this doesn't work. Here's a recent example:

  [89003.161127] IN=eth3 OUT= MAC=XXX SRC=104.73.89.127 DST=XXX
  LEN=1472 TOS=0x00 PREC=0x00 TTL=53 ID=10958 DF PROTO=TCP SPT=80
  DPT=44709 WINDOW=3775 RES=0x00 ACK URGP=0

  [89003.497964] IN=eth3 OUT= MAC=XXX SRC=104.73.89.127 DST=XXX
  LEN=1472 TOS=0x00 PREC=0x00 TTL=53 ID=17058 DF PROTO=TCP SPT=80
  DPT=44710 WINDOW=3385 RES=0x00 ACK URGP=0

  [89049.561143] IN=eth3 OUT= MAC=XXX SRC=104.73.89.127 DST=XXX
  LEN=1472 TOS=0x00 PREC=0x00 TTL=53 ID=26347 DF PROTO=TCP SPT=80
  DPT=44932 WINDOW=1062 RES=0x00 ACK URGP=0

That specific host [1] is likely a web CDN node, and the fact that it's
an ACK coming from SPT 80 indicates that this is just a plain response
to a web request from an internal client. The question is: why didn't it
get connection-tracked?

Has anyone else noticed this in their logs? It's easy to find this by
just grepping for ACKs -- it makes up more than 50% of my logged
entries, and it's almost completely traffic coming from ports 80 and 443.

[1] 104.73.89.127 is a104-73-89-127.deploy.static.akamaitechnologies.com.

--
Christian Robottom Reis | [+55 16] 3376 0125 | http://async.com.br/~kiko
| [+55 16] 991 126 430 | http://launchpad.net/~kiko
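As an added example (not code from the post, the netfilter project, or the list), here is a small Python parser for the iptables LOG-target format quoted above that does the "grep for ACKs" triage systematically: it splits each line into KEY=VALUE fields and bare flag tokens (DF, SYN, ACK, RST, ...), then flags TCP segments that carry ACK without SYN, come from a service port, and go to the 10000:65535 range the post's rules treat as ephemeral, which is exactly the shape of the three logged entries. The three entries from the post are embedded as input (joined back onto one line each, as the kernel emits them); the two contrast entries with 198.51.100.x sources are constructed for this example and are not from the post.

```python
import re
from collections import Counter

# The three log entries quoted in the post (DST/MAC were redacted as XXX by
# the poster), re-joined onto one line each as the kernel emits them.
POST_LOG_LINES = [
    "[89003.161127] IN=eth3 OUT= MAC=XXX SRC=104.73.89.127 DST=XXX "
    "LEN=1472 TOS=0x00 PREC=0x00 TTL=53 ID=10958 DF PROTO=TCP SPT=80 "
    "DPT=44709 WINDOW=3775 RES=0x00 ACK URGP=0",
    "[89003.497964] IN=eth3 OUT= MAC=XXX SRC=104.73.89.127 DST=XXX "
    "LEN=1472 TOS=0x00 PREC=0x00 TTL=53 ID=17058 DF PROTO=TCP SPT=80 "
    "DPT=44710 WINDOW=3385 RES=0x00 ACK URGP=0",
    "[89049.561143] IN=eth3 OUT= MAC=XXX SRC=104.73.89.127 DST=XXX "
    "LEN=1472 TOS=0x00 PREC=0x00 TTL=53 ID=26347 DF PROTO=TCP SPT=80 "
    "DPT=44932 WINDOW=1062 RES=0x00 ACK URGP=0",
]

# Constructed contrast entries (not from the post): an inbound SYN to a local
# service and a bare RST from a service port, neither a stray reply segment.
CONSTRUCTED_LINES = [
    "[89100.000001] IN=eth3 OUT= MAC=XXX SRC=198.51.100.7 DST=XXX "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1 DF PROTO=TCP SPT=51234 "
    "DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    "[89100.000002] IN=eth3 OUT= MAC=XXX SRC=198.51.100.8 DST=XXX "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=2 DF PROTO=TCP SPT=443 "
    "DPT=44999 WINDOW=0 RES=0x00 RST URGP=0",
]

# Keys the LOG target prints as decimal integers; everything else stays a string.
INT_KEYS = {"LEN", "TTL", "ID", "SPT", "DPT", "WINDOW", "URGP"}

_TS_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s*(.*)$")


def parse_log_line(line):
    """Turn one iptables LOG line into a dict.

    KEY=VALUE tokens become dict entries (OUT= with no value becomes "");
    bare tokens such as DF, SYN, ACK, RST are collected in entry["flags"].
    """
    m = _TS_RE.match(line.strip())
    if not m:
        raise ValueError("not an iptables LOG line: %r" % line)
    entry = {"timestamp": float(m.group(1)), "flags": set()}
    for token in m.group(2).split():
        if "=" in token:
            key, value = token.split("=", 1)
            entry[key] = int(value) if key in INT_KEYS else value
        else:
            entry["flags"].add(token)
    return entry


def is_unmatched_reply_ack(entry):
    """True when a logged segment looks like the tail of a client-initiated
    connection that conntrack no longer (or never) had an entry for:
    TCP, ACK set, SYN and RST clear, source port a service port, destination
    port in the 10000:65535 range the post's rules use for ephemeral ports.
    """
    flags = entry["flags"]
    return (
        entry.get("PROTO") == "TCP"
        and "ACK" in flags
        and "SYN" not in flags
        and "RST" not in flags
        and entry["SPT"] < 1024
        and 10000 <= entry["DPT"] <= 65535
    )


def summarize(lines):
    """Count how much of a log is made of such stray reply ACKs and which
    service ports and hosts they come from: the grep-for-ACKs check from
    the post, done systematically."""
    entries = [parse_log_line(l) for l in lines]
    stray = [e for e in entries if is_unmatched_reply_ack(e)]
    return {
        "total": len(entries),
        "stray_acks": len(stray),
        "stray_share": len(stray) / len(entries) if entries else 0.0,
        "by_src_port": Counter(e["SPT"] for e in stray),
        "by_src_addr": Counter(e["SRC"] for e in stray),
    }


if __name__ == "__main__":
    report = summarize(POST_LOG_LINES + CONSTRUCTED_LINES)
    print("logged entries: %d, stray reply ACKs: %d (%.0f%%)"
          % (report["total"], report["stray_acks"], 100 * report["stray_share"]))
    for port, n in report["by_src_port"].most_common():
        print("  from service port %d: %d" % (port, n))
```

The parser only tells you how much of the log is this pattern and where it comes from. A segment for which conntrack holds no entry is classified NEW when nf_conntrack_tcp_loose is enabled and INVALID otherwise, and in neither case can a RELATED,ESTABLISHED match accept it; the log line itself does not say why the entry was missing. Correlating the logged timestamps with conntrack events (for example from `conntrack -E` in conntrack-tools) is the next step in pinning that down.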
Thread overview (4+ messages):
2016-03-22 18:55 Christian Robottom Reis [this message]
2016-03-23 19:53 ` Packets (sometimes) not marked as RELATED/ESTABLISHED Robert Nichols
2016-03-23 21:00 ` Neal P. Murphy
2016-03-23 20:17 ` Mart Frauenlob