From: Amos Jeffries <squid3@treenet.co.nz>
To: "Gáspár Lajos" <swifty@freemail.hu>
Cc: Netfilter list <netfilter@vger.kernel.org>
Subject: Re: [Fwd: I do not understand !!!]
Date: Wed, 16 Jan 2008 14:34:39 +1300
Message-ID: <478D5F2F.1090001@treenet.co.nz>
In-Reply-To: <478B32B4.9090106@freemail.hu>
Gáspár Lajos wrote:
> ANYONE ????
Hm, reads like a FW blocking all packet-based traffic the hard way to me.
A few steps I'd recommend:
- find a little F/W utility called 'ferm'
- read its manual, demos, and find a full list of iptables targets
- define the actions you want the router to perform
- write the ferm.conf
AYJ
>
> Hi list,
>
> I have a bit of a complicated script.
> But I do not understand the following output of it.
>
> 1. ESTABLISHED packets without 0x100 or 0x200 mark ???
> 2. NEW packets without the 0x200 mark and without SYN ???
> 3. INVALID packets with SYN/ACK ??? (As a first packet maybe? Should I
> drop it?)
> 4. Connection that started from internal gets validated as WRONG_NEW
> (with a simple SYN)...
>
> Can anyone tell me how the conntrack system works in detail?
>
> Thanx
>
> Swifty
>
>
> Chain con_tcp (1 references)
> pkts bytes target prot
> 0 0 INVALID tcp tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
> 0 0 INVALID tcp tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
> 0 0 INVALID tcp tcp flags:SYN,RST/SYN,RST
> 5224 209K INVALID tcp tcp flags:FIN,RST/FIN,RST
> 0 0 INVALID tcp tcp flags:FIN,SYN/FIN,SYN
> 2477 101K ACCEPT all ctstate RELATED
> 145K 7215K tcp_NEW_2 all [goto] CONNMARK match 0x200/0x300 ctstate
> ESTABLISHED
> 11M 7920M ACCEPT all CONNMARK match 0x100/0x300 ctstate ESTABLISHED
> 2880K 1666M ACCEPT all ctstate ESTABLISHED
> 272K 15M tcp_NEW all [goto] ctstate NEW
> 29796 2233K tcp_INV all [goto] ctstate INVALID
> 0 0 LOG all LOG level debug tcp-sequence tcp-options
> ip-options uid prefix `UNKNOWN:'
> 0 0 ACCEPT all
> Chain tcp_NEW (1 references)
> pkts bytes target prot
> 232K 13M tcp_NEW_1 tcp [goto] tcp flags:FIN,SYN,RST,ACK/SYN CONNMARK
> match 0x0/0x300
> 38579 2014K tcp_NEW_2 all [goto] CONNMARK match 0x200/0x300
> 969 212K LOG all LOG level debug tcp-sequence tcp-options
> ip-options uid prefix `WRONG_NEW:'
> 969 212K ACCEPT all
> Chain tcp_NEW_1 (1 references)
> pkts bytes target prot
> 232K 13M CONNMARK all CONNMARK set 0x200/0x300
> 232K 13M RETURN all
> Chain tcp_NEW_2 (3 references)
> pkts bytes target prot
> 184K 9229K CONNMARK all CONNMARK set 0x100/0x300
> 184K 9229K ACCEPT all
>
> Chain tcp_INV (1 references)
> pkts bytes target prot
> 0 0 tcp_NEW_2 all [goto] CONNMARK match 0x200/0x300
> 2148 85920 ACCEPT tcp tcp flags:FIN,SYN,RST,PSH,ACK,URG/RST
> 24624 986K ACCEPT tcp tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,ACK
> 86 15329 ACCEPT tcp tcp flags:FIN,SYN,RST,PSH,ACK,URG/PSH,ACK
> 752 30110 ACCEPT tcp tcp flags:FIN,SYN,RST,PSH,ACK,URG/RST,ACK
> 80 4088 ACCEPT tcp tcp flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK
> 1507 289K ACCEPT tcp tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,ACK
> 599 822K INVALID all
>
> And a few logs:
>
> INVALID: IN=ppp0 OUT= MAC= SRC=189.11.239.248 DST=EXT_IP LEN=40 TOS=0x00
> PREC=0x00 TTL=51 ID=17760 PROTO=TCP SPT=50698 DPT=4492 SEQ=0
> ACK=3777589785 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
>
> INVALID: IN=ppp0 OUT= MAC= SRC=78.149.78.12 DST=EXT_IP LEN=40 TOS=0x00
> PREC=0x00 TTL=48 ID=61449 PROTO=TCP SPT=57102 DPT=4495 SEQ=0
> ACK=1455119138 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
>
> INVALID: IN=ppp0 OUT= MAC= SRC=189.11.239.248 DST=EXT_IP LEN=40 TOS=0x00
> PREC=0x00 TTL=51 ID=17770 PROTO=TCP SPT=50698 DPT=4492 SEQ=0
> ACK=3777589785 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
>
> INVALID: IN=ppp0 OUT= MAC= SRC=78.149.78.12 DST=EXT_IP LEN=40 TOS=0x00
> PREC=0x00 TTL=48 ID=61457 PROTO=TCP SPT=57102 DPT=4495 SEQ=0
> ACK=1455119138 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
>
> WRONG_NEW:IN=br1 OUT=ppp0 PHYSIN=lan1 SRC=INT_IP DST=85.131.72.154
> LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=14307 DF PROTO=TCP SPT=4796
> DPT=52045 SEQ=4243195870 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT
> (020405AC0103030001010402)
>
> WRONG_NEW:IN=br1 OUT=ppp0 PHYSIN=lan1 SRC=INT_IP DST=84.3.29.226 LEN=52
> TOS=0x00 PREC=0x00 TTL=127 ID=14322 DF PROTO=TCP SPT=4797 DPT=6881
> SEQ=2594461565 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT
> (020405AC0103030001010402)
>
> WRONG_NEW:IN=br1 OUT=ppp0 PHYSIN=lan1 SRC=INT_IP DST=90.52.165.175
> LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=14323 DF PROTO=TCP SPT=4798
> DPT=50428 SEQ=2039438787 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT
> (020405AC0103030001010402)
>
>
> -
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
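Added example, not code from either poster: a small Python parser for netfilter LOG lines like those quoted above, which checks each packet's TCP flags against the tcp-flags tests of the quoted con_tcp and tcp_NEW chains to say which listed rule could have decided its fate. The two sample lines are constructed copies of quoted ones (EXT_IP/INT_IP placeholders kept); the rule semantics are iptables' own "MASK/CMP" meaning.

```python
# Constructed samples in the shape of the netfilter LOG lines quoted above (EXT_IP/INT_IP kept).
SAMPLE_LOGS = [
    "INVALID: IN=ppp0 OUT= MAC= SRC=189.11.239.248 DST=EXT_IP LEN=40 TOS=0x00 "
    "PREC=0x00 TTL=51 ID=17760 PROTO=TCP SPT=50698 DPT=4492 SEQ=0 "
    "ACK=3777589785 WINDOW=0 RES=0x00 ACK RST FIN URGP=0",
    "WRONG_NEW:IN=br1 OUT=ppp0 PHYSIN=lan1 SRC=INT_IP DST=85.131.72.154 LEN=52 "
    "TOS=0x00 PREC=0x00 TTL=127 ID=14307 DF PROTO=TCP SPT=4796 DPT=52045 "
    "SEQ=4243195870 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405AC0103030001010402)",
]

def flagset(names):
    return frozenset(names.split())  # "FIN RST" -> {"FIN", "RST"}; "" -> NONE

TCP_FLAGS = flagset("FIN SYN RST PSH ACK URG")
# The five bogus-flag tests at the top of chain con_tcp, as (mask, compare) pairs.
# iptables "tcp flags:MASK/CMP" means: of the bits in MASK, exactly CMP are set.
BOGUS_FLAG_RULES = [(TCP_FLAGS, flagset("")), (TCP_FLAGS, flagset("FIN PSH URG")),
                    (flagset("SYN RST"), flagset("SYN RST")),
                    (flagset("FIN RST"), flagset("FIN RST")),
                    (flagset("FIN SYN"), flagset("FIN SYN"))]
SYN_ONLY_RULE = (flagset("FIN SYN RST ACK"), flagset("SYN"))  # tcp_NEW rule 1: a plain SYN

def tcp_flags_match(flags, mask, compare):
    return (flags & mask) == compare

def parse_log_line(line):
    """Split a netfilter LOG line into (prefix, key=value fields, TCP flag set)."""
    prefix, _, rest = line.partition(":")
    fields, flags = {}, set()
    for tok in rest.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:      # bare tokens such as "SYN" or "ACK RST FIN"
            flags.add(tok)
    return prefix.strip(), fields, frozenset(flags)

def explain(line):
    """Name the quoted rule that decided the packet's fate, judging by its flags."""
    prefix, fields, flags = parse_log_line(line)
    bogus = [",".join(sorted(c)) or "NONE" for m, c in BOGUS_FLAG_RULES
             if tcp_flags_match(flags, m, c)]
    if bogus:
        why = f"flags {bogus[0]} match an INVALID flag rule in con_tcp, before any ctstate rule"
    elif prefix == "WRONG_NEW" and tcp_flags_match(flags, *SYN_ONLY_RULE):
        why = "plain SYN: flag half of tcp_NEW rule 1 matched, so CONNMARK match 0x0/0x300 failed (0x300 bits already set)"
    else:
        why = "no flag rule on the page decides this line"
    return {"prefix": prefix, "src": fields.get("SRC"), "dpt": fields.get("DPT"),
            "flags": sorted(flags), "bogus": bool(bogus), "why": why}
```

Running `explain` over the two samples shows the quoted INVALID lines are caught by the FIN,RST flag test rather than by conntrack, while the WRONG_NEW SYNs can only have failed the CONNMARK half of tcp_NEW's first rule.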
Thread overview: 3+ messages
2008-01-14 10:00 [Fwd: I do not understand !!!] Gáspár Lajos
2008-01-14 10:11 ` Jozsef Kadlecsik
2008-01-16 1:34 ` Amos Jeffries [this message]