From: Gioele Barabucci <dev@gioelebarabucci.com>
To: netfilter@lists.netfilter.org
Subject: Aren't these connections ESTABILISHED? (2nd take)
Date: Sat, 01 Oct 2005 21:12:33 +0200 [thread overview]
Message-ID: <dhmn38$hsk$1@sea.gmane.org> (raw)
I spent the last weeks doing experiments with iptables, but I still have
problems with connections that should be ESTABLISHED but are not.
Postfix does some DNS lookups on the DNS server (69.93.28.254). After a bit,
iptables forgets that the connection is ESTABLISHED and DROPs the reply.
My logs are full of dropped packets like these:
05:32:33 69.93.28.254 53 myIP 2755 UDP
05:32:33 69.93.28.254 53 myIP 2755 UDP
05:32:53 69.93.28.254 53 myIP 2758 UDP
05:32:53 69.93.28.254 53 myIP 2758 UDP
05:33:13 69.93.28.254 53 myIP 2760 UDP
05:33:13 69.93.28.254 53 myIP 2760 UDP
05:33:34 69.93.28.254 53 myIP 2760 UDP
05:33:34 69.93.28.254 53 myIP 2760 UDP
05:33:34 69.93.28.254 53 myIP 2760 UDP
05:33:34 69.93.28.254 53 myIP 2760 UDP
05:38:08 69.93.28.254 53 myIP 2761 UDP
05:38:08 69.93.28.254 53 myIP 2761 UDP
Here is my ruleset (BTW, I did not test the "limit SMTP traffic" part much; do you
think that it is correct?)
iptables -F
iptables -X
echo "Default policies"
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
echo "Passthrough for known good trafic"
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT #accept internal connections
echo "Allow only legal connection"
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-level "debug" --log-ip-options --log-tcp-options --log-prefix 'iptables INPUT DROP !SYN '
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
echo "Limit smtp traffic"
iptables -I INPUT -p tcp --dport smtp -i eth0 -m state --state NEW -m recent --set
#iptables -I INPUT -p tcp --dport smtp -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 4 -j LOG --log-level "debug" --log-ip-options --log-tcp-options --log-prefix 'iptables INPUT DROP limit '
iptables -I INPUT -p tcp --dport smtp -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 4 -j DROP
echo "Exceptions for INPUT"
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport smtp -j ACCEPT
iptables -A INPUT -p tcp --dport pop3 -j ACCEPT
iptables -A INPUT -p tcp --dport imap -j ACCEPT
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
--
Gioele <dev@gioelebarabucci.com>
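An added triage script, not part of the original post: it parses the dropped-packet lines in the format quoted above (time, source, source port, destination, destination port, protocol), groups the dropped DNS replies by the local port they were sent to, and reports how many seconds after the first drop the last one for that port arrived, which is what you want next to the kernel's UDP conntrack timeout to judge whether the reply simply outlived the tracked query. The sample lines are constructed from the post; the /proc paths are assumed standard conntrack sysctls.

```shell
#!/bin/sh
# Constructed sample in the format quoted in the post:
# time  src  sport  dst  dport  proto
DROPPED_LOG='05:32:33 69.93.28.254 53 myIP 2755 UDP
05:32:33 69.93.28.254 53 myIP 2755 UDP
05:32:53 69.93.28.254 53 myIP 2758 UDP
05:32:53 69.93.28.254 53 myIP 2758 UDP
05:33:13 69.93.28.254 53 myIP 2760 UDP
05:33:13 69.93.28.254 53 myIP 2760 UDP
05:33:34 69.93.28.254 53 myIP 2760 UDP
05:33:34 69.93.28.254 53 myIP 2760 UDP
05:33:34 69.93.28.254 53 myIP 2760 UDP
05:33:34 69.93.28.254 53 myIP 2760 UDP
05:38:08 69.93.28.254 53 myIP 2761 UDP
05:38:08 69.93.28.254 53 myIP 2761 UDP'

# Group dropped UDP packets coming from source port 53 (DNS replies) by the
# local port they were addressed to.
# Output per port: "<dport> <count> <first_time> <last_time> <span_seconds>"
# Each line means the packet reached the DROP policy, i.e. no conntrack
# entry matched ESTABLISHED,RELATED at that moment; a large span for one
# local port shows replies still arriving long after the query was tracked.
summarize_dropped_dns_replies() {
  printf '%s\n' "$DROPPED_LOG" | awk '
    function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    $6 == "UDP" && $3 == 53 {
      k = $5
      n[k]++
      if (!(k in first)) first[k] = $1
      last[k] = $1
    }
    END {
      for (k in n)
        printf "%s %d %s %s %d\n", k, n[k], first[k], last[k],
               secs(last[k]) - secs(first[k])
    }' | sort -n
}

# Read the UDP conntrack timeout (seconds) if this kernel exposes it; the
# first path is the current sysctl, the second the 2.4/2.6-era one.
udp_conntrack_timeout() {
  for f in /proc/sys/net/netfilter/nf_conntrack_udp_timeout \
           /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout; do
    [ -r "$f" ] && { cat "$f"; return 0; }
  done
  echo unknown
}

summarize_dropped_dns_replies
echo "udp conntrack timeout: $(udp_conntrack_timeout)"
```

Compare the span column against the timeout the second function prints; drops with a span well inside the timeout point away from plain entry expiry and towards the query itself never having been tracked.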