* Valid packets blocked as invalid?
@ 2007-04-18 13:19 Lars Täuber
From: Lars Täuber @ 2007-04-18 13:19 UTC (permalink / raw)
  To: netfilter

Hi everybody!

I just subscribed and haven't found any hints on the net.

We here have some packets dropped as invalid, but I don't understand why they are invalid and which part of iptables/kernel marks it as invalid.
So I ask for a hint where to look first or how to debug this. I'm a bit familiar with ethereal/wireshark.

The situation:

- Linux hippo1 2.6.18.8-0.1-default #1 SMP Fri Mar 2 13:51:59 UTC 2007 i686 athlon i386 GNU/Linux
- openSUSE 10.2 (i586)
- iptables v1.3.6

eth0, eth1, lo and
eth2 = 194.95.188.7 / 255.255.255.192 !!

2 different networks are connected to eth2:
 194.95.188.0   / 26 (directly) and
 194.95.188.192 / 26 through gateway 194.95.188.25

routes:

 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 194.95.188.192  194.95.188.25   255.255.255.192 UG    0      0        0 eth2
 194.95.188.0    0.0.0.0         255.255.255.192 U     0      0        0 eth2

important iptables rules (in this order):

 $IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
 $IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
 $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

 # drop packets that do not match any valid state 
 #
 $IPTABLES -N drop_invalid
 $IPTABLES -A OUTPUT   -m state --state INVALID  -j drop_invalid
 $IPTABLES -A INPUT    -m state --state INVALID  -j drop_invalid
 $IPTABLES -A FORWARD  -m state --state INVALID  -j drop_invalid
 $IPTABLES -A drop_invalid  -j LOG  --log-level debug --log-prefix "RULE -1 -- DENY "
 $IPTABLES -A drop_invalid  -j DROP


and now the bad log entry:

 kernel: RULE -1 -- DENY IN=eth2 OUT=eth2 SRC=194.95.188.38 DST=194.95.188.233 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=49272 WINDOW=5792 RES=0x00 ACK SYN URGP=0

This is the answer to a packet that gets through the firewall because of these rules:

 $IPTABLES -A FORWARD -i eth2 -s 194.95.188.192/26 -m state --state NEW -j ACCEPT 
 $IPTABLES -A FORWARD -p tcp -m tcp -m multiport -d 194.95.188.38 --dports 80,22,10080,10180 -m state --state NEW -j ACCEPT


Could someone tell me what happens here?

Thank you and best regards.
Lars

-- 
                            Informationstechnologie
Berlin-Brandenburgische Akademie der Wissenschaften
Jägerstrasse 22-23                     10117 Berlin
Tel.: +49 30 20370-352           http://www.bbaw.de



* Re: Valid packets blocked as invalid?
@ 2007-04-18 15:30 ` Jorge Davila
From: Jorge Davila @ 2007-04-18 15:30 UTC (permalink / raw)
  To: Lars Täuber, netfilter

I'm guessing a routing problem here. If you look at the log you can see that the 
packet marked as invalid has the same incoming/outgoing interface.

Your diagram, as you said is:

eth2
|
|
+--- gtw 194.95.188.25 --- LAN 194.95.188.192.
|
|
LAN 194.95.188.0/26

The gateway behind eth2 is in the same first network, and you don't need a 
route in the box (the eth2 box) for the LAN behind the gateway because it is 
managed by the gateway behind eth2.

This is the reason the packet is not being routed properly.

Hope this help,

Jorge.


Jorge Isaac Davila Lopez
Nicaragua Open Source
davila@nicaraguaopensource.com



* Re: Valid packets blocked as invalid?
@ 2007-04-19  6:33   ` Lars Täuber
From: Lars Täuber @ 2007-04-19  6:33 UTC (permalink / raw)
  To: netfilter

Hallo Jorge!

> I'm guessing a routing problem here. If you see the log you can see that the 
> packet marked as invalid have the same incoming/outgoing interface.

Yes, it's the same interface, but that is intentional.

 
> Your diagram, as you said is:
> 
> eth2
> |
> |
> +--- gtw 194.95.188.25 --- LAN 194.95.188.192/26
> |
> |
> LAN 194.95.188.0/26

You're right, that's the situation.

We know the problem could be solved by setting appropriate routes to the gateways in all servers in the 194.95.188.0/26 network. But we don't like that.
Is the routing the reason for the kernel to mark this packet as invalid?

The firewall is our default gateway and also a gateway to some more networks. We don't want to put detailed routes in all servers in the 194.95.188.0/26 network. They all only know the default gateway (and firewall) 194.95.188.7. They all get the information about the better next hop from the firewall via ICMP redirects automatically, we think.

But why is the packet invalid?

Regards
Lars



* Re: Valid packets blocked as invalid?
@ 2007-04-19  9:23     ` Lars Täuber
From: Lars Täuber @ 2007-04-19  9:23 UTC (permalink / raw)
  To: netfilter

Hi!

To enhance the problem:

The ICMP redirects are also blocked as invalid:

kernel: RULE -1 -- DENY IN= OUT=eth2 SRC=194.95.188.7 DST=194.95.188.37 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=18322 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=194.95.188.25 [SRC=194.95.188.37 DST=194.95.188.245 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=1246 WINDOW=5840 RES=0x00 ACK SYN URGP=0 ] 

What is invalid with this?

Here again the rules that match (first rules of firewall script):
 $IPTABLES -N drop_invalid
 $IPTABLES -A OUTPUT   -m state --state INVALID  -j drop_invalid
 $IPTABLES -A INPUT    -m state --state INVALID  -j drop_invalid
 $IPTABLES -A FORWARD  -m state --state INVALID  -j drop_invalid
 $IPTABLES -A drop_invalid  -j LOG  --log-level debug --log-prefix "RULE -1 -- DENY "
 $IPTABLES -A drop_invalid  -j DROP

I think it could have something to do with the ACK and SYN flags. It seems to me the kernel doesn't recognise this packet as part of an established connection.
Anyone with an explanation here, or someone who can show me my nescience?

Thanks
Lars



* Problem resolved!
@ 2007-04-19 11:10       ` Lars Täuber
From: Lars Täuber @ 2007-04-19 11:10 UTC (permalink / raw)
  To: netfilter

Jorge was very right.

The routing tables were not balanced.
The gateway had a route to the 194.95.188.0/26 network, so the requests for a TCP connection into this network have never been seen by the firewall. That's why the answers are invalid.

Sorry for this disturbance. But sometimes it helps to simply talk about problems.

Thanks.
Lars



-- 
                            Informationstechnologie
Berlin-Brandenburgische Akademie der Wissenschaften
Jägerstrasse 22-23                     10117 Berlin
Tel.: +49 30 20370-352           http://www.bbaw.de
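Added example, not from the thread or from netfilter itself: a small Python model of why the state match reports the logged SYN/ACK as INVALID. Only a SYN can open a TCP flow, and because the client's SYN took the gateway's path and never crossed the firewall, the server's reply has no flow to match; the ICMP redirect quoting such a reply is INVALID rather than RELATED for the same reason. The SYN line is constructed; the other two are the thread's own log lines, shortened to the fields the model uses.

```python
import re

# Sample input: SYN_ACK and REDIRECT are the thread's log lines (shortened);
# SYN is a constructed line for the handshake the firewall never saw.
SYN_ACK = ("RULE -1 -- DENY IN=eth2 OUT=eth2 SRC=194.95.188.38 DST=194.95.188.233 "
           "LEN=60 PROTO=TCP SPT=80 DPT=49272 WINDOW=5792 RES=0x00 ACK SYN URGP=0")
SYN = ("IN=eth2 OUT=eth2 SRC=194.95.188.233 DST=194.95.188.38 LEN=60 PROTO=TCP "
       "SPT=49272 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0")
REDIRECT = ("RULE -1 -- DENY IN= OUT=eth2 SRC=194.95.188.7 DST=194.95.188.37 LEN=76 "
            "PROTO=ICMP TYPE=5 CODE=1 GATEWAY=194.95.188.25 [SRC=194.95.188.37 "
            "DST=194.95.188.245 LEN=48 PROTO=TCP SPT=80 DPT=1246 ACK SYN URGP=0 ]")

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse(line):
    """Turn a netfilter LOG line into a dict of KEY=value fields plus a set of
    TCP flags; an ICMP error's quoted inner packet ([...]) is parsed under 'inner'."""
    inner = None
    m = re.search(r"\[(.*?)\]", line)
    if m:
        inner = parse(m.group(1))
        line = line[:m.start()]
    pkt = {"flags": set(), "inner": inner}
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            pkt[key] = val
        elif tok in TCP_FLAGS:
            pkt["flags"].add(tok)
    return pkt

def tuple_of(p):
    return (p["PROTO"], p["SRC"], p["SPT"], p["DST"], p["DPT"])

class Conntrack:
    """Minimal model of the state match: a TCP flow exists only if its SYN was seen."""
    def __init__(self):
        self.flows = set()

    def _known(self, p):
        proto, s, sp, d, dp = tuple_of(p)
        return (proto, s, sp, d, dp) in self.flows or (proto, d, dp, s, sp) in self.flows

    def state(self, p):
        if p.get("PROTO") == "ICMP":  # an ICMP error is RELATED only to a known flow
            return "RELATED" if p["inner"] and self._known(p["inner"]) else "INVALID"
        if self._known(p):
            return "ESTABLISHED"
        if p["flags"] == {"SYN"}:
            self.flows.add(tuple_of(p))
            return "NEW"
        return "INVALID"  # e.g. a SYN/ACK whose SYN bypassed the firewall

def classify(lines):
    """Feed log lines in order to a fresh tracker and return each one's state."""
    ct = Conntrack()
    return [ct.state(parse(line)) for line in lines]
```

Running `classify([SYN_ACK])` gives `['INVALID']`, while `classify([SYN, SYN_ACK])` gives `['NEW', 'ESTABLISHED']`, which is the difference the symmetric routes made.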


