From: Kevin <kmg952@bigpond.com>
To: netfilter@vger.kernel.org
Subject: SYN packet "disappears"
Date: Thu, 27 Apr 2017 15:21:14 +1000
Message-ID: <1538022.l5gG4X5sYW@giles>
Hi,
I'm having trouble changing my iptables configuration to work with a new
NordVPN/OpenVPN.
In trying to diagnose the problem, I have saturated my firewall with "-j LOG"
rules. The problem is that the initial SYN packet to TCP port 22 seems to go
missing between the "nat prerouting" and the "mangle input" chains.
Messy details (config & log) are at the end of this email.
My question is: Where did my SYN packet go?
The initial portion of my firewall is as follows:
#!/bin/bash
IPT="/sbin/iptables"
$IPT -F
$IPT -X
for table in filter mangle nat raw security; do
    $IPT -F -t $table
    $IPT -X -t $table
done
$IPT -t filter --policy INPUT DROP
$IPT -t filter --policy FORWARD DROP
$IPT -t filter --policy OUTPUT DROP
$IPT -t nat --policy PREROUTING ACCEPT
$IPT -t nat --policy INPUT ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t mangle --policy PREROUTING ACCEPT
$IPT -t mangle --policy INPUT ACCEPT
$IPT -t mangle --policy FORWARD ACCEPT
$IPT -t mangle --policy OUTPUT ACCEPT
$IPT -t mangle --policy POSTROUTING ACCEPT
$IPT -t raw --policy PREROUTING ACCEPT
$IPT -t raw --policy OUTPUT ACCEPT
$IPT -t security --policy INPUT ACCEPT
$IPT -t security --policy FORWARD ACCEPT
$IPT -t security --policy OUTPUT ACCEPT
$IPT -t filter -A INPUT -i tun+ -s 999.999.999.999 -p tcp --dport 22 -j LOG --log-prefix "ssh filter input tun: "
$IPT -t filter -A FORWARD -i tun+ -s 999.999.999.999 -p tcp --dport 22 -j LOG --log-prefix "ssh filter forward tun: "
$IPT -t filter -A OUTPUT -o tun+ -d 999.999.999.999 -p tcp --dport 22 -j LOG --log-prefix "ssh filter output tun: "
$IPT -t filter -A FORWARD -p tcp --dport 22 -j LOG --log-prefix "ssh filter forward: "
$IPT -t filter -A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh filter input: "
$IPT -t filter -A OUTPUT -p tcp --dport 22 -j LOG --log-prefix "ssh filter output: "
$IPT -t mangle -A FORWARD -p tcp --dport 22 -j LOG --log-prefix "ssh mangle forward: "
$IPT -t mangle -A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh mangle input: "
$IPT -t mangle -A OUTPUT -p tcp --dport 22 -j LOG --log-prefix "ssh mangle output: "
$IPT -t mangle -A POSTROUTING -p tcp --dport 22 -j LOG --log-prefix "ssh mangle postrouting: "
$IPT -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix "ssh mangle prerouting: "
$IPT -t nat -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix "ssh nat prerouting: "
$IPT -t nat -A POSTROUTING -p tcp --dport 22 -j LOG --log-prefix "ssh nat postrouting: "
$IPT -t raw -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix "ssh raw prerouting: "
$IPT -t raw -A OUTPUT -p tcp --dport 22 -j LOG --log-prefix "ssh raw output: "
$IPT -t security -A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh security input: "
$IPT -t security -A FORWARD -p tcp --dport 22 -j LOG --log-prefix "ssh security forward: "
$IPT -t security -A OUTPUT -p tcp --dport 22 -j LOG --log-prefix "ssh security output: "
$IPT -A INPUT -i tun+ -s 999.999.999.999 -j ACCEPT
$IPT -A FORWARD -i tun+ -s 999.999.999.999 -j ACCEPT
$IPT -A OUTPUT -o tun+ -d 999.999.999.999 -j ACCEPT
The resulting log entries are as follows (slightly edited for security):
ssh raw prerouting: IN=wlan OUT= MAC=??? SRC=999.999.999.999 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=40283 DF PROTO=TCP SPT=45823 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
ssh mangle prerouting: IN=wlan OUT= MAC=??? SRC=999.999.999.999 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=40283 DF PROTO=TCP SPT=45823 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
ssh nat prerouting: IN=wlan OUT= MAC=??? SRC=999.999.999.999 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=40283 DF PROTO=TCP SPT=45823 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
<then the following retry>
ssh raw prerouting: IN=wlan OUT= MAC=??? SRC=999.999.999.999 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=40284 DF PROTO=TCP SPT=45823 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
ssh mangle prerouting: IN=wlan OUT= MAC=??? SRC=999.999.999.999 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=40284 DF PROTO=TCP SPT=45823 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
ssh nat prerouting: IN=wlan OUT= MAC=??? SRC=999.999.999.999 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=40284 DF PROTO=TCP SPT=45823 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
... and so on.
Cheers,
Kevin
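Added example, not part of Kevin's message or any reply in the thread: a small shell helper that groups the "ssh <table> <chain>:" LOG lines by packet and reports the furthest netfilter hook each SYN reached, so that a trail ending at nat PREROUTING is recognised as a drop at the routing decision rather than in an iptables chain. The function name `trace_syn_path`, the verdict labels and the sample log lines (the first SYN from the post plus one made-up packet from 10.0.0.5 that completes the INPUT path) are all constructed here.

```shell
#!/bin/sh
# Added example, not from the original post: group the "ssh <table> <chain>:"
# LOG lines by packet (SRC, SPT, IP ID) and report the furthest hook each one
# reached. No netfilter chain sits between nat PREROUTING and mangle INPUT, only
# the routing decision, so a trail ending at nat prerouting points at routing
# (rp_filter, missing route; net.ipv4.conf.*.log_martians makes that visible).
# Constructed sample: the first SYN from the post plus a made-up packet that
# completes the INPUT path; a syslog prefix before "ssh" is tolerated.
SAMPLE_LOG='ssh raw prerouting: IN=wlan OUT= SRC=999.999.999.999 DST=192.168.0.20 ID=40283 DF PROTO=TCP SPT=45823 DPT=22 SYN
ssh mangle prerouting: IN=wlan OUT= SRC=999.999.999.999 DST=192.168.0.20 ID=40283 DF PROTO=TCP SPT=45823 DPT=22 SYN
ssh nat prerouting: IN=wlan OUT= SRC=999.999.999.999 DST=192.168.0.20 ID=40283 DF PROTO=TCP SPT=45823 DPT=22 SYN
Apr 27 15:20:01 giles kernel: ssh raw prerouting: IN=wlan OUT= SRC=10.0.0.5 DST=192.168.0.20 ID=17 DF PROTO=TCP SPT=50000 DPT=22 SYN
Apr 27 15:20:01 giles kernel: ssh mangle prerouting: IN=wlan OUT= SRC=10.0.0.5 DST=192.168.0.20 ID=17 DF PROTO=TCP SPT=50000 DPT=22 SYN
Apr 27 15:20:01 giles kernel: ssh nat prerouting: IN=wlan OUT= SRC=10.0.0.5 DST=192.168.0.20 ID=17 DF PROTO=TCP SPT=50000 DPT=22 SYN
Apr 27 15:20:01 giles kernel: ssh mangle input: IN=wlan OUT= SRC=10.0.0.5 DST=192.168.0.20 ID=17 DF PROTO=TCP SPT=50000 DPT=22 SYN
Apr 27 15:20:01 giles kernel: ssh filter input: IN=wlan OUT= SRC=10.0.0.5 DST=192.168.0.20 ID=17 DF PROTO=TCP SPT=50000 DPT=22 SYN
Apr 27 15:20:01 giles kernel: ssh security input: IN=wlan OUT= SRC=10.0.0.5 DST=192.168.0.20 ID=17 DF PROTO=TCP SPT=50000 DPT=22 SYN'
# Reads LOG lines on stdin; prints "SRC:SPT/ID last=<hook> verdict=<v>" per packet.
trace_syn_path() {
  awk '
  BEGIN {  # hook order for a packet addressed to the host itself (INPUT path)
    n = split("raw prerouting,mangle prerouting,nat prerouting,mangle input,filter input,security input", hook, ",")
    for (i = 1; i <= n; i++) rank[hook[i]] = i
  }
  match($0, /ssh [a-z]+ [a-z]+:/) {
    h = substr($0, RSTART + 4, RLENGTH - 5)     # e.g. "nat prerouting"
    if (!(h in rank)) next
    src = spt = id = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^SRC=/) src = substr($i, 5)
      if ($i ~ /^SPT=/) spt = substr($i, 5)
      if ($i ~ /^ID=/)  id  = substr($i, 4)
    }
    key = src ":" spt "/" id
    if (!(key in last)) { order[++count] = key; last[key] = 0 }
    if (rank[h] > last[key]) last[key] = rank[h]   # furthest hook seen
  }
  END {
    for (k = 1; k <= count; k++) {
      key = order[k]; h = hook[last[key]]
      if (h == "nat prerouting") v = "routing-decision"
      else if (last[key] == n)   v = "reached-end"
      else                       v = "stopped"
      gsub(/ /, "_", h)
      printf "%s last=%s verdict=%s\n", key, h, v
    }
  }'
}
printf '%s\n' "$SAMPLE_LOG" | trace_syn_path
```

Feed it the real kernel log (e.g. `journalctl -k | trace_syn_path`) and every packet whose verdict is routing-decision was accepted by raw, mangle and nat PREROUTING and then never entered INPUT or FORWARD.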