* Possible conntrack problem
From: zottmann @ 2006-06-01 11:56 UTC (permalink / raw)
To: netfilter
Hi !!
I am having a problem that I think may be related to conntrack.
I am getting dropped packets in the firewall coming from our web server,
source port 80, and going to external machines on high ports, with both ACK
and SEQ numbers set.
It seems to me that these packets are answers from our webserver to
connections established with it, but, for some reason, the connection
information is being lost (maybe due to timeout?).
How can I track this? Has anyone gone through something like it?
Thanks in advance,
Carlos.
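One way to track what Carlos describes is to log the drops and classify them. The parser below is an added example, not code from the thread or from the netfilter project: it reads lines in the format written by the iptables LOG target (the sample lines are constructed, use documentation addresses, and assume a "FWD-DROP:" log prefix) and separates server-to-client segments that carry ACK but no SYN, which a firewall holding a live conntrack entry would have matched as ESTABLISHED, from plain SYNs hitting a filter rule. A pile of the first kind, grouped by remote host, is the signature of state that was never created, timed out, or of segments conntrack rated INVALID; the second kind is ordinary filtering and says nothing about conntrack.

```python
import re
from collections import Counter

# TCP flags the LOG target prints as bare words after PROTO=TCP.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample lines (documentation addresses, assumed "FWD-DROP:" prefix);
# they are not taken from the thread.
SAMPLE_LOG = """\
Jun  1 08:55:01 fw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.45 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=4021 DF PROTO=TCP SPT=80 DPT=51234 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Jun  1 08:55:02 fw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.45 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4022 DF PROTO=TCP SPT=80 DPT=51234 WINDOW=5840 RES=0x00 ACK FIN URGP=0
Jun  1 08:55:03 fw kernel: FWD-DROP: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=9 DF PROTO=TCP SPT=44120 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  1 08:55:04 fw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.99 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4100 DF PROTO=TCP SPT=80 DPT=40001 WINDOW=5840 RES=0x00 ACK URGP=0
Jun  1 08:55:05 fw kernel: FWD-DROP: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=10 DF PROTO=UDP SPT=5000 DPT=53 LEN=28
"""


def parse_log_line(line):
    """Parse one LOG-target line into its KEY=VALUE fields plus a FLAGS set.
    Returns None for lines that are not netfilter packet logs."""
    if "SRC=" not in line or "PROTO=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    # The flags follow PROTO=TCP as bare tokens; collect the ones present.
    tail = line.split("PROTO=", 1)[1]
    fields["FLAGS"] = {tok for tok in tail.split() if tok in TCP_FLAGS}
    return fields


def classify(pkt, server_port="80"):
    """Label a dropped packet by what its ports and flags say about its
    place in a connection."""
    if pkt.get("PROTO") != "TCP":
        return "other"
    flags = pkt["FLAGS"]
    if pkt.get("SPT") == server_port and "ACK" in flags and "SYN" not in flags:
        # Server-to-client segment of a flow that is already under way. With a
        # conntrack entry present it would have matched ESTABLISHED, so a drop
        # means the entry is missing or the segment was rated INVALID.
        return "stateless_reply"
    if pkt.get("DPT") == server_port and flags == {"SYN"}:
        # A fresh handshake stopped by a filter rule: not a conntrack symptom.
        return "new_connection"
    return "other"


def summarize(log_text, server_port="80"):
    """Count drops per label and, for the conntrack-symptom class, per remote host."""
    counts, remotes = Counter(), Counter()
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        if pkt is None:
            continue
        label = classify(pkt, server_port)
        counts[label] += 1
        if label == "stateless_reply":
            remotes[pkt["DST"]] += 1
    return counts, remotes


if __name__ == "__main__":
    counts, remotes = summarize(SAMPLE_LOG)
    print("drops by class:", dict(counts))
    print("stateless replies by remote host:", dict(remotes))
```

Feed it the firewall's syslog instead of SAMPLE_LOG; if the stateless_reply bucket dominates and the remote hosts are spread out, the cause is on the state-tracking side (timeouts, table size, or out-of-window segments) rather than a few broken clients.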
* RE: Possible conntrack problem
From: Sietse van Zanen @ 2006-06-01 12:04 UTC (permalink / raw)
To: zottmann, netfilter
This usually happens with clients behaving badly or misconfigured servers. Very unlikely (I would say less than a 1% chance) to be a netfilter issue.
If you don't get any reports about your webserver being unreachable or unusable, all is working exactly as it should.
If people do have problems with your webserver, check the configuration of the server and clients.
-Sietse
________________________________
From: netfilter-bounces@lists.netfilter.org on behalf of zottmann@ig.com.br
Sent: Thu 01-Jun-06 13:56
To: netfilter@lists.netfilter.org
Subject: Possible conntrack problem
Hi !!
I am having a problem that I think may be related to conntrack.
I am getting dropped packets in the firewall coming from our web server,
source port 80, and going to external machines on high ports, with both ACK
and SEQ numbers set.
It seems to me that these packets are answers from our webserver to
connections established with it, but, for some reason, the connection
information is being lost (maybe due to timeout?).
How can I track this? Has anyone gone through something like it?
Thanks in advance,
Carlos.
* Re: Possible conntrack problem
From: Justin Schoeman @ 2006-06-01 12:15 UTC (permalink / raw)
To: Sietse van Zanen; +Cc: netfilter
Can also try:
echo "1" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
Seems to help if there is a PIX between your clients and servers...
-justin
Sietse van Zanen wrote:
> This usually happens with clients behaving badly or misconfigured servers. Very unlikely (I would say less than a 1% chance) to be a netfilter issue.
> If you don't get any reports about your webserver being unreachable or unusable, all is working exactly as it should.
>
> If people do have problems with your webserver, check the configuration of the server and clients.
>
> -Sietse
>
> ________________________________
>
> From: netfilter-bounces@lists.netfilter.org on behalf of zottmann@ig.com.br
> Sent: Thu 01-Jun-06 13:56
> To: netfilter@lists.netfilter.org
> Subject: Possible conntrack problem
>
> Hi !!
>
> I am having a problem that I think may be related to conntrack.
>
> I am getting dropped packets in the firewall coming from our web server,
> source port 80, and going to external machines on high ports, with both ACK
> and SEQ numbers set.
>
> It seems to me that these packets are answers from our webserver to
> connections established with it, but, for some reason, the connection
> information is being lost (maybe due to timeout?).
>
> How can I track this? Has anyone gone through something like it?
>
> Thanks in advance,
> Carlos.
* Possible conntrack problem
From: zottmann @ 2006-06-02 18:46 UTC (permalink / raw)
To: netfilter
Hi !!
We are seeing a lot of packets being blocked at our firewall, coming from
our webserver, port 80, going to the several hosts at the Internet, at high
ports, with both SEQ and ACK set.
It seems that these packets are answers from our webserver to connections
established to it, and, for some reason, their state is not being kept.
How can I track this problem?
We are using iptables 1.3.1, kernel 2.6.11.12, in a Fedora Core 3 machine.
Thanks in advance,
Carlos.
* Re: Possible conntrack problem
From: zottmann @ 2006-06-03 18:53 UTC (permalink / raw)
To: justin, Sietse van Zanen; +Cc: netfilter
Hi !!
Thank you both for your answers!!
We are not getting any reports regarding problems with our webserver, but
surely these logs are weird.
We are going to try ip_conntrack_tcp_be_liberal and see what happens. By the
way, what does it really mean?
Regards,
Carlos.
On (14:15:13), Justin Schoeman wrote:
>Can also try:
>
>echo "1" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
>
>Seems to help if there is a PIX between your clients and servers...
>
>-justin
>
>Sietse van Zanen wrote:
>> This usually happens with clients behaving badly or misconfigured servers.
>> Very unlikely (I would say less than a 1% chance) to be a netfilter issue.
>> If you don't get any reports about your webserver being unreachable or
>> unusable, all is working exactly as it should.
>>
>> If people do have problems with your webserver, check the configuration of
>> the server and clients.
>>
>> -Sietse
>>
>> ________________________________
>>
>> From: netfilter-bounces@lists.netfilter.org on behalf of zottmann@ig.com.br
>> Sent: Thu 01-Jun-06 13:56
>> To: netfilter@lists.netfilter.org
>> Subject: Possible conntrack problem
>>
>> Hi !!
>>
>> I am having a problem that I think may be related to conntrack.
>>
>> I am getting dropped packets in the firewall coming from our web server,
>> source port 80, and going to external machines on high ports, with both ACK
>> and SEQ numbers set.
>>
>> It seems to me that these packets are answers from our webserver to
>> connections established with it, but, for some reason, the connection
>> information is being lost (maybe due to timeout?).
>>
>> How can I track this? Has anyone gone through something like it?
>>
>> Thanks in advance,
>> Carlos.
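On the question of what ip_conntrack_tcp_be_liberal means: conntrack keeps, for each direction of a TCP connection, the highest sequence number that side has sent and the highest one its peer has offered to accept (last acknowledgement plus advertised window). A segment that falls outside that range is rated INVALID and does not update the tracking, which is exactly what leaves mid-stream server replies with no matching state. With the sysctl set to 1, out-of-window segments are accepted instead; only out-of-window RSTs stay INVALID. Middleboxes that rewrite sequence numbers, as the PIX Justin mentions does, are the usual reason a flow drifts out of conntrack's view. The model below is an added example, not the kernel's code: it keeps just the bookkeeping needed to show the in-window test and the strict versus liberal verdict, ignores window scaling, SACK and sequence-number wrap-around, and uses constructed sequence numbers.

```python
VALID, INVALID = "valid", "invalid"


class TcpWindowTracker:
    """Simplified model of conntrack's per-connection TCP window tracking."""

    def __init__(self, be_liberal=False):
        self.be_liberal = be_liberal
        # Per direction: end    = highest seq+len that side has sent,
        #                maxend = highest seq its peer has offered to accept (ack + window),
        #                maxwin = largest window that side has advertised.
        self.side = {
            "orig": {"end": None, "maxend": None, "maxwin": 0},
            "reply": {"end": None, "maxend": None, "maxwin": 0},
        }

    def segment(self, direction, seq, ack, length, window, flags=()):
        """Return VALID or INVALID for one segment. Only in-window segments
        update the tracked window, as in conntrack."""
        sender = self.side[direction]
        receiver = self.side["reply" if direction == "orig" else "orig"]
        end = seq + length  # caller counts SYN and FIN as one byte each

        if sender["end"] is None:
            in_window = True  # first segment in this direction: nothing to compare against
        else:
            in_window = (
                seq <= sender["maxend"]                        # not beyond what the peer accepts
                and end >= sender["end"] - receiver["maxwin"]  # not hopelessly stale
                and ("ACK" not in flags or receiver["end"] is None
                     or ack <= receiver["end"])                # cannot ack data never sent
            )

        if in_window:
            sender["end"] = max(sender["end"] or 0, end)
            sender["maxwin"] = max(sender["maxwin"], window)
            if sender["maxend"] is None:
                sender["maxend"] = end
            if "ACK" in flags:
                # The sender acknowledged up to 'ack' and offers 'window' more bytes:
                # that edge is the most the other side may send next.
                receiver["maxend"] = max(receiver["maxend"] or 0, ack + window)
            return VALID
        if "RST" in flags:
            return INVALID  # out-of-window RSTs are INVALID in both modes
        return VALID if self.be_liberal else INVALID


def run_scenario(be_liberal):
    """Replay a handshake, one in-window data segment and two out-of-window
    segments (constructed sequence numbers) and return the verdicts."""
    t = TcpWindowTracker(be_liberal)
    t.segment("orig", 1000, 0, 1, 65535, ("SYN",))
    t.segment("reply", 5000, 1001, 1, 5840, ("SYN", "ACK"))
    t.segment("orig", 1001, 5001, 0, 65535, ("ACK",))
    return {
        "in_window_data": t.segment("reply", 5001, 1001, 1460, 5840, ("ACK", "PSH")),
        # Sequence number far past anything the client offered to accept, e.g.
        # after a middlebox rewrote it.
        "out_of_window_data": t.segment("reply", 900000, 1001, 1460, 5840, ("ACK", "PSH")),
        "out_of_window_rst": t.segment("reply", 900000, 1001, 0, 0, ("RST", "ACK")),
    }


if __name__ == "__main__":
    print("be_liberal=0:", run_scenario(False))
    print("be_liberal=1:", run_scenario(True))
```

The difference the sysctl makes is confined to the middle case: strict mode rates the out-of-window data segment INVALID, liberal mode lets it through, and the out-of-window RST is INVALID either way. Turning it on therefore trades some protection against injected segments for tolerance of middleboxes that rewrite sequence numbers, so it is worth confirming with the logging approach first that the drops really are out-of-window segments of live flows.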
* Re: Possible conntrack problem
From: Djalma Fadel Junior @ 2006-06-03 22:04 UTC (permalink / raw)
To: netfilter
On Fri, 2 Jun 2006 15:46:42 -0300
zottmann <zottmann@ig.com.br> wrote:
> Hi !!
>
> We are seeing a lot of packets being blocked at our firewall, coming from
> our webserver, port 80, going to the several hosts at the Internet, at high
> ports, with both SEQ and ACK set.
>
> It seems that these packets are answers from our webserver to connections
> established to it, and, for some reason, their state is not being kept.
>
> How can I track this problem?
>
> We are using iptables 1.3.1, kernel 2.6.11.12, in a Fedora Core 3 machine.
I'm facing the same problem on port 3128.
I guess that may be some kind of virus/worm that uses ports like 80,1080,8080,3128 for spam purposes. They use any HTTP port to connect to mail servers and send bulk email.
My conntrack table was getting flooded and I set 2 rules, but the problem keeps on.
iptables -t nat -I PREROUTING -p tcp ! --syn -m state --state NEW -j DROP
iptables -I FORWARD -d ${MY_NETWORK} -p tcp --dport 3128 -m state --state NEW -j DROP
Any effective solution would be appreciated.
thanks
--
Djalma Fadel Junior
Technical Director
Ferasoft Corporation Ltda
+55 (19) 3542-3490
dfadel@ferasoft.com.br