Linux Netfilter discussions
From: Aiko Barz <aiko@deepco.de>
To: netfilter@vger.kernel.org
Cc: aiko@deepco.de
Subject: INVALID FIN/ACK packets
Date: Wed, 14 Nov 2007 11:02:26 +0100
Message-ID: <20071114100226.GA29362@thorin.admin.heise.de>


Hi,

Like others, I'm facing some conntrack problems. A typical log entry
looks like this:

> Nov 14 10:46:22 lain fire: INVALID IN=eth0 OUT= MAC=00:e0:81:5c:f7:d9:00:02:85:04:0e:c0:08:00 SRC=a.b.c.d DST=88.198.253.172 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=47775 DF PROTO=TCP SPT=49184 DPT=993 WINDOW=65535 RES=0x00 ACK RST URGP=0
> Nov 14 10:46:22 lain fire: INPUT IN=eth0 OUT= MAC=00:e0:81:5c:f7:d9:00:02:85:04:0e:c0:08:00 SRC=a.b.c.d DST=88.198.253.172 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=47775 DF PROTO=TCP SPT=49184 DPT=993 WINDOW=65535 RES=0x00 ACK RST URGP=0 
> Nov 14 10:46:22 lain fire: OUTPUT IN= OUT=eth0 SRC=88.198.253.172 DST=a.b.c.d LEN=68 TOS=0x00 PREC=0xC0 TTL=64 ID=13872 PROTO=ICMP TYPE=3 CODE=13 [SRC=a.b.c.d DST=88.198.253.172 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=47775 DF PROTO=TCP SPT=49184 DPT=993 WINDOW=65535 RES=0x00 ACK RST URGP=0 ]

lain is an IMAP server. This is not happening in any FORWARDING chain.
I have one more server with this same kind of problem. "ACK RST" and
"ACK FIN" packets are involved.

> $ uname -a
> Linux lain 2.6.22-gentoo-r8-lain #2 SMP Wed Oct 24 13:48:14 CEST 2007 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 3800+ AuthenticAMD GNU/Linux

> sysctl -a| grep -i conntrack
> net.netfilter.nf_conntrack_generic_timeout = 600
> net.netfilter.nf_conntrack_max = 65536
> net.netfilter.nf_conntrack_count = 127
> net.netfilter.nf_conntrack_buckets = 8192
> net.netfilter.nf_conntrack_checksum = 1
> net.netfilter.nf_conntrack_log_invalid = 1
> net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
> net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
> net.netfilter.nf_conntrack_tcp_timeout_established = 432000
> net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
> net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
> net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
> net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
> net.netfilter.nf_conntrack_tcp_timeout_close = 10
> net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
> net.netfilter.nf_conntrack_tcp_loose = 1
> net.netfilter.nf_conntrack_tcp_be_liberal = 0
> net.netfilter.nf_conntrack_tcp_max_retrans = 3
> net.netfilter.nf_conntrack_udp_timeout = 30
> net.netfilter.nf_conntrack_udp_timeout_stream = 180
> net.netfilter.nf_conntrack_icmp_timeout = 30
> net.nf_conntrack_max = 65536

The rules are basically like the following set:

> $fw -A INPUT -m state --state INVALID -j LOG --log-prefix "fire: INVALID "
> $fw -A INPUT  -i $dev -m state --state ESTABLISHED,RELATED -s $world -d $myip -j ACCEPT
> $fw -A OUTPUT -o $dev -m state --state ESTABLISHED,RELATED -d $world -s $myip -j ACCEPT
> $fw -A INPUT -i $dev -p tcp -m tcp -m state --state NEW --syn -s $world --sport 1024: -d $myip --dport 993 -j ACCEPT

Those rules are working most of the time. But there are quite a number
of invalid connections...

Bye,
    Aiko
-- 
:wq

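An added example, not code from Aiko's mail or from the netfilter project: a small parser for lines in the netfilter LOG target format shown above, run over the three quoted lines as constructed sample input (quote markers removed; "a.b.c.d" is the placeholder source address used in the mail, and the "fire: INVALID " / "fire: INPUT " prefixes come from the rules quoted there). It extracts the log prefix, the header fields and the bare TCP flag tokens, groups lines by (SRC, DST, PROTO, SPT, DPT, IP ID) so that one datagram can be followed across chains and into the header an ICMP error quotes, and for every INVALID hit reports the flag combination and what the log shows happening to that packet next. On the sample it reconstructs that the ACK RST segment was logged INVALID, then reached the INPUT chain's log rule, then was answered with an ICMP type 3 code 13 (communication administratively prohibited), which is what one expects when the ESTABLISHED,RELATED rule finds no conntrack state for the segment.

```python
"""Parse netfilter LOG target lines and correlate INVALID hits with what
happened to the same packet afterwards.

Added example, not code from the mail or from the netfilter project.  The
sample log below is constructed from the three lines quoted in the mail
(quote markers removed); "a.b.c.d" is the placeholder source used there.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Nov 14 10:46:22 lain fire: INVALID IN=eth0 OUT= MAC=00:e0:81:5c:f7:d9:00:02:85:04:0e:c0:08:00 SRC=a.b.c.d DST=88.198.253.172 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=47775 DF PROTO=TCP SPT=49184 DPT=993 WINDOW=65535 RES=0x00 ACK RST URGP=0
Nov 14 10:46:22 lain fire: INPUT IN=eth0 OUT= MAC=00:e0:81:5c:f7:d9:00:02:85:04:0e:c0:08:00 SRC=a.b.c.d DST=88.198.253.172 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=47775 DF PROTO=TCP SPT=49184 DPT=993 WINDOW=65535 RES=0x00 ACK RST URGP=0
Nov 14 10:46:22 lain fire: OUTPUT IN= OUT=eth0 SRC=88.198.253.172 DST=a.b.c.d LEN=68 TOS=0x00 PREC=0xC0 TTL=64 ID=13872 PROTO=ICMP TYPE=3 CODE=13 [SRC=a.b.c.d DST=88.198.253.172 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=47775 DF PROTO=TCP SPT=49184 DPT=993 WINDOW=65535 RES=0x00 ACK RST URGP=0 ]
"""

# syslog timestamp, host, free-form --log-prefix, then the packet dump starting at IN=
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<prefix>.*?)\s*(?P<rest>IN=.*)$"
)

# TCP flag tokens as the LOG target prints them (bare words, no '=')
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")


def parse_fields(text):
    """Split 'K=V' tokens into a dict; bare tokens (DF, ACK, RST, ...) become flags."""
    fields, flags = {}, []
    for tok in text.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.append(tok)
    return fields, flags


def parse_line(line):
    """Return a dict for one LOG line, or None if the line is not in LOG format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest, inner = m.group("rest"), None
    # ICMP error lines carry the offending packet's header in [...]
    if "[" in rest:
        rest, inner_text = rest.split("[", 1)
        inner_fields, inner_flags = parse_fields(inner_text.strip(" ]"))
        inner = {"fields": inner_fields, "flags": inner_flags}
    fields, flags = parse_fields(rest)
    return {"ts": m.group("ts"), "host": m.group("host"),
            "prefix": m.group("prefix").strip(),
            "fields": fields, "flags": flags, "inner": inner}


def tcp_flag_string(flags):
    """Keep only the TCP flag tokens, in the order the LOG target prints them."""
    return " ".join(f for f in flags if f in TCP_FLAGS)


def flow_key(fields):
    """Identify one packet: 5-tuple plus IP ID, so the same datagram can be
    followed across chains and into an ICMP error's quoted header."""
    return tuple(fields.get(k) for k in ("SRC", "DST", "PROTO", "SPT", "DPT", "ID"))


def invalid_summary(log_text):
    """Count INVALID hits by TCP flag combination and, for each, list what the
    log shows happening to that same packet (later chains, ICMP reply)."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_key = defaultdict(list)
    for e in entries:
        by_key[flow_key(e["fields"])].append(("chain", e))
        if e["inner"]:
            by_key[flow_key(e["inner"]["fields"])].append(("icmp", e))

    flag_counts, traces = Counter(), []
    for e in entries:
        if "INVALID" not in e["prefix"]:
            continue
        flags = tcp_flag_string(e["flags"])
        flag_counts[flags] += 1
        trace = []
        for kind, other in by_key[flow_key(e["fields"])]:
            if kind == "chain":
                # "fire: INPUT" -> "INPUT": the chain whose LOG rule fired
                trace.append(other["prefix"].split(":")[-1].strip())
            else:
                f = other["fields"]
                trace.append(f"ICMP type {f['TYPE']} code {f['CODE']}")
        traces.append({"flow": flow_key(e["fields"]), "flags": flags, "trace": trace})
    return flag_counts, traces


if __name__ == "__main__":
    counts, traces = invalid_summary(SAMPLE_LOG)
    for flags, n in counts.items():
        print(f"{n} INVALID packet(s) with flags [{flags}]")
    for t in traces:
        src, dst, proto, spt, dpt, ipid = t["flow"]
        print(f"{src}:{spt} -> {dst}:{dpt} {proto} id={ipid}: " + " -> ".join(t["trace"]))
```

Run against a real syslog file (`invalid_summary(open("/var/log/messages").read())`, assuming the LOG lines land there) the flag histogram shows whether the INVALID hits are the ACK RST and ACK FIN tails the mail describes or something else, and the per-packet traces show which chain finally dealt with each one; the IP ID is included in the key because the same 4-tuple can recur across many segments of one connection.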


Thread overview: 4+ messages
2007-11-14 10:02 Aiko Barz [this message]
2007-11-14 22:35 ` INVALID FIN/ACK packets Olivier Sessink
2007-11-15  9:57   ` Jozsef Kadlecsik
2007-11-26 22:10     ` Aiko Barz
