* Newbie: why is this packet being dropped/logged?
From: Jean-Christian Imbeault @ 2003-08-04 5:11 UTC (permalink / raw)
To: netfilter
I am relatively new to iptables. I have set up some basic rules for my
web server to allow only SSH and HTTP traffic (listed below). But I am
finding some log entries showing packets that were trying to connect to
port 80 getting logged (and dropped).
I can't understand why these packets were logged as I thought my rules
would let through any packet trying to connect to port 80.
# iptables -n -v -L
Chain INPUT (policy DROP 279 packets, 14864 bytes)
 pkts bytes target prot opt in out source destination
  238 47040 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
 366M 21G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2199K 120M ACCEPT tcp -- eth0 * 0.0.0.0/0 203.179.86.66 state NEW,RELATED,ESTABLISHED tcp dpt:80
   38 1824 ACCEPT tcp -- eth0 * 219.118.175.0/24 203.179.86.66 state NEW,RELATED,ESTABLISHED tcp dpt:22
    0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
    0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 reject-with tcp-reset
    0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137 reject-with icmp-port-unreachable
    0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138 reject-with icmp-port-unreachable
    0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:138 reject-with icmp-port-unreachable
    0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:139 reject-with icmp-port-unreachable
  279 14864 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `DROP:'
Here is one of those log entries:
kernel: DROP:IN=eth0 OUT= MAC=00:d0:b7:e1:13:e7:00:90:fe:1e:50:a6:08:00 SRC=66.69.93.167 DST=203.179.86.66 LEN=40 TOS=0x00 PREC=0x00 TTL=105 ID=8622 DF PROTO=TCP SPT=1439 DPT=80 WINDOW=64952 RES=0x00 ACK URGP=0
Can someone help me understand why this packet was dropped?
Thanks,
Jean-Christian Imbeault
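The log line above packs the verdict prefix, addresses, ports and TCP flag bits into one whitespace-separated record, and the flag tokens (here a bare ACK with no SYN) are what tell you whether the packet was a connection request or a mid-stream segment. The following parser is an added example, not code from the original post or from the netfilter project; the sample line is the one quoted in the post, re-joined onto a single line, and the field names are the ones the iptables LOG target prints.

```python
from typing import Any, Dict

# Constructed sample: the kernel LOG entry quoted in the post, joined onto one line.
SAMPLE_LINE = (
    "kernel: DROP:IN=eth0 OUT= MAC=00:d0:b7:e1:13:e7:00:90:fe:1e:50:a6:08:00 "
    "SRC=66.69.93.167 DST=203.179.86.66 LEN=40 TOS=0x00 PREC=0x00 TTL=105 "
    "ID=8622 DF PROTO=TCP SPT=1439 DPT=80 WINDOW=64952 RES=0x00 ACK URGP=0"
)

# Bare tokens the LOG target emits for TCP flag bits; "DF" is the IP don't-fragment bit.
TCP_FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
# Fields whose values are plain decimal integers.
INT_FIELDS = {"LEN", "TTL", "ID", "SPT", "DPT", "WINDOW", "URGP"}


def parse_log_line(line: str) -> Dict[str, Any]:
    """Turn one iptables LOG line into a dict of KEY=value fields plus a FLAGS set."""
    head, sep, body = line.partition("IN=")
    if not sep:
        raise ValueError("not an iptables LOG line (no IN= field)")
    # Everything before IN= is syslog noise plus the --log-prefix string.
    prefix = head.strip()
    if prefix.startswith("kernel:"):
        prefix = prefix[len("kernel:"):].strip()
    fields: Dict[str, Any] = {"PREFIX": prefix, "FLAGS": set(), "DF": False}
    for token in ("IN=" + body).split():
        key, eq, value = token.partition("=")
        if eq:
            fields[key] = int(value) if key in INT_FIELDS else value
        elif token in TCP_FLAG_TOKENS:
            fields["FLAGS"].add(token)
        elif token == "DF":
            fields["DF"] = True
    return fields


def describe_tcp_segment(fields: Dict[str, Any]) -> str:
    """Say, from the flag bits alone, what kind of TCP segment was logged."""
    if fields.get("PROTO") != "TCP":
        return "not TCP"
    flags = fields["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "SYN: a connection request, the packet conntrack would classify as NEW"
    if "RST" in flags:
        return "RST: a reset"
    if "ACK" in flags and "SYN" not in flags:
        return "ACK without SYN: a mid-stream segment, not a connection request"
    return "other"


if __name__ == "__main__":
    parsed = parse_log_line(SAMPLE_LINE)
    print(parsed["PREFIX"], parsed["SRC"], "->", parsed["DST"], "dport", parsed["DPT"],
          sorted(parsed["FLAGS"]))
    print(describe_tcp_segment(parsed))
```

Run over a syslog file, the same function lets you group dropped packets by prefix, destination port and flag combination, which separates scans (lone SYNs to closed ports) from stray mid-stream ACKs like the one in the question.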
* RE: Newbie: why is this packet being dropped/logged?
From: George Vieira @ 2003-08-04 5:31 UTC (permalink / raw)
To: Jean-Christian Imbeault, netfilter
It's being dropped because you have allowed TCP port 80 on 219.118.175.0/24 ONLY. Looking at your logs, it shows the IP as DST=203.179.86.66, which isn't in that network.
HOW BIG is your network???
Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au
Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
Phone : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
* Re: Newbie: why is this packet being dropped/logged?
From: Jean-Christian Imbeault @ 2003-08-04 5:32 UTC (permalink / raw)
To: netfilter
George Vieira wrote:
> it's being dropped because you have allowed TCP port 80 on
> 219.118.175.0/24 ONLY.. looking at your logs it shows the IP as
> DST=203.179.86.66 which isn't to that network..
Maybe you misread the iptables output since the formatting is off,
but the rule for 219.118.175.0/24 is for SSH. The port 80 rule is:
ACCEPT tcp -- eth0 * 0.0.0.0/0 203.179.86.66 state NEW,RELATED,ESTABLISHED tcp dpt:80
> HOW BIG is your network???
Only 16 IP addresses. I hate to show my ignorance, but the SSH rule
which uses 219.118.175.0/24 is to allow SSH access from another
network with 8 IP addresses. The range is 219.118.175.240-248 but I didn't
know how to write that as a / netmask so I used 0/24 :(
Jc
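The range 219.118.175.240-248 in the reply above is the kind of source restriction that gets widened to a /24 because a single prefix will not fit it. The block below is an added example, not code from the thread; it uses Python's standard ipaddress module to compute the smallest set of prefixes that covers the range exactly, counts how many extra addresses the /24 admits, and emits one iptables-save line per prefix (the destination address and interface are the ones from the posted ruleset, and the rules use only --state NEW, as the later replies in the thread conclude is all the accept rule needs).

```python
import ipaddress
from typing import List


def cidr_blocks(first: str, last: str) -> List[str]:
    """Smallest list of CIDR prefixes that covers exactly first..last (inclusive)."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(net) for net in nets]


def excess_addresses(granted: str, first: str, last: str) -> int:
    """How many addresses a single prefix `granted` admits beyond first..last."""
    wanted = int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1
    return ipaddress.ip_network(granted).num_addresses - wanted


def all_inside(blocks: List[str], granted: str) -> bool:
    """True when every computed block lies within the prefix that was granted instead."""
    outer = ipaddress.ip_network(granted)
    return all(ipaddress.ip_network(b).subnet_of(outer) for b in blocks)


def ssh_rules(blocks: List[str], dst: str, iface: str = "eth0") -> List[str]:
    """One source-restricted accept rule per block, in iptables-save syntax."""
    return [
        f"-A INPUT -s {b} -d {dst} -i {iface} -p tcp -m tcp --dport 22 "
        f"-m state --state NEW -j ACCEPT"
        for b in blocks
    ]


if __name__ == "__main__":
    # Constructed input: the range and the prefix actually used in the thread.
    first, last, used = "219.118.175.240", "219.118.175.248", "219.118.175.0/24"
    blocks = cidr_blocks(first, last)
    print("exact cover:", blocks)
    print("addresses admitted by", used, "beyond the range:", excess_addresses(used, first, last))
    for rule in ssh_rules(blocks, "203.179.86.66"):
        print(rule)
```

The range needs two prefixes (a /29 for .240-.247 and a /32 for .248), so the /24 used in the posted rule lets 247 unrelated addresses reach the SSH port.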
* Re: Newbie: why is this packet being dropped/logged?
From: Jean-Christian Imbeault @ 2003-08-04 7:29 UTC (permalink / raw)
To: netfilter; +Cc: Cedric Blancher
Cedric Blancher wrote:
> Do you use patches such as tcp-nopickup that could make an ACK packet
> fall into INVALID state because not matched against any existing
> conntrack entry ?
How can I check? I installed iptables v1.2.8 with no patches so I don't
think I have tcp-nopickup installed.
Thanks,
Jean-Christian Imbeault
* Re: Newbie: why is this packet being dropped/logged?
From: Cedric Blancher @ 2003-08-04 7:40 UTC (permalink / raw)
To: Jean-Christian Imbeault; +Cc: netfilter
On Mon 04/08/2003 at 09:29, Jean-Christian Imbeault wrote:
> Cedric Blancher wrote:
> > Do you use patches such as tcp-nopickup that could make an ACK packet
> > fall into INVALID state because not matched against any existing
> > conntrack entry ?
> How can I check? I installed iptables v1.2.8 with no patches so I don't
> think I have tcp-nopickup installed.
Well, probably not this. Still, just add a logging rule for INVALID
packets, just to check. I may be missing something obvious, but for now I do
not see anything but an INVALID state that would cause this packet to get dropped.
Also check that your conntrack table is not full (see the
/proc/net/ip_conntrack file) and the kernel log entries for related
errors.
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
* Re: Newbie: why is this packet being dropped/logged?
From: Jean-Christian Imbeault @ 2003-08-04 7:49 UTC (permalink / raw)
To: Cedric Blancher; +Cc: netfilter
Cedric Blancher wrote:
>
> Also check if your conntrack table is not full (see
> /proc/net/ip_conntrack file) and kernel log entries for some related
> errors.
Had a look and no errors were logged in that file.
Also, is my rule overkill, in the sense that specifying all three of NEW,
ESTABLISHED and RELATED states is not necessary? Could I get away with
just NEW and RELATED?
thanks,
Jean-Christian Imbeault
* Re: Newbie: why is this packet being dropped/logged?
From: Cedric Blancher @ 2003-08-04 8:04 UTC (permalink / raw)
To: Jean-Christian Imbeault; +Cc: netfilter
On Mon 04/08/2003 at 09:49, Jean-Christian Imbeault wrote:
> Had a look and no errors were logged in that file.
This file is not a log. This is your conntrack table. When it is full,
packets that should have been spotted as NEW are INVALID because there's
no place left to handle them. Afaik, INVALID for TCP means the packet
is really fucked or an error occurred during state matching.
Could you post an iptables-save output for your INPUT chain so we can
have a complete ruleset description?
> Also, is my rule overkill in the sense that specifying all three of NEW,
> ESTABLISHED and RELATED states is not necessary. I could get away with
> just NEW and RELATED?
It is a bit redundant with the previous rule that allows ESTABLISHED and
RELATED packets, whatever source, destination and protocol they may
have. So, ESTABLISHED HTTP packets to 203.179.86.66 would not reach your
rule, being accepted by the previous one. Moreover, RELATED is useless, as
HTTP does not have related connections such as FTP or IRC.
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
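Two points in the reply above are easiest to see by walking the chain rule by rule: a packet takes the first terminating target it matches (so ESTABLISHED HTTP traffic is accepted by the generic RELATED,ESTABLISHED rule and never reaches the port-80 rule), and a packet conntrack marks INVALID matches none of the state rules, hits the non-terminating LOG rule, and falls through to the chain's DROP policy. The evaluator below is an added example, not code from the thread or from netfilter; it re-encodes the INPUT chain exactly as posted in the iptables-save output later in this thread, with conntrack's verdict supplied as a field on the constructed packet rather than computed.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int
    state: str  # conntrack's verdict for this packet: NEW, ESTABLISHED, RELATED or INVALID


@dataclass
class Rule:
    target: str
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None              # CIDR prefix, as in -s
    dst: Optional[str] = None              # single address, as in -d
    dport: Optional[int] = None
    states: Optional[FrozenSet[str]] = None  # -m state --state list

    def matches(self, p: Packet) -> bool:
        """Every specified field must match; unspecified fields match anything."""
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        return True


EST = frozenset({"RELATED", "ESTABLISHED"})
NEW_EST = frozenset({"NEW", "RELATED", "ESTABLISHED"})

# The INPUT chain from the iptables-save output posted in this thread, in order.
INPUT_CHAIN: List[Rule] = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", states=EST),
    Rule("ACCEPT", iface="eth0", proto="tcp", dst="203.179.86.66", dport=80, states=NEW_EST),
    Rule("ACCEPT", iface="eth0", proto="tcp", src="219.118.175.0/24", dst="203.179.86.66", dport=22, states=NEW_EST),
    Rule("DROP", proto="udp", dport=67),
    Rule("REJECT", proto="tcp", dport=113),
    Rule("REJECT", proto="udp", dport=137),
    Rule("REJECT", proto="udp", dport=138),
    Rule("REJECT", proto="tcp", dport=138),
    Rule("REJECT", proto="udp", dport=139),
    Rule("LOG"),
]
INPUT_POLICY = "DROP"
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def evaluate(p: Packet, chain: List[Rule] = INPUT_CHAIN, policy: str = INPUT_POLICY) -> Tuple[str, Optional[int], bool]:
    """First-match walk. Returns (verdict, index of the deciding rule or None for the policy, logged)."""
    logged = False
    for i, rule in enumerate(chain):
        if not rule.matches(p):
            continue
        if rule.target == "LOG":
            logged = True          # LOG never terminates; the walk continues
            continue
        if rule.target in TERMINATING:
            return rule.target, i, logged
    return policy, None, logged


def redundant_states(chain: List[Rule], idx: int) -> Set[str]:
    """States listed on chain[idx] that an earlier, unconditional state-only rule already accepts."""
    rule = chain[idx]
    if rule.states is None:
        return set()
    found: Set[str] = set()
    for earlier in chain[:idx]:
        unconditional = all(v is None for v in (earlier.iface, earlier.proto, earlier.src, earlier.dst, earlier.dport))
        if earlier.target == "ACCEPT" and earlier.states is not None and unconditional:
            found |= rule.states & earlier.states
    return found


if __name__ == "__main__":
    # Constructed packets: the logged ACK from the question, assuming conntrack called it INVALID.
    stray_ack = Packet("eth0", "tcp", "66.69.93.167", "203.179.86.66", 80, "INVALID")
    print(evaluate(stray_ack))                                      # ('DROP', None, True)
    print(evaluate(Packet("eth0", "tcp", "66.69.93.167", "203.179.86.66", 80, "ESTABLISHED")))
    print("states on the port-80 rule the earlier rule already covers:", redundant_states(INPUT_CHAIN, 2))
```

The same walk also shows the cost of the /24 on the SSH rule: a NEW packet to port 22 from any address in 219.118.175.0/24, not only the .240-.248 range the author meant, is accepted by rule 3.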
* Re: Newbie: why is this packet being dropped/logged?
From: Jean-Christian Imbeault @ 2003-08-04 8:08 UTC (permalink / raw)
To: Cedric Blancher; +Cc: netfilter
Cedric Blancher wrote:
>
> This file is not a log. [snip]
Ah ... thanks for the explanation.
> Could you post an iptables-save output for your INPUT chain so we can
> have a complete ruleset description?
Sure, here it is:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [29809:39495741]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 203.179.86.66 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 219.118.175.0/255.255.255.0 -d 203.179.86.66 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -j DROP
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp --dport 137 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 138 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 138 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 139 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j LOG --log-prefix "DROP:" --log-level debug
-A OUTPUT -o lo -j ACCEPT
COMMIT
> It is a bit redundant with previous rule that allows ESTABLISHED and
> RELATED packets, whatever source, destination and protocol they may
> have. So, ESTABLISHED HTTP packets to 203.179.86.66 would not reach your
> rule, being accepted by previous one. Moreover, RELATED is useless, as
> HTTP does not have related connections such as FTP or IRC.
Ok. So I guess NEW is all I need and RELATED and ESTABLISHED are
unnecessary.
Jean-Christian Imbeault