Linux Netfilter discussions
From: Amos Jeffries <squid3@treenet.co.nz>
To: "Gáspár Lajos" <swifty@freemail.hu>
Cc: Netfilter list <netfilter@vger.kernel.org>
Subject: Re: [Fwd: I do not understand !!!]
Date: Wed, 16 Jan 2008 14:34:39 +1300
Message-ID: <478D5F2F.1090001@treenet.co.nz>
In-Reply-To: <478B32B4.9090106@freemail.hu>

Gáspár Lajos wrote:
> ANYONE ????

Hm, reads like a FW blocking all packet-based traffic the hard way to me.

A few steps I'd recommend:
   - find a little F/W utility called 'ferm'
   - read its manual, demos, and find a full list of iptables targets
   - define the actions you want the router to perform
   - write the ferm.conf

AYJ

> 
> Hi list,
> 
> I have a bit of a complicated script.
> But I do not understand the following output of it.
> 
> 1. ESTABLISHED packets without 0x100 or 0x200 mark ???
> 2. NEW packets without the 0x200 mark and without SYN ???
> 3. INVALID packets with SYN/ACK ??? (As a first packet maybe? Should I 
> drop it?)
> 4. Connection that started from internal gets validated as WRONG_NEW 
> (with a simple SYN)...
> 
> Can anyone tell me how the conntrack system works in detail?
> 
> Thanx
> 
> Swifty
> 
> 
> Chain con_tcp (1 references)
> pkts bytes target     prot
>   0     0 INVALID    tcp  tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
>   0     0 INVALID    tcp  tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
>   0     0 INVALID    tcp  tcp flags:SYN,RST/SYN,RST
> 5224  209K INVALID    tcp  tcp flags:FIN,RST/FIN,RST
>   0     0 INVALID    tcp  tcp flags:FIN,SYN/FIN,SYN
> 2477  101K ACCEPT     all  ctstate RELATED
> 145K 7215K tcp_NEW_2  all  [goto] CONNMARK match 0x200/0x300 ctstate 
> ESTABLISHED
> 11M 7920M ACCEPT     all  CONNMARK match 0x100/0x300 ctstate ESTABLISHED
> 2880K 1666M ACCEPT     all  ctstate ESTABLISHED
> 272K   15M tcp_NEW    all  [goto] ctstate NEW
> 29796 2233K tcp_INV    all  [goto] ctstate INVALID
>   0     0 LOG        all  LOG level debug tcp-sequence tcp-options 
> ip-options uid prefix `UNKNOWN:'
>   0     0 ACCEPT     all
> Chain tcp_NEW (1 references)
> pkts bytes target     prot
> 232K   13M tcp_NEW_1  tcp  [goto] tcp flags:FIN,SYN,RST,ACK/SYN CONNMARK 
> match 0x0/0x300
> 38579 2014K tcp_NEW_2  all  [goto] CONNMARK match 0x200/0x300
> 969  212K LOG        all  LOG level debug tcp-sequence tcp-options 
> ip-options uid prefix `WRONG_NEW:'
> 969  212K ACCEPT     all
> Chain tcp_NEW_1 (1 references)
> pkts bytes target     prot
> 232K   13M CONNMARK   all  CONNMARK set 0x200/0x300
> 232K   13M RETURN     all
> Chain tcp_NEW_2 (3 references)
> pkts bytes target     prot
> 184K 9229K CONNMARK   all  CONNMARK set 0x100/0x300
> 184K 9229K ACCEPT     all
> 
> Chain tcp_INV (1 references)
> pkts bytes target     prot
>   0     0 tcp_NEW_2  all  [goto] CONNMARK match 0x200/0x300
> 2148 85920 ACCEPT     tcp  tcp flags:FIN,SYN,RST,PSH,ACK,URG/RST
> 24624  986K ACCEPT     tcp  tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,ACK
>  86 15329 ACCEPT     tcp  tcp flags:FIN,SYN,RST,PSH,ACK,URG/PSH,ACK
> 752 30110 ACCEPT     tcp  tcp flags:FIN,SYN,RST,PSH,ACK,URG/RST,ACK
>  80  4088 ACCEPT     tcp  tcp flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK
> 1507  289K ACCEPT     tcp  tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,ACK
> 599  822K INVALID    all
> 
> And a few logs:
> 
> INVALID: IN=ppp0 OUT= MAC= SRC=189.11.239.248 DST=EXT_IP LEN=40 TOS=0x00 
> PREC=0x00 TTL=51 ID=17760 PROTO=TCP SPT=50698 DPT=4492 SEQ=0 
> ACK=3777589785 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
> 
> INVALID: IN=ppp0 OUT= MAC= SRC=78.149.78.12 DST=EXT_IP LEN=40 TOS=0x00 
> PREC=0x00 TTL=48 ID=61449 PROTO=TCP SPT=57102 DPT=4495 SEQ=0 
> ACK=1455119138 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
> 
> INVALID: IN=ppp0 OUT= MAC= SRC=189.11.239.248 DST=EXT_IP LEN=40 TOS=0x00 
> PREC=0x00 TTL=51 ID=17770 PROTO=TCP SPT=50698 DPT=4492 SEQ=0 
> ACK=3777589785 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
> 
> INVALID: IN=ppp0 OUT= MAC= SRC=78.149.78.12 DST=EXT_IP LEN=40 TOS=0x00 
> PREC=0x00 TTL=48 ID=61457 PROTO=TCP SPT=57102 DPT=4495 SEQ=0 
> ACK=1455119138 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
> 
> WRONG_NEW:IN=br1 OUT=ppp0 PHYSIN=lan1 SRC=INT_IP DST=85.131.72.154 
> LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=14307 DF PROTO=TCP SPT=4796 
> DPT=52045 SEQ=4243195870 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT 
> (020405AC0103030001010402)
> 
> WRONG_NEW:IN=br1 OUT=ppp0 PHYSIN=lan1 SRC=INT_IP DST=84.3.29.226 LEN=52 
> TOS=0x00 PREC=0x00 TTL=127 ID=14322 DF PROTO=TCP SPT=4797 DPT=6881 
> SEQ=2594461565 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT 
> (020405AC0103030001010402)
> 
> WRONG_NEW:IN=br1 OUT=ppp0 PHYSIN=lan1 SRC=INT_IP DST=90.52.165.175 
> LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=14323 DF PROTO=TCP SPT=4798 
> DPT=50428 SEQ=2039438787 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT 
> (020405AC0103030001010402)
> 
> 
> -
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
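The chain listing and log lines quoted above hinge on the iptables `tcp flags:MASK/COMP` syntax: only the flag bits named in MASK are inspected, and all of them together must equal COMP. The following script is an added example written for this thread, not code from either poster's script. It parses kernel LOG lines of the form quoted in the post (the sample below is rebuilt from those lines, with the EXT_IP and INT_IP placeholders kept as the poster wrote them), evaluates each packet's flags against the five invalid-flag rules of the poster's `con_tcp` chain, and separately checks whether the flags alone would satisfy the `FIN,SYN,RST,ACK/SYN` test at the top of `tcp_NEW`. The CONNMARK and ctstate halves of those rules are deliberately not modelled, so the script only tells you which rules a packet can or cannot have been sent to `INVALID` or `WRONG_NEW` by on flag grounds; the rule list and the function names are this example's own.

```python
"""Evaluate iptables 'tcp flags:MASK/COMP' tests against netfilter LOG lines.

Added example for the thread above; not part of any poster's firewall script.
"""

# Flag names that appear as bare tokens in a kernel LOG line.
TCP_FLAG_NAMES = {"FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"}
# What the iptables keyword 'ALL' expands to in a 'tcp flags' test.
ALL = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})

# Flag tests copied from the poster's con_tcp chain, in rule order (each -> INVALID).
CON_TCP_INVALID_RULES = [
    "FIN,SYN,RST,PSH,ACK,URG/NONE",
    "FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG",
    "SYN,RST/SYN,RST",
    "FIN,RST/FIN,RST",
    "FIN,SYN/FIN,SYN",
]
# Flag test from the first rule of the poster's tcp_NEW chain (connmark part omitted).
TCP_NEW_SYN_RULE = "FIN,SYN,RST,ACK/SYN"

# Constructed sample: the LOG lines quoted in the post, re-joined onto single lines.
SAMPLE_LOG = """\
INVALID: IN=ppp0 OUT= MAC= SRC=189.11.239.248 DST=EXT_IP LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=17760 PROTO=TCP SPT=50698 DPT=4492 SEQ=0 ACK=3777589785 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
INVALID: IN=ppp0 OUT= MAC= SRC=78.149.78.12 DST=EXT_IP LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=61449 PROTO=TCP SPT=57102 DPT=4495 SEQ=0 ACK=1455119138 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
INVALID: IN=ppp0 OUT= MAC= SRC=189.11.239.248 DST=EXT_IP LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=17770 PROTO=TCP SPT=50698 DPT=4492 SEQ=0 ACK=3777589785 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
INVALID: IN=ppp0 OUT= MAC= SRC=78.149.78.12 DST=EXT_IP LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=61457 PROTO=TCP SPT=57102 DPT=4495 SEQ=0 ACK=1455119138 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
WRONG_NEW:IN=br1 OUT=ppp0 PHYSIN=lan1 SRC=INT_IP DST=85.131.72.154 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=14307 DF PROTO=TCP SPT=4796 DPT=52045 SEQ=4243195870 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405AC0103030001010402)
WRONG_NEW:IN=br1 OUT=ppp0 PHYSIN=lan1 SRC=INT_IP DST=84.3.29.226 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=14322 DF PROTO=TCP SPT=4797 DPT=6881 SEQ=2594461565 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405AC0103030001010402)
WRONG_NEW:IN=br1 OUT=ppp0 PHYSIN=lan1 SRC=INT_IP DST=90.52.165.175 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=14323 DF PROTO=TCP SPT=4798 DPT=50428 SEQ=2039438787 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405AC0103030001010402)
"""


def parse_flag_set(spec):
    """'FIN,RST' -> {FIN, RST}; 'ALL' -> the six classic flags; 'NONE' -> empty."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return ALL
    if spec in ("NONE", ""):
        return frozenset()
    return frozenset(spec.split(","))


def flags_match(rule, pkt_flags):
    """iptables semantics: look only at the bits in MASK; all of them must equal COMP.
    Bits outside MASK are ignored, so 'FIN,RST/FIN,RST' also matches ACK RST FIN."""
    mask, comp = rule.split("/", 1)
    return (frozenset(pkt_flags) & parse_flag_set(mask)) == parse_flag_set(comp)


def parse_log_line(line):
    """Split a kernel LOG line into its prefix, KEY=VALUE fields and bare TCP flags."""
    prefix, _, rest = line.partition(":")
    if "=" in prefix:          # no prefix at all: the first ':' belonged to a MAC address
        prefix, rest = "", line
    fields, flags = {}, set()
    for tok in rest.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAG_NAMES:
            flags.add(tok)
    if fields.get("PROTO") != "TCP":
        return None
    return {"prefix": prefix.strip(), "fields": fields, "flags": frozenset(flags)}


def classify(entry):
    """Which con_tcp invalid-flag rule (first match, in chain order) the packet hits,
    and whether its flags alone would pass the tcp_NEW pure-SYN test."""
    hit = next((r for r in CON_TCP_INVALID_RULES if flags_match(r, entry["flags"])), None)
    return {
        "prefix": entry["prefix"],
        "src": entry["fields"].get("SRC"),
        "dst": entry["fields"].get("DST"),
        "flags": ",".join(sorted(entry["flags"])),
        "matched_invalid_rule": hit,
        "pure_syn": flags_match(TCP_NEW_SYN_RULE, entry["flags"]),
    }


def classify_log(text):
    """Classify every TCP LOG line in a block of text; non-TCP or unparsable lines are skipped."""
    results = []
    for line in text.splitlines():
        entry = parse_log_line(line)
        if entry:
            results.append(classify(entry))
    return results


if __name__ == "__main__":
    for row in classify_log(SAMPLE_LOG):
        print(row)
```

Run against the sample, the four `INVALID:` lines (flags ACK RST FIN) hit the `FIN,RST/FIN,RST` rule and nothing earlier, while the three `WRONG_NEW:` lines (a bare SYN) hit none of the invalid-flag rules and do pass the `FIN,SYN,RST,ACK/SYN` test. For the latter, that narrows the question in the post: whatever routed those packets to `WRONG_NEW` was not their flags, so the remaining suspect is the `CONNMARK match 0x0/0x300` half of the rule, which this script does not model.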

Thread overview: 3+ messages
2008-01-14 10:00 [Fwd: I do not understand !!!] Gáspár Lajos
2008-01-14 10:11 ` Jozsef Kadlecsik
2008-01-16  1:34 ` Amos Jeffries [this message]