* [Fwd: I do not understand !!!]
From: Gáspár Lajos @ 2008-01-14 10:00 UTC (permalink / raw)
To: Netfilter list
ANYONE ????
Hi list,
I have a somewhat complicated script,
but I do not understand the following output from it.
1. ESTABLISHED packets without 0x100 or 0x200 mark ???
2. NEW packets without the 0x200 mark and without SYN ???
3. INVALID packets with SYN/ACK ??? (As a first packet maybe? Should I
drop it?)
4. Connection that started from internal gets validated as WRONG_NEW
(with a simple SYN)...
Can anyone tell me how the conntrack system works in detail?
Thanks
Swifty
Chain con_tcp (1 references)
 pkts  bytes  target     prot
    0      0  INVALID    tcp   tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0      0  INVALID    tcp   tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
    0      0  INVALID    tcp   tcp flags:SYN,RST/SYN,RST
 5224   209K  INVALID    tcp   tcp flags:FIN,RST/FIN,RST
    0      0  INVALID    tcp   tcp flags:FIN,SYN/FIN,SYN
 2477   101K  ACCEPT     all   ctstate RELATED
 145K  7215K  tcp_NEW_2  all   [goto] CONNMARK match 0x200/0x300 ctstate ESTABLISHED
  11M  7920M  ACCEPT     all   CONNMARK match 0x100/0x300 ctstate ESTABLISHED
2880K  1666M  ACCEPT     all   ctstate ESTABLISHED
 272K    15M  tcp_NEW    all   [goto] ctstate NEW
29796  2233K  tcp_INV    all   [goto] ctstate INVALID
    0      0  LOG        all   LOG level debug tcp-sequence tcp-options ip-options uid prefix `UNKNOWN:'
    0      0  ACCEPT     all

Chain tcp_NEW (1 references)
 pkts  bytes  target     prot
 232K    13M  tcp_NEW_1  tcp   [goto] tcp flags:FIN,SYN,RST,ACK/SYN CONNMARK match 0x0/0x300
38579  2014K  tcp_NEW_2  all   [goto] CONNMARK match 0x200/0x300
  969   212K  LOG        all   LOG level debug tcp-sequence tcp-options ip-options uid prefix `WRONG_NEW:'
  969   212K  ACCEPT     all

Chain tcp_NEW_1 (1 references)
 pkts  bytes  target     prot
 232K    13M  CONNMARK   all   CONNMARK set 0x200/0x300
 232K    13M  RETURN     all

Chain tcp_NEW_2 (3 references)
 pkts  bytes  target     prot
 184K  9229K  CONNMARK   all   CONNMARK set 0x100/0x300
 184K  9229K  ACCEPT     all

Chain tcp_INV (1 references)
 pkts  bytes  target     prot
    0      0  tcp_NEW_2  all   [goto] CONNMARK match 0x200/0x300
 2148  85920  ACCEPT     tcp   tcp flags:FIN,SYN,RST,PSH,ACK,URG/RST
24624   986K  ACCEPT     tcp   tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,ACK
   86  15329  ACCEPT     tcp   tcp flags:FIN,SYN,RST,PSH,ACK,URG/PSH,ACK
  752  30110  ACCEPT     tcp   tcp flags:FIN,SYN,RST,PSH,ACK,URG/RST,ACK
   80   4088  ACCEPT     tcp   tcp flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK
 1507   289K  ACCEPT     tcp   tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,ACK
  599   822K  INVALID    all
And a few log lines:
INVALID: IN=ppp0 OUT= MAC= SRC=189.11.239.248 DST=EXT_IP LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=17760 PROTO=TCP SPT=50698 DPT=4492 SEQ=0 ACK=3777589785 WINDOW=0 RES=0x00 ACK RST FIN URGP=0

INVALID: IN=ppp0 OUT= MAC= SRC=78.149.78.12 DST=EXT_IP LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=61449 PROTO=TCP SPT=57102 DPT=4495 SEQ=0 ACK=1455119138 WINDOW=0 RES=0x00 ACK RST FIN URGP=0

INVALID: IN=ppp0 OUT= MAC= SRC=189.11.239.248 DST=EXT_IP LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=17770 PROTO=TCP SPT=50698 DPT=4492 SEQ=0 ACK=3777589785 WINDOW=0 RES=0x00 ACK RST FIN URGP=0

INVALID: IN=ppp0 OUT= MAC= SRC=78.149.78.12 DST=EXT_IP LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=61457 PROTO=TCP SPT=57102 DPT=4495 SEQ=0 ACK=1455119138 WINDOW=0 RES=0x00 ACK RST FIN URGP=0

WRONG_NEW:IN=br1 OUT=ppp0 PHYSIN=lan1 SRC=INT_IP DST=85.131.72.154 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=14307 DF PROTO=TCP SPT=4796 DPT=52045 SEQ=4243195870 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405AC0103030001010402)

WRONG_NEW:IN=br1 OUT=ppp0 PHYSIN=lan1 SRC=INT_IP DST=84.3.29.226 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=14322 DF PROTO=TCP SPT=4797 DPT=6881 SEQ=2594461565 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405AC0103030001010402)

WRONG_NEW:IN=br1 OUT=ppp0 PHYSIN=lan1 SRC=INT_IP DST=90.52.165.175 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=14323 DF PROTO=TCP SPT=4798 DPT=50428 SEQ=2039438787 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405AC0103030001010402)
-
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
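Editor's note, added to this archive page and not part of the thread: the ruleset above leans on the difference between -j (jump) and -g (goto), and that difference explains some of the counters. Per iptables(8), a RETURN inside a chain entered with -g does not come back to the chain that did the goto; it returns to the chain that last entered via -j. So the first SYN goes con_tcp -g tcp_NEW -g tcp_NEW_1, gets CONNMARK 0x200 and RETURNs straight past con_tcp to whatever chain jumped to con_tcp, which is why the trailing `UNKNOWN:' LOG and ACCEPT rules in con_tcp show 0 packets. The Python model below is my own (not the poster's script) and encodes only the five chains printed in the post. It assumes, because the post does not show them, that the parent chain reaches con_tcp with -j and that the user chain named INVALID logs with prefix "INVALID:" and drops. The packets it runs are constructed, including one NEW SYN whose conntrack entry already carries 0x100, which is one way a plain SYN can land in WRONG_NEW:

```python
# Editor's added example (not code from the thread): a model of the poster's
# con_tcp / tcp_NEW / tcp_NEW_1 / tcp_NEW_2 / tcp_INV chains that applies the
# -j (jump) vs -g (goto) rule from iptables(8): RETURN in a chain entered with
# -g goes back to the chain that last entered via -j, not to the -g caller.
# Assumed, because the post does not show them: the parent chain reaches
# con_tcp with -j, and the user chain "INVALID" logs "INVALID:" then DROPs.
from dataclasses import dataclass, field

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL = FIN | SYN | RST | PSH | ACK | URG
MARK_MASK = 0x300           # the /0x300 mask used by every CONNMARK rule


@dataclass
class Packet:
    ctstate: str            # what --ctstate sees: NEW/ESTABLISHED/RELATED/INVALID
    flags: int              # TCP flag bits set in the header
    connmark: int = 0       # mark carried by the packet's conntrack entry
    logs: list = field(default_factory=list)    # LOG prefixes hit, in order
    trace: list = field(default_factory=list)   # rules hit, in order


def tcpflags(mask, comp):   # --tcp-flags mask comp
    return lambda p: (p.flags & mask) == comp

def ctstate(s):             # --ctstate s
    return lambda p: p.ctstate == s

def connmark(v):            # -m connmark --mark v/0x300
    return lambda p: (p.connmark & MARK_MASK) == v

def both(*ms):
    return lambda p: all(m(p) for m in ms)

def any_(p):
    return True

# (match, verb, argument), in the order iptables -nvL printed the rules
CHAINS = {
    "con_tcp": [
        (tcpflags(ALL, 0), "JUMP", "INVALID"),
        (tcpflags(ALL, FIN | PSH | URG), "JUMP", "INVALID"),
        (tcpflags(SYN | RST, SYN | RST), "JUMP", "INVALID"),
        (tcpflags(FIN | RST, FIN | RST), "JUMP", "INVALID"),
        (tcpflags(FIN | SYN, FIN | SYN), "JUMP", "INVALID"),
        (ctstate("RELATED"), "ACCEPT", None),
        (both(connmark(0x200), ctstate("ESTABLISHED")), "GOTO", "tcp_NEW_2"),
        (both(connmark(0x100), ctstate("ESTABLISHED")), "ACCEPT", None),
        (ctstate("ESTABLISHED"), "ACCEPT", None),
        (ctstate("NEW"), "GOTO", "tcp_NEW"),
        (ctstate("INVALID"), "GOTO", "tcp_INV"),
        (any_, "LOG", "UNKNOWN:"),
        (any_, "ACCEPT", None),
    ],
    "tcp_NEW": [
        (both(tcpflags(FIN | SYN | RST | ACK, SYN), connmark(0)), "GOTO", "tcp_NEW_1"),
        (connmark(0x200), "GOTO", "tcp_NEW_2"),
        (any_, "LOG", "WRONG_NEW:"),
        (any_, "ACCEPT", None),
    ],
    "tcp_NEW_1": [(any_, "CONNMARK", 0x200), (any_, "RETURN", None)],
    "tcp_NEW_2": [(any_, "CONNMARK", 0x100), (any_, "ACCEPT", None)],
    "tcp_INV": [
        (connmark(0x200), "GOTO", "tcp_NEW_2"),
        (tcpflags(ALL, RST), "ACCEPT", None),
        (tcpflags(ALL, FIN | ACK), "ACCEPT", None),
        (tcpflags(ALL, PSH | ACK), "ACCEPT", None),
        (tcpflags(ALL, RST | ACK), "ACCEPT", None),
        (tcpflags(ALL, SYN | ACK), "ACCEPT", None),
        (tcpflags(ALL, FIN | PSH | ACK), "ACCEPT", None),
        (any_, "JUMP", "INVALID"),
    ],
    "INVALID": [(any_, "LOG", "INVALID:"), (any_, "DROP", None)],  # assumed
}


def run_chain(name, pkt):
    """Walk one chain. Returns ACCEPT, DROP, or RETURN (control goes back to
    the nearest chain that was entered with -j)."""
    for match, verb, arg in CHAINS[name]:
        if not match(pkt):
            continue
        pkt.trace.append(f"{name}:{verb}" + ("" if arg is None else f" {arg}"))
        if verb in ("ACCEPT", "DROP", "RETURN"):
            return verb
        if verb == "CONNMARK":          # CONNMARK --set-mark arg/0x300
            pkt.connmark = (pkt.connmark & ~MARK_MASK) | arg
        elif verb == "LOG":
            pkt.logs.append(arg)
        elif verb == "JUMP":            # -j: a RETURN in the target resumes here
            verdict = run_chain(arg, pkt)
            if verdict != "RETURN":
                return verdict
        elif verb == "GOTO":            # -g: a RETURN in the target skips us
            return run_chain(arg, pkt)
    return "RETURN"                     # fell off the end of a user chain


def filter_tcp(state, flags, mark=0):
    """Send one packet through con_tcp as if the parent chain did -j con_tcp.
    Verdict PARENT means control came back to the parent chain's next rule."""
    pkt = Packet(state, flags, mark)
    verdict = run_chain("con_tcp", pkt)
    return ("PARENT" if verdict == "RETURN" else verdict), pkt


if __name__ == "__main__":
    for label, args in {                # constructed packets, not from the logs
        "first SYN, unmarked entry": ("NEW", SYN, 0),
        "SYN/ACK reply on a 0x200 flow": ("ESTABLISHED", SYN | ACK, 0x200),
        "NEW SYN, entry already marked 0x100": ("NEW", SYN, 0x100),
        "NEW but no SYN (mid-stream pickup)": ("NEW", ACK, 0),
        "FIN+RST as in the INVALID: log lines": ("INVALID", FIN | RST | ACK, 0),
    }.items():
        verdict, p = filter_tcp(*args)
        print(f"{label:38} -> {verdict:6} mark={p.connmark:#05x} "
              f"logs={p.logs} via {' > '.join(p.trace)}")
```

The trace for the first SYN ends at tcp_NEW_1:RETURN with the verdict PARENT: whatever rule follows the jump to con_tcp in the parent chain decides that packet, so the parent chain (not shown in the post) is where to look for the 2880K ESTABLISHED packets that arrive with neither mark. A NEW packet without SYN, or a NEW SYN whose entry already carries a mark, matches neither tcp_NEW rule and is logged as WRONG_NEW and accepted; the FIN+RST packets from the log are caught by the flag checks at the top of con_tcp before conntrack state is consulted at all.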
* Re: [Fwd: I do not understand !!!]
From: Jozsef Kadlecsik @ 2008-01-14 10:11 UTC (permalink / raw)
To: Gáspár Lajos; +Cc: Netfilter list
On Mon, 14 Jan 2008, Gáspár Lajos wrote:
> ANYONE ????
[Shaking my crystal ball gently.] Heck, this device just doesn't work.
[Shaking it more heavily...] Why, it doesn't show anything about the poster's
full ruleset, broken ball! How on earth will I help him now?
[;-)]
Best regards,
Jozsi
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re: [Fwd: I do not understand !!!]
From: Amos Jeffries @ 2008-01-16 1:34 UTC (permalink / raw)
To: Gáspár Lajos; +Cc: Netfilter list
Gáspár Lajos wrote:
> ANYONE ????
Hm, reads like a FW blocking all packet-based traffic the hard way to me.
A few steps I'd recommend:
- find a little F/W utility called 'ferm'
- read its manual, demos, and find a full list of iptables targets
- define the actions you want the router to perform
- write the ferm.conf
AYJ
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.