From: Jonathan Tripathy <jonnyt@abpni.co.uk>
Cc: netfilter@vger.kernel.org
Subject: Re: Iptables State Table
Date: Thu, 07 Jul 2011 17:33:24 +0100 [thread overview]
Message-ID: <4E15DFD4.8090805@abpni.co.uk> (raw)
In-Reply-To: <1310055574.13240.2149268161@webmail.messagingengine.com>
netfilter@buglecreek.com wrote:
>
> On Thu, 07 Jul 2011 16:12 +0100, "Jonathan Tripathy"
> <jonnyt@abpni.co.uk> wrote:
>>
>> netfilter@buglecreek">netfilter@buglecreek.com wrote:
>>> Given the following simplified rules:
>>> iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>>>
>>> When the system boots, various daemons create persistent connections
>>> that stay established indefinitely to authentication servers like the
>>> following:
>>> clientSytem:44444 -----> authServer:389
>>> This creates an entry in the iptables state table which works fine.
>>> But, occasionally the state table gets cleared out. Usually by
>>> something simple like someone restarting iptables. Once that happens the
>>> established connection is still there, but when the authServer sends a
>>> packet back to the clientSystem the packet is viewed as new and
>>> eventually gets dropped since their is nothing in the state table. The
>>> only way I can think of allowing for this is to create a rule that
>>> allows new connections from the authServer:389 to the clientSystem:any.
>>> Is there a better way?
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>>>
>> Shouldn't the software in question detect a connection drop and then
>> re-attempt to connect to the server?
>>
> The connection never drops. Netstat shows the connection as
> ESTABLISHED, but the iptables state table does not have the connection
> since it was cleared. So, if there were no iptables running the
> connection would carry on normal comms. Since there are rules that only
> allow established connections the packet gets dropped due to the
> clearing of the state table. Hope that makes sense.
Yes, I understand what's happening :)
What I am confused about though is why netstat is showing the state as
still ESTABLISHED. Surely if the packets can't get through the filter,
this should be class as an effective connection drop, so the software
should restart the connection?
Most good firewalls (not just iptables) include a feature to reset the
state table. I know that if I reset the state table in my firewall, all
connections are effectively dropped and the individual bits of software
running throughout the LAN will re-connect.
next prev parent reply other threads:[~2011-07-07 16:33 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-07-01 14:12 Generating Ethernet Header in Prerouting? Nader Al-Naji
2011-07-07 14:55 ` Iptables State Table netfilter
[not found] ` <4E15CCDF.7010704@abpni.co.uk>
2011-07-07 16:19 ` netfilter
2011-07-07 16:33 ` Jonathan Tripathy [this message]
2011-07-07 16:52 ` Jan Engelhardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4E15DFD4.8090805@abpni.co.uk \
--to=jonnyt@abpni.co.uk \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox