Is there a way to tell the reason for rejection or the state of a packet from the log entry that iptables generates? Here is an example of a log entry that I saw. AFTER valid traffic was accepted, an SMTP session was set up, and Postfix rejected the mail with an error code, I saw this message in my log:
Apr 10 06:40:29 master kernel: IN=eth1 OUT= MAC=00:50:ba:49:d8:aa:00:20:78:db:4f:3f:08:00 SRC=22.214.171.124 DST=192.168.158.1 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=54733 PROTO=TCP SPT=3705 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
This is an incoming, not an outgoing, packet. It contains the RST flag, which would cause the connection to be terminated.
Now, this is just a guess at what might have happened. Most likely what happened was that Postfix closed the connection, and for whatever reason the other side sent an extra RST packet (if the connection was shut down cleanly, it shouldn't have sent one). Since Netfilter saw that the connection was closed, it removed it from its internal table of open connections. Hence the packet was not in the ESTABLISHED state. It was in the NEW state (note that NEW doesn't mean a packet that is starting a connection (the SYN packet); a packet is NEW if it is the first packet seen by the firewall for that particular combination of IP addresses and ports).
To debug this further, you would need to run tcpdump on the eth1 interface and look at what is going on at the end of the connection (the last couple of packets exchanged between 126.96.36.199 and your server).
Any help would be appreciated. If necessary, I can send the complete firewall rules.
Usually firewall problems are rather nasty to debug without seeing the actual firewall rules and tcpdump output of the problematic traffic.
-- Aleksandar Milivojevic <[email protected]> Pollard Banknote Limited Systems Administrator 1499 Buffalo Place Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
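As an added example (not part of the original thread), the following parser pulls the KEY=VALUE fields and the bare TCP flag tokens out of an iptables LOG line and applies the reasoning from the reply above: the log itself never records the conntrack state, so a packet that reached the LOG rule after an ESTABLISHED/RELATED accept must be one conntrack did not match, and a lone RST with no SYN is most likely a late RST after the connection was torn down. The sample line is the one from the thread, and the parser also copes with copies where the space after the empty OUT= was lost ("OUT=MAC=...").

```python
import re

# Constructed sample: the log line quoted in the thread above.
SAMPLE = ("Apr 10 06:40:29 master kernel: IN=eth1 OUT= "
          "MAC=00:50:ba:49:d8:aa:00:20:78:db:4f:3f:08:00 "
          "SRC=22.214.171.124 DST=192.168.158.1 LEN=40 TOS=0x00 PREC=0x00 "
          "TTL=108 ID=54733 PROTO=TCP SPT=3705 DPT=25 WINDOW=0 RES=0x00 RST URGP=0")

# Bare tokens iptables prints for set TCP flags (everything else is KEY=VALUE).
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG", "ECE", "CWR"}


def parse_log(line):
    """Split an iptables LOG line into (fields dict, set of TCP flags)."""
    fields, flags = {}, set()
    body = line.split("kernel:", 1)[-1]          # drop the syslog prefix
    for tok in body.split():
        if tok in TCP_FLAGS:
            flags.add(tok)
        elif "=" in tok:
            key, _, val = tok.partition("=")
            # Pasted copies sometimes lose the space after an empty value,
            # e.g. "OUT=MAC=00:50:..." - record OUT as empty and recover MAC.
            if "=" in val:
                fields[key] = ""
                key, _, val = val.partition("=")
            fields[key] = val
    return fields, flags


def classify(fields, flags):
    """Infer why a TCP packet hit the LOG rule, assuming the rule set accepts
    ESTABLISHED/RELATED first, so anything logged had no conntrack entry."""
    if fields.get("PROTO") != "TCP":
        return "non-TCP packet"
    if flags == {"SYN"}:
        return "new connection attempt (SYN) to port %s" % fields.get("DPT")
    if "RST" in flags and "SYN" not in flags:
        return ("stray RST from %s:%s for %s:%s - conntrack had already dropped the "
                "closed connection, so the packet is NEW, not ESTABLISHED"
                % (fields.get("SRC"), fields.get("SPT"),
                   fields.get("DST"), fields.get("DPT")))
    if "ACK" in flags:
        return "mid-stream packet (ACK, no SYN) with no conntrack entry"
    return "unclassified TCP flags: %s" % ",".join(sorted(flags))


if __name__ == "__main__":
    f, fl = parse_log(SAMPLE)
    print(sorted(fl), classify(f, fl))
```

To confirm the guess on a live system, pair the classification with a tcpdump capture of the last packets of the session, as the reply suggests.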