There's nothing wrong with the iptables file, is there?
This is not a serious problem, but I'd sure like to understand what is going on, and why the behavior is different between RHEL3 and FC3.
Jan
Ian P. Thomas wrote:
On Thu, 2005-02-24 at 11:30 -0500, Jan Morales wrote:
I recently replaced the OS on a PC from RHEL3 to FC3. The iptables config file format didn't appear to change, so I used the same file on FC3 that I had on RHEL3, reproduced below. The IP address of the PC, 192.168.0.5, did not change. The PC is on a network that is itself behind a firewall that implements NAT and prevents inbound sessions.
Because of this network architecture, the PC under RHEL3 recorded no dropped packets, presumably because the network firewall was doing its job. However, now that the PC is running FC3 I am seeing dropped packets logged. The packets, however, are not inbound sessions. They appear to be packets inbound that are part of outbound sessions, e.g. POP and web sessions initiated by the PC. The logged packets also don't appear to be dropped from every single session, just from some, in a pattern I haven't figured out yet. Here is a sample of the logged packets:
Feb 23 23:53:59 toast kernel: iptables: IN=eth0 OUT= MAC=00:12:11:a7:86:e2:00:42:17:f4:ed:fa:0a:00 SRC=166.0.230.20 DST=192.168.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=105 ID=4731 DF PROTO=TCP SPT=80 DPT=33015 WINDOW=64512 RES=0x00 ACK URGP=0
Feb 23 23:56:39 toast kernel: iptables: IN=eth0 OUT= MAC=00:12:11:a7:86:e2:00:42:17:f4:ed:fa:0a:00 SRC=66.221.50.162 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=822 PROTO=TCP SPT=110 DPT=32995 WINDOW=0 RES=0x00 RST URGP=0
Feb 23 23:56:40 toast kernel: iptables: IN=eth0 OUT= MAC=00:12:11:a7:86:e2:00:42:17:f4:ed:fa:0a:00 SRC=66.221.50.162 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=826 PROTO=TCP SPT=110 DPT=32995 WINDOW=0 RES=0x00 RST URGP=0
Feb 23 23:56:40 toast kernel: iptables: IN=eth0 OUT= MAC=00:12:11:a7:86:e2:00:42:17:f4:ed:fa:0a:00 SRC=66.221.50.162 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=834 PROTO=TCP SPT=110 DPT=32995 WINDOW=0 RES=0x00 RST URGP=0
Is there some reason why iptables is dropping, or at least logging, these legitimate packets? Is there a difference between iptables in RHEL3 and FC3 that accounts for this? My /etc/sysconfig/iptables follows:
# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
It drops and logs using the next two rules.
-A RH-Firewall-1-INPUT -j LOG -d 192.168.0.5 --log-prefix "iptables: " -A RH-Firewall-1-INPUT -j DROP COMMIT
If this is happening intermittently then the connection tracking may be timing out for certain connections. It's also possible that if the amount of memory on this machine is low, and the machine is handling many concurrent connections, the state table is getting too large. This site says more on the subject
http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html
Ian
