Re: iptables dropping legitimate packets?

The PC is new. 1GB RAM, 3.2GHz P4HT. I never saw this issue on another PC running RHEL3 with 512MB RAM and 1.4GHz P4.

There's nothing wrong with the iptables file, is there?

This is not a serious problem, but I'd sure like to understand what is going on, and why the behavior is different between RHEL3 and FC3.

Jan

Ian P. Thomas wrote:
On Thu, 2005-02-24 at 11:30 -0500, Jan Morales wrote:

I recently replaced the OS on a PC from RHEL3 to FC3. The iptables config file format didn't appear to change, so I used the same file on FC3 that I had on RHEL3, reproduced below. The IP address of the PC, 192.168.0.5, did not change. The PC is on a network that is itself behind a firewall that implements NAT and prevents inbound sessions.

Because of this network architecture, the PC under RHEL3 recorded no dropped packets, presumably because the network firewall was doing its job. However, now that the PC is running FC3 I am seeing dropped packets logged. The packets, however, are not inbound sessions. They appear to be packets inbound that are part of outbound sessions, e.g. POP and web sessions initiated by the PC. The logged packets also don't appear to be dropped from every single session, just from some, in a pattern I haven't figured out yet. Here is a sample of the logged packets:

Feb 23 23:53:59 toast kernel: iptables: IN=eth0 OUT= MAC=00:12:11:a7:86:e2:00:42:17:f4:ed:fa:0a:00 SRC=166.0.230.20 DST=192.168.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=105 ID=4731 DF PROTO=TCP SPT=80 DPT=33015 WINDOW=64512 RES=0x00 ACK URGP=0
Feb 23 23:56:39 toast kernel: iptables: IN=eth0 OUT= MAC=00:12:11:a7:86:e2:00:42:17:f4:ed:fa:0a:00 SRC=66.221.50.162 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=822 PROTO=TCP SPT=110 DPT=32995 WINDOW=0 RES=0x00 RST URGP=0
Feb 23 23:56:40 toast kernel: iptables: IN=eth0 OUT= MAC=00:12:11:a7:86:e2:00:42:17:f4:ed:fa:0a:00 SRC=66.221.50.162 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=826 PROTO=TCP SPT=110 DPT=32995 WINDOW=0 RES=0x00 RST URGP=0
Feb 23 23:56:40 toast kernel: iptables: IN=eth0 OUT= MAC=00:12:11:a7:86:e2:00:42:17:f4:ed:fa:0a:00 SRC=66.221.50.162 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=834 PROTO=TCP SPT=110 DPT=32995 WINDOW=0 RES=0x00 RST URGP=0


Is there some reason why iptables is dropping, or at least logging, these legitimate packets? Is there a difference between iptables in RHEL3 and FC3 that accounts for this? My /etc/sysconfig/iptables follows:

# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT


It drops and logs using the next two rules.


-A RH-Firewall-1-INPUT -j LOG -d 192.168.0.5 --log-prefix "iptables: "
-A RH-Firewall-1-INPUT -j DROP
COMMIT


If this is happening intermittently then the connection tracking may be timing out for certain connections. It's also possible that if the amount of memory on this machine is low, and the machine is handling many concurrent connections, the state table is getting too large. This site says more on the subject:

http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html


Ian
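As an added example that is not part of this thread: a small Python classifier over LOG lines in the format quoted above. It separates dropped packets that look like late replies to sessions the PC itself opened (ACK or RST from a service port to an ephemeral port, which fits Ian's expired-conntrack explanation) from genuine unsolicited inbound SYNs. The third sample line and the ephemeral port range (the 2.6 kernel default) are assumptions; the class names are my own.

```python
from collections import Counter

# Constructed sample, modelled on the log format quoted in the thread; the
# third line (an inbound SYN to port 23 from the LAN) is made up to show
# what a real unsolicited connection attempt looks like by contrast.
SAMPLE_LOG = """\
Feb 23 23:53:59 toast kernel: iptables: IN=eth0 OUT= MAC=00:12:11:a7:86:e2:00:42:17:f4:ed:fa:0a:00 SRC=166.0.230.20 DST=192.168.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=105 ID=4731 DF PROTO=TCP SPT=80 DPT=33015 WINDOW=64512 RES=0x00 ACK URGP=0
Feb 23 23:56:39 toast kernel: iptables: IN=eth0 OUT= MAC=00:12:11:a7:86:e2:00:42:17:f4:ed:fa:0a:00 SRC=66.221.50.162 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=822 PROTO=TCP SPT=110 DPT=32995 WINDOW=0 RES=0x00 RST URGP=0
Feb 23 23:57:01 toast kernel: iptables: IN=eth0 OUT= MAC=00:12:11:a7:86:e2:00:42:17:f4:ed:fa:0a:00 SRC=192.168.0.77 DST=192.168.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=41234 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Bare tokens that the LOG target emits for TCP flags (no "=" in them).
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
# Assumed: default net.ipv4.ip_local_port_range of a 2.6 kernel. The
# DPT=33015 and DPT=32995 values quoted in the thread fall inside it.
EPHEMERAL = range(32768, 61001)

def parse_log_line(line):
    """Return {'fields': {KEY: value}, 'flags': {SYN, ...}} for one LOG line."""
    if "iptables: " not in line:
        return None
    body = line.split("iptables: ", 1)[1]
    fields, flags = {}, set()
    for tok in body.split():
        key, sep, val = tok.partition("=")
        if sep:                       # KEY=value pair, e.g. DPT=33015
            fields[key] = val
        elif tok in TCP_FLAGS:        # bare flag word, e.g. ACK
            flags.add(tok)
    return {"fields": fields, "flags": flags}

def classify(rec):
    """Label a dropped packet by what it most likely is."""
    f, flags = rec["fields"], rec["flags"]
    if f.get("PROTO") != "TCP":
        return "other"
    if "SYN" in flags and "ACK" not in flags:
        return "new_inbound"          # unsolicited connection attempt
    dport = int(f.get("DPT", 0))
    if dport in EPHEMERAL and flags & {"ACK", "RST"}:
        # Reply traffic to a port this host opened, yet no longer matched
        # by --state ESTABLISHED,RELATED: consistent with an expired or
        # evicted conntrack entry rather than an attack.
        return "stale_reply"
    return "other"

def summarize(log_text):
    """Count each class over a whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec:
            counts[classify(rec)] += 1
    return dict(counts)
```

Feed it /var/log/messages to see whether the drops are dominated by stale_reply entries, which points at conntrack timeouts, or by new_inbound ones, which are the packets the DROP rule is actually there for.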
