
IPTables rejecting packets that should be let through???



This one is really confusing me...

I am running IPTables to configure my firewall, telling it to ALLOW
incoming traffic on eth1 from anywhere to port 25. The way the
firewall is set up, it says to allow connections that are RELATED or
ESTABLISHED before going on to the following rules. One of the following
rules says to allow connections that are NEW if they are destined for
port 25.

At the bottom of my firewall rules, I have an entry that rejects all
traffic that has failed to pass all other checks. Right before that
entry, I have an entry that logs the packet that was rejected.

What I am seeing is traffic that is coming in from a machine as a NEW
connection, and is being allowed in. During the SMTP transaction (and
this only happens sometimes - usually when Postfix has rejected the
connection for failing some sanity check) Postfix might reject a
connection, and then shortly after, I see a log entry from the
firewall for a connection from port 25, but it failed to pass the
previous checks, and so it rejects it.

My guess is that the state of the packet is not being considered as
RELATED, ESTABLISHED, or NEW... but from the packet, I'm not sure if
there is a way to determine which state the packet is in.

Is there a way to tell the reason for rejection or the state of a
packet from the log entry that IPTables generates? Here is an example
of a log entry that I saw. AFTER valid traffic was accepted, an SMTP
session was set up, and Postfix rejected the mail with an error code, I
saw this message in my log:

Apr 10 06:40:29 master kernel: IN=eth1 OUT= MAC=00:50:ba:49:d8:aa:00:20:78:db:4f:3f:08:00 SRC=220.117.112.56 DST=192.168.158.1 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=54733 PROTO=TCP SPT=3705 DPT=25 WINDOW=0 RES=0x00 RST URGP=0

Here are the log entries from Postfix, so you can see that before the
IPTables log entry above, traffic was accepted and an SMTP
conversation took place. At 06:40:28, Postfix rejected the mail with a
554 message because of an invalid HELO entry. Then it shows that the
connection was lost after RCPT, and then the other machine
disconnected.

Log entries from maillog are listed below:

Apr 10 06:39:03 master postfix/smtpd[15051]: connect from unknown[220.117.112.56]

Apr 10 06:40:28 master postfix/smtpd[15051]: NOQUEUE: reject: RCPT from unknown[220.117.112.56]: 554 <216.61.158.201>: Helo command rejected: You are not 214.161.58.101; from=<vvhyhncokwe accordappraisal com> to=<bruce marcomp com> proto=SMTP helo=<214.161.58.101>

Apr 10 06:40:28 master postfix/smtpd[15051]: lost connection after RCPT from unknown[220.117.112.56]

Apr 10 06:40:28 master postfix/smtpd[15051]: disconnect from unknown[220.117.112.56]


Any help would be appreciated. If necessary, I can send the complete
firewall rules.

-- 

David
Registered Linux User 383030 (since everyone else was doing it 8-)
-----------------------------------------------------------------------
There are only 10 kinds of people in this world,
those who understand binary, and those who don't.
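The LOG target records the packet's header fields and bare TCP flag tokens, but never the conntrack state; the following added Python example (not part of the post) parses the firewall line quoted above, infers from its flags alone what conntrack could have made of the packet, and checks whether Postfix logged a disconnect from the same source shortly before. It assumes the post's own log lines as input, a 5-second correlation window, and ignores the year, which syslog omits.

```python
import re
from datetime import datetime

# Log lines taken from the post above (syslog carries no year, so none is assumed).
FW_LINE = ("Apr 10 06:40:29 master kernel: IN=eth1 OUT= "
           "MAC=00:50:ba:49:d8:aa:00:20:78:db:4f:3f:08:00 SRC=220.117.112.56 "
           "DST=192.168.158.1 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=54733 "
           "PROTO=TCP SPT=3705 DPT=25 WINDOW=0 RES=0x00 RST URGP=0")
MAIL_LINES = [
    "Apr 10 06:39:03 master postfix/smtpd[15051]: connect from unknown[220.117.112.56]",
    "Apr 10 06:40:28 master postfix/smtpd[15051]: lost connection after RCPT from unknown[220.117.112.56]",
    "Apr 10 06:40:28 master postfix/smtpd[15051]: disconnect from unknown[220.117.112.56]",
]

# Flags that the iptables LOG target prints as bare tokens rather than KEY=VALUE.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def syslog_ts(line):
    """Parse the leading 'Mon DD HH:MM:SS' syslog timestamp (year left at the default)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")

def parse_iptables_log(line):
    """Split an iptables LOG line into KEY=VALUE fields plus the set of bare TCP flags."""
    fields, flags = {}, set()
    for tok in line.split("kernel:", 1)[1].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val          # e.g. OUT= becomes an empty string
        elif tok in TCP_FLAGS:
            flags.add(tok)
    fields["FLAGS"] = flags
    fields["TS"] = syslog_ts(line)
    return fields

def likely_conntrack_view(pkt):
    """Infer from the flags what conntrack could have made of the packet.
    This is a plausibility judgement: the log line itself carries no state."""
    f = pkt["FLAGS"]
    if "SYN" in f and "ACK" not in f:
        return "NEW candidate: SYN without ACK can open a tracked connection"
    if "RST" in f:
        return "bare RST: cannot open a connection; INVALID once no tracked connection remains"
    return "mid-stream packet: ESTABLISHED only if a tracked connection still exists"

def postfix_disconnect_before(mail_lines, src_ip, fw_ts, window=5):
    """True if Postfix logged a disconnect from src_ip within `window` seconds before fw_ts."""
    for line in mail_lines:
        if "disconnect from" in line and "[%s]" % src_ip in line:
            delta = (fw_ts - syslog_ts(line)).total_seconds()
            if 0 <= delta <= window:
                return True
    return False
```

Run against the post's lines, the firewall packet parses as a lone RST from 220.117.112.56 to port 25, one second after Postfix logged the disconnect from that host.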

