IPTables rejecting packets that should be let through???

David Hoffman dhoffman2004 at gmail.com
Mon Apr 11 15:32:07 UTC 2005


On Apr 11, 2005 9:51 AM, Aleksandar Milivojevic <amilivojevic at pbl.ca> wrote:
> Aleksandar Milivojevic wrote:
> Oh, and BTW, the above tells me (based on IP addresses) there is
> (probably) a NAT firewall doing DNAT before that packet hit the
> firewall on your mail server.  It might be that something got blocked on
> that upstream NAT firewall.  Another thing that I haven't mentioned in
> my previous mail is that you might have blocked some ICMP traffic that
> shouldn't be blocked (either on the machine in question or on the
> upstream NAT firewall).
> 

Thanks Aleksandar,
Yes, there is an upstream NAT firewall. There are very limited ports
open on there. I'm pretty sure it's open to all ICMP traffic, but I'll
have to go back in and double check when I'm on site again later this
afternoon.

I left ethereal running overnight and caught several
packets that were tripping this log event. Out of the 7 events that I
caught, 6 of them showed [TCP ZeroWindow] and [INCORRECT CHECKSUM] in
the packet info. There are other places where I would see the
ZeroWindow message that did not trip the log, but there were no other
places where I would see the INCORRECT CHECKSUM. The seventh entry
that showed up in the log did not have an info line that matched
either the ZeroWindow or Checksum message, but it was the last packet
received from the host and the info simply stated:
4257 > smtp [RST] Seq=93 Ack=1545503494 Win=0 Len=0

I think I understand what you mean about seeing an RST AFTER Postfix
closes the connection. Maybe I should look at what Postfix sends when
it closes the connection. If Postfix sends the RST, then should the
other end send anything back at all? Maybe an ACK? Does Netfilter
simply look for the first RST (from either side) and then consider it
a closed connection?

The IPTables rules are set up to allow incoming connections on port 25
if the state is NEW. But I'm guessing that a new connection should not
have the RST in it.

I guess my concern is that I just want to make sure that I am not
rejecting traffic that should be valid, and simply creating a rule to
tell IPTables not to log the packet will only hide the issue. If it is
truly a packet that can be disregarded then I have no problem with it,
but I wanted to be sure.

I'm also guessing that this issue is moving farther away from a Fedora
issue, so I'll apologize to the list if this thread is straying.

-- 

David
Registered Linux User 383030 (since everyone else was doing it 8-)
-----------------------------------------------------------------------
There are only 10 kinds of people in this world,
those who understand binary, and those who don't.
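
A triage script for the question David raises (whether the logged drops hide valid traffic), added here as an example and not part of the original thread. It parses netfilter LOG lines (constructed samples below, using a hypothetical `IPT-DROP:` log prefix) and separates bare late RSTs, which arrive after the tracked connection has gone away, from dropped SYNs or ICMP that would indicate legitimate traffic being refused.

```python
import re
from collections import Counter

# Constructed sample of netfilter LOG lines (not from the original thread);
# "IPT-DROP:" is a hypothetical --log-prefix, addresses are documentation ranges.
SAMPLE_LOG = """\
Apr 11 03:12:44 mx kernel: IPT-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TTL=52 ID=0 PROTO=TCP SPT=4257 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
Apr 11 03:14:01 mx kernel: IPT-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TTL=52 ID=0 PROTO=TCP SPT=4258 DPT=25 WINDOW=0 RES=0x00 ACK RST URGP=0
Apr 11 03:20:17 mx kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TTL=48 ID=1234 DF PROTO=TCP SPT=51000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 11 03:25:33 mx kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=84 TTL=50 ID=77 PROTO=ICMP TYPE=3 CODE=4
"""

KV = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_log_line(line):
    """Turn one netfilter LOG line into a dict; bare tokens such as RST become flags."""
    rec = dict(KV.findall(line))
    rec["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return rec

def classify(rec):
    """Decide whether a logged drop looks like a harmless late reset or needs a look."""
    if rec.get("PROTO") == "ICMP":
        return "icmp-dropped"        # e.g. type 3 code 4: dropping it breaks PMTU discovery
    if rec.get("PROTO") != "TCP":
        return "other"
    flags = rec["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "syn-dropped"         # a real connection attempt was refused: investigate
    if "RST" in flags and not flags - {"RST", "ACK"}:
        return "late-rst"            # bare reset for a flow conntrack no longer knows
    return "mid-stream"              # data or FIN outside any tracked connection

def triage(log_text):
    """Count drop categories per destination port across a block of LOG lines."""
    counts = Counter()
    for line in log_text.splitlines():
        if "IN=" not in line:        # skip lines that are not netfilter LOG output
            continue
        rec = parse_log_line(line)
        counts[(rec.get("DPT", "-"), classify(rec))] += 1
    return counts

if __name__ == "__main__":
    for (port, kind), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"dport={port:<4} {kind:<13} {n}")
```

Run against the real kernel log: a port 25 histogram dominated by `late-rst` supports leaving the rule alone, while any `syn-dropped` entries are the case David is worried about.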
