iptables dropping legitimate packets?

Jan Morales jan at geezjan.org
Thu Feb 24 22:54:21 UTC 2005


The PC is new. 1GB RAM, 3.2GHz P4HT. I never saw this issue on another 
PC running RHEL3 with 512MB RAM and 1.4GHz P4.

There's nothing wrong with the iptables file, is there?

This is not a serious problem, but I'd sure like to understand what is 
going on, and why the behavior is different between RHEL3 and FC3.

Jan

Ian P. Thomas wrote:
> On Thu, 2005-02-24 at 11:30 -0500, Jan Morales wrote:
> 
>>I recently replaced the OS on a PC from RHEL3 to FC3. The iptables 
>>config file format didn't appear to change, so I used the same file on 
>>FC3 that I had on RHEL3, reproduced below. The IP address of the PC, 
>>192.168.0.5, did not change. The PC is on a network that is itself 
>>behind a firewall that implements NAT and prevents inbound sessions.
>>
>>Because of this network architecture, the PC under RHEL3 recorded no 
>>dropped packets, presumably because the network firewall was doing its 
>>job. However, now that the PC is running FC3 I am seeing dropped packets 
>>logged. The packets, however, are not inbound sessions. They appear to 
>>be packets inbound that are part of outbound sessions, e.g. POP and web 
>>sessions initiated by the PC. The logged packets also don't appear to be 
>>dropped from every single session, just from some, in a pattern I 
>>haven't figured out yet. Here is a sample of the logged packets:
>>
>>Feb 23 23:53:59 toast kernel: iptables: IN=eth0 OUT= MAC=00:12:11:a7:86:e2:00:42:17:f4:ed:fa:0a:00 SRC=166.0.230.20 DST=192.168.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=105 ID=4731 DF PROTO=TCP SPT=80 DPT=33015 WINDOW=64512 RES=0x00 ACK URGP=0
>>Feb 23 23:56:39 toast kernel: iptables: IN=eth0 OUT= MAC=00:12:11:a7:86:e2:00:42:17:f4:ed:fa:0a:00 SRC=66.221.50.162 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=822 PROTO=TCP SPT=110 DPT=32995 WINDOW=0 RES=0x00 RST URGP=0
>>Feb 23 23:56:40 toast kernel: iptables: IN=eth0 OUT= MAC=00:12:11:a7:86:e2:00:42:17:f4:ed:fa:0a:00 SRC=66.221.50.162 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=826 PROTO=TCP SPT=110 DPT=32995 WINDOW=0 RES=0x00 RST URGP=0
>>Feb 23 23:56:40 toast kernel: iptables: IN=eth0 OUT= MAC=00:12:11:a7:86:e2:00:42:17:f4:ed:fa:0a:00 SRC=66.221.50.162 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=834 PROTO=TCP SPT=110 DPT=32995 WINDOW=0 RES=0x00 RST URGP=0
>>
>>Is there some reason why iptables is dropping, or at least logging, 
>>these legitimate packets? Is there a difference between iptables in 
>>RHEL3 and FC3 that accounts for this? My /etc/sysconfig/iptables follows:
>>
>># Firewall configuration written by redhat-config-securitylevel
>># Manual customization of this file is not recommended.
>>*filter
>>:INPUT ACCEPT [0:0]
>>:FORWARD ACCEPT [0:0]
>>:OUTPUT ACCEPT [0:0]
>>:RH-Firewall-1-INPUT - [0:0]
>>-A INPUT -j RH-Firewall-1-INPUT
>>-A FORWARD -j RH-Firewall-1-INPUT
>>-A RH-Firewall-1-INPUT -i lo -j ACCEPT
>>-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
>>-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> 
> 
> It drops and logs using the next two rules.
> 
> 
>>-A RH-Firewall-1-INPUT -j LOG -d 192.168.0.5 --log-prefix "iptables: "
>>-A RH-Firewall-1-INPUT -j DROP
>>COMMIT
> 
> 
> If this is happening intermittently then the connection tracking may be
> timing out for certain connections.  It's also possible that if the
> amount of memory on this machine is low, and the machine is handling
> many concurrent connections, the state table is getting too large.  This
> site says more on the subject
> 
> http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html
> 
> 
> Ian
> 
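Added example, not part of the thread: a small triage script that parses kernel LOG records like the ones quoted above and sorts each dropped TCP packet into "tail of an outbound session whose conntrack entry has gone" (well-known source port, ephemeral destination port, RST/ACK/FIN and no SYN, exactly the shape of the four packets Jan posted) versus "genuinely new inbound attempt" (a bare SYN), which is what the final DROP rule is there for. The sample input is the four lines from the thread plus one constructed SYN line with a TEST-NET-2 address; the ephemeral port range 32768..61000 is the Linux 2.6 default for net.ipv4.ip_local_port_range and is an assumption to check on the box being examined.

```python
"""Triage iptables LOG lines: expired-conntrack tails vs. new inbound attempts.

Added example for the fedora-list thread above; not from the thread or from
the iptables project. The heuristics and port range are stated assumptions.
"""
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

LOG_PREFIX = "iptables: "          # --log-prefix used in the quoted rule set

# Linux 2.6 default net.ipv4.ip_local_port_range (assumption; verify with
# `sysctl net.ipv4.ip_local_port_range` on the actual machine).
EPHEMERAL_LOW, EPHEMERAL_HIGH = 32768, 61000

# The four records quoted in the thread, re-joined onto one line each, plus
# one constructed bare-SYN probe (198.51.100.7 is a documentation address).
SAMPLE_LOG = """\
Feb 23 23:53:59 toast kernel: iptables: IN=eth0 OUT= MAC=00:12:11:a7:86:e2:00:42:17:f4:ed:fa:0a:00 SRC=166.0.230.20 DST=192.168.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=105 ID=4731 DF PROTO=TCP SPT=80 DPT=33015 WINDOW=64512 RES=0x00 ACK URGP=0
Feb 23 23:56:39 toast kernel: iptables: IN=eth0 OUT= MAC=00:12:11:a7:86:e2:00:42:17:f4:ed:fa:0a:00 SRC=66.221.50.162 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=822 PROTO=TCP SPT=110 DPT=32995 WINDOW=0 RES=0x00 RST URGP=0
Feb 23 23:56:40 toast kernel: iptables: IN=eth0 OUT= MAC=00:12:11:a7:86:e2:00:42:17:f4:ed:fa:0a:00 SRC=66.221.50.162 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=826 PROTO=TCP SPT=110 DPT=32995 WINDOW=0 RES=0x00 RST URGP=0
Feb 23 23:56:40 toast kernel: iptables: IN=eth0 OUT= MAC=00:12:11:a7:86:e2:00:42:17:f4:ed:fa:0a:00 SRC=66.221.50.162 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=834 PROTO=TCP SPT=110 DPT=32995 WINDOW=0 RES=0x00 RST URGP=0
Feb 24 00:10:02 toast kernel: iptables: IN=eth0 OUT= MAC=00:12:11:a7:86:e2:00:42:17:f4:ed:fa:0a:00 SRC=198.51.100.7 DST=192.168.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40211 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""


def parse_line(line: str) -> Optional[Tuple[Dict[str, str], Set[str]]]:
    """Split one kernel LOG record into key=value fields and bare flag tokens.

    Tokens with '=' (SRC=, DPT=, even the empty OUT=) become fields; tokens
    without one (DF, ACK, RST, SYN, FIN, ...) are collected as flags.
    Returns None for lines that are not iptables LOG records.
    """
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    fields: Dict[str, str] = {}
    flags: Set[str] = set()
    for tok in line[idx + len(LOG_PREFIX):].split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        else:
            flags.add(tok)
    return fields, flags


def classify(fields: Dict[str, str], flags: Set[str]) -> str:
    """Label a dropped packet by what it most likely is."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    # A SYN without ACK is an attempt to open a session towards us: this is
    # the traffic the trailing DROP rule exists to stop.
    if "SYN" in flags and "ACK" not in flags:
        return "new-inbound-attempt"
    # Reply-shaped: server side on a well-known port, our side on an
    # ephemeral port. RST/ACK/FIN here means the server is still talking to
    # a session that conntrack no longer remembers (timed out or evicted),
    # so ESTABLISHED no longer matches and the packet falls through to DROP.
    reply_shaped = spt < 1024 and EPHEMERAL_LOW <= dpt <= EPHEMERAL_HIGH
    if reply_shaped and ({"RST", "ACK", "FIN"} & flags):
        return "stale-session-tail"
    return "unclassified"


def triage(log_text: str) -> List[Tuple[str, int, int, str]]:
    """Return (SRC, SPT, DPT, category) for every LOG record in log_text."""
    out = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        fields, flags = parsed
        out.append((fields["SRC"], int(fields["SPT"]), int(fields["DPT"]),
                    classify(fields, flags)))
    return out


def summarize(log_text: str) -> Dict[str, int]:
    """Count records per category; a quick view of whether the drops are
    harmless session tails or something that merits a closer look."""
    return dict(Counter(cat for _, _, _, cat in triage(log_text)))


if __name__ == "__main__":
    for src, spt, dpt, cat in triage(SAMPLE_LOG):
        print(f"{src:>15}:{spt:<5} -> :{dpt:<5} {cat}")
    print(summarize(SAMPLE_LOG))
```

If the summary is dominated by stale-session-tail entries from ports you actually talk to (80, 110 here), the DROP is doing what the rule set says and the question is conntrack lifetime, not a hostile host; a growing count of new-inbound-attempt records is the thing worth alerting on.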