IPTables rejecting packets that should be let through???

Robert Nichols rnichols42 at comcast.net
Sun Apr 10 18:03:04 UTC 2005


David Hoffman wrote:
> This one is really confusing me...
> 
> I am running IPTables to configure my firewall, telling it to ALLOW
> incoming traffic on eth1 from anywhere to port 25. The way the
> firewall is set up, it says to allow connections that are RELATED or
> ESTABLISHED, before going the following rules. One of the following
> rules says to allow connections that are NEW if they are destined for
> port 25.
> 
> At the bottom of my firewall rules, I have an entry that rejects all
> traffic that has failed to pass all other checks. Right before that
> entry, I have an entry that logs the packet that was rejected.
> 
> What I am seeing is traffic that is coming in from a machine as a NEW
> connection, and is being allowed in. During the SMTP transaction (and
> this only happens sometimes - usually when Postfix has rejected the
> connection for failing some sanity check) Postfix might reject a
> connection, and then shortly after, I see a log entry from the
> firewall for a connection from port 25, but it failed to pass the
> previous checks, and so it rejects it.
> 
> My guess is that the state of the packet is not being considered as
> RELATED, ESTABLISHED, or NEW... but from the packet, I'm not sure if
> there is a way to determine which state the packet is in.
> 
> Is there a way to tell the reason for rejection or the state of a
> packet from the log entry that IPTables generates? Here is an example
> of a log entry that I saw. AFTER valid traffic accepted, an SMTP
> session was setup, and postfix rejected the mail with an error code, I
> saw this message in my log:
> 
> Apr 10 06:40:29 master kernel: IN=eth1
> OUT=MAC=00:50:ba:49:d8:aa:00:20:78:db:4f:3f:08:00 SRC=220.117.112.56
> DST=192.168.158.1 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=54733 PROTO=TCP
> SPT=3705 DPT=25 WINDOW=0 RES=0x00 RST URGP=0

Once you've eliminated RELATED, ESTABLISHED, and NEW, the only
remaining state is INVALID.  I don't know why the connection
state would be considered INVALID, but that packet looks like a
tcp-reset packet (40 bytes, "RST" flag) that was received after
postfix closed, or tried to close, the connection on your machine.
To see what is actually happening in the handshake you need to
run 'ethereal' and look at the packets.

-- 
Bob Nichols         rnichols42 at comcast.net




More information about the users mailing list