Packets dropped by iptables

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Tue Oct 12 19:42:12 UTC 2004


On Tue, 12.10.2004, at 21:21, Juan L. Pastor wrote:

> My current setup (/etc/sysconfig/iptables) is:
> 
> # Generated by iptables-save v1.2.9 on Mon Oct 11 12:11:44 2004
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> :LOGDROP - [0:0]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -s 192.168.1.4 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

You drop all ICMP types other than echo (=8). That is bad. ICMP is
an important protocol and blocking specific types will break things! If
you don't know for sure why you block a specific ICMP type, then just
don't. You gain no security.

> -A INPUT -j LOGDROP
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> -A LOGDROP -j LOG --log-level 7 --log-prefix "Bad packet from eth0:"
> -A LOGDROP -j DROP
> COMMIT
> # Completed on Mon Oct 11 12:11:44 2004
> 
> I use aMule software, and I read on the amule firewall how-to at
> http://www.amule.org/wiki/index.php/Firewall that I should accept tcp
> port XX, udp port XX+3 and udp port YY, with XX and YY the TCP and UDP
> ports setup in amule. I didn't add these rules, as I see no difference
> between having them or not, as it is my machine the one that initiates
> the connection, and I have the following rule:
> 
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> But when I look at the log, I see lots of:
> 
> Oct 12 21:18:26 kalimotxo kernel: Bad packet from eth0:IN=eth0 OUT=
> MAC=00:50:8d:e3:19:cb:00:90:d0:bc:56:db:08:00 SRC=80.25.178.113
> DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=120 ID=28653 PROTO=TCP
> SPT=4662 DPT=36455 WINDOW=0 RES=0x00 ACK RST URGP=0
> Oct 12 21:18:50 kalimotxo kernel: Bad packet from eth0:IN=eth0 OUT=
> MAC=00:50:8d:e3:19:cb:00:90:d0:bc:56:db:08:00 SRC=82.82.102.218
> DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=120 ID=24226 PROTO=TCP
> SPT=4662 DPT=36563 WINDOW=0 RES=0x00 ACK RST URGP=0
> Oct 12 21:18:52 kalimotxo kernel: Bad packet from eth0:IN=eth0 OUT=
> MAC=00:50:8d:e3:19:cb:00:90:d0:bc:56:db:08:00 SRC=62.48.113.158
> DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=21077 PROTO=TCP
> SPT=4662 DPT=36569 WINDOW=0 RES=0x00 ACK RST URGP=0
> 
> I think these are acknowledge packets, and they should be accepted (BTW,
> 4662 is my TCP port for amule). Why are they not accepted by the above
> rules (state ESTABLISHED) and how can I accept these dropped packets?

What tells you that these are ESTABLISHED (or RELATED) connections? If
they were, then they would not go to the LOGDROP chain. If you are running a
P2P client, such connection attempts are pretty normal. This is how P2P
works.

> Juan

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp 
Serendipity 21:37:02 up 13 days, 3 users, load average: 1.08, 1.21, 1.30
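The quoted log lines already carry the answer in their flag field: a packet with RST set is a reset for a flow conntrack no longer tracks, not an ESTABLISHED one. As an added example (not part of the thread), a small Python parser for that kernel LOG format that classifies dropped packets; the sample lines are constructed in the same format, and the third one (a SYN to port 22 from a documentation address) is made up for contrast.

```python
import re
from collections import Counter

TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}

# Constructed sample lines in the format of the kernel LOG output quoted above.
SAMPLE_LOG = """\
Oct 12 21:18:26 kalimotxo kernel: Bad packet from eth0:IN=eth0 OUT= MAC=00:50:8d:e3:19:cb:00:90:d0:bc:56:db:08:00 SRC=80.25.178.113 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=120 ID=28653 PROTO=TCP SPT=4662 DPT=36455 WINDOW=0 RES=0x00 ACK RST URGP=0
Oct 12 21:18:50 kalimotxo kernel: Bad packet from eth0:IN=eth0 OUT= MAC=00:50:8d:e3:19:cb:00:90:d0:bc:56:db:08:00 SRC=82.82.102.218 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=120 ID=24226 PROTO=TCP SPT=4662 DPT=36563 WINDOW=0 RES=0x00 ACK RST URGP=0
Oct 12 21:19:05 kalimotxo kernel: Bad packet from eth0:IN=eth0 OUT= MAC=00:50:8d:e3:19:cb:00:90:d0:bc:56:db:08:00 SRC=198.51.100.7 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=100 PROTO=TCP SPT=41234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""


def parse_log_line(line):
    """Return the KEY=value fields of one LOG line plus a 'flags' frozenset, or None."""
    # The --log-prefix is glued to IN=, so parsing starts there; bare tokens
    # such as ACK and RST are the TCP flags the kernel prints.
    m = re.search(r"\bIN=.*$", line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group(0).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value  # OUT= yields an empty string
        elif tok in TCP_FLAGS:
            flags.add(tok)
    fields["flags"] = frozenset(flags)
    return fields


def classify(pkt):
    """Say why conntrack could not match the packet to an ESTABLISHED flow."""
    if pkt.get("PROTO") != "TCP":
        return "non-tcp"
    flags = pkt["flags"]
    if "RST" in flags:
        # A reset for a flow the kernel no longer tracks: P2P leftovers, harmless to drop.
        return "stray-rst"
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection-attempt"  # a genuine inbound connection attempt
    return "other-untracked-tcp"


def summarize(log_text):
    """Count dropped packets per classification over a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        if pkt is not None:
            counts[classify(pkt)] += 1
    return counts
```

Run against /var/log/messages filtered on the "Bad packet from" prefix, the stray-rst count is what the thread's log excerpt consists of; only new-connection-attempt entries deserve a closer look.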