IPTables rejecting packets that should be let through???

Aleksandar Milivojevic amilivojevic at pbl.ca
Mon Apr 11 14:38:23 UTC 2005


David Hoffman wrote:
> Is there a way to tell the reason for rejection or the state of a
> packet from the log entry that IPTables generates? Here is an example
> of a log entry that I saw. AFTER valid traffic accepted, an SMTP
> session was setup, and postfix rejected the mail with an error code, I
> saw this message in my log:
> 
> Apr 10 06:40:29 master kernel: IN=eth1
> OUT=MAC=00:50:ba:49:d8:aa:00:20:78:db:4f:3f:08:00 SRC=220.117.112.56
> DST=192.168.158.1 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=54733 PROTO=TCP
> SPT=3705 DPT=25 WINDOW=0 RES=0x00 RST URGP=0

This is an incoming, not an outgoing, packet.  It contains the RST flag, which would 
cause the connection to be terminated.

Now, this is just a guess at what might have happened.  Most likely what 
happened was that Postfix closed the connection, and for whatever reason 
the other side sent an extra RST packet (for whatever reason; if the 
connection was shut down cleanly, it shouldn't have sent it).  Since 
Netfilter saw that the connection was closed, it removed it from its 
internal tables of open connections.  Hence the packet was not in the 
ESTABLISHED state.  It was in the NEW state (note that NEW state doesn't 
mean a packet that is starting a connection (the SYN packet); a packet is in 
NEW if it is the first packet seen by the firewall for that particular 
combination of IP addresses and ports).

To debug this further, you would need to run tcpdump on the eth1 interface 
and look at what is going on at the end of the connection (the last couple of 
packets exchanged between 220.117.112.56 and your server).

> Any help would be appreciated. If necessary, I can send the complete
> firewall rules.

Usually firewall problems are rather nasty to debug without seeing the 
actual firewall rules and tcpdump output of the problematic traffic.

-- 
Aleksandar Milivojevic <amilivojevic at pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
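As an added illustration of the reply above (this is example code written for this page, not anything posted in the thread), the script below parses the quoted LOG line and replays the end of the SMTP session through a deliberately simplified model of conntrack. The `ToyConntrack` class, `is_stray_reset` helper and the packet sequence in `simulate_smtp_close` are assumptions made for the example: the model has no timeouts or TIME_WAIT hold and no sequence-number checks, so it only shows the one point the reply makes, namely that a packet is NEW whenever no entry exists for its 4-tuple, whatever flags it carries. The sample log line is the one quoted in the thread, with the wrapped `OUT=MAC=` tokens separated again.

```python
from dataclasses import dataclass

# Constructed from the log entry quoted in the thread; the original post shows
# "OUT=MAC=..." run together (line wrapping), the parser copes with either form.
SAMPLE_LOG = ("Apr 10 06:40:29 master kernel: IN=eth1 OUT= "
              "MAC=00:50:ba:49:d8:aa:00:20:78:db:4f:3f:08:00 SRC=220.117.112.56 "
              "DST=192.168.158.1 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=54733 PROTO=TCP "
              "SPT=3705 DPT=25 WINDOW=0 RES=0x00 RST URGP=0")

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


@dataclass(frozen=True)
class Packet:
    iface_in: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


def parse_iptables_log(line: str) -> Packet:
    """Parse a netfilter LOG line: KEY=VALUE tokens plus bare TCP flag names."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return Packet(fields.get("IN", ""), fields["SRC"], int(fields["SPT"]),
                  fields["DST"], int(fields["DPT"]), frozenset(flags))


def is_stray_reset(p: Packet) -> bool:
    """Hypothetical check: a lone RST (no SYN) with no conntrack entry is the
    'extra RST after close' pattern the reply describes; dropping it is harmless."""
    return "RST" in p.flags and "SYN" not in p.flags


class ToyConntrack:
    """Simplified model of how conntrack labels packets (assumption for this
    example: no timeouts, no TIME_WAIT hold, no sequence-number validation)."""

    def __init__(self):
        self.table = {}  # flow key -> set of endpoints that have sent FIN

    @staticmethod
    def flow_key(p: Packet):
        # Direction-independent key for the 4-tuple.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def classify(self, p: Packet) -> str:
        key = self.flow_key(p)
        if key not in self.table:
            # No entry for this 4-tuple: NEW, whatever flags the packet carries.
            if "RST" not in p.flags:          # a lone RST creates no entry
                self.table[key] = set()
            return "NEW"
        if "RST" in p.flags:
            del self.table[key]               # reset tears the entry down
            return "ESTABLISHED"
        if "FIN" in p.flags:
            self.table[key].add((p.src, p.sport))
            if len(self.table[key]) == 2:     # both sides closed: entry removed
                del self.table[key]
        return "ESTABLISHED"


def simulate_smtp_close(client=("220.117.112.56", 3705), server=("192.168.158.1", 25)):
    """Replay the end of the session as the reply reconstructs it and return the
    state the toy conntrack assigns to each packet (constructed sequence)."""
    ct = ToyConntrack()

    def pkt(frm, to, *flags):
        return Packet("eth1", frm[0], frm[1], to[0], to[1], frozenset(flags))

    sequence = [
        ("client SYN",           pkt(client, server, "SYN")),
        ("server SYN/ACK",       pkt(server, client, "SYN", "ACK")),
        ("client ACK",           pkt(client, server, "ACK")),
        ("server 5xx + FIN/ACK", pkt(server, client, "FIN", "ACK")),
        ("client FIN/ACK",       pkt(client, server, "FIN", "ACK")),
        ("client extra RST",     pkt(client, server, "RST")),
    ]
    return [(label, ct.classify(p)) for label, p in sequence]


if __name__ == "__main__":
    p = parse_iptables_log(SAMPLE_LOG)
    print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} in={p.iface_in} "
          f"flags={sorted(p.flags)} stray_reset={is_stray_reset(p)}")
    for label, state in simulate_smtp_close():
        print(f"{label:22s} {state}")
```

Running it shows the SYN as NEW, the handshake and both FINs as ESTABLISHED, and the trailing RST as NEW again because the entry is gone, which is exactly why a `--state ESTABLISHED` rule no longer matches it and the packet falls through to the logging rule. The parser is the useful part for a defender: pointed at real LOG output it separates these expected stray resets from genuine unsolicited traffic before anyone spends time on tcpdump.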




More information about the fedora-list mailing list