iptables v1.2.4 logs dropped packets that should have been allowed ???

This is a discussion on iptables v1.2.4 logs dropped packets that should have been allowed ??? within the Linux Networking forums, part of the Linux Forums category; Hi, I hope someone can shed some light on a mistery i have: our firewall (also squid proxy) serves some ...


Go Back   Usenet Forums > Linux Forums > Linux Networking

Reload this Page iptables v1.2.4 logs dropped packets that should have been allowed ???

FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply

 

LinkBack Thread Tools Search this Thread Display Modes
  #1 (permalink)  
Old 07-16-2003
Tom Van Overbeke
 
Posts: n/a
Default iptables v1.2.4 logs dropped packets that should have been allowed ???
Hi,


I hope someone can shed some light on a mistery i have:


our firewall (also squid proxy) serves some 50 desktops for web browsing.

Everything works fine, noone complains about sites not being accessible or
sth, but in the firewall logs, i see very regularly 2 types of blocked
packets:


Jul 16 16:49:11 dobermann kernel: -drop_the_rest-IN=eth0 OUT=
MAC=00:06:5b:f7:66:96:00:00:d1:ec:fa:3b:08:00 SRC=213.199.148.12
DST=172.17.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=11706 PROTO=TCP SPT=80
DPT=55475 WINDOW=17125 RES=0x00 ACK URGP=0

DST ip is the external interface of the proxy server. to me, this appears to
be the reply from an attempt of the squid proxy to initiate a connection
with a remote website (because of the ACK).
i see no reason why this packet would be blocked, because i can't find the
corresponding SYN packet in my logs.
anyway, The connection between these hosts and ports in this example are
configured to be permitted.


second type of blocked packets:

Jul 16 11:57:47 dobermann kernel: -drop_the_rest-IN= OUT=eth1 SRC=172.21.3.1
DST=172.21.3.209 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=6144 PROTO=TCP SPT=3128
DPT=2408 WINDOW=16056 RES=0x00 ACK PSH FIN URGP=0
Jul 16 13:16:19 dobermann kernel: -drop_the_rest-IN= OUT=eth1 SRC=172.21.3.1
DST=172.21.3.209 LEN=1102 TOS=0x00 PREC=0x00 TTL=64 ID=25203 PROTO=TCP
SPT=3128 DPT=3384 WINDOW=6468 RES=0x00 ACK PSH URGP=0

SRC is the internal ip of the firewall / squid proxy; DST is one of the
desktop pc's used to surf the web.

this packet looks like it's the squid that is forwarding the received web
page back to the requesting client (because of the ACK and PSH bits set).
the source port is 3128, where we have configured our proxy to listen to.


to me this doesn't make sence: it seems almost like iptables has forgotten
about the already established connection and seems to drop the packet
because it can't find it in the connection tracking table.

our firewall is iptables v1.2.4 running on redhat advanced server 2.1.
the firewall was setup via fwbuilder, with connection tracking enabled for
most of the rules (and definitely for the 'allow squid traffic' rule).
cat /proc/sys/net/ipv4/conntrack_max is 32760
cat /proc/net/ip_conntrack | wc -l is 172 (i assume these 2 variables are
related ?).



thx,


Tom.


Reply With Quote
Reply
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are Off
[IMG] code is Off
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT +1. The time now is 04:14 PM.

Contact Us - Usenet Forums - Archive - Top

Powered by vBulletin® Version 3.7.3
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.0.0