This is a discussion on TCP flag PSH - (Sorry for the cross-posting) within the Linux Networking forums, part of the Linux Forums category; Sorry for the cross-posting, I probably should have put this question here originally. I'm having a weird problem ...
Sorry for the cross-posting, I probably should have put this question here originally.

I'm having a weird problem with iptables 1.2.11 on my Linux system. For some reason, it is only allowing packets through from allowed hosts/ports that have the TCP flag PSH set on them; it will deny all others. I have no rules set in iptables about allowing/disallowing this TCP flag, and I'm not quite sure what could be causing my problems. Does anyone have any ideas why my Linux system would be doing this?

Thanks
Mike

Here is an output of my iptables-save (with a few edits for mac and ip security):

# Generated by iptables-save v1.2.11 on Thu Jun 22 09:38:48 2006
*filter
:INPUT ACCEPT [23:1292]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [35:43479]
:Cid449952DF.0 - [0:0]
:Cid449952E9.0 - [0:0]
:Cid449952E9.1 - [0:0]
:Cid449952F3.0 - [0:0]
:Cid44995307.0 - [0:0]
:Cid44995307.1 - [0:0]
:Cid4499B94F.0 - [0:0]
:RULE_2 - [0:0]
:RULE_3 - [0:0]
:RULE_4 - [0:0]
:RULE_5 - [0:0]
:RULE_7 - [0:0]
:RULE_8 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s <firewall host> -m state --state NEW -j ACCEPT
-A INPUT -d <firewall host> -m state --state NEW -j Cid44995307.0
-A INPUT -d <firewall host> -p tcp -m tcp --dport 22 -m state --state NEW -j Cid449952F3.0
-A INPUT -d <firewall host> -m state --state NEW -j Cid449952E9.0
-A INPUT -d <firewall host> -p tcp -m tcp --dport 10000:10500 -m state --state NEW -j Cid449952DF.0
-A INPUT -s <priv subnet>/255.255.255.0 -d <firewall host> -p tcp -m tcp --sport 1520:1522 -m state --state NEW -j RULE_5
-A INPUT -s <priv subnet 1>/255.255.255.0 -d <firewall host> -p tcp -m tcp --sport 445 -j DROP
-A INPUT -s <priv subnet 2>/255.255.255.0 -d <firewall host> -m state --state NEW -j Cid4499B94F.0
-A INPUT -d <firewall host> -j RULE_8
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s <firewall host> -m state --state NEW -j ACCEPT
-A OUTPUT -d <firewall host> -j RULE_8
-A Cid449952DF.0 -s 10.0.0.0/255.0.0.0 -j RULE_4
-A Cid449952DF.0 -s <priv subnet 3>/255.255.0.0 -j RULE_4
-A Cid449952DF.0 -s <priv subnet 5>/<priv subnet range> -j RULE_4
-A Cid449952DF.0 -s <priv subnet 6>/<priv subnet range> -j RULE_4
-A Cid449952DF.0 -s <priv subnet 6>/<priv subnet range> -j RULE_4
-A Cid449952DF.0 -s <priv subnet 7>/<priv subnet range> -j RULE_4
-A Cid449952DF.0 -s <priv subnet 8>/<priv subnet range> -j RULE_4
-A Cid449952E9.0 -p tcp -m tcp -m multiport --dports 80,443 -j Cid449952E9.1
-A Cid449952E9.1 -s 10.0.0.0/255.0.0.0 -j RULE_3
-A Cid449952E9.1 -s <priv subnet 3>/255.255.0.0 -j RULE_3
-A Cid449952E9.1 -s <priv subnet 5>/<priv subnet range> -j RULE_3
-A Cid449952E9.1 -s <priv subnet 6>/<priv subnet range> -j RULE_3
-A Cid449952E9.1 -s <priv subnet 6>/<priv subnet range> -j RULE_3
-A Cid449952E9.1 -s <priv subnet 7>/<priv subnet range> -j RULE_3
-A Cid449952E9.1 -s <priv subnet 8>/<priv subnet range> -j RULE_3
-A Cid449952F3.0 -s 10.0.0.0/255.0.0.0 -j RULE_2
-A Cid449952F3.0 -s <priv subnet 3>/255.255.0.0 -j RULE_2
-A Cid449952F3.0 -s <priv subnet 5>/<priv subnet range> -j RULE_2
-A Cid449952F3.0 -s <priv subnet 6>/<priv subnet range> -j RULE_2
-A Cid449952F3.0 -s <priv subnet 6>/<priv subnet range> -j RULE_2
-A Cid449952F3.0 -s <priv subnet 7>/<priv subnet range> -j RULE_2
-A Cid449952F3.0 -s <priv subnet 8>/<priv subnet range> -j RULE_2
-A Cid44995307.0 -f -j Cid44995307.1
-A Cid44995307.0 -p icmp -m icmp --icmp-type 11/0 -j Cid44995307.1
-A Cid44995307.0 -p icmp -m icmp --icmp-type 11/1 -j Cid44995307.1
-A Cid44995307.0 -p icmp -m icmp --icmp-type 0/0 -j Cid44995307.1
-A Cid44995307.0 -p icmp -m icmp --icmp-type 3 -j Cid44995307.1
-A Cid44995307.0 -p icmp -m icmp --icmp-type 8/0 -j Cid44995307.1
-A Cid44995307.1 -s 10.0.0.0/255.0.0.0 -j ACCEPT
-A Cid44995307.1 -s <priv subnet 3>/255.255.0.0 -j ACCEPT
-A Cid44995307.1 -s <priv subnet 5>/<priv subnet range> -j ACCEPT
-A Cid44995307.1 -s <priv subnet 6>/<priv subnet range> -j ACCEPT
-A Cid44995307.1 -s <priv subnet 6>/<priv subnet range> -j ACCEPT
-A Cid44995307.1 -s <priv subnet 7>/<priv subnet range> -j ACCEPT
-A Cid44995307.1 -s <priv subnet 8>/<priv subnet range> -j ACCEPT
-A Cid4499B94F.0 -p tcp -m tcp -m multiport --dports 445,139 -j RULE_7
-A Cid4499B94F.0 -p udp -m udp -m multiport --dports 138,137 -j RULE_7
-A RULE_2 -j LOG --log-prefix "ALLOWED-SSH " --log-level 6
-A RULE_2 -j ACCEPT
-A RULE_3 -j LOG --log-prefix "ALLOWED-WEB " --log-level 6
-A RULE_3 -j ACCEPT
-A RULE_4 -j LOG --log-prefix "ALLOWED-APP " --log-level 6
-A RULE_4 -j ACCEPT
-A RULE_5 -j LOG --log-prefix "ALLOWED-DB " --log-level 6
-A RULE_5 -j ACCEPT
-A RULE_7 -j LOG --log-prefix "ALLOWED-SMB " --log-level 6
-A RULE_7 -j ACCEPT
-A RULE_8 -j LOG --log-prefix "DENIED " --log-level 6
-A RULE_8 -j DROP
COMMIT
# Completed on Thu Jun 22 09:38:48 2006
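One way to check the poster's claim that nothing in this ruleset filters on TCP flags is to parse the iptables-save text and trace a packet through it offline. The script below is an added example, not code from the thread or from the iptables project: it models only the match options the posted rules actually use (-s, -d, -p, --sport/--dport, multiport --dports, --state), walks a constructed packet through INPUT with netfilter's chain-return and LOG-is-non-terminating semantics, and scans the text for --tcp-flags or --syn. The chain names come from the post; the firewall address 192.0.2.10 and the source addresses are constructed stand-ins for the redacted values, and the embedded ruleset is a subset of the one above (the SSH, web and catch-all paths).

```python
"""Trace a packet through an iptables-save ruleset.

Added example, not code from the thread.  It parses the iptables-save text
format into chains and rules, then walks a constructed packet through INPUT
the way netfilter does: a user-defined chain returns to its caller when it
runs out of rules, LOG is non-terminating, ACCEPT/DROP end the walk, and the
built-in chain's policy applies if nothing terminated.  Only the matches the
poster's rules rely on are modelled (-s, -d, -p, --sport/--dport, --dports,
--state); there is no --tcp-flags handling because the ruleset has none.
"""
import ipaddress
import re
import shlex

# Constructed stand-in for the redacted <firewall host>; 192.0.2.0/24 is the
# RFC 5737 documentation range, not the poster's real address.
FW_HOST = "192.0.2.10"

# A subset of the poster's ruleset (SSH, web and catch-all paths), with the
# redacted placeholders replaced by the constructed values above.
RULESET = f"""\
*filter
:INPUT ACCEPT [0:0]
:Cid449952E9.0 - [0:0]
:Cid449952E9.1 - [0:0]
:Cid449952F3.0 - [0:0]
:RULE_2 - [0:0]
:RULE_3 - [0:0]
:RULE_8 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d {FW_HOST} -p tcp -m tcp --dport 22 -m state --state NEW -j Cid449952F3.0
-A INPUT -d {FW_HOST} -m state --state NEW -j Cid449952E9.0
-A INPUT -d {FW_HOST} -j RULE_8
-A Cid449952E9.0 -p tcp -m tcp -m multiport --dports 80,443 -j Cid449952E9.1
-A Cid449952E9.1 -s 10.0.0.0/255.0.0.0 -j RULE_3
-A Cid449952F3.0 -s 10.0.0.0/255.0.0.0 -j RULE_2
-A RULE_2 -j LOG --log-prefix "ALLOWED-SSH " --log-level 6
-A RULE_2 -j ACCEPT
-A RULE_3 -j LOG --log-prefix "ALLOWED-WEB " --log-level 6
-A RULE_3 -j ACCEPT
-A RULE_8 -j LOG --log-prefix "DENIED " --log-level 6
-A RULE_8 -j DROP
COMMIT
"""


def parse(text):
    """Return (policies, chains): {chain: policy} and {chain: [rule, ...]}."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith("-A "):
            toks = shlex.split(line)[1:]          # shlex keeps the quoted log prefix whole
            rule, i = {}, 1
            while i < len(toks):
                if toks[i] != "-m":               # "-m" only loads a match module
                    rule[toks[i].lstrip("-")] = toks[i + 1]
                i += 2
            chains[toks[0]].append(rule)
    return policies, chains


def port_in(spec, port):
    """True if port lies inside an iptables port spec such as '22' or '10000:10500'."""
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def matches(rule, pkt):
    """Apply every match option present in the rule to the packet dict."""
    checks = [
        ("s", lambda v: pkt["src"] in ipaddress.ip_network(v, strict=False)),
        ("d", lambda v: pkt["dst"] in ipaddress.ip_network(v, strict=False)),
        ("p", lambda v: v == pkt["proto"]),
        ("sport", lambda v: port_in(v, pkt["sport"])),
        ("dport", lambda v: port_in(v, pkt["dport"])),
        ("dports", lambda v: str(pkt["dport"]) in v.split(",")),
        ("state", lambda v: pkt["state"] in v.split(",")),
    ]
    return all(check(rule[opt]) for opt, check in checks if opt in rule)


def trace(policies, chains, chain, pkt, path):
    """Walk one chain, appending hits to path; return a verdict or None on fall-through."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        target = rule.get("j")
        if target == "LOG":                               # non-terminating
            path.append(f"{chain}: LOG {rule.get('log-prefix', '').strip()}")
        elif target in ("ACCEPT", "DROP", "REJECT"):       # terminating
            path.append(f"{chain}: {target}")
            return target
        elif target in chains:                             # jump into a user chain
            verdict = trace(policies, chains, target, pkt, path)
            if verdict is not None:
                return verdict
    return policies[chain] if policies[chain] != "-" else None   # policy only on built-ins


def decide(src, dport, state, psh=False, text=RULESET):
    """Verdict and rule path for a constructed TCP packet addressed to the firewall host."""
    policies, chains = parse(text)
    pkt = {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(FW_HOST),
           "proto": "tcp", "sport": 40000, "dport": dport, "state": state, "psh": psh}
    path = []
    return trace(policies, chains, "INPUT", pkt, path), path


def flag_matches(text=RULESET):
    """Lines that test TCP flags (--tcp-flags or --syn); empty for the poster's rules."""
    return [ln for ln in text.splitlines() if re.search(r"--tcp-flags|--syn\b", ln)]


if __name__ == "__main__":
    for psh in (False, True):
        print(f"SSH from 10.1.2.3, PSH={psh}:", decide("10.1.2.3", 22, "NEW", psh))
    print("SSH from 203.0.113.5:", decide("203.0.113.5", 22, "NEW"))
    print("flag-based rules:", flag_matches())
```

The packet dict carries a psh field that no modelled rule ever reads, so the trace produces the same path whether or not PSH is set; together with the empty flag_matches() result that confirms the rules as posted do not distinguish PSH from non-PSH segments, which narrows the search to something outside the listed rules.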