Hi there,

I'm using iptables on a box with a relatively recent kernel (2.4.6 currently, but soon to be upgraded to 2.4.9). Since I've switched from ipchains to iptables and begun using the "state" module together with the "ESTABLISHED,RELATED" options I'm seeing packets that obviously belong to an already established connection but which are still rejected by the firewall. Note that I'm using SNAT which may contribute to the problem(?).

For example, after I've visited a web site I will often see lines like the following in syslog:

ipfilter:IN=atm0 OUT= MAC=aa:aa:03:00:00:00:08:00 SRC=11.22.33.44 DST=my.own.ip.addr LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=61512 DF PROTO=TCP SPT=80 DPT=1188 WINDOW=32120 RES=0x00 ACK FIN URGP=0
ipfilter:IN=atm0 OUT= MAC=aa:aa:03:00:00:00:08:00 SRC=11.22.33.44 DST=my.own.ip.addr LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=61706 DF PROTO=TCP SPT=80 DPT=1188 WINDOW=32120 RES=0x00 ACK FIN URGP=0
ipfilter:IN=atm0 OUT= MAC=aa:aa:03:00:00:00:08:00 SRC=11.22.33.44 DST=my.own.ip.addr LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=62032 DF PROTO=TCP SPT=80 DPT=1188 WINDOW=32120 RES=0x00 ACK FIN URGP=0
ipfilter:IN=atm0 OUT= MAC=aa:aa:03:00:00:00:08:00 SRC=11.22.33.44 DST=my.own.ip.addr LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=62573 DF PROTO=TCP SPT=80 DPT=1188 WINDOW=32120 RES=0x00 ACK FIN URGP=0
ipfilter:IN=atm0 OUT= MAC=aa:aa:03:00:00:00:08:00 SRC=11.22.33.44 DST=my.own.ip.addr LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=63686 DF PROTO=TCP SPT=80 DPT=1188 WINDOW=32120 RES=0x00 ACK FIN URGP=0
ipfilter:IN=atm0 OUT= MAC=aa:aa:03:00:00:00:08:00 SRC=11.22.33.44 DST=my.own.ip.addr LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=61 DF PROTO=TCP SPT=80 DPT=1188 WINDOW=32120 RES=0x00 ACK FIN URGP=0
ipfilter:IN=atm0 OUT= MAC=aa:aa:03:00:00:00:08:00 SRC=11.22.33.44 DST=my.own.ip.addr LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=4553 DF PROTO=TCP SPT=80 DPT=1188 WINDOW=32120 RES=0x00 ACK FIN URGP=0
ipfilter:IN=atm0 OUT= MAC=aa:aa:03:00:00:00:08:00 SRC=11.22.33.44 DST=my.own.ip.addr LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=10653 DF PROTO=TCP SPT=80 DPT=1188 WINDOW=32120 RES=0x00 ACK FIN URGP=0
ipfilter:IN=atm0 OUT= MAC=aa:aa:03:00:00:00:08:00 SRC=11.22.33.44 DST=my.own.ip.addr LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=17585 DF PROTO=TCP SPT=80 DPT=1188 WINDOW=32120 RES=0x00 ACK FIN URGP=0
ipfilter:IN=atm0 OUT= MAC=aa:aa:03:00:00:00:08:00 SRC=11.22.33.44 DST=my.own.ip.addr LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=23755 DF PROTO=TCP SPT=80 DPT=1188 WINDOW=32120 RES=0x00 ACK FIN URGP=0
ipfilter:IN=atm0 OUT= MAC=aa:aa:03:00:00:00:08:00 SRC=11.22.33.44 DST=my.own.ip.addr LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=30855 DF PROTO=TCP SPT=80 DPT=1188 WINDOW=32120 RES=0x00 ACK FIN URGP=0
ipfilter:IN=atm0 OUT= MAC=aa:aa:03:00:00:00:08:00 SRC=11.22.33.44 DST=my.own.ip.addr LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=37762 DF PROTO=TCP SPT=80 DPT=1188 WINDOW=32120 RES=0x00 ACK FIN URGP=0
ipfilter:IN=atm0 OUT= MAC=aa:aa:03:00:00:00:08:00 SRC=11.22.33.44 DST=my.own.ip.addr LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=45083 DF PROTO=TCP SPT=80 DPT=1188 WINDOW=32120 RES=0x00 ACK FIN URGP=0
ipfilter:IN=atm0 OUT= MAC=aa:aa:03:00:00:00:08:00 SRC=11.22.33.44 DST=my.own.ip.addr LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=51555 DF PROTO=TCP SPT=80 DPT=1188 WINDOW=32120 RES=0x00 ACK FIN URGP=0
ipfilter:IN=atm0 OUT= MAC=aa:aa:03:00:00:00:08:00 SRC=11.22.33.44 DST=my.own.ip.addr LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=58441 DF PROTO=TCP SPT=80 DPT=1188 WINDOW=32120 RES=0x00 ACK FIN URGP=0
ipfilter:IN=atm0 OUT= MAC=aa:aa:03:00:00:00:08:00 SRC=11.22.33.44 DST=my.own.ip.addr LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=65320 DF PROTO=TCP SPT=80 DPT=1188 WINDOW=32120 RES=0x00 ACK FIN URGP=0
ipfilter:IN=atm0 OUT= MAC=aa:aa:03:00:00:00:08:00 SRC=11.22.33.44 DST=my.own.ip.addr LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=6942 DF PROTO=TCP SPT=80 DPT=1188 WINDOW=32120 RES=0x00 ACK FIN URGP=0
ipfilter:IN=atm0 OUT= MAC=aa:aa:03:00:00:00:08:00 SRC=11.22.33.44 DST=my.own.ip.addr LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=35444 PROTO=TCP SPT=80 DPT=1188 WINDOW=0 RES=0x00 ACK RST URGP=0

My relevant iptables config looks as follows (I'm running Debian Linux and adapted the ipmasq package's scripts to my needs):

# Accept anything conntrack already knows about
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Packets coming in from internal interface, going out via external int.
$IPTABLES -X int-ext 2>/dev/null
$IPTABLES -N int-ext
if [ -n "$INTERNAL" -a -n "$EXTERNAL" ]; then
    for int in $INTERNAL; do
        for ext in $EXTERNAL; do
            $IPTABLES -A FORWARD -i $int -o $ext -j int-ext
        done
    done
fi

# Packets coming from inside the LAN travelling to the outside
# ACCEPT everything
$IPTABLES -A int-ext -m state --state NEW -j ACCEPT

# Source NAT ("Masquerading")
if [ -n "$EXTERNAL" ]; then
    for ext in $EXTERNAL; do
        ipnm_cache $ext    # ipmasq helper that looks up the address of $ext, used as $IPOFIF below
        $IPTABLES -t nat -A POSTROUTING -o $ext -j SNAT --to $IPOFIF
    done
fi

Is there anything that looks incorrect to you? Any rule that I could insert and/or change to stop those packets from being blocked by my firewall?

Thanks,
Ralf
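An added example, not part of the original post or of the ipmasq scripts: a small Python triage script that parses syslog lines in the iptables LOG format quoted above and groups the rejected packets by 4-tuple and TCP flags, so that late FIN/ACK and RST segments from a connection that has already been torn down can be told apart from genuine new connection attempts. The sample lines are constructed in the post's format; the fourth line (a SYN to port 22 from 198.51.100.7) is an assumption added for contrast.

```python
from collections import Counter, defaultdict

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample in the same format as the syslog lines quoted in the post;
# the last line (SYN to port 22 from an assumed address) is added for contrast.
SAMPLE_LOG = """\
ipfilter:IN=atm0 OUT= MAC=aa:aa:03:00:00:00:08:00 SRC=11.22.33.44 DST=my.own.ip.addr LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=61512 DF PROTO=TCP SPT=80 DPT=1188 WINDOW=32120 RES=0x00 ACK FIN URGP=0
ipfilter:IN=atm0 OUT= MAC=aa:aa:03:00:00:00:08:00 SRC=11.22.33.44 DST=my.own.ip.addr LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=61706 DF PROTO=TCP SPT=80 DPT=1188 WINDOW=32120 RES=0x00 ACK FIN URGP=0
ipfilter:IN=atm0 OUT= MAC=aa:aa:03:00:00:00:08:00 SRC=11.22.33.44 DST=my.own.ip.addr LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=35444 PROTO=TCP SPT=80 DPT=1188 WINDOW=0 RES=0x00 ACK RST URGP=0
ipfilter:IN=atm0 OUT= MAC=aa:aa:03:00:00:00:08:00 SRC=198.51.100.7 DST=my.own.ip.addr LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1 DF PROTO=TCP SPT=4321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

def parse_log_line(line):
    """Turn one iptables LOG line into a dict of KEY=VALUE fields plus a FLAGS set."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key.rsplit(":", 1)[-1]] = value  # strips the "ipfilter:" log prefix from IN=
        elif tok in TCP_FLAGS:
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields

def classify(pkt):
    """Flag-only triage of a TCP packet that the state match did not accept as ESTABLISHED."""
    if pkt.get("PROTO") != "TCP":
        return "non-tcp"
    f = pkt["FLAGS"]
    if "SYN" in f and "ACK" not in f:
        return "new-connection-attempt"  # a genuine connection request
    if "RST" in f:
        return "late-reset"              # reset for a flow conntrack no longer tracks
    if "FIN" in f:
        return "late-teardown"           # FIN/ACK retransmitted after the entry is gone
    return "mid-stream-ack"              # bare ACK or data with no tracked entry

def triage(log_text):
    """Group rejected packets by (SRC, SPT, DST, DPT) and count the classes seen per flow."""
    by_flow = defaultdict(Counter)
    for line in log_text.splitlines():
        if "PROTO=" not in line:
            continue
        p = parse_log_line(line)
        by_flow[(p["SRC"], p["SPT"], p["DST"], p["DPT"])][classify(p)] += 1
    return dict(by_flow)
```

Feeding a real syslog extract to `triage()` and printing the result shows at a glance whether a burst of logged packets is one flow's retransmitted teardown (as in the post, all from port 80 to port 1188) or unsolicited SYNs worth a closer look.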