RES=0x00 ACK FIN URGP=0

Hi All,

Following the FAQ, I'm looking to find some help on the mailing list in
regard to the RES=0x00 ACK FIN URGP=0 entries in the system log.  I'm
using a 2.4.20 kernel from Debian source, with most modules, including
conntrack, compiled in.  The entries arise in relation to web
traffic that is always sourced from the web server, outbound on the FORWARD
chain.

I have the following entries in the iptables start script:

# Inbound HTTP towards the DMZ web server: new and tracked connections
iptables -A INPUT -i $ext_ethernet -p tcp --dport 80 -d $web_server \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $ext_ethernet -o $dmz_ethernet -p tcp --dport 80 \
    -d $web_server -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $dmz_ethernet -p tcp --dport 80 -d $web_server \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Replies from the web server: only packets conntrack already knows about
iptables -A INPUT -i $dmz_ethernet -p tcp --sport 80 -s $web_server \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $ext_ethernet -i $dmz_ethernet -p tcp --sport 80 \
    -s $web_server -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $ext_ethernet -p tcp --sport 80 -s $web_server \
    -m state --state ESTABLISHED,RELATED -j ACCEPT

In the past I had a 2.4.18 kernel in a transparent bridged setup, with
an external router doing the port translations and NAT, and had no issues
whatsoever with persistent RES=0x00 ACK FIN URGP=0 entries.

I'm now using a standard netfilter configuration to firewall, NAT and mangle.


# Port-forward inbound HTTP on the external address to the DMZ web server
iptables -t nat -A PREROUTING -i $ext_ethernet -p tcp -d $external_ip \
    --dport 80 -j DNAT --to $web_server

I have additional rules to restrict port scans and LOG.

# Packets with only RST set (of SYN,ACK,FIN,RST): log at most 10 per hour ...
iptables -A INPUT -i $ext_ethernet -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
    -m limit --limit 10/h -j LOG --log-prefix 'PORT SCAN!: '

# ... and accept them at 1/s with a burst of 5
iptables -A INPUT -i $ext_ethernet -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
    -m limit --limit 1/s --limit-burst 5 -j ACCEPT

I'm concerned that the dropped packets will reduce the performance of
the web server.

Here's the log entry that repeats, and repeats...

Oct 20 11:01:11 fatswan kernel: FORWARD :IN=eth2 OUT=eth1 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=60618 DF PROTO=TCP SPT=80 DPT=2698 WINDOW=17225 RES=0x00 ACK FIN URGP=0

Can anyone suggest a fix for this, or tell me that we're talking 5
milliseconds/minute?

Cheers,

Lewis Shobbrook
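The log line quoted above is a bare ACK FIN segment from the web server's port 80 towards an ephemeral client port, logged on the FORWARD chain, and the post closes by asking how much of this there actually is. Before changing the ruleset it is worth counting rather than guessing. The script below is an added example, not part of the original post and not netfilter project code: it parses kernel LOG-target lines of the format shown in the post into minute, log prefix, endpoints and TCP flag set, then tallies flag combinations, counts exact ACK FIN hits from a given source port, and reports the peak per-minute count for one flag set. The lines in SAMPLE_LOG are constructed for the example (addresses, IDs and ports are made up); the "FORWARD :" and "PORT SCAN!: " prefixes are the ones that appear in the post's log line and LOG rule.

```shell
#!/bin/sh
# Constructed netfilter LOG lines (not from the original post; addresses, IDs
# and ports are invented). Two hosts fetch from the web server; one RST probe.
SAMPLE_LOG='Oct 20 11:01:11 fatswan kernel: FORWARD :IN=eth2 OUT=eth1 SRC=10.0.2.10 DST=192.0.2.50 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=60618 DF PROTO=TCP SPT=80 DPT=2698 WINDOW=17225 RES=0x00 ACK FIN URGP=0
Oct 20 11:01:11 fatswan kernel: FORWARD :IN=eth2 OUT=eth1 SRC=10.0.2.10 DST=192.0.2.50 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=60619 DF PROTO=TCP SPT=80 DPT=2698 WINDOW=17225 RES=0x00 ACK FIN URGP=0
Oct 20 11:02:03 fatswan kernel: PORT SCAN!: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=443 DPT=22 WINDOW=0 RES=0x00 RST URGP=0
Oct 20 11:02:05 fatswan kernel: FORWARD :IN=eth0 OUT=eth2 SRC=203.0.113.9 DST=10.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 11:02:07 fatswan kernel: FORWARD :IN=eth0 OUT=eth2 SRC=203.0.113.9 DST=10.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Oct 20 11:02:14 fatswan kernel: FORWARD :IN=eth2 OUT=eth1 SRC=10.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=60700 DF PROTO=TCP SPT=80 DPT=3311 WINDOW=17225 RES=0x00 ACK FIN URGP=0'

# nf_parse: read raw LOG lines on stdin, emit one record per line:
#   HH:MM|prefix|SRC:SPT|DST:DPT|FLAGS
# The prefix is whatever sits between "kernel: " and "IN=". Flag words are
# only taken after the RES= token, so "URGP=0" is never mistaken for URG.
nf_parse() {
    awk '
    {
        pre = $0
        sub(/^.*kernel: /, "", pre)
        sub(/IN=.*$/, "", pre)
        gsub(/[ \t]+$/, "", pre)
        ts = substr($3, 1, 5)                 # "11:01" from "11:01:11"
        src = dst = spt = dpt = flags = ""
        seen_res = 0
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^SRC=/)      src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^SPT=/) spt = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i ~ /^RES=/) seen_res = 1
            else if (seen_res && $i ~ /^(SYN|ACK|FIN|RST|PSH|URG|ECE|CWR)$/)
                flags = (flags == "" ? $i : flags " " $i)
        }
        if (flags == "") flags = "-"
        printf "%s|%s|%s:%s|%s:%s|%s\n", ts, pre, src, spt, dst, dpt, flags
    }'
}

# flag_histogram: stdin raw LOG lines; prints "count flags", most frequent first.
flag_histogram() {
    nf_parse | awk -F'|' '{ c[$5]++ } END { for (f in c) print c[f], f }' | sort -rn
}

# count_fin_ack_from_port PORT: stdin raw LOG lines; number of records whose
# flag set is exactly "ACK FIN" and whose source port is PORT.
count_fin_ack_from_port() {
    nf_parse | awk -F'|' -v port="$1" '
        $5 == "ACK FIN" && $3 ~ (":" port "$") { n++ } END { print n + 0 }'
}

# peak_per_minute "FLAGS": stdin raw LOG lines; highest number of records with
# exactly that flag set logged within any single minute.
peak_per_minute() {
    nf_parse | awk -F'|' -v want="$1" '
        $5 == want { c[$1]++ }
        END { m = 0; for (t in c) if (c[t] > m) m = c[t]; print m }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | flag_histogram
printf 'bare ACK FIN from port 80: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | count_fin_ack_from_port 80)"
printf 'peak ACK FIN per minute:   %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | peak_per_minute 'ACK FIN')"
```

On the firewall itself the same functions work on the real log by replacing the sample with something like: grep 'kernel: .*PROTO=TCP' /var/log/syslog | count_fin_ack_from_port 80. The useful caveat for the rules shown in the post is that their reply-path ACCEPTs match only ESTABLISHED,RELATED; a segment that conntrack no longer associates with a tracked connection matches none of them and falls through to whatever LOG or DROP rule follows, so the histogram tells you whether the hits are confined to connection-closing segments (exactly ACK FIN, source port 80) or whether data segments are being caught as well, which would matter far more for the web server than the closing ones.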


