Ip_conntrack_rpc_tcp


Hi,

I have some trouble with ip_conntrack_rpc_tcp.
It seems that it doesn't find the right RPC packets when making an NFS mount.

Do you have any ideas what I'm doing wrong?

Thanks a lot
Wolfi

Here are the rules
iptables -F
iptables -F PREROUTING -t nat

iptables -P INPUT DROP
iptables -P OUTPUT DROP

iptables -A INPUT -p tcp --dport 111 -j LOG
iptables -A OUTPUT -p tcp --sport 111 -j LOG
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp --dport 111 -m rpc -m state --state NEW -j ACCEPT
iptables -A INPUT -p UDP --dport 111 -m rpc -m state --state NEW -j ACCEPT

iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG



Here is some debugging output


Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: new packet to evaluate ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet has no data (may still be handshaking). [skip]
Mar 23 15:48:54 DEVil kernel: IN=eth0 OUT= MAC=00:30:05:3f:ca:c3:00:e0:00:5e:13:ad:08:00 SRC="" DST=10.8.15.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21635 DF PROTO=TCP SPT=716 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0

Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: new packet to evaluate ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet has no data (may still be handshaking). [skip]
Mar 23 15:48:54 DEVil kernel: IN= OUT=eth0 SRC="" DST=10.8.15.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=111 DPT=716 WINDOW=5792 RES=0x00 ACK SYN URGP=0

Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: new packet to evaluate ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet has no data (may still be handshaking). [skip]
Mar 23 15:48:54 DEVil kernel: IN=eth0 OUT= MAC=00:30:05:3f:ca:c3:00:e0:00:5e:13:ad:08:00 SRC="" DST=10.8.15.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=21636 DF PROTO=TCP SPT=716 DPT=111 WINDOW=5840 RES=0x00 ACK URGP=0

This is the RPC Call

Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: new packet to evaluate ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet is from the initiator. [cont]
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: TCP header length is; tcplen=76 ..   (I added this to debugging-output)
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: tcph id; tcph->doff=8 ..   (I added this to debugging-output)
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet length is not correct. [skip]
Mar 23 15:48:54 DEVil kernel: IN=eth0 OUT= MAC=00:30:05:3f:ca:c3:00:e0:00:5e:13:ad:08:00 SRC="" DST=10.8.15.10 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=21637 DF PROTO=TCP SPT=716 DPT=111 WINDOW=5840 RES=0x00 ACK PSH URGP=0

Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: new packet to evaluate ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet has no data (may still be handshaking). [skip]
Mar 23 15:48:54 DEVil kernel: IN= OUT=eth0 SRC="" DST=10.8.15.12 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=14112 DF PROTO=TCP SPT=111 DPT=716 WINDOW=5792 RES=0x00 ACK URGP=0


This should be the RPC-REPLY
As you can see: tcplen-(tcph->doff*4) != 32
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: new packet to evaluate ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet is from the receiver. [cont]
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: TCP header length is; tcplen=432 .. (I added this to debugging-output)
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: tcph id; tcph->doff=8 .. (I added this to debugging-output)
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet length is not correct. [skip]
Mar 23 15:48:54 DEVil kernel: IN= OUT=eth0 SRC="" DST=10.8.15.12 LEN=452 TOS=0x00 PREC=0x00 TTL=64 ID=14113 DF PROTO=TCP SPT=111 DPT=716 WINDOW=5792 RES=0x00 ACK PSH URGP=0


Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: new packet to evaluate ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet has no data (may still be handshaking). [skip]
Mar 23 15:48:54 DEVil kernel: IN=eth0 OUT= MAC=00:30:05:3f:ca:c3:00:e0:00:5e:13:ad:08:00 SRC="" DST=10.8.15.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=21638 DF PROTO=TCP SPT=716 DPT=111 WINDOW=6432 RES=0x00 ACK URGP=0

Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: new packet to evaluate ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet is from the receiver. [cont]
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: TCP header length is; tcplen=68 ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: tcph id; tcph->doff=8 ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet length is not correct. [skip]
Mar 23 15:48:54 DEVil kernel: IN= OUT=eth0 SRC="" DST=10.8.15.12 LEN=88 TOS=0x00 PREC=0x00 TTL=64 ID=14114 DF PROTO=TCP SPT=111 DPT=716 WINDOW=5792 RES=0x00 ACK PSH URGP=0

Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: new packet to evaluate ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet has no data (may still be handshaking). [skip]
Mar 23 15:48:54 DEVil kernel: IN=eth0 OUT= MAC=00:30:05:3f:ca:c3:00:e0:00:5e:13:ad:08:00 SRC="" DST=10.8.15.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=21639 DF PROTO=TCP SPT=716 DPT=111 WINDOW=6432 RES=0x00 ACK URGP=0

Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: new packet to evaluate ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet has no data (may still be handshaking). [skip]
Mar 23 15:48:54 DEVil kernel: IN=eth0 OUT= MAC=00:30:05:3f:ca:c3:00:e0:00:5e:13:ad:08:00 SRC="" DST=10.8.15.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=21640 DF PROTO=TCP SPT=716 DPT=111 WINDOW=6432 RES=0x00 ACK FIN URGP=0

Mar 23 15:48:54 DEVil kernel: IN=eth0 OUT= MAC=00:30:05:3f:ca:c3:00:e0:00:5e:13:ad:08:00 SRC="" DST=10.8.15.10 LEN=108 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=717 DPT=32771 LEN=88

Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: new packet to evaluate ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet has no data (may still be handshaking). [skip]
Mar 23 15:48:54 DEVil kernel: IN= OUT=eth0 SRC="" DST=10.8.15.12 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=14115 DF PROTO=TCP SPT=111 DPT=716 WINDOW=5792 RES=0x00 ACK FIN URGP=0

Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: new packet to evaluate ..
Mar 23 15:48:54 DEVil kernel: ip_conntrack_rpc_tcp: packet has no data (may still be handshaking). [skip]

This is the NFS mount which will be dropped.

Mar 23 15:48:54 DEVil kernel: IN=eth0 OUT= MAC=00:30:05:3f:ca:c3:00:e0:00:5e:13:ad:08:00 SRC="" DST=10.8.15.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=21641 DF PROTO=TCP SPT=716 DPT=111 WINDOW=6432 RES=0x00 ACK URGP=0
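
Added example, not part of the original post and not code from the netfilter project: a small script that reads helper debug lines in the format shown above, computes the TCP payload length as tcplen - doff*4, and compares it with the fixed size of a portmapper GETPORT call or reply over TCP. The 32-byte reply size is the figure quoted in the post; the 60-byte call size is an assumption derived from the RPC message layout with empty credentials, and all function and constant names are hypothetical.

```python
import re

# Sizes in bytes of a portmapper GETPORT exchange over TCP with empty
# (AUTH_NONE) credentials. Assumption: derived from the RPC message layout,
# not read from the helper's source.
RECORD_MARK = 4                                # TCP record-marking word
BARE_CALL = RECORD_MARK + 10 * 4               # 44: call header, no arguments
GETPORT_CALL = BARE_CALL + 4 * 4               # 60: plus prog, vers, prot, port
GETPORT_REPLY = RECORD_MARK + 6 * 4 + 4        # 32: reply header plus port

# Constructed sample: debug lines rebuilt from the values shown in the post.
SAMPLE_LOG = """\
kernel: ip_conntrack_rpc_tcp: packet is from the initiator. [cont]
kernel: ip_conntrack_rpc_tcp: TCP header length is; tcplen=76 ..
kernel: ip_conntrack_rpc_tcp: tcph id; tcph->doff=8 ..
kernel: ip_conntrack_rpc_tcp: packet length is not correct. [skip]
kernel: ip_conntrack_rpc_tcp: packet is from the receiver. [cont]
kernel: ip_conntrack_rpc_tcp: TCP header length is; tcplen=432 ..
kernel: ip_conntrack_rpc_tcp: tcph id; tcph->doff=8 ..
kernel: ip_conntrack_rpc_tcp: packet is from the receiver. [cont]
kernel: ip_conntrack_rpc_tcp: TCP header length is; tcplen=68 ..
kernel: ip_conntrack_rpc_tcp: tcph id; tcph->doff=8 ..
"""

MSG = re.compile(r"ip_conntrack_rpc_tcp: (.*)$")


def analyse(log):
    """Return (direction, payload_len, expected_len, matches) per data packet."""
    results = []
    direction = tcplen = None
    for line in log.splitlines():
        m = MSG.search(line)
        if not m:
            continue                           # plain LOG-target line, ignore
        msg = m.group(1)
        if "packet is from the" in msg:
            direction = "call" if "initiator" in msg else "reply"
        elif (v := re.search(r"tcplen=(\d+)", msg)):
            tcplen = int(v.group(1))
        elif (v := re.search(r"doff=(\d+)", msg)) and tcplen is not None:
            payload = tcplen - int(v.group(1)) * 4   # doff counts 32-bit words
            expected = GETPORT_CALL if direction == "call" else GETPORT_REPLY
            results.append((direction, payload, expected, payload == expected))
            tcplen = None
    return results


if __name__ == "__main__":
    for row in analyse(SAMPLE_LOG):
        print("%-5s payload=%3d expected=%2d match=%s" % row)
```

On the values from the post, the call carries 44 bytes of payload, which equals BARE_CALL (a call without arguments) rather than the 60 bytes of a GETPORT call, and neither reply segment is 32 bytes.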



