Re: state: INVALID

Jason Opperisano wrote:
> On Sat, 2004-11-20 at 18:18, Björn Schmidt wrote:
>> Jason Opperisano wrote:
>> Here is a(n older) packet that is _falsely_ classified as INVALID (should be
>> ESTABLISHED). I changed the IP address and hostname in the meantime:
>>
>> Oct 29 13:51:05 skyron ILLEGAL_PACKET IN= OUT=eth0 MAC= SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=33085 SEQ=1048000056 ACK=1050690244 WINDOW=5792 ACK SYN URGP=0
>
> well--this is a SYN-ACK packet...without seeing the log rule that creates this "ILLEGAL_PACKET" entry, I can't say.

I changed the log rule(s) that creates "ILLEGAL_PACKET", now it creates "OUTPUT_INVALID", "INPUT_INVALID" and "FORWARD_INVALID". Here is one line from the log with the new rules (client):

Nov 21 23:21:43 gigabyte OUTPUT_INVALID IN= OUT=eth0 MAC= SRC=192.168.1.2 DST=192.168.1.1 LEN=52 TOS=00 PREC=0x00 TTL=64 ID=23692 DF PROTO=TCP SPT=32807 DPT=22 SEQ=798630945 ACK=685050669 WINDOW=1460 ACK URGP=0

The state of this packet should be ESTABLISHED, but it _is_ INVALID.
Perhaps there is a bug in ipsec or netfilter...

> my guess is that your rules do not match your intentions.

Impossible. I have this problem even with this _minimalistic_ ruleset:

gigabyte:~# cat firewall.tmp
#!/bin/sh

iptables  -P INPUT DROP
iptables  -P OUTPUT DROP
iptables  -P FORWARD DROP

iptables  -A INPUT   -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables  -A OUTPUT  -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables  -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

iptables -A INPUT -m state --state INVALID -j ULOG --ulog-prefix INPUT_INVALID
iptables -A OUTPUT -m state --state INVALID -j ULOG --ulog-prefix OUTPUT_INVALID
iptables -A FORWARD -m state --state INVALID -j ULOG --ulog-prefix FORWARD_INVALID

Besides, I forgot to mention that I only get "false INVALID" states with
activated IPsec (esp in transport mode, kernel 2.6). With IPsec _AND_ iptables
it is NOT possible to establish a new tcp connection due to these "INVALID
state packets".

> uh huh... post your rules:
>
> iptables -t mangle -vnxL

gigabyte:~# iptables -t mangle -vnxL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination


Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination


Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination


Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination


Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination



> iptables -t nat -vnxL

gigabyte:~# iptables -t nat -vnxL
Chain PREROUTING (policy ACCEPT 7 packets, 1515 bytes)
pkts bytes target prot opt in out source destination


Chain POSTROUTING (policy ACCEPT 26 packets, 2637 bytes)
pkts bytes target prot opt in out source destination


Chain OUTPUT (policy ACCEPT 26 packets, 2565 bytes)
pkts bytes target prot opt in out source destination


> iptables -vnxL

gigabyte:~# iptables -vnxL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2460 2616788 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID ULOG copy_range 0 nlgroup 1 prefix `INPUT_INVALID' queue_threshold 1


Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID ULOG copy_range 0 nlgroup 1 prefix `FORWARD_INVALID' queue_threshold 1


Chain OUTPUT (policy DROP 38 packets, 2036 bytes)
pkts bytes target prot opt in out source destination
1938 959688 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
38 2036 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID ULOG copy_range 0 nlgroup 1 prefix `OUTPUT_INVALID' queue_threshold 1



Hmmm, it is not possible to establish an ssh connection, but it IS possible to establish a telnet connection (but it needs ~148 seconds until the "skyron login:" appears).

--
Greetings
Bjoern Schmidt
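An added example for readers triaging this kind of report; it is not part of the thread and not netfilter or ulogd code. It parses the iptables/ULOG log lines in the format quoted above (prefix, then `KEY=VALUE` tokens and bare flag tokens such as `DF`, `SYN`, `ACK`), names each TCP segment by its flag combination, and groups the logged packets by connection regardless of direction. Run over the two lines from the thread plus one constructed reply packet (its MAC, ID and timestamp are invented), it shows that what conntrack marks INVALID here is a SYN-ACK in one case and plain ACKs of an already-established ssh flow (port 22 <-> 32807) in both chains in the other, which is the information you want before deciding whether conntrack lost the entry or failed TCP window tracking on it.

```python
"""Triage helper for iptables/ULOG '*_INVALID' log lines (added example)."""
import re
from collections import Counter

# Constructed sample input: the first two lines are the ones quoted in the
# thread, the third is a made-up reply packet from the server side of the
# same ssh connection (MAC address, ID and timestamp are invented).
SAMPLE_LOG = """\
Oct 29 13:51:05 skyron ILLEGAL_PACKET IN= OUT=eth0 MAC= SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=33085 SEQ=1048000056 ACK=1050690244 WINDOW=5792 ACK SYN URGP=0
Nov 21 23:21:43 gigabyte OUTPUT_INVALID IN= OUT=eth0 MAC= SRC=192.168.1.2 DST=192.168.1.1 LEN=52 TOS=00 PREC=0x00 TTL=64 ID=23692 DF PROTO=TCP SPT=32807 DPT=22 SEQ=798630945 ACK=685050669 WINDOW=1460 ACK URGP=0
Nov 21 23:21:44 gigabyte INPUT_INVALID IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=52 TOS=00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=22 DPT=32807 SEQ=685050669 ACK=798630961 WINDOW=5792 ACK URGP=0
"""

# Bare tokens that carry TCP flag bits in the iptables log format.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# syslog timestamp, host, log prefix, then the key=value / flag tokens.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prefix>\S+) (?P<rest>.*)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines in another format."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "prefix": m["prefix"],
           "flags": set(), "df": False}
    for tok in m["rest"].split():
        if "=" in tok:
            key, _, value = tok.partition("=")   # "MAC=" -> ("MAC", "")
            rec[key.lower()] = value
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
        elif tok == "DF":
            rec["df"] = True
    return rec


def segment_kind(flags):
    """Name the TCP segment type by its flag combination."""
    if "RST" in flags:
        return "RST"
    if "SYN" in flags:
        return "SYN-ACK" if "ACK" in flags else "SYN"
    if "FIN" in flags:
        return "FIN"
    if "ACK" in flags:
        return "ACK"
    return "no-flags"


def flow_key(rec):
    """Direction-independent key so both halves of a connection group together."""
    ends = [(rec["src"], int(rec["spt"])), (rec["dst"], int(rec["dpt"]))]
    return tuple(sorted(ends))


def summarize(log_text):
    """Count (log prefix, segment kind) pairs over all parsable TCP lines."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("proto") == "TCP":
            counts[(rec["prefix"], segment_kind(rec["flags"]))] += 1
    return counts


def flows(log_text):
    """Group logged TCP packets by connection, keeping chain prefix and segment kind."""
    grouped = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("proto") == "TCP":
            grouped.setdefault(flow_key(rec), []).append(
                (rec["prefix"], segment_kind(rec["flags"])))
    return grouped


if __name__ == "__main__":
    for (prefix, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{prefix:16} {kind:8} {n}")
    for key, pkts in flows(SAMPLE_LOG).items():
        print(key, pkts)
```

Feed it your own syslog extract instead of SAMPLE_LOG; a flow whose packets show up under both INPUT_INVALID and OUTPUT_INVALID with plain ACKs, as in the ssh case here, points at the connection entry itself rather than at one chain's rules, which matches the reporter's observation that the minimal ruleset does not change the result.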
