On Fri, 2 Jun 2006 15:46:42 -0300
zottmann <zottmann@xxxxxxxxx> wrote:

> Hi !!
>
> We are seeing a lot of packets being blocked at our firewall, coming from
> our webserver, port 80, going to several hosts on the Internet, at high
> ports, with both SET and ACK set.
>
> It seems that these packets are answers from our webserver to connections
> established to it, and, for some reason, their state is not being kept.
>
> How can I track this problem?
>
> We are using iptables 1.3.1, kernel 2.6.11.12, in a Fedora Core 3 machine.

I'm facing the same problem on port 3128.

I guess that may be some kind of virus/worm that uses ports like
80, 1080, 8080, 3128 for spam purposes. They use any HTTP port to connect
to mail servers and send bulk email.

My conntrack table was getting flooded and I set 2 rules, but the problem
keeps on.

    iptables -t nat -I PREROUTING -p tcp ! --syn -m state --state NEW -j DROP
    iptables -I FORWARD -d ${MY_NETWORK} -p tcp --dport 3128 -m state --state NEW -j DROP

Any effective solution would be appreciated.

Thanks

--
Djalma Fadel Junior
Diretor Técnico
Ferasoft Corporation Ltda
+55 (19) 3542-3490
dfadel@xxxxxxxxxxxxxxx
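
One way to approach the "How can I track this problem?" question, as an added example that is not part of the original thread: tally the blocked TCP packets by source port and flag combination, so it is visible whether the firewall is dropping handshake replies or later segments of connections. It assumes a `-j LOG` rule with the hypothetical prefix `FWDROP` placed ahead of the DROP; the log lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample in the kernel's netfilter LOG format, as a hypothetical
# "-j LOG --log-prefix 'FWDROP '" rule ahead of the DROP would write it.
SAMPLE_LOG = """\
Jun  2 15:40:01 fw kernel: FWDROP IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=41022 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jun  2 15:40:04 fw kernel: FWDROP IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=41022 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jun  2 15:40:09 fw kernel: FWDROP IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=5121 DF PROTO=TCP SPT=80 DPT=50311 WINDOW=6432 RES=0x00 ACK FIN URGP=0
Jun  2 15:40:12 fw kernel: FWDROP IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=552 TOS=0x00 PREC=0x00 TTL=63 ID=5377 DF PROTO=TCP SPT=80 DPT=33870 WINDOW=6432 RES=0x00 ACK PSH URGP=0
Jun  2 15:40:15 fw kernel: FWDROP IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=50311 WINDOW=0 RES=0x00 ACK RST URGP=0
Jun  2 15:40:20 fw kernel: FWDROP IN=eth1 OUT=eth0 SRC=192.0.2.20 DST=198.51.100.7 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=3128 DPT=40100 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jun  2 15:40:22 fw kernel: FWDROP IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=53 DPT=40000 LEN=56
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
# The LOG target prints the TCP flags as bare words between RES= and URGP=.
FLAGS = re.compile(r"RES=0x[0-9a-fA-F]+ ((?:[A-Z]{3} )*)URGP=")

# Checked in order; the first entry whose flags are all present names the phase.
PHASES = [({"RST"}, "reset"), ({"SYN", "ACK"}, "handshake-reply"),
          ({"SYN"}, "handshake-open"), ({"FIN"}, "teardown"),
          ({"ACK"}, "established-data")]

def classify(flags):
    """Map a set of TCP flag names to a coarse phase of the connection."""
    return next((name for need, name in PHASES if need <= flags), "other")

def summarize(log_text, prefix="FWDROP"):
    """Count logged TCP drops per (source port, phase) and per destination."""
    by_phase, by_dst = Counter(), Counter()
    for line in log_text.splitlines():
        if prefix not in line:
            continue
        f = dict(FIELD.findall(line))
        m = FLAGS.search(line)
        if f.get("PROTO") != "TCP" or not m or "SPT" not in f:
            continue  # not a TCP entry, or no flag field to read
        by_phase[(int(f["SPT"]), classify(set(m.group(1).split())))] += 1
        by_dst[f["DST"]] += 1
    return by_phase, by_dst

if __name__ == "__main__":
    phases, dsts = summarize(SAMPLE_LOG)
    for (spt, phase), n in phases.most_common():
        print(f"sport={spt:<5} {phase:<17} {n}")
    print("top destinations:", dsts.most_common(3))
```

Run it against the real kernel log by passing the file contents to `summarize()` instead of `SAMPLE_LOG`.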