Re: TCP connection timeout problem


Just did some more investigation. Didn't test with tcpdump yet as this issue is not reproducible easily :-S Anyway it turns out that the packets shown have state "INVALID" (as opposed to ESTABLISHED or NEW). So somehow iptables "thinks" they no longer belong to a connection (somehow)....

Arno van Amersfoort wrote:

> Jozsef Kadlecsik wrote:
>> On Tue, 11 Jul 2006, Arno van Amersfoort wrote:
>>
>>> I think I already stumbled into this bug in the past, I recall that this
>>> bug was in 2.6.14.
>>> Anyway, I've tried to disable tcp_sack & tcp_dsack but no luck. I also
>>> upgraded to 2.6.17.4 but this doesn't help either :-S I'm also getting
>>> packets like this for "open ports" (with i.e. -p tcp --dport 22 --syn -j
>>> ACCEPT) giving:
>>>
>>> Jul 11 04:02:59 rulhm2 kernel: Stealth scan (PRIV)?: IN=eth0 OUT=
>>> MAC=00:01:02:05:1d:25:00:01:03:d2:b8:75:08:00 SRC=132.229.96.110 DST=132.229.96.12 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=34709 DF PROTO=TCP
>>> SPT=39536 DPT=445 WINDOW=5840 RES=0x00 ACK FIN URGP=0
>>
>> I don't understand how it is related to an open ssh port.
>
> Sorry about that. It should (of course) be -p tcp --dport 445 --syn -j ACCEPT . (I'm running Samba on this machine). But do note that this issue doesn't specifically happen with Samba. I've also seen it happen with http packets...
>
>>> Any other suggestions?
>>
>> Enable logging invalid packets via
>> /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid then record by
>> tcpdump a whole TCP session which triggers the problem. Then send me the
>> capture file and the corresponding kernel log entries.
>
> Ok. I will try to do this. And let you know my findings.
>
>> Best regards,
>> Jozsef
>> -
>> E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
>> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
>> Address : KFKI Research Institute for Particle and Nuclear Physics
>>           H-1525 Budapest 114, POB. 49, Hungary



--
Ing. A.C.J. van Amersfoort (Arno)
Department Of Electronics (ELD, k1007)
Huygens Laboratory
Leiden University
P.O. Box 9504
Niels Bohrweg 2
2333 CA Leiden
The Netherlands
----------------------------------------------------------------
Phone : +31-(0)71-527.1894   Fax: +31-(0)71-527.5819
E-mail: a.c.j.van.amersfoort@xxxxxxxxxxxxxxxxxxxxxxxxx
----------------------------------------------------------------
Arno's (Linux firewall) homepage: http://rocky.eld.leidenuniv.nl
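
The logged packet above carries ACK FIN, which a `--syn` rule never matches, so it can only be accepted through connection state (assuming the ruleset accepts ESTABLISHED traffic in a separate rule). The following Python is an added example, not code from the thread: it parses netfilter LOG lines and lists non-SYN packets to ports that are meant to be open, which are the flows to correlate with the tcpdump capture. The function names and the second sample line are constructed.

```python
import re
from collections import Counter

# Constructed sample input: line 1 is the entry quoted in the thread, joined
# onto one line; line 2 is a made-up SYN entry added for contrast.
SAMPLE_LOG = """\
Jul 11 04:02:59 rulhm2 kernel: Stealth scan (PRIV)?: IN=eth0 OUT= MAC=00:01:02:05:1d:25:00:01:03:d2:b8:75:08:00 SRC=132.229.96.110 DST=132.229.96.12 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=34709 DF PROTO=TCP SPT=39536 DPT=445 WINDOW=5840 RES=0x00 ACK FIN URGP=0
Jul 11 04:03:10 rulhm2 kernel: Example prefix: IN=eth0 OUT= SRC=192.0.2.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
"""

KV = re.compile(r"(\w+)=(\S*)")              # KEY=value pairs (value may be empty)
FLAGS = re.compile(r"RES=\S+ (.*?)\s*URGP=")  # TCP flag names sit between RES= and URGP=
SYN_MASK = {"SYN", "RST", "ACK", "FIN"}       # bits examined by iptables --syn


def parse_log_line(line):
    """Return the LOG fields as a dict plus a 'FLAGS' set, or None if not TCP."""
    fields = dict(KV.findall(line))
    m = FLAGS.search(line)
    if fields.get("PROTO") != "TCP" or m is None:
        return None
    fields["FLAGS"] = set(m.group(1).split())
    return fields


def matches_syn(flags):
    """True if --syn (i.e. --tcp-flags SYN,RST,ACK,FIN SYN) would match."""
    return flags & SYN_MASK == {"SYN"}


def triage(log_text, open_ports):
    """Count logged non-SYN packets to open ports, keyed by flow and flags."""
    hits = Counter()
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        if pkt is None or int(pkt["DPT"]) not in open_ports:
            continue
        if not matches_syn(pkt["FLAGS"]):  # needed conntrack state to pass
            flags = " ".join(sorted(pkt["FLAGS"]))
            hits[(pkt["SRC"], pkt["SPT"], pkt["DST"], pkt["DPT"], flags)] += 1
    return hits


if __name__ == "__main__":
    for flow, count in triage(SAMPLE_LOG, {445}).items():
        print(count, *flow)
```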


