This is on a machine sitting behind another firewall. It runs Debian, with debian linux-image-2.6.18-5-686 2.6.18.dfsg.1-13etch2.

Once in a while, we see some unexpected ACK+RST going out of the server (the incoming SYN should have been dropped since the source port is not explicitly allowed in INPUT):

On Thu, Sep 13, 2007 at 09:02:12 +0200, logcheck system account wrote:
> Sep 13 08:35:09 kernel: IN= OUT=eth0 SRC=140.77.x.y DST=152.77.24.38 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=17699 DF PROTO=TCP SPT=54597 DPT=62603 WINDOW=952 RES=0x00 ACK RST URGP=0

On Sat, Sep 15, 2007 at 20:02:12 +0200, logcheck system account wrote:
> Sep 15 19:53:28 kernel: IN= OUT=eth0 SRC=140.77.x.y DST=61.29.145.234 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=28476 DF PROTO=TCP SPT=41636 DPT=2948 WINDOW=5840 RES=0x00 ACK RST URGP=0
> Sep 15 19:53:31 kernel: IN= OUT=eth0 SRC=140.77.x.y DST=61.29.145.234 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=43810 DF PROTO=TCP SPT=36437 DPT=2868 WINDOW=5840 RES=0x00 ACK RST URGP=0

On Sun, Sep 16, 2007 at 05:02:12 +0200, logcheck system account wrote:
> Sep 16 04:52:53 kernel: IN= OUT=eth0 SRC=140.77.x.y DST=221.206.165.157 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=41883 DF PROTO=TCP SPT=54608 DPT=1786 WINDOW=5840 RES=0x00 ACK RST URGP=0

iptables -v -L looks like this (mangle and nat are empty):

Chain INPUT (policy DROP 19 packets, 988 bytes)
 pkts bytes target     prot opt in     out     source               destination
7060K 2416M ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0
  200 17395 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 264K   28M ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
1364K  917M ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    1    40 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
 282K   16M ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
 177K   44M ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
10377  917K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:22
 766K   56M ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:25
 3532  644K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:53
 812K  154M ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:53
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
 6686  508K ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:123
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
41603 2569K ACCEPT     tcp  --  eth0   *       140.77.0.0/16        0.0.0.0/0            tcp dpt:1119
 132K 9442K ACCEPT     tcp  --  eth0   *       140.77.0.0/16        0.0.0.0/0            tcp dpt:4030
35174 4593K DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
 9876  316K DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
  530 26036 REJECT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 reject-with icmp-port-unreachable
  132  6336 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 135:139,445
    0     0 DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 135:139,445
   18   936 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 12 packets, 624 bytes)
 pkts bytes target     prot opt in     out     source               destination
7060K 2416M ACCEPT     0    --  *      lo      0.0.0.0/0            0.0.0.0/0
 2865  360K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 264K  172M ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:22
1210K   90M ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:25
    1    40 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:53
 535K  775M ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:80
 232K  264M ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:443
28184 2609K ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:22
1030K  989M ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:25
 4235  251K ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp spt:53
 822K   62M ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp dpt:53
 7017  533K ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp spt:123
    0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp dpt:123
33220 4951K ACCEPT     tcp  --  *      eth0    0.0.0.0/0            140.77.0.0/16        tcp spt:1119
 103K   34M ACCEPT     tcp  --  *      eth0    0.0.0.0/0            140.77.0.0/16        tcp spt:4030
   12   624 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Related modules loaded:

iptable_mangle          2880  0
iptable_nat             7044  0
ip_nat                 16876  1 iptable_nat
ip_conntrack           49088  2 iptable_nat,ip_nat
nfnetlink               6680  2 ip_nat,ip_conntrack
ipt_LOG                 6112  2
xt_multiport            3264  2
ipt_REJECT              5248  1
ipt_addrtype            1952  2
xt_tcpudp               3136  61
iptable_filter          3104  1
ip_tables              13028  3 iptable_mangle,iptable_nat,iptable_filter
x_tables               13316  7 iptable_nat,ipt_LOG,xt_multiport,ipt_REJECT,ipt_addrtype,xt_tcpudp,ip_tables

Anything obvious we missed, or is this a bug somewhere?

regards,
Benoit
-- 
:wq
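The check a reader of the post above would want to run is mechanical: for each logged outbound ACK+RST, swap addresses and ports to get the inbound segment it answers, and see whether any rule of the stateless INPUT chain would have accepted that segment. The script below does exactly that over the three LOG lines quoted in the post. It is an added example, not code from the poster or from the netfilter project; the INPUT chain is reduced to its TCP ACCEPT rules on eth0 as listed in the post (ADDRTYPE, multiport and the UDP rules are left out because the logged packets are TCP), and the probe address 198.51.100.7 at the end is constructed.

```python
"""Parse netfilter LOG lines and check the inbound packet each outbound
ACK+RST answers against a stateless INPUT ruleset.
Added example; the ruleset below is a simplified model of the posted
'iptables -v -L' output, not the poster's configuration itself."""
import ipaddress

# Constructed sample input: the three ACK+RST lines quoted in the post,
# with the source address octets elided exactly as the poster elided them.
SAMPLE_LOG = """\
Sep 13 08:35:09 kernel: IN= OUT=eth0 SRC=140.77.x.y DST=152.77.24.38 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=17699 DF PROTO=TCP SPT=54597 DPT=62603 WINDOW=952 RES=0x00 ACK RST URGP=0
Sep 15 19:53:28 kernel: IN= OUT=eth0 SRC=140.77.x.y DST=61.29.145.234 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=28476 DF PROTO=TCP SPT=41636 DPT=2948 WINDOW=5840 RES=0x00 ACK RST URGP=0
Sep 16 04:52:53 kernel: IN= OUT=eth0 SRC=140.77.x.y DST=221.206.165.157 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=41883 DF PROTO=TCP SPT=54608 DPT=1786 WINDOW=5840 RES=0x00 ACK RST URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}


def parse_log_line(line):
    """Return (fields, flags) for one kernel LOG line.
    KEY=VALUE tokens go into fields (IN= yields an empty string);
    bare TCP flag words such as ACK and RST go into flags."""
    body = line.split("kernel:", 1)[-1]
    fields, flags = {}, set()
    for tok in body.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return fields, flags


# Simplified model of the post's INPUT chain: the TCP ACCEPT rules on eth0,
# as (source network, matched port field, port). The chain is stateless, so
# none of these rules looks at TCP flags or connection state.
INPUT_TCP_ACCEPT = [
    ("0.0.0.0/0", "dpt", 22), ("0.0.0.0/0", "dpt", 25), ("0.0.0.0/0", "dpt", 53),
    ("0.0.0.0/0", "dpt", 80), ("0.0.0.0/0", "dpt", 443),
    ("0.0.0.0/0", "spt", 22), ("0.0.0.0/0", "spt", 25), ("0.0.0.0/0", "spt", 53),
    ("140.77.0.0/16", "dpt", 1119), ("140.77.0.0/16", "dpt", 4030),
]


def matching_input_rule(src, spt, dpt, rules=INPUT_TCP_ACCEPT):
    """First rule that would ACCEPT an inbound TCP segment from src:spt to
    local port dpt, or None if the chain's DROP policy would apply."""
    src_ip = ipaddress.ip_address(src)
    for net, field, port in rules:
        if src_ip not in ipaddress.ip_network(net):
            continue
        if (field == "spt" and spt == port) or (field == "dpt" and dpt == port):
            return (net, field, port)
    return None


def reverse_tuple(fields):
    """The inbound segment an outbound TCP segment answers: swap ends.
    Returns (remote address, remote port, local port)."""
    return fields["DST"], int(fields["DPT"]), int(fields["SPT"])


def unexplained_resets(log_text):
    """Outbound ACK+RST lines (IN empty, OUT set) whose triggering inbound
    segment would not have been accepted by any INPUT rule."""
    found = []
    for line in log_text.splitlines():
        if "PROTO=TCP" not in line:
            continue
        fields, flags = parse_log_line(line)
        if fields.get("IN", "") != "" or not fields.get("OUT"):
            continue
        if not {"ACK", "RST"} <= flags:
            continue
        remote, rport, lport = reverse_tuple(fields)
        if matching_input_rule(remote, rport, lport) is None:
            found.append((remote, rport, lport))
    return found


if __name__ == "__main__":
    for remote, rport, lport in unexplained_resets(SAMPLE_LOG):
        print(f"RST answers {remote}:{rport} -> local:{lport}; "
              f"no INPUT ACCEPT rule admits that segment")
    # Constructed probe (not from the post): a SYN arriving from source
    # port 22 to a closed local port is accepted by 'tcp spt:22' regardless
    # of flags, and the kernel would answer it with an RST.
    print("probe from 198.51.100.7:22 matches", matching_input_rule("198.51.100.7", 22, 60000))
```

All three quoted resets come back as unexplained by the modelled rules, which is the poster's own observation expressed as a check; the probe at the end shows the other half of the picture, namely that the `spt:22/25/53` ACCEPTs admit any inbound segment carrying one of those source ports, so a reset answering such a segment would be expected rather than surprising.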