Hi, like others, I'm facing some conntrack problems. A typical log entry looks like this:

> Nov 14 10:46:22 lain fire: INVALID IN=eth0 OUT= MAC=00:e0:81:5c:f7:d9:00:02:85:04:0e:c0:08:00 SRC=a.b.c.d DST=88.198.253.172 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=47775 DF PROTO=TCP SPT=49184 DPT=993 WINDOW=65535 RES=0x00 ACK RST URGP=0
> Nov 14 10:46:22 lain fire: INPUT IN=eth0 OUT= MAC=00:e0:81:5c:f7:d9:00:02:85:04:0e:c0:08:00 SRC=a.b.c.d DST=88.198.253.172 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=47775 DF PROTO=TCP SPT=49184 DPT=993 WINDOW=65535 RES=0x00 ACK RST URGP=0
> Nov 14 10:46:22 lain fire: OUTPUT IN= OUT=eth0 SRC=88.198.253.172 DST=a.b.c.d LEN=68 TOS=0x00 PREC=0xC0 TTL=64 ID=13872 PROTO=ICMP TYPE=3 CODE=13 [SRC=a.b.c.d DST=88.198.253.172 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=47775 DF PROTO=TCP SPT=49184 DPT=993 WINDOW=65535 RES=0x00 ACK RST URGP=0 ]

lain is an IMAP server. This is not happening in any FORWARDING chain. I have one more server with this same kind of problem. "ACK RST" and "ACK FIN" packets are involved.
> $ uname -a
> Linux lain 2.6.22-gentoo-r8-lain #2 SMP Wed Oct 24 13:48:14 CEST 2007 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 3800+ AuthenticAMD GNU/Linux

> sysctl -a| grep -i conntrack
> net.netfilter.nf_conntrack_generic_timeout = 600
> net.netfilter.nf_conntrack_max = 65536
> net.netfilter.nf_conntrack_count = 127
> net.netfilter.nf_conntrack_buckets = 8192
> net.netfilter.nf_conntrack_checksum = 1
> net.netfilter.nf_conntrack_log_invalid = 1
> net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
> net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
> net.netfilter.nf_conntrack_tcp_timeout_established = 432000
> net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
> net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
> net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
> net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
> net.netfilter.nf_conntrack_tcp_timeout_close = 10
> net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
> net.netfilter.nf_conntrack_tcp_loose = 1
> net.netfilter.nf_conntrack_tcp_be_liberal = 0
> net.netfilter.nf_conntrack_tcp_max_retrans = 3
> net.netfilter.nf_conntrack_udp_timeout = 30
> net.netfilter.nf_conntrack_udp_timeout_stream = 180
> net.netfilter.nf_conntrack_icmp_timeout = 30
> net.nf_conntrack_max = 65536

The rules are basically like the following set:

> $fw -A INPUT -m state --state INVALID -j LOG --log-prefix "fire: INVALID "
> $fw -A INPUT -i $dev -m state --state ESTABLISHED,RELATED -s $world -d $myip -j ACCEPT
> $fw -A OUTPUT -o $dev -m state --state ESTABLISHED,RELATED -d $world -s $myip -j ACCEPT
> $fw -A INPUT -i $dev -p tcp -m tcp -m state --state NEW --syn -s $world --sport 1024: -d $myip --dport 993 -j ACCEPT

Those rules are working most of the time. But there are quite a number of invalid connections...

Bye, Aiko
-- 
:wq
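An added example, not part of Aiko's post and not netfilter code: a small Python parser for the iptables LOG format quoted above. It splits the `KEY=VALUE` fields from the bare flag tokens (`DF`, `ACK`, `RST`, ...), extracts the TCP header that the ICMP type 3 code 13 reply (the host's "administratively prohibited" answer to the rejected segment) quotes in square brackets, labels every `INVALID` entry by its TCP flag combination, and pairs each `INVALID` entry with the ICMP reply sent for the same segment by matching the quoted IP ID and source port. The sample log is constructed to match the post's format; the two extra `INVALID` lines (`ACK FIN` and `ACK PSH`), the hypothetical `fire` prefix handling and the class names (`late-teardown`, `mid-stream`, `handshake`) are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample modelled on the post's iptables LOG lines; a.b.c.d is kept as the
# unresolved placeholder used in the original. The last two INVALID lines are invented.
SAMPLE_LOG = """\
Nov 14 10:46:22 lain fire: INVALID IN=eth0 OUT= MAC=00:e0:81:5c:f7:d9:00:02:85:04:0e:c0:08:00 SRC=a.b.c.d DST=88.198.253.172 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=47775 DF PROTO=TCP SPT=49184 DPT=993 WINDOW=65535 RES=0x00 ACK RST URGP=0
Nov 14 10:46:22 lain fire: INPUT IN=eth0 OUT= MAC=00:e0:81:5c:f7:d9:00:02:85:04:0e:c0:08:00 SRC=a.b.c.d DST=88.198.253.172 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=47775 DF PROTO=TCP SPT=49184 DPT=993 WINDOW=65535 RES=0x00 ACK RST URGP=0
Nov 14 10:46:22 lain fire: OUTPUT IN= OUT=eth0 SRC=88.198.253.172 DST=a.b.c.d LEN=68 TOS=0x00 PREC=0xC0 TTL=64 ID=13872 PROTO=ICMP TYPE=3 CODE=13 [SRC=a.b.c.d DST=88.198.253.172 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=47775 DF PROTO=TCP SPT=49184 DPT=993 WINDOW=65535 RES=0x00 ACK RST URGP=0 ]
Nov 14 10:47:01 lain fire: INVALID IN=eth0 OUT= MAC=00:e0:81:5c:f7:d9:00:02:85:04:0e:c0:08:00 SRC=a.b.c.d DST=88.198.253.172 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=47801 DF PROTO=TCP SPT=49190 DPT=993 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Nov 14 10:47:30 lain fire: INVALID IN=eth0 OUT= MAC=00:e0:81:5c:f7:d9:00:02:85:04:0e:c0:08:00 SRC=a.b.c.d DST=88.198.253.172 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=47900 DF PROTO=TCP SPT=49200 DPT=993 WINDOW=65535 RES=0x00 ACK PSH URGP=0
"""

# syslog timestamp, host, then the --log-prefix ("fire: <chain> ") and the packet fields
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prefix>\S+): (?P<chain>\S+) (?P<body>.*)$"
)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}


def parse_fields(body):
    """Turn 'KEY=VALUE' tokens into a dict; bare tokens (DF, ACK, RST, ...) go into FLAGS."""
    fields, flags = {}, set()
    for tok in body.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value          # OUT= yields an empty string, as in the log
        elif tok not in ("[", "]"):
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields


def parse_line(line):
    """Parse one LOG line; ICMP error lines carry the offending header in [ ... ] as INNER."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    body, inner = m.group("body"), None
    lb = body.find("[")
    if lb != -1:
        rb = body.rfind("]")
        inner = parse_fields(body[lb + 1:rb])
        body = body[:lb] + body[rb + 1:]
    rec = parse_fields(body)
    rec.update(ts=m.group("ts"), host=m.group("host"), chain=m.group("chain"))
    if inner is not None:
        rec["INNER"] = inner
    return rec


def classify_invalid(rec):
    """Label an INVALID entry by the TCP flags conntrack refused (class names are ours)."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["FLAGS"] & TCP_FLAGS
    if "SYN" in flags:
        return "handshake"
    if flags & {"RST", "FIN"}:
        return "late-teardown"       # RST/FIN without a conntrack entry cannot start a flow
    return "mid-stream"              # ACK/PSH data that did not fit an existing entry


def summarize(log_text):
    """Count INVALID hits per class and per (SRC, DST, DPT) so noisy peers stand out."""
    by_class, by_flow = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["chain"] != "INVALID":
            continue
        by_class[classify_invalid(rec)] += 1
        by_flow[(rec["SRC"], rec["DST"], rec.get("DPT"))] += 1
    return by_class, by_flow


def match_rejects(records):
    """Pair each INVALID TCP entry with the ICMP error the host sent back for that segment,
    keyed on the source address, source port and IP ID quoted inside the ICMP payload."""
    invalid = {(r["SRC"], r["SPT"], r["ID"]): r
               for r in records if r["chain"] == "INVALID" and r.get("PROTO") == "TCP"}
    pairs = []
    for r in records:
        inner = r.get("INNER")
        if r["chain"] == "OUTPUT" and r.get("PROTO") == "ICMP" and inner:
            key = (inner.get("SRC"), inner.get("SPT"), inner.get("ID"))
            if key in invalid:
                pairs.append((invalid[key], r))
    return pairs


if __name__ == "__main__":
    by_class, by_flow = summarize(SAMPLE_LOG)
    print("INVALID by class:", dict(by_class))
    print("INVALID by flow :", dict(by_flow))
    records = [r for r in map(parse_line, SAMPLE_LOG.splitlines()) if r]
    for inv, icmp in match_rejects(records):
        print("segment ID=%s from %s:%s rejected with ICMP type %s code %s"
              % (inv["ID"], inv["SRC"], inv["SPT"], icmp["TYPE"], icmp["CODE"]))
```

Run against the post's own three lines, the only `INVALID` hit is an `ACK RST` segment, i.e. a teardown for a connection conntrack has no entry for, and the `OUTPUT` line is the ICMP "administratively prohibited" reply the host generated for it; the pairing function shows the two belong to the same IP ID 47775. Counting by class and by flow over a real day of logs separates this expected background of late RST/FIN segments from anything that would actually merit attention, such as `INVALID` hits on handshake packets.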