Hi list,
I have a somewhat complicated script.
But I do not understand the following output of it.
1. ESTABLISHED packets without the 0x100 or 0x200 mark ???
2. NEW packets without the 0x200 mark and without SYN ???
3. INVALID packets with SYN/ACK ??? (As a first packet maybe? Should I drop it?)
4. A connection that started from internal gets validated as WRONG_NEW (with a simple SYN)...
Can anyone tell me how the conntrack system works in detail?
Thanks
Swifty
Chain con_tcp (1 references)
pkts bytes target prot
0 0 INVALID tcp tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
0 0 INVALID tcp tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
0 0 INVALID tcp tcp flags:SYN,RST/SYN,RST
5224 209K INVALID tcp tcp flags:FIN,RST/FIN,RST
0 0 INVALID tcp tcp flags:FIN,SYN/FIN,SYN
2477 101K ACCEPT all ctstate RELATED
145K 7215K tcp_NEW_2 all [goto] CONNMARK match 0x200/0x300 ctstate ESTABLISHED
11M 7920M ACCEPT all CONNMARK match 0x100/0x300 ctstate ESTABLISHED
2880K 1666M ACCEPT all ctstate ESTABLISHED
272K 15M tcp_NEW all [goto] ctstate NEW
29796 2233K tcp_INV all [goto] ctstate INVALID
0 0 LOG all LOG level debug tcp-sequence tcp-options ip-options uid prefix `UNKNOWN:'
0 0 ACCEPT all
Chain tcp_NEW (1 references)
pkts bytes target prot
232K 13M tcp_NEW_1 tcp [goto] tcp flags:FIN,SYN,RST,ACK/SYN CONNMARK match 0x0/0x300
38579 2014K tcp_NEW_2 all [goto] CONNMARK match 0x200/0x300
969 212K LOG all LOG level debug tcp-sequence tcp-options ip-options uid prefix `WRONG_NEW:'
969 212K ACCEPT all
Chain tcp_NEW_1 (1 references)
pkts bytes target prot
232K 13M CONNMARK all CONNMARK set 0x200/0x300
232K 13M RETURN all
Chain tcp_NEW_2 (3 references)
pkts bytes target prot
184K 9229K CONNMARK all CONNMARK set 0x100/0x300
184K 9229K ACCEPT all
Chain tcp_INV (1 references)
pkts bytes target prot
0 0 tcp_NEW_2 all [goto] CONNMARK match 0x200/0x300
2148 85920 ACCEPT tcp tcp flags:FIN,SYN,RST,PSH,ACK,URG/RST
24624 986K ACCEPT tcp tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,ACK
86 15329 ACCEPT tcp tcp flags:FIN,SYN,RST,PSH,ACK,URG/PSH,ACK
752 30110 ACCEPT tcp tcp flags:FIN,SYN,RST,PSH,ACK,URG/RST,ACK
80 4088 ACCEPT tcp tcp flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK
1507 289K ACCEPT tcp tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,ACK
599 822K INVALID all
And a few logs:
INVALID: IN=ppp0 OUT= MAC= SRC=189.11.239.248 DST=EXT_IP LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=17760 PROTO=TCP SPT=50698 DPT=4492 SEQ=0 ACK=3777589785 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
INVALID: IN=ppp0 OUT= MAC= SRC=78.149.78.12 DST=EXT_IP LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=61449 PROTO=TCP SPT=57102 DPT=4495 SEQ=0 ACK=1455119138 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
INVALID: IN=ppp0 OUT= MAC= SRC=189.11.239.248 DST=EXT_IP LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=17770 PROTO=TCP SPT=50698 DPT=4492 SEQ=0 ACK=3777589785 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
INVALID: IN=ppp0 OUT= MAC= SRC=78.149.78.12 DST=EXT_IP LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=61457 PROTO=TCP SPT=57102 DPT=4495 SEQ=0 ACK=1455119138 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
WRONG_NEW:IN=br1 OUT=ppp0 PHYSIN=lan1 SRC=INT_IP DST=85.131.72.154 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=14307 DF PROTO=TCP SPT=4796 DPT=52045 SEQ=4243195870 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405AC0103030001010402)
WRONG_NEW:IN=br1 OUT=ppp0 PHYSIN=lan1 SRC=INT_IP DST=84.3.29.226 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=14322 DF PROTO=TCP SPT=4797 DPT=6881 SEQ=2594461565 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405AC0103030001010402)
WRONG_NEW:IN=br1 OUT=ppp0 PHYSIN=lan1 SRC=INT_IP DST=90.52.165.175 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=14323 DF PROTO=TCP SPT=4798 DPT=50428 SEQ=2039438787 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405AC0103030001010402)
-
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
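Editor's note, added example (this is not Swifty's script and not netfilter project code): the questions above are about which rule in the listed chains a packet ends at, and that is decided by the rules alone once conntrack has assigned ctstate and connmark. The script below re-encodes the listed chains as data and walks them with iptables' jump/goto/RETURN semantics, where --goto pushes no return point, so a RETURN inside a chain reached by goto resumes in the last chain entered with --jump. Conntrack itself is not modelled; ctstate and connmark are inputs. Two things in it are assumptions, because the post does not show them: the caller of con_tcp is a hypothetical chain named PARENT whose end is reported as POLICY(assumed), and the user chain INVALID is treated as a terminal verdict.

```python
# Added example (not from the post): walk the listed chains with iptables'
# jump/goto/RETURN semantics.  ctstate and connmark are inputs; conntrack itself
# is not modelled.  PARENT (caller of con_tcp) and terminal INVALID are assumed.
ALL = frozenset("FIN SYN RST PSH ACK URG".split())

def flags(mask, cmp):  # --tcp-flags MASK COMP: the masked bits must equal COMP
    mask, cmp = frozenset(mask), frozenset(cmp)
    return lambda p: (p["flags"] & mask) == cmp

def state(s):  # -m conntrack --ctstate
    return lambda p: p["ctstate"] == s

def connmark(value, mask):  # -m connmark --mark value/mask
    return lambda p: (p["connmark"] & mask) == value

# rule = (tuple of matchers, target); () matches everything.  Targets: "ACCEPT",
# "RETURN", "INVALID", ("jump", c), ("goto", c), ("log", prefix), ("setmark", v, m)
CHAINS = {
    "PARENT": [((), ("jump", "con_tcp"))],  # assumed caller, not in the post
    "con_tcp": [
        ((flags(ALL, ()),), "INVALID"),
        ((flags(ALL, ("FIN", "PSH", "URG")),), "INVALID"),
        ((flags(("SYN", "RST"), ("SYN", "RST")),), "INVALID"),
        ((flags(("FIN", "RST"), ("FIN", "RST")),), "INVALID"),
        ((flags(("FIN", "SYN"), ("FIN", "SYN")),), "INVALID"),
        ((state("RELATED"),), "ACCEPT"),
        ((connmark(0x200, 0x300), state("ESTABLISHED")), ("goto", "tcp_NEW_2")),
        ((connmark(0x100, 0x300), state("ESTABLISHED")), "ACCEPT"),
        ((state("ESTABLISHED"),), "ACCEPT"),
        ((state("NEW"),), ("goto", "tcp_NEW")),
        ((state("INVALID"),), ("goto", "tcp_INV")),
        ((), ("log", "UNKNOWN:")),
        ((), "ACCEPT"),
    ],
    "tcp_NEW": [
        ((flags(("FIN", "SYN", "RST", "ACK"), ("SYN",)), connmark(0x0, 0x300)),
         ("goto", "tcp_NEW_1")),
        ((connmark(0x200, 0x300),), ("goto", "tcp_NEW_2")),
        ((), ("log", "WRONG_NEW:")),
        ((), "ACCEPT"),
    ],
    "tcp_NEW_1": [((), ("setmark", 0x200, 0x300)), ((), "RETURN")],
    "tcp_NEW_2": [((), ("setmark", 0x100, 0x300)), ((), "ACCEPT")],
    "tcp_INV": [
        ((connmark(0x200, 0x300),), ("goto", "tcp_NEW_2")),
        ((flags(ALL, ("RST",)),), "ACCEPT"),
        ((flags(ALL, ("FIN", "ACK")),), "ACCEPT"),
        ((flags(ALL, ("PSH", "ACK")),), "ACCEPT"),
        ((flags(ALL, ("RST", "ACK")),), "ACCEPT"),
        ((flags(ALL, ("SYN", "ACK")),), "ACCEPT"),
        ((flags(ALL, ("FIN", "PSH", "ACK")),), "ACCEPT"),
        ((), "INVALID"),
    ],
}

def trace(ctstate, ctmark, *tcp_flags, chains=CHAINS, start="PARENT"):
    """Return (verdict, path, log_prefixes, final_connmark) for one packet.
    path holds "chain:rule" for each matched rule.  --goto pushes no return
    point, so RETURN in a goto'd chain resumes after the last --jump."""
    pkt = {"ctstate": ctstate, "connmark": ctmark, "flags": frozenset(tcp_flags)}
    path, logs, stack, chain, idx = [], [], [], start, 0
    while True:
        rules = chains[chain]
        if idx >= len(rules):  # end of chain: back to the jump caller, or policy
            if not stack:
                return "POLICY(assumed)", path, logs, pkt["connmark"]
            chain, idx = stack.pop()
            continue
        matchers, target = rules[idx]
        if not all(m(pkt) for m in matchers):
            idx += 1
            continue
        path.append(f"{chain}:{idx + 1}")
        if target in ("ACCEPT", "INVALID"):
            return target, path, logs, pkt["connmark"]
        if target == "RETURN":
            idx = len(rules)
        elif target[0] == "jump":
            stack.append((chain, idx + 1))
            chain, idx = target[1], 0
        elif target[0] == "goto":
            chain, idx = target[1], 0
        elif target[0] == "log":  # LOG is non-terminating
            logs.append(target[1])
            idx += 1
        else:  # CONNMARK --set-mark: ctmark = (ctmark & ~mask) | (value & mask)
            pkt["connmark"] = (pkt["connmark"] & ~target[2]) | (target[1] & target[2])
            idx += 1

if __name__ == "__main__":
    for label, *args in [
        ("first SYN from the LAN, mark 0", "NEW", 0x0, "SYN"),
        ("SYN, NEW, mark already 0x100", "NEW", 0x100, "SYN"),
        ("SYN/ACK reply, mark 0x200", "ESTABLISHED", 0x200, "SYN", "ACK"),
        ("FIN/RST/ACK as in the INVALID logs", "INVALID", 0x0, "FIN", "RST", "ACK"),
    ]:
        verdict, path, logs, mark = trace(*args)
        print(f"{label:36} -> {verdict:15} mark={mark:#05x} {logs} via {' > '.join(path)}")
```

What the trace makes visible: a first SYN with mark 0 is marked 0x200 in tcp_NEW_1 and then RETURNs, but because tcp_NEW and tcp_NEW_1 were both entered with [goto], that RETURN lands in the chain that jumped to con_tcp, so the SYN is never ACCEPTed inside these chains at all. A NEW packet that is not a bare SYN, or a SYN whose connection already carries 0x100, fails both of the first two tcp_NEW rules and falls through to the WRONG_NEW log. An ESTABLISHED packet with neither mark reaches the plain "ctstate ESTABLISHED ACCEPT" rule, and the FIN/RST/ACK packets in the logs match the "FIN,RST/FIN,RST" rule before ctstate is even consulted. The verdict on the SYN/ACK in tcp_INV is the ACCEPT on its sixth rule.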