Hi,

Additional information. Dropped packets are in the filter FORWARD chain. Packets coming from eth2 (DMZ) to eth0 (INTERNET) are NEW,RELATED,ESTABLISHED ACCEPT and packets coming from eth0 to eth2 are RELATED,ESTABLISHED. This way:

# DMZ -> Internet: allow new outbound HTTP from one of my IPs to 200.x.x.x
# (-p tcp added here: --dport/--sport are only valid together with a protocol match)
iptables -A FORWARD -i eth2 -o eth0 -p tcp -s one.of.my.ips -d 200.x.x.x --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -j drop-log-some-chain-made-by-me   # <- here, LOG and DROP

# Internet -> DMZ: only replies to connections conntrack already knows about
iptables -A FORWARD -i eth0 -o eth2 -p tcp -d one.of.my.ips -s 200.x.x.x --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -j drop-log-some-chain-made-by-me   # <- here, LOG and DROP

Dropped packets ARE NOT from any of my LAN's IPs.

Well, thank you for your attention. I hope somebody can help me to understand.

Regards,
Cássio

---------- Forwarded message ----------
From: casfre@xxxxxxxxx <casfre@xxxxxxxxx>
Date: Feb 7, 2008 8:10 PM
Subject: strange ACK SYN URGP=0 in an iptables firewall with stateful enabled.
To: netfilter@xxxxxxxxxxxxxxx

Hi,

English is not my native language, so forgive my mistakes.

I think you can point me in the right direction to investigate some "weird" log lines from my iptables (1.3.7). I use -m state to control my traffic and I am seeing a lot of log lines, from a lot of src IPs (out of my range and from other countries) with SPT=80 PROTOCOL=TCP directed at machines in my LAN. There are some lines where SPT=10100 or 6667. The strange thing is that the target IPs were never used in my LAN. They are in our range, but we never used them. Other detail: all lines have ACK SYN URGP=0. I log everything I drop and, in those cases, a RELATED,ESTABLISHED rule is blocking the packets.

Could someone point me in a good direction to solve/investigate the problem?

Cássio
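Added example, not part of the thread above: a small Python parser that runs over iptables LOG output and isolates exactly the pattern Cássio describes, packets from the Internet side whose only TCP flags are SYN and ACK, aimed at addresses inside the site's range that no host uses. A SYN/ACK arriving for an address that never sent a SYN is the classic signature of backscatter: a third party is SYN-flooding the remote web or IRC servers (SPT=80, 6667) with source addresses forged from this site's range, and the servers' replies land on this firewall, where conntrack has no matching entry and the RELATED,ESTABLISHED rule drops them as designed. The log lines, the 192.0.2.0/24 "our range" and the 203.0.113.0/24 remote addresses are constructed (documentation ranges), and the set of in-use addresses is an assumption; in practice it would come from DHCP, DNS or an inventory. The field layout follows the kernel's ipt_LOG format.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of iptables LOG lines (not from the thread). 192.0.2.0/24
# stands in for "our range", 203.0.113.0/24 for remote hosts. Lines 1-3 are the
# SYN/ACK pattern from the report; line 4 is an ordinary inbound SYN scan and
# line 5 a bare RST, included so the filter has something to reject.
SAMPLE_LOG = """\
Feb  7 20:03:11 fw kernel: FWD-DROP IN=eth0 OUT=eth2 SRC=203.0.113.10 DST=192.0.2.200 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=40312 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Feb  7 20:03:12 fw kernel: FWD-DROP IN=eth0 OUT=eth2 SRC=203.0.113.77 DST=192.0.2.201 LEN=44 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=TCP SPT=6667 DPT=51022 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Feb  7 20:03:13 fw kernel: FWD-DROP IN=eth0 OUT=eth2 SRC=203.0.113.10 DST=192.0.2.200 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=40313 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Feb  7 20:03:14 fw kernel: FWD-DROP IN=eth0 OUT=eth2 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=31337 DF PROTO=TCP SPT=44120 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  7 20:03:15 fw kernel: FWD-DROP IN=eth0 OUT=eth2 SRC=203.0.113.10 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=40314 WINDOW=0 RES=0x00 RST URGP=0
"""

# Assumption: the address block the site owns and the addresses actually in use.
OUR_RANGE = ipaddress.ip_network("192.0.2.0/24")
IN_USE = {ipaddress.ip_address("192.0.2.10")}

FIELD_RE = re.compile(r"(\w+)=(\S+)")
# TCP flags are logged as bare words between RES= and URGP=, not as KEY=VALUE.
FLAG_NAMES = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Split one ipt_LOG line into its KEY=VALUE fields plus a FLAGS set."""
    rec = dict(FIELD_RE.findall(line))
    rec["FLAGS"] = {tok for tok in line.split() if tok in FLAG_NAMES}
    return rec


def is_unsolicited_synack(rec, in_use, our_range):
    """True for a TCP packet whose flags are exactly SYN+ACK, addressed to one of
    our addresses that no host uses, i.e. a reply to a SYN we never sent."""
    if rec.get("PROTO") != "TCP" or "DST" not in rec:
        return False
    if rec["FLAGS"] != {"SYN", "ACK"}:
        return False
    dst = ipaddress.ip_address(rec["DST"])
    return dst in our_range and dst not in in_use


def summarize(log_text, in_use=IN_USE, our_range=OUR_RANGE):
    """Count unsolicited SYN/ACKs per (remote address, remote port) and collect
    the unused local addresses they were aimed at. Many distinct remote sources
    on well-known ports hitting unused local addresses is the backscatter shape."""
    by_source = Counter()
    targets = set()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if is_unsolicited_synack(rec, in_use, our_range):
            by_source[(rec["SRC"], int(rec["SPT"]))] += 1
            targets.add(rec["DST"])
    return by_source, sorted(targets)


if __name__ == "__main__":
    by_source, targets = summarize(SAMPLE_LOG)
    for (src, spt), n in by_source.most_common():
        print(f"{src}:{spt}  {n} unsolicited SYN/ACK")
    print("unused local addresses being replied to:", ", ".join(targets))
```

Run against the real log instead of SAMPLE_LOG (for example by reading /var/log/messages and filtering on the LOG prefix), and populate IN_USE from the DHCP leases or DNS zone. If the flagged sources are many unrelated servers on ports 80, 6667 and similar, and the destinations cluster on addresses nothing announces, the site's prefix is most likely being used as a forged source by someone else; the drop is correct and the only local fix is to make sure these hits are not counted as attacks against the DMZ.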