I'm setting up a host-based firewall on a CentOS 5.1 system and I'm having issues with ssh sessions hanging.
I want to restrict incoming ssh sessions to those originating from a particular subnet and interface.
I can connect via ssh, but often when I generate a lot of traffic, e.g. by cat-ing a large file or running top, the session hangs. By selective logging, I have discovered that when a session hangs the packets coming to port 22 for that session change from ESTABLISHED to INVALID, and I have a rule that all INVALID packets are dropped. For some reason the connection tracking appears to be faulty. Is this a known issue or am I doing something incorrect? I've had this occur on a number of systems I'm setting up at the moment; all are configured similarly.
iptables-save output below:
# Generated by iptables-save v1.3.5 on Sun Feb 10 11:50:18 2008
*filter
:INPUT DROP [36592:4741659]
:FORWARD DROP [0:0]
:OUTPUT DROP [31:11468]
-A INPUT -f -j LOG --log-prefix "FRAGMENT DROPPED "
-A INPUT -f -j DROP
-A INPUT -s 172.18.0.0/255.255.254.0 -i eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j LOG --log-prefix "ESTABLISHED - TO BE ACCEPTED "
-A INPUT -s 172.18.0.0/255.255.254.0 -i eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID - TO BE DROPPED "
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m addrtype --dst-type LOCAL -j LOG
-A FORWARD -j LOG
-A OUTPUT -d 172.18.0.0/255.255.254.0 -o eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 22 -j LOG --log-prefix "ESTABLISHED - TO BE ACCEPTED "
-A OUTPUT -d 172.18.0.0/255.255.254.0 -o eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 22 -j ACCEPT
-A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID - TO BE DROPPED "
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j LOG
COMMIT
# Completed on Sun Feb 10 11:50:18 2008
Log excerpt while executing "ls -Rl /" in the ssh session.
Feb 10 13:15:09 logging kernel: ESTABLISHED - TO BE ACCEPTED IN=eth0
OUT= MAC=00:1d:09:1e:b0:a4:00:d0:00:db:f8:00:08:00 SRC=172.18.0.168
DST=192.168.154.56 LEN=52 TOS=0x10 PREC=0x00 TTL=61 ID=5833 DF
PROTO=TCP SPT=50066 DPT=22 WINDOW=25100 RES=0x00 ACK URGP=0
Feb 10 13:15:09 logging kernel: ESTABLISHED - TO BE ACCEPTED IN=eth0
OUT= MAC=00:1d:09:1e:b0:a4:00:d0:00:db:f8:00:08:00 SRC=172.18.0.168
DST=192.168.154.56 LEN=52 TOS=0x10 PREC=0x00 TTL=61 ID=30003 DF
PROTO=TCP SPT=50066 DPT=22 WINDOW=25068 RES=0x00 ACK URGP=0
Feb 10 13:15:09 logging kernel: ESTABLISHED - TO BE ACCEPTED IN=eth0
OUT= MAC=00:1d:09:1e:b0:a4:00:d0:00:db:f8:00:08:00 SRC=172.18.0.168
DST=192.168.154.56 LEN=52 TOS=0x10 PREC=0x00 TTL=61 ID=11272 DF
PROTO=TCP SPT=50066 DPT=22 WINDOW=25044 RES=0x00 ACK URGP=0
Feb 10 13:15:09 logging kernel: ESTABLISHED - TO BE ACCEPTED IN=eth0
OUT= MAC=00:1d:09:1e:b0:a4:00:d0:00:db:f8:00:08:00 SRC=172.18.0.168
DST=192.168.154.56 LEN=52 TOS=0x10 PREC=0x00 TTL=61 ID=16325 DF
PROTO=TCP SPT=50066 DPT=22 WINDOW=24916 RES=0x00 ACK URGP=0
Feb 10 13:15:09 logging kernel: ESTABLISHED - TO BE ACCEPTED IN=eth0
OUT= MAC=00:1d:09:1e:b0:a4:00:d0:00:db:f8:00:08:00 SRC=172.18.0.168
DST=192.168.154.56 LEN=52 TOS=0x10 PREC=0x00 TTL=61 ID=23358 DF
PROTO=TCP SPT=50066 DPT=22 WINDOW=24748 RES=0x00 ACK URGP=0
Feb 10 13:15:09 logging kernel: INVALID - TO BE DROPPED IN=eth0 OUT=
MAC=00:1d:09:1e:b0:a4:00:d0:00:db:f8:00:08:00 SRC=172.18.0.168
DST=192.168.154.56 LEN=64 TOS=0x10 PREC=0x00 TTL=61 ID=22690 DF
PROTO=TCP SPT=50066 DPT=22 WINDOW=23572 RES=0x00 ACK URGP=0
Feb 10 13:15:09 logging kernel: INVALID - TO BE DROPPED IN=eth0 OUT=
MAC=00:1d:09:1e:b0:a4:00:d0:00:db:f8:00:08:00 SRC=172.18.0.168
DST=192.168.154.56 LEN=64 TOS=0x10 PREC=0x00 TTL=61 ID=9482 DF
PROTO=TCP SPT=50066 DPT=22 WINDOW=23572 RES=0x00 ACK URGP=0
Feb 10 13:15:09 logging kernel: INVALID - TO BE DROPPED IN=eth0 OUT=
MAC=00:1d:09:1e:b0:a4:00:d0:00:db:f8:00:08:00 SRC=172.18.0.168
DST=192.168.154.56 LEN=64 TOS=0x10 PREC=0x00 TTL=61 ID=22670 DF
PROTO=TCP SPT=50066 DPT=22 WINDOW=23572 RES=0x00 ACK URGP=0
Feb 10 13:15:09 logging kernel: INVALID - TO BE DROPPED IN=eth0 OUT=
MAC=00:1d:09:1e:b0:a4:00:d0:00:db:f8:00:08:00 SRC=172.18.0.168
DST=192.168.154.56 LEN=64 TOS=0x10 PREC=0x00 TTL=61 ID=26191 DF
PROTO=TCP SPT=50066 DPT=22 WINDOW=27668 RES=0x00 ACK URGP=0
Feb 10 13:15:09 logging kernel: INVALID - TO BE DROPPED IN=eth0 OUT=
MAC=00:1d:09:1e:b0:a4:00:d0:00:db:f8:00:08:00 SRC=172.18.0.168
DST=192.168.154.56 LEN=112 TOS=0x10 PREC=0x00 TTL=61 ID=31011 DF
PROTO=TCP SPT=50066 DPT=22 WINDOW=27668 RES=0x00 ACK PSH URGP=0
Feb 10 13:15:09 logging kernel: INVALID - TO BE DROPPED IN=eth0 OUT=
MAC=00:1d:09:1e:b0:a4:00:d0:00:db:f8:00:08:00 SRC=172.18.0.168
DST=192.168.154.56 LEN=64 TOS=0x10 PREC=0x00 TTL=61 ID=19328 DF
PROTO=TCP SPT=50066 DPT=22 WINDOW=31764 RES=0x00 ACK URGP=0
Feb 10 13:15:09 logging kernel: INVALID - TO BE DROPPED IN=eth0 OUT=
MAC=00:1d:09:1e:b0:a4:00:d0:00:db:f8:00:08:00 SRC=172.18.0.168
DST=192.168.154.56 LEN=64 TOS=0x10 PREC=0x00 TTL=61 ID=11844 DF
PROTO=TCP SPT=50066 DPT=22 WINDOW=33252 RES=0x00 ACK URGP=0
JZ
-
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
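The log excerpt above already contains the evidence a practitioner would want to pull out: which flow flipped from ESTABLISHED to INVALID, and how the packets changed at that moment. The following script is an added example (not code from the post or from the netfilter project) that parses iptables LOG lines, groups them by 5-tuple, and reports the first ESTABLISHED-to-INVALID transition per flow together with the TCP header length derived from LEN. The 20-byte IP header used for that derivation is an assumption (no IP options); the sample log is the excerpt from the post with each wrapped entry rejoined on one line, and the other field names are the standard ones the LOG target emits. Note what it shows on this data: the accepted packets carry a 32-byte TCP header (20 bytes plus a 12-byte timestamp option block) while the INVALID ones carry 44 bytes, room for exactly one SACK block, so the dropped packets are acknowledgements carrying SACK options and the thing to examine is conntrack's TCP window tracking. On the 2.6.18-era ip_conntrack in CentOS 5 the usual first check is the sysctl net.ipv4.netfilter.ip_conntrack_tcp_be_liberal (nf_conntrack_tcp_be_liberal on later kernels), which stops out-of-window packets from being marked INVALID; whether that is the root cause here is an inference from the header sizes, not something the post itself establishes.

```python
"""Find flows whose packets flip from ESTABLISHED to INVALID in iptables LOG output.

Added example, not part of the original post. SAMPLE_LOG is the excerpt from
the post with wrapped entries rejoined. IP_HDR_LEN is an assumption (no IP
options), which the LEN values in this log are consistent with.
"""
from collections import defaultdict

IP_HDR_LEN = 20  # assumption: IPv4 header without options

SAMPLE_LOG = """\
Feb 10 13:15:09 logging kernel: ESTABLISHED - TO BE ACCEPTED IN=eth0 OUT= MAC=00:1d:09:1e:b0:a4:00:d0:00:db:f8:00:08:00 SRC=172.18.0.168 DST=192.168.154.56 LEN=52 TOS=0x10 PREC=0x00 TTL=61 ID=5833 DF PROTO=TCP SPT=50066 DPT=22 WINDOW=25100 RES=0x00 ACK URGP=0
Feb 10 13:15:09 logging kernel: ESTABLISHED - TO BE ACCEPTED IN=eth0 OUT= MAC=00:1d:09:1e:b0:a4:00:d0:00:db:f8:00:08:00 SRC=172.18.0.168 DST=192.168.154.56 LEN=52 TOS=0x10 PREC=0x00 TTL=61 ID=30003 DF PROTO=TCP SPT=50066 DPT=22 WINDOW=25068 RES=0x00 ACK URGP=0
Feb 10 13:15:09 logging kernel: ESTABLISHED - TO BE ACCEPTED IN=eth0 OUT= MAC=00:1d:09:1e:b0:a4:00:d0:00:db:f8:00:08:00 SRC=172.18.0.168 DST=192.168.154.56 LEN=52 TOS=0x10 PREC=0x00 TTL=61 ID=11272 DF PROTO=TCP SPT=50066 DPT=22 WINDOW=25044 RES=0x00 ACK URGP=0
Feb 10 13:15:09 logging kernel: INVALID - TO BE DROPPED IN=eth0 OUT= MAC=00:1d:09:1e:b0:a4:00:d0:00:db:f8:00:08:00 SRC=172.18.0.168 DST=192.168.154.56 LEN=64 TOS=0x10 PREC=0x00 TTL=61 ID=22690 DF PROTO=TCP SPT=50066 DPT=22 WINDOW=23572 RES=0x00 ACK URGP=0
Feb 10 13:15:09 logging kernel: INVALID - TO BE DROPPED IN=eth0 OUT= MAC=00:1d:09:1e:b0:a4:00:d0:00:db:f8:00:08:00 SRC=172.18.0.168 DST=192.168.154.56 LEN=112 TOS=0x10 PREC=0x00 TTL=61 ID=31011 DF PROTO=TCP SPT=50066 DPT=22 WINDOW=27668 RES=0x00 ACK PSH URGP=0
"""


def parse_log_line(line):
    """Split one syslog line into the LOG prefix, KEY=VALUE fields and bare flags."""
    try:
        _, body = line.split("kernel: ", 1)
    except ValueError:
        return None  # not a kernel log line
    idx = body.find("IN=")
    if idx < 0:
        return None  # not an iptables LOG line
    prefix = body[:idx].strip()
    fields, flags = {}, set()
    for tok in body[idx:].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.add(tok)  # DF, SYN, ACK, PSH, FIN, RST, ...
    return {"prefix": prefix, "fields": fields, "flags": flags}


def flow_key(rec):
    """5-tuple used to group packets of one connection."""
    f = rec["fields"]
    return (f.get("PROTO"), f.get("SRC"), f.get("SPT"), f.get("DST"), f.get("DPT"))


def tcp_header_len(rec):
    """TCP header length implied by the IP total length (assumes no IP options)."""
    return int(rec["fields"]["LEN"]) - IP_HDR_LEN


def find_state_flips(lines):
    """Return one record per flow for the first INVALID packet seen after ESTABLISHED ones."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec is not None:
            flows[flow_key(rec)].append(rec)

    flips = []
    for key, recs in flows.items():
        last_established, n_established = None, 0
        for rec in recs:
            if rec["prefix"].startswith("ESTABLISHED"):
                last_established, n_established = rec, n_established + 1
            elif rec["prefix"].startswith("INVALID") and last_established is not None:
                flips.append({
                    "flow": key,
                    "established_before": n_established,
                    "tcp_hdr_before": tcp_header_len(last_established),
                    "tcp_hdr_after": tcp_header_len(rec),
                    "flags_after": sorted(rec["flags"]),
                    "first_invalid_id": rec["fields"].get("ID"),
                })
                break  # report only the first transition per flow
    return flips


def report(flips):
    """Human-readable summary lines, one per flipped flow."""
    out = []
    for f in flips:
        proto, src, spt, dst, dpt = f["flow"]
        out.append(
            f"{proto} {src}:{spt} -> {dst}:{dpt}: {f['established_before']} ESTABLISHED "
            f"packet(s), then INVALID (IP ID {f['first_invalid_id']}); TCP header "
            f"{f['tcp_hdr_before']} -> {f['tcp_hdr_after']} bytes, flags {' '.join(f['flags_after'])}"
        )
    return out


if __name__ == "__main__":
    for line in report(find_state_flips(SAMPLE_LOG.splitlines())):
        print(line)
```

Run it against a real /var/log/messages by feeding the file's lines to find_state_flips; flows that never produced an INVALID entry after ESTABLISHED ones are silently skipped, so an empty report means the ruleset's INVALID logging never fired for a tracked flow.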