Connection tracking/iptables problem


(If this is the wrong list for this, please let me know!)

This problem showed up with my FC10 box (2.6.27.19-170.2.35.fc10.i686
#1 SMP Mon Feb 23 13:21:22 EST 2009 i686 athlon i386 GNU/Linux)
failing to send emails through easydns's smtp relay that I use for all
outbound email via TLS authentication.  After the authentication, and
only with binary attachments or large emails (not sure which is
required), the connection hangs to their SMTP server.  Small emails
work.  This fails on both port 587 and 20025.  (My firewall blocks
25, as does my ISP.)

Sometime during the SMTP conversation (after authentication while it
is sending the body), the connection is no longer considered
established.

I added a log entry before and after my ACCEPT statement...

LOG        tcp  --  any    any     anywhere             anywhere            tcp spt:20025 state RELATED,ESTABLISHED LOG level warning prefix `20025 established'
ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
LOG        tcp  --  any    any     anywhere             anywhere            tcp spt:20025 LOG level warning prefix `20025 not established'

 and get the following during the transfer:

20025 established:     IN=eth0 OUT=
MAC=00:18:e7:16:c6:02:00:01:5c:31:e4:41:08:00 SRC=205.210.42.66
DST=**************
LEN=52 TOS=0x00 PREC=0x20 TTL=49 ID=34104 DF PROTO=TCP SPT=20025
DPT=39436 WINDOW=7041 RES=0x00 ACK URGP=0

20025 established:     IN=eth0 OUT=
MAC=00:18:e7:16:c6:02:00:01:5c:31:e4:41:08:00 SRC=205.210.42.66
DST=**************
LEN=52 TOS=0x00 PREC=0x20 TTL=49 ID=34105 DF PROTO=TCP SPT=20025
DPT=39436 WINDOW=7131 RES=0x00 ACK URGP=0

20025 NOT established: IN=eth0 OUT=
MAC=00:18:e7:16:c6:02:00:01:5c:31:e4:41:08:00 SRC=205.210.42.66
DST=**************
LEN=64 TOS=0x00 PREC=0x20 TTL=49 ID=34106 DF PROTO=TCP SPT=20025
DPT=39436 WINDOW=7131 RES=0x00 ACK URGP=0

REJECTING:             IN=eth0 OUT=
MAC=00:18:e7:16:c6:02:00:01:5c:31:e4:41:08:00 SRC=205.210.42.66
DST=**************
LEN=64 TOS=0x00 PREC=0x20 TTL=49 ID=34106 DF PROTO=TCP SPT=20025
DPT=39436 WINDOW=7131 RES=0x00 ACK URGP=0

My firewall looks like this -- I'll try to keep it brief:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
target     prot opt in     out     source               destination
BOGON_FIREWALL  all  --  any    any     anywhere             anywhere
RJR_FIREWALL  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:137
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:139
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:138
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:137
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:139
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:138
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `Dropping outgoing SMTP: '
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25

Chain BOGON_FIREWALL (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth0   any     default/8            anywhere
    0     0 DROP       all  --  eth0   any     1.0.0.0/8            anywhere
    0     0 DROP       all  --  eth0   any     2.0.0.0/8            anywhere
[...]

Chain RJR_FIREWALL (2 references)
target     prot opt in     out     source               destination
ACCEPT     all  --  lo     any     anywhere             anywhere
ACCEPT     all  --  eth1   any     anywhere             anywhere
ACCEPT     icmp --  any    any     anywhere             anywhere            icmp any
ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
[more rules allowing ssh whitelist, http, etc.]
LOG        tcp  --  any    any     anywhere             anywhere            limit: avg 1/sec burst 5 LOG level warning prefix `REJECTING: '
REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

I found something similar happening at:
http://www.mail-archive.com/shorewall-users@xxxxxxxxxxxxxxxxxxxxx/msg03055.html

So I ran conntrack -E for the destination host ...

[root@tendo ~]# conntrack -E -d 205.210.42.66
[NEW] tcp      6 120 SYN_SENT src=****** dst=205.210.42.66 sport=33636
dport=20025 [UNREPLIED] src=205.210.42.66 dst=****** sport=20025
dport=33636
[UPDATE] tcp      6 60 SYN_RECV src=****** dst=205.210.42.66
sport=33636 dport=20025 src=205.210.42.66 dst=****** sport=20025
dport=33636
[UPDATE] tcp      6 432000 ESTABLISHED src=****** dst=205.210.42.66
sport=33636 dport=20025 src=205.210.42.66 dst=****** sport=20025
dport=33636 [ASSURED]
(and here it hangs....)

Is that UNREPLIED relevant?  I seem to get them on my internal network
(unrelated traffic), so I'm guessing not:

[NEW] tcp      6 120 SYN_SENT src=192.168.100.193 dst=192.168.100.1
sport=4017 dport=445 [UNREPLIED] src=192.168.100.1 dst=192.168.100.193
sport=445 dport=4017

Here's some tcpdump -- my IP is redacted

{1658971599:1658972967}{1658967495:1658970231}>
10:18:40.722966 IP (tos 0x20, ttl 49, id 47607, offset 0, flags [DF],
proto TCP (6), length 80) 205.210.42.66.20025 >
********.43026: ., cksum 0xcc01 (correct), ack 439804 win 8037
<nop,nop,timestamp 1102738292 63641796,nop,nop,sack 3
{1658989383:1658993487}{1658971599:1658972967}{1658967495:1658970231}>
10:18:40.727988 IP (tos 0x20, ttl 49, id 47608, offset 0, flags [DF],
proto TCP (6), length 80) 205.210.42.66.20025 >
********.43026: ., cksum 0xe637 (correct), ack 439804 win 8037
<nop,nop,timestamp 1102738293 63641796,nop,nop,sack 3
{1658997591:1658998959}{1658989383:1658993487}{1658971599:1658972967}>
10:18:40.742704 IP (tos 0x20, ttl 49, id 47609, offset 0, flags [DF],
proto TCP (6), length 80) 205.210.42.66.20025 >
********.43026: ., cksum 0xe0dd (correct), ack 439804 win 8037
<nop,nop,timestamp 1102738295 63641796,nop,nop,sack 3
{1658997591:1659000327}{1658989383:1658993487}{1658971599:1658972967}>
10:18:40.858908 IP (tos 0x0, ttl 64, id 38758, offset 0, flags [DF],
proto TCP (6), length 1420) ********.43026 >
205.210.42.66.20025: . 439804:441172(1368) ack 1969 win 193
<nop,nop,timestamp 63643709 1102738199>
10:18:40.943809 IP (tos 0x20, ttl 49, id 47610, offset 0, flags [DF],
proto TCP (6), length 80) 205.210.42.66.20025 >
********.43026: ., cksum 0xbf6e (correct), ack 446644 win 7823
<nop,nop,timestamp 1102738315 63643709,nop,nop,sack 3
{1658997591:1659000327}{1658989383:1658993487}{1658971599:1658972967}>
10:18:40.944451 IP (tos 0xc0, ttl 64, id 46984, offset 0, flags
[none], proto ICMP (1), length 108) ******** >
205.210.42.66: ICMP host ******** unreachable - admin prohibited, length 88
        IP (tos 0x20, ttl 49, id 47610, offset 0, flags [DF], proto
TCP (6), length 80) 205.210.42.66.20025 >
********.43026: . ack 446644 win 7823 <nop,nop,timestamp 1102738315
63643709,nop,nop,[|tcp]>
10:18:43.002909 IP (tos 0x0, ttl 64, id 38759, offset 0, flags [DF],
proto TCP (6), length 1420) ********.43026 >
205.210.42.66.20025: . 439804:441172(1368) ack 1969 win 193
<nop,nop,timestamp 63645853 1102738199>
10:18:43.086907 IP (tos 0x20, ttl 36, id 38759, offset 0, flags [DF],
proto TCP (6), length 40) 205.210.42.66.20025 >
********.43026: P, cksum 0xa83c (correct), ack 446644 win 7823
10:18:43.087278 IP (tos 0x0, ttl 64, id 38760, offset 0, flags [DF],
proto TCP (6), length 2788) ********.43026 >
205.210.42.66.20025: . 692884:695620(2736) ack 1969 win 193
<nop,nop,timestamp 63645937 1102738199>
10:18:43.173519 IP (tos 0x20, ttl 49, id 47611, offset 0, flags [DF],
proto TCP (6), length 80) 205.210.42.66.20025 >
********.43026: ., cksum 0xb35e (correct), ack 446644 win 7823
<nop,nop,timestamp 1102738538 63643709,nop,nop,sack 3
{1659005799:1659007167}{1658997591:1659000327}{1658989383:1658993487}>
10:18:43.174175 IP (tos 0xc0, ttl 64, id 46985, offset 0, flags
[none], proto ICMP (1), length 108) ******** >
205.210.42.66: ICMP host ******** unreachable - admin prohibited, length 88
        IP (tos 0x20, ttl 49, id 47611, offset 0, flags [DF], proto
TCP (6), length 80) 205.210.42.66.20025 >
********.43026: . ack 446644 win 7823 <nop,nop,timestamp 1102738538
63643709,nop,nop,[|tcp]>
10:18:43.178785 IP (tos 0x20, ttl 49, id 47612, offset 0, flags [DF],
proto TCP (6), length 80) 205.210.42.66.20025 >
********.43026: ., cksum 0xae06 (correct), ack 446644 win 7823
<nop,nop,timestamp 1102738538 63643709,nop,nop,sack 3
{1659005799:1659008535}{1658997591:1659000327}{1658989383:1658993487}>
10:18:43.179413 IP (tos 0xc0, ttl 64, id 46986, offset 0, flags
[none], proto ICMP (1), length 108) ******** >
205.210.42.66: ICMP host ******** unreachable - admin prohibited, length 88
        IP (tos 0x20, ttl 49, id 47612, offset 0, flags [DF], proto
TCP (6), length 80) 205.210.42.66.20025 >
********.43026: . ack 446644 win 7823 <nop,nop,timestamp 1102738538
63643709,nop,nop,[|tcp]>

Any ideas?

Rich
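As an added diagnostic (not part of Rich's message and not netfilter project code): the script below parses iptables LOG records like the four shown above, keys them by conntrack-style tuple (protocol plus the four addresses/ports), and reports each packet the "not established" rule caught on a flow the ESTABLISHED rule had already accepted, together with what changed versus the last accepted packet and whether the final REJECT rule then logged the same IP ID. It assumes a 20-byte IP header (no IP options) when it converts LEN into TCP option bytes, and the sample input is constructed: the post's four records re-joined onto one line each, with the redacted DST replaced by the documentation address 192.0.2.10 purely so the flow key is complete. On that input it shows the rejected packet is the same one that fell out of ESTABLISHED (IP ID 34106) and that it differs from the two accepted ACKs only in length, 52 versus 64 bytes, i.e. 12 versus 24 bytes of TCP options, which is consistent with the timestamp option plus one SACK block of the kind the tcpdump further up shows on the relay's ACKs. The script does not say why conntrack stopped matching; it only isolates which packets flipped and how they differ.

```python
"""Correlate iptables LOG records to find packets that the state match
stopped treating as RELATED,ESTABLISHED on a flow it had already matched.

Added diagnostic for the log pattern in the post above; not part of the
original message.  Input is kernel log text (plain "PREFIX: IN=..." records
or full syslog lines); output is one record per flipped packet.
"""
import re
from collections import defaultdict

# Constructed sample: the four records from the post, re-joined onto one
# line each.  DST was redacted in the post and is replaced here with the
# documentation address 192.0.2.10 so that the flow key is complete.
SAMPLE_LOG = """\
20025 established:     IN=eth0 OUT= MAC=00:18:e7:16:c6:02:00:01:5c:31:e4:41:08:00 SRC=205.210.42.66 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x20 TTL=49 ID=34104 DF PROTO=TCP SPT=20025 DPT=39436 WINDOW=7041 RES=0x00 ACK URGP=0
20025 established:     IN=eth0 OUT= MAC=00:18:e7:16:c6:02:00:01:5c:31:e4:41:08:00 SRC=205.210.42.66 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x20 TTL=49 ID=34105 DF PROTO=TCP SPT=20025 DPT=39436 WINDOW=7131 RES=0x00 ACK URGP=0
20025 NOT established: IN=eth0 OUT= MAC=00:18:e7:16:c6:02:00:01:5c:31:e4:41:08:00 SRC=205.210.42.66 DST=192.0.2.10 LEN=64 TOS=0x00 PREC=0x20 TTL=49 ID=34106 DF PROTO=TCP SPT=20025 DPT=39436 WINDOW=7131 RES=0x00 ACK URGP=0
REJECTING:             IN=eth0 OUT= MAC=00:18:e7:16:c6:02:00:01:5c:31:e4:41:08:00 SRC=205.210.42.66 DST=192.0.2.10 LEN=64 TOS=0x00 PREC=0x20 TTL=49 ID=34106 DF PROTO=TCP SPT=20025 DPT=39436 WINDOW=7131 RES=0x00 ACK URGP=0
"""

IP_HDR_LEN = 20   # assumption: no IP options, so the IP header is 20 bytes
TCP_HDR_LEN = 20  # fixed TCP header; anything above it within LEN is options

_KERNEL_TS = re.compile(r"^\s*\[\s*\d+\.\d+\]\s*")  # "[ 1234.567] " from printk


def parse_log_line(line):
    """Split one LOG record into (prefix, fields, flags).

    fields maps KEY -> VALUE for the KEY=VALUE tokens (OUT= yields '');
    flags collects the bare tokens iptables emits without a value, such as
    DF, SYN, ACK, PSH, RST, FIN.  A syslog header ("... kernel: ") and a
    printk timestamp are discarded if present."""
    head, sep, rest = line.partition("IN=")
    if not sep:
        raise ValueError("not an iptables LOG record: %r" % line)
    if "kernel:" in head:
        head = head.split("kernel:", 1)[1]
    head = _KERNEL_TS.sub("", head)
    fields, flags = {}, set()
    for tok in ("IN=" + rest).split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val
        else:
            flags.add(tok)
    return head.strip().rstrip(":").strip(), fields, flags


def flow_key(fields):
    """Identify the flow the way a conntrack tuple does: proto + 4-tuple."""
    return (fields.get("PROTO"), fields.get("SRC"), fields.get("SPT"),
            fields.get("DST"), fields.get("DPT"))


def tcp_option_bytes(fields):
    """TCP option bytes implied by LEN under the header-size assumptions."""
    return int(fields["LEN"]) - IP_HDR_LEN - TCP_HDR_LEN


def find_state_flips(log_text, matched_prefix, unmatched_prefix, reject_prefix):
    """Return a record for each packet logged by the 'unmatched' rule on a
    flow the 'matched' rule had already seen, noting whether the REJECT
    rule then logged the same packet (same flow and IP ID)."""
    last_matched = {}                # flow -> fields of last matched packet
    rejected_ids = defaultdict(set)  # flow -> IP IDs logged by the REJECT rule
    flips = []
    for line in log_text.splitlines():
        if "IN=" not in line:
            continue                 # blank lines and non-firewall noise
        prefix, fields, flags = parse_log_line(line)
        key = flow_key(fields)
        if prefix == matched_prefix:
            last_matched[key] = fields
        elif prefix == unmatched_prefix and key in last_matched:
            prev = last_matched[key]
            flips.append({
                "flow": key,
                "ip_id": fields["ID"],
                "len": int(fields["LEN"]),
                "prev_len": int(prev["LEN"]),
                "tcp_option_bytes": tcp_option_bytes(fields),
                "prev_tcp_option_bytes": tcp_option_bytes(prev),
                "flags": sorted(flags),
                "rejected": False,
            })
        elif prefix == reject_prefix:
            rejected_ids[key].add(fields["ID"])
    for flip in flips:
        flip["rejected"] = flip["ip_id"] in rejected_ids[flip["flow"]]
    return flips


if __name__ == "__main__":
    for flip in find_state_flips(SAMPLE_LOG, "20025 established",
                                 "20025 NOT established", "REJECTING"):
        print("flow %s: IP ID %s fell out of ESTABLISHED; LEN %d -> %d "
              "(TCP options %d -> %d bytes), flags %s, rejected=%s" % (
                  flip["flow"], flip["ip_id"], flip["prev_len"], flip["len"],
                  flip["prev_tcp_option_bytes"], flip["tcp_option_bytes"],
                  ",".join(flip["flags"]), flip["rejected"]))
```

To use it on a live box, feed it the kernel log (for example the output of dmesg or /var/log/messages) and pass the three prefixes exactly as they appear in the LOG rules; the flow key is taken from the LOG record, so it works for any protocol iptables logs with SPT/DPT.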
