Hello,

Justin Piszcz wrote:
>
> When I load [some] web pages I get firewall blocks after the page has
> loaded, for example:

[...]

> Firewall block:
> Nov 14 08:13:19 p34 INPUT_BLOCK IN=eth1 OUT= MAC=00:1b:21:43:7b:9e:00:13:f7:5e:77:56:08:00 SRC=69.41.161.35 DST=75.144.35.66 LEN=43 TOS=00 PREC=0x20 TTL=17 ID=0 PROTO=TCP SPT=80 DPT=38582 SEQ=3671564445 ACK=0 WINDOW=0 ACK RST URGP=0

That's a RST (reset) from the web server. If it does not match an existing
connection, the connection tracking classifies it in the INVALID state.

> The last few packets of a tcpdump:
> # tcpdump -XX -S -s 0 -vv -i eth1 -n host 69.41.161.35
>
> 08:13:08.482191 IP (tos 0x0, ttl 64, id 27054, offset 0, flags [DF], proto TCP (6), length 40)
>     75.144.35.66.38582 > 69.41.161.35.80: Flags [F.], cksum 0x8d3c (correct), seq 4037481634, ack 2462267876, win 25728, length 0

That's an outgoing FIN, closing the connection.

> 08:13:08.533200 IP (tos 0x20, ttl 49, id 25885, offset 0, flags [DF], proto TCP (6), length 40)
>     69.41.161.35.80 > 75.144.35.66.38582: Flags [.], cksum 0xd89c (correct), seq 2462267876, ack 4037481635, win 6432, length 0

That's an incoming ACK (acknowledge) of the previous FIN packet. Now the
connection is really closed.

> 08:13:19.123062 IP (tos 0x20, ttl 17, id 0, offset 0, flags [none], proto TCP (6), length 43)
>     69.41.161.35.80 > 75.144.35.66.38582: Flags [R.], cksum 0x7bc7 (correct), seq 3671564445:3671564448, ack 0, win 0, length 3 [RST cki]

That's a RST for an already closed connection -> state INVALID.

> This last packet at 08:13:19 appears to be what gets blocked by iptables,
> even though ESTABLISHED,RELATED is in effect.

As expected.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
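To make the reasoning in the reply concrete, here is an added example (not from the thread or from netfilter's code): a deliberately simplified, hypothetical stand-in for conntrack's TCP tracking that replays the three quoted tcpdump packets and reports why the late RST lands in INVALID. It models the two checks that matter here, "is there still a live connection" and "does the segment start inside the peer's advertised window"; the `Tracker` class, its field names and the constructed copy of the trace are mine, and SYN handling and timeouts are left out.

```python
import re
from collections import namedtuple

# Constructed copy of the three tcpdump lines quoted in the thread, one packet per line.
TCPDUMP = """\
75.144.35.66.38582 > 69.41.161.35.80: Flags [F.], cksum 0x8d3c (correct), seq 4037481634, ack 2462267876, win 25728, length 0
69.41.161.35.80 > 75.144.35.66.38582: Flags [.], cksum 0xd89c (correct), seq 2462267876, ack 4037481635, win 6432, length 0
69.41.161.35.80 > 75.144.35.66.38582: Flags [R.], cksum 0x7bc7 (correct), seq 3671564445:3671564448, ack 0, win 0, length 3 [RST cki]
"""

PKT_RE = re.compile(r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                    r"Flags \[(?P<flags>[^\]]*)\].*?seq (?P<seq>\d+)(?::\d+)?, ack (?P<ack>\d+), win (?P<win>\d+)")
Packet = namedtuple("Packet", "src sport dst dport flags seq ack win")

def parse(line):
    m = PKT_RE.search(line)
    if not m:
        raise ValueError("unparsed tcpdump line: " + line)
    return Packet(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                  m["flags"], int(m["seq"]), int(m["ack"]), int(m["win"]))

class Tracker:
    """Hypothetical, simplified model of conntrack's TCP tracking (not nf_conntrack code):
    one entry per 4-tuple, a 'closed' flag once a FIN has been acknowledged (the thread's
    reading of the trace), and a per-direction sequence-window check, which is the other
    reason a stray RST is INVALID in the real implementation."""
    def __init__(self):
        self.conns = {}

    def classify(self, p):
        key = tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))
        c = self.conns.setdefault(key, {"closed": False, "fin": None, "peer_ack": {}, "peer_win": {}})
        sender, receiver = (p.src, p.sport), (p.dst, p.dport)
        reasons = []
        if c["closed"]:
            reasons.append("connection already closed")
        # Once the receiver has acked data from `sender`, a later segment from `sender`
        # must start inside the receiver's advertised window (modulo 2**32).
        if sender in c["peer_ack"]:
            lo, win = c["peer_ack"][sender], c["peer_win"][sender]
            if (p.seq - lo) % 2**32 > win:
                reasons.append("seq %d outside window [%d, %d]" % (p.seq, lo, lo + win))
        if reasons:
            return "INVALID", reasons
        if "." in p.flags:                      # ACK bit set: remember what the peer has acked
            c["peer_ack"][receiver], c["peer_win"][receiver] = p.ack, p.win
        if "F" in p.flags:                      # FIN: remember who closed and at which seq
            c["fin"] = (sender, p.seq)
        elif c["fin"] and sender != c["fin"][0] and "." in p.flags and p.ack > c["fin"][1]:
            c["closed"] = True                  # the FIN has been acknowledged
        return "ESTABLISHED", reasons

def verdicts(text):
    t = Tracker()
    return [t.classify(parse(line)) for line in text.splitlines() if line.strip()]

if __name__ == "__main__":
    for verdict, why in verdicts(TCPDUMP):
        print(verdict, "; ".join(why))
```

Running it classifies the FIN and the ACK as ESTABLISHED and the RST as INVALID for both reasons, which is why an ESTABLISHED,RELATED accept rule never sees that packet.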