Unexpected (ct)state matching behaviour

Hi!

I'm running a netfilter firewall on a KVM hosting system which also
is the router for the IP networks. Like this:



                   ,--------------------------.
                   |                          |
internet <-- eth0 -|                          |
                   | - br0 192.168.42.1/24    |
                   `--------------------------'

Most VMs are connected to the bridge.

The bridge-nf-hooks are disabled via sysctl:

net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 0


What I'm now doing is filtering the traffic to the service VMs with the following ruleset,
where 192.168.42.53 is a DNS server, .25 is an MX and .70 is a monitoring (Nagios, ..) machine.
(All machines have public IPs, but I mapped them to this network here.)

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      eth0    192.168.42.0/24       0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       192.168.42.70          0.0.0.0/0           tcp dpt:4949
    0     0 ACCEPT     tcp  --  *      *       192.168.42.70          0.0.0.0/0           tcp dpt:5666
    0     0 ACCEPT     tcp  --  *      *       192.168.42.70          0.0.0.0/0           tcp dpt:22
    0     0 services   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `forward reject: '
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-admin-prohibited

Chain services (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.42.53         udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.42.53         tcp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.42.25         tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.42.25         tcp dpt:26
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.42.25         tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.42.25         tcp dpt:143
[...]

This works great in general, but since Nagios is checking the services I get some
rejected packets and I have no idea why:

First, some DNS answers to queries from the MX get rejected:

forward reject: IN=br0 OUT=br0 SRC=192.168.42.53 DST=192.168.42.25 LEN=238 TOS=0x00 PREC=0x00 TTL=63 ID=64971 PROTO=UDP SPT=53 DPT=37743 LEN=218
forward reject: IN=br0 OUT=br0 SRC=192.168.42.53 DST=192.168.42.25 LEN=238 TOS=0x00 PREC=0x00 TTL=63 ID=64972 PROTO=UDP SPT=53 DPT=37743 LEN=218
forward reject: IN=br0 OUT=br0 SRC=192.168.42.53 DST=192.168.42.25 LEN=238 TOS=0x00 PREC=0x00 TTL=63 ID=64973 PROTO=UDP SPT=53 DPT=37743 LEN=218
forward reject: IN=br0 OUT=br0 SRC=192.168.42.53 DST=192.168.42.25 LEN=238 TOS=0x00 PREC=0x00 TTL=63 ID=64974 PROTO=UDP SPT=53 DPT=57656 LEN=218

And some Nagios tests fail.

forward reject: IN=br0 OUT=br0 SRC=192.168.42.53 DST=192.168.42.70 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=4949 DPT=45244 WINDOW=5792 RES=0x00 ACK SYN URGP=0
forward reject: IN=br0 OUT=br0 SRC=192.168.42.25 DST=192.168.42.70 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=143 DPT=54878 WINDOW=5792 RES=0x00 ACK SYN URGP=0
forward reject: IN=br0 OUT=br0 SRC=192.168.42.53 DST=192.168.42.70 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=4949 DPT=36041 WINDOW=5792 RES=0x00 ACK SYN URGP=0
forward reject: IN=br0 OUT=br0 SRC=192.168.42.25 DST=192.168.42.70 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=143 DPT=47685 WINDOW=5792 RES=0x00 ACK SYN URGP=0
forward reject: IN=br0 OUT=br0 SRC=192.168.42.53 DST=192.168.42.70 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=4949 DPT=57860 WINDOW=5792 RES=0x00 ACK SYN URGP=0
forward reject: IN=br0 OUT=br0 SRC=192.168.42.25 DST=192.168.42.70 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=143 DPT=45284 WINDOW=5792 RES=0x00 ACK SYN URGP=0

The really confusing thing is that this only happens sometimes while the rest
of the day everything works as expected. No other services running in
different VMs on the same hosts show any problems.

Any ideas what might go wrong here?

Thanks
Ciao
Max
-- 
Progress means taking a step in such a way
that you are still able to take the next one.
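The log lines in the post have a telling shape: every rejected packet is either a DNS answer leaving port 53 or a TCP SYN/ACK leaving a service port, i.e. the reply half of a connection the ctstate RELATED,ESTABLISHED rule should already have accepted, and all of them go IN=br0 OUT=br0. The script below is an added triage example, not code from the post or from the netfilter project: it parses iptables LOG output of the kind shown above, marks which rejected packets look like reply-direction traffic versus genuine new connection attempts, and counts the reply-direction ones per (source, protocol, source port) so the operator knows which flows to compare against the conntrack table. The service-port list is taken from the FORWARD and services chains shown in the post; the sample log is constructed (three lines follow the post's output, the fourth is an invented inbound SYN from a TEST-NET address used as a contrast). The classification rules are heuristics assumed here, not a diagnosis of the underlying cause.

```python
"""Triage netfilter LOG lines: separate reply-direction packets (which a
ctstate RELATED,ESTABLISHED rule is expected to accept) from new
connection attempts, so conntrack misses stand out in a reject log."""
from collections import Counter

# Destination ports permitted by the FORWARD and 'services' chains in the post.
SERVICE_PORTS = {22, 25, 26, 53, 80, 143, 4949, 5666}

# Constructed sample input. Lines 1-3 follow the post's LOG output; line 4 is
# an invented inbound SYN from a TEST-NET (203.0.113.0/24) source for contrast.
SAMPLE_LOG = """\
forward reject: IN=br0 OUT=br0 SRC=192.168.42.53 DST=192.168.42.25 LEN=238 TOS=0x00 PREC=0x00 TTL=63 ID=64971 PROTO=UDP SPT=53 DPT=37743 LEN=218
forward reject: IN=br0 OUT=br0 SRC=192.168.42.53 DST=192.168.42.70 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=4949 DPT=45244 WINDOW=5792 RES=0x00 ACK SYN URGP=0
forward reject: IN=br0 OUT=br0 SRC=192.168.42.25 DST=192.168.42.70 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=143 DPT=54878 WINDOW=5792 RES=0x00 ACK SYN URGP=0
forward reject: IN=eth0 OUT=br0 SRC=203.0.113.9 DST=192.168.42.25 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=40000 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
"""


def parse_log_line(line):
    """Return (fields, flags) for one LOG line, or None if it is not one.

    fields: dict of KEY=VALUE tokens (IN, OUT, SRC, DST, PROTO, SPT, DPT, ...).
    flags:  set of bare tokens such as DF, SYN, ACK, FIN, RST.
    """
    start = line.find("IN=")
    if start < 0:
        return None
    fields, flags = {}, set()
    for token in line[start:].split():
        if "=" in token:
            key, value = token.split("=", 1)
            # UDP lines carry LEN twice (IP total length, then UDP length);
            # setdefault keeps the first, the IP one.
            fields.setdefault(key, value)
        else:
            flags.add(token)
    return fields, flags


def classify(fields, flags, service_ports=SERVICE_PORTS):
    """Heuristic verdict: 'reply', 'mid-stream' or 'new' (assumed rules, not a diagnosis)."""
    proto = fields.get("PROTO")
    spt = int(fields.get("SPT", 0))
    dpt = int(fields.get("DPT", 0))
    if proto == "TCP":
        if "SYN" in flags and "ACK" in flags:
            return "reply"        # second handshake step: conntrack should know this flow
        if "SYN" in flags:
            return "new"          # a fresh connection attempt, legitimately subject to policy
        if flags & {"ACK", "FIN", "RST"}:
            return "mid-stream"   # part of an existing flow that conntrack is not tracking
    if proto == "UDP" and spt in service_ports and dpt not in service_ports:
        return "reply"            # answer leaving a service port towards an ephemeral port
    return "new"


def triage(log_text):
    """Parse every LOG line and attach a verdict plus a same-interface (hairpin) marker."""
    verdicts = []
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        fields, flags = parsed
        verdicts.append({
            "src": fields["SRC"], "dst": fields["DST"], "proto": fields["PROTO"],
            "spt": int(fields["SPT"]), "dpt": int(fields["DPT"]),
            "hairpin": fields.get("IN") == fields.get("OUT"),  # IN=br0 OUT=br0 in the post
            "verdict": classify(fields, flags),
        })
    return verdicts


def summarize(verdicts):
    """Count reply-direction rejects per (src, proto, spt): the flows to look up in conntrack."""
    return Counter((v["src"], v["proto"], v["spt"])
                   for v in verdicts if v["verdict"] == "reply")


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for r in results:
        print(f'{r["verdict"]:>10}  hairpin={r["hairpin"]!s:5} '
              f'{r["proto"]} {r["src"]}:{r["spt"]} -> {r["dst"]}:{r["dpt"]}')
    print("reply-direction rejects by origin:", dict(summarize(results)))
```

Run against the live log (`grep 'forward reject' /var/log/kern.log`) the rows marked `reply` are the ones to compare with the entries `conntrack -L` shows for the same flows at the moment of the reject; a reply that is rejected while its flow is absent from the table points at conntrack rather than at the ruleset.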