dropping packets of --ctstate INVALID stopped working with 2.6.39.1?

I thought only a SYN packet should create a new connection, but PSH
packets seem to do it, too, now.

We are trying to delete conntrack connections, but finding they are
reappearing, even though we are trying to drop anything with a --ctstate
of INVALID.

Our assumption was that if we deleted the connection, that any further
TCP packets for that flow would have a ctstate of INVALID, and be
dropped.

This worked with 2.6.38, but doesn't work with 2.6.39.1.

For example, if I make an rdesktop connection from .125 to dport 3389,
conntrack -E shows it appearing:

    [NEW] tcp      6 433025 ESTABLISHED src=192.168.41.125 dst=192.168.1.20 sport=38916 dport=3389 [UNREPLIED] src=192.168.1.20 dst=192.168.41.125 sport=3389 dport=38916
 [UPDATE] tcp      6 432000 src=192.168.41.125 dst=192.168.1.20 sport=38916 dport=3389 src=192.168.1.20 dst=192.168.41.125 sport=3389 dport=38916 [ASSURED]

If I call conntrack -D to delete it, it goes away:

[DESTROY] tcp      6 src=192.168.41.125 dst=192.168.1.20 sport=38916 dport=3389 src=192.168.1.20 dst=192.168.41.125 sport=3389 dport=38916 [ASSURED]

I have an iptables rule of:

-A FORWARD -m conntrack --ctstate INVALID -j DROP

The next rdesktop packets cause the connection to be reestablished:

    [NEW] tcp      6 432962 ESTABLISHED src=192.168.41.125 dst=192.168.1.20 sport=38916 dport=3389 [UNREPLIED] src=192.168.1.20 dst=192.168.41.125 sport=3389 dport=38916
 [UPDATE] tcp      6 432000 src=192.168.41.125 dst=192.168.1.20 sport=38916 dport=3389 src=192.168.1.20 dst=192.168.41.125 sport=3389 dport=38916
 [UPDATE] tcp      6 431999 src=192.168.41.125 dst=192.168.1.20 sport=38916 dport=3389 src=192.168.1.20 dst=192.168.41.125 sport=3389 dport=38916 [ASSURED]

when they used to be discarded with 2.6.38.

Can anybody shed some light on this?

Thanks,
Sam

Btw - our full iptables dump. We have snort running on NFQ number 0.


root@x86-gaia:~# iptables-save
# Generated by iptables-save v1.4.11.1 on Fri Jun 24 01:01:46 2011
*filter
:INPUT DROP [3:695]
:FORWARD ACCEPT [522:26283]
:OUTPUT ACCEPT [4930:1165363]
:LOG_AND_QUEUE - [0:0]
:USER - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth1 -p tcp -m multiport --dports 80,443,22 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 161 -j DROP
-A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 161 -j DROP
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -i eth1 -p udp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -i eth0 -j NFQUEUE --queue-num 0
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j USER
-A FORWARD -m state --state RELATED,ESTABLISHED -j NFQUEUE --queue-num 0
-A LOG_AND_QUEUE -m limit --limit 15/min -j LOG
-A LOG_AND_QUEUE -j NFQUEUE --queue-num 0
COMMIT
# Completed on Fri Jun 24 01:01:46 2011
root@x86-gaia:~# uname -a
Linux x86-gaia 2.6.39.1 #1 SMP Wed Jun 22 14:53:50 PDT 2011 i686 unknown
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
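The sequence the post describes (a [DESTROY] for a flow followed by a [NEW] event that is already ESTABLISHED, i.e. created from a mid-stream packet rather than a SYN) can be checked mechanically from `conntrack -E` output. This is an added example, not code from the post or from the netfilter project; the event lines it parses are constructed from the ones quoted above, and the line format it assumes is the one shown there.

```python
import re

# Constructed sample, reproducing the post's conntrack -E events one per line:
# NEW -> UPDATE (ASSURED) -> DESTROY via "conntrack -D" -> NEW again,
# already ESTABLISHED, from a mid-stream packet of the same flow.
SAMPLE_EVENTS = """\
    [NEW] tcp      6 433025 ESTABLISHED src=192.168.41.125 dst=192.168.1.20 sport=38916 dport=3389 [UNREPLIED] src=192.168.1.20 dst=192.168.41.125 sport=3389 dport=38916
 [UPDATE] tcp      6 432000 src=192.168.41.125 dst=192.168.1.20 sport=38916 dport=3389 src=192.168.1.20 dst=192.168.41.125 sport=3389 dport=38916 [ASSURED]
[DESTROY] tcp      6 src=192.168.41.125 dst=192.168.1.20 sport=38916 dport=3389 src=192.168.1.20 dst=192.168.41.125 sport=3389 dport=38916 [ASSURED]
    [NEW] tcp      6 432962 ESTABLISHED src=192.168.41.125 dst=192.168.1.20 sport=38916 dport=3389 [UNREPLIED] src=192.168.1.20 dst=192.168.41.125 sport=3389 dport=38916
"""

# Assumed line shape: "[EVENT] proto protonum [timeout] [STATE] key=value ... [FLAG] ..."
EVENT_RE = re.compile(r"^\s*\[(?P<event>[A-Z]+)\]\s+(?P<proto>\w+)\s+\d+\s+(?P<rest>.*)$")


def parse_event(line):
    """Parse one conntrack -E line; return None for lines in another format."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    tokens = m.group("rest").split()
    orig = {}  # first src/dst/sport/dport seen = original direction of the flow
    for tok in tokens:
        if "=" in tok:
            key, value = tok.split("=", 1)
            orig.setdefault(key, value)
    flags = {tok.strip("[]") for tok in tokens if tok.startswith("[")}
    state = next((tok for tok in tokens if tok.isupper() and not tok.startswith("[")), None)
    flow = (m.group("proto"), orig.get("src"), orig.get("sport"), orig.get("dst"), orig.get("dport"))
    return {"event": m.group("event"), "state": state, "flags": flags, "flow": flow}


def find_resurrected_flows(text):
    """Flows that show up as [NEW] again after a [DESTROY] for the same tuple.

    A [NEW] event that is already ESTABLISHED was created from a non-SYN
    packet, so that packet was not classified INVALID and the DROP rule
    in FORWARD never matched it.
    """
    destroyed, resurrected = set(), []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["event"] == "DESTROY":
            destroyed.add(ev["flow"])
        elif ev["event"] == "NEW" and ev["flow"] in destroyed and ev["state"] == "ESTABLISHED":
            resurrected.append(ev["flow"])
            destroyed.discard(ev["flow"])
    return resurrected


if __name__ == "__main__":
    for flow in find_resurrected_flows(SAMPLE_EVENTS):
        print("re-created after delete:", flow)
```

Run against live `conntrack -E` output, a non-empty result means deleted flows are being re-created from mid-stream packets rather than dropped as INVALID.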
