Hi, I am somewhat concerned that my firewall rules are not working quite as expected. I am seeing zero pkts for some rules where I expect to see at least some packets. At the end of all the rules I am left with a growing number of unmatched TCP INPUTs being logged, and these are typically of the following format (notice they all have ACK SYN and many have SPT=80):

    LEN=44 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=80 DPT=5867 WINDOW=5840 RES=0x00 ACK SYN URGP=0
    LEN=40 TOS=0x00 PREC=0x00 TTL=114 ID=33748 PROTO=TCP SPT=7000 DPT=15351 WINDOW=8760 RES=0x00 ACK SYN URGP=0

For a while I logged all NEW OUTPUTs, so I am happy that the origin of these packets is DoS / SYN attacks elsewhere with my IP address being spoofed.

The first line of the INPUT chain sends all the packets to bad_tcp_packets:

    # Generated by iptables-save v1.4.8
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
    -A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn:"
    -A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP

Recent packet counts from iptables -L bad_tcp_packets -nv:

    pkts bytes target prot opt in  out source    destination
       0     0 REJECT tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   tcp flags:0x12/0x12 state NEW reject-with tcp-reset
     187 25464 LOG    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   tcp flags:!0x17/0x02 state NEW LOG flags 0 level 4 prefix `New not syn:'
     187 25464 DROP   tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   tcp flags:!0x17/0x02 state NEW

Have I completely misunderstood that REJECT rule? I thought its purpose is to reject these ACK/SYN packets.

The default on INPUT is ACCEPT. I am erring on the side of caution and rejecting all the unmatched packets with tcp-reset at the end of the INPUT chain.

This seems such a basic 'problem' that I am at a loss to know where to look.
I did not compile iptables; it is the standard Debian Squeeze package, iptables v1.4.8-3.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
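An added example, not part of the post above and not netfilter project code: the `-L -nv` listing prints each rule's flag test as mask/compare (`0x12/0x12`, `!0x17/0x02`), and the script below applies exactly that test, (flags & mask) == compare, inverted where the listing shows `!`, to the flag names the LOG target wrote in the two quoted lines, plus one constructed ACK-only line for comparison. It shows that a SYN/ACK packet satisfies the flag test of the REJECT rule as well as the "New not syn" test, so the zero count on the REJECT rule cannot come from the flag match; the only other condition on that rule is `-m state --state NEW`. The helper names (flags_from_log, tcp_flags_match, rules_for_flags) and the third log line are my own.

```bash
#!/usr/bin/env bash
# Added example, not from the original mailing-list post: evaluate the
# --tcp-flags part of the three bad_tcp_packets rules against the flag names
# the LOG target prints, using the mask/compare form shown by `iptables -L -nv`
# (a leading '!' means an inverted match). Bit values are the TCP header's.
FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10 URG=0x20

# flags_from_log "LEN=44 ... ACK SYN URGP=0" -> flag word as a decimal number.
# Only bare flag names are taken; KEY=VALUE fields and DF are ignored.
flags_from_log() {
    local f=0 tok
    for tok in $1; do
        case "$tok" in
            FIN) f=$((f | FIN)) ;;
            SYN) f=$((f | SYN)) ;;
            RST) f=$((f | RST)) ;;
            PSH) f=$((f | PSH)) ;;
            ACK) f=$((f | ACK)) ;;
            URG) f=$((f | URG)) ;;
        esac
    done
    echo "$f"
}

# tcp_flags_match FLAGS MASK COMP [!] -> prints 1 if the rule's flag test
# matches, 0 otherwise. The tcp match computes (flags & mask) == comp and
# inverts the result when the rule was written with '!'.
tcp_flags_match() {
    local flags=$1 mask=$2 comp=$3 invert=${4:-} r=0
    [ $((flags & mask)) -eq $((comp)) ] && r=1
    [ "$invert" = "!" ] && r=$((1 - r))
    echo "$r"
}

# rules_for_flags FLAGS -> "reject=<0|1> lognotsyn=<0|1>" for the two distinct
# flag tests in the post's chain (the LOG and DROP rules share the second one).
rules_for_flags() {
    local flags=$1
    echo "reject=$(tcp_flags_match "$flags" 0x12 0x12) lognotsyn=$(tcp_flags_match "$flags" 0x17 0x02 '!')"
}

# The two lines quoted in the post (log prefix stripped) plus a plain ACK,
# constructed here to show what a mid-stream packet looks like by comparison.
LOG1='LEN=44 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=80 DPT=5867 WINDOW=5840 RES=0x00 ACK SYN URGP=0'
LOG2='LEN=40 TOS=0x00 PREC=0x00 TTL=114 ID=33748 PROTO=TCP SPT=7000 DPT=15351 WINDOW=8760 RES=0x00 ACK SYN URGP=0'
LOG3='LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=1 DF PROTO=TCP SPT=80 DPT=40000 WINDOW=5840 RES=0x00 ACK URGP=0'

for line in "$LOG1" "$LOG2" "$LOG3"; do
    f=$(flags_from_log "$line")
    printf 'flags=0x%02x %s\n' "$f" "$(rules_for_flags "$f")"
done
```

Both quoted SYN/ACK lines come out as flags=0x12 with reject=1 and lognotsyn=1, while the ACK-only line gives reject=0 and lognotsyn=1; since every rule in the chain also carries `-m state --state NEW`, the counters can only differ because of what conntrack made of the packet. An unsolicited SYN/ACK is neither the SYN of a new connection nor part of one already tracked, so the TCP tracker classifies it INVALID rather than NEW; that is why neither `--state NEW` rule sees it and it falls through to the end of INPUT. A quick check on the box is to count the other state, e.g. `iptables -I bad_tcp_packets -p tcp -m state --state INVALID -j LOG --log-prefix "Invalid:"`, and compare that counter with the unmatched packets logged at the end of the chain.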