Hi Folks,
Having a problem with my firewall and hoping I could get some answers
here. I've got 2 servers on either side of a firewall. Some packets are
getting thru and creating the TCP handshaking and some packets are being
rejected that go in the opposite direction and have the SYN-ACK flags set.
These are the reject packets I'm getting (Notice the SYN-ACK):
Nov 13 08:48:14 localhost kernel: KAMRejected IN=eth0 OUT=eth1 SRC=1.2.3.4 DST=5.6.7.8 LEN=52 TOS=0x00 PREC=0x00 TTL=62 ID=4830 PROTO=TCP SPT=2100 DPT=56654 WINDOW=5840 RES=0x00 ACK SYN URGP=0
What is really making this weird is that the communication goes like this:
1.2.3.4 tells the server 5.6.7.8, via port 4891, to run a process
5.6.7.8 tells 1.2.3.4 that process is finished using port 2100
SYN goes from 5.6.7.8 to 1.2.3.4
then
SYN-ACK goes from 1.2.3.4 to 5.6.7.8 and is reported
like the above packet
BUT the 4891 port communication is always fine. Why is the problem only
1 way? I've got 2 rules like this and they go in the opposite direction
(ports 2100:2151 & 5432 - below)
# Generated by iptables-save v1.4.7 on Mon Nov 5 16:41:32 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [222:65535]
:OUTPUT ACCEPT [55:5004]
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Enable logging
-A FORWARD -i eth0 -o eth1 -p icmp -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p icmp -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp --sport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#Allow all SYN-ACKs and ACKs thru???
-A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 5.6.7.8/32 -d 1.2.3.4/32 -i eth1 -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 5.6.7.8/32 -d 1.2.3.4/32 -i eth1 -o eth0 -p tcp -m tcp --dport 5432 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 5.6.7.8/32 -d 1.2.3.4/32 -i eth1 -o eth0 -p tcp -m multiport --dport 443,8081,80,8043 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 5.6.7.8/32 -i eth1 -o eth0 -p tcp -m multiport --dport 80,443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 5.6.7.8/32 -d 1.2.3.4/32 -i eth1 -o eth0 -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 5.6.7.8/32 -i eth0 -o eth1 -p tcp -m multiport --dport 22,443,8444,8088 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 5.6.7.8/32 -d 1.2.3.4/32 -i eth1 -o eth0 -p tcp -m multiport --dport 2100:2151 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Console connects to processes
-A FORWARD -s 1.2.3.4/32 -d 5.6.7.8/32 -i eth0 -o eth1 -p tcp -m tcp --dport 4891 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 5.6.7.8/32 -p tcp -m multiport --dport 49152:65535 -j ACCEPT
-A FORWARD -s 1.2.3.4/32 -d 5.6.7.8/32 -i eth0 -o eth1 -p udp -m multiport --dport 123,161 -j ACCEPT
### Unexplained Rules
-A FORWARD -s 1.2.3.4/32 -d 5.6.7.8/32 -i eth0 -o eth1 -p tcp --sport 5432 --dport 49152:65535 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.7.164/32 -d 1.2.3.4/32 -i eth1 -o eth0 -p tcp --sport 443 --dport 49152:65535 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.148.222/32 -d 5.6.7.8/32 -i eth0 -o eth1 -p udp --sport 49152:65535 --dport 49152:65535 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.7.164/32 -d 0/0 -i eth1 -o eth0 -p tcp --sport 443 --dport 49152:65535 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 1.2.3.4/32 -d 5.6.7.8/32 -i eth0 -o eth1 -p tcp --sport 2100:2151 --dport 49152:65535 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 1.2.3.4/32 -d 5.6.7.8/32 -i eth0 -o eth1 -p tcp --sport 49152:65535 --dport 113 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#####
-A FORWARD -j LOG --log-prefix "KAM Rejected "
-A INPUT -p tcp -j REJECT
COMMIT
# Completed on Mon Nov 5 16:41:32 2012
Somebody suggested that I use the rule -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT. But that lets everything thru.
Isn't that a major security issue? The same person said that having
destination ports of the entire ephemeral range is bad form, but is that
the only way to tighten up the firewall? It does resolve the issue,
but at what cost? Is there anything better?
All points, improvements and criticisms gratefully welcome.
Thanks,
Kevin
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
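The following is an added example, not code from the post above and not netfilter's own implementation. It is a toy model of what a stateful FORWARD chain like the one posted does with the three packets that matter here: the SYN from 5.6.7.8 to port 2100, the SYN-ACK that was logged, and a fresh SYN in the other direction. It parses the netfilter LOG format as it appears in the post and replays constructed packets through a simplified conntrack plus a subset of the posted rules (the blanket RELATED,ESTABLISHED rule, the 2100:2151 rule, the 4891 rule, the LOG rule and the DROP policy). Two facts it demonstrates: a RELATED,ESTABLISHED rule only admits packets that belong to a flow some NEW rule already accepted, so it does not open new connections by itself; and a SYN-ACK for which conntrack holds no entry is classified INVALID, which matches neither NEW nor ESTABLISHED and therefore falls through to the LOG rule and the chain policy. The model ignores sequence-window checks, timeouts, RELATED helpers and the nf_conntrack_tcp_loose mid-stream pickup (which applies to ACK-only packets, not to a lone SYN-ACK). The packets and rule subset are constructed for illustration.

```python
"""Added example (not from the post or from netfilter): a toy stateful
filter that parses the netfilter LOG format above and replays constructed
packets through a subset of the poster's FORWARD chain."""
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional, Tuple

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
Packet = namedtuple("Packet", "iif oif src dst spt dpt flags")

# The rejected packet from the post (prefix "KAMRejected" as logged there).
SAMPLE_LOG = ("Nov 13 08:48:14 localhost kernel: KAMRejected IN=eth0 OUT=eth1 "
              "SRC=1.2.3.4 DST=5.6.7.8 LEN=52 TOS=0x00 PREC=0x00 TTL=62 ID=4830 "
              "PROTO=TCP SPT=2100 DPT=56654 WINDOW=5840 RES=0x00 ACK SYN URGP=0")


def parse_log_line(line: str) -> Packet:
    """KEY=VALUE tokens become fields; bare SYN/ACK/... tokens become flags."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
    if fields.get("PROTO") != "TCP":
        raise ValueError("only TCP lines are modelled")
    return Packet(fields["IN"], fields["OUT"], fields["SRC"], fields["DST"],
                  int(fields["SPT"]), int(fields["DPT"]), frozenset(flags))


class Conntrack:
    """Minimal tracker: a flow is keyed on the 4-tuple of its accepted SYN.
    Simplified: no sequence windows, timeouts, RELATED helpers or
    nf_conntrack_tcp_loose mid-stream pickup."""

    def __init__(self):
        self.flows = set()

    def classify(self, p: Packet) -> str:
        if (p.src, p.dst, p.spt, p.dpt) in self.flows or \
           (p.dst, p.src, p.dpt, p.spt) in self.flows:
            return "ESTABLISHED"      # either direction of a tracked flow
        if p.flags == {"SYN"}:
            return "NEW"              # only a plain SYN can open a flow
        return "INVALID"              # e.g. SYN-ACK for a SYN never tracked

    def confirm(self, p: Packet) -> None:
        self.flows.add((p.src, p.dst, p.spt, p.dpt))


@dataclass(frozen=True)
class Rule:
    target: str
    states: frozenset = frozenset()                   # empty: no -m state
    iif: Optional[str] = None
    oif: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dports: Tuple[Tuple[int, int], ...] = ()          # (lo, hi) ranges

    def matches(self, p: Packet, state: str) -> bool:
        for want, have in ((self.iif, p.iif), (self.oif, p.oif),
                           (self.src, p.src), (self.dst, p.dst)):
            if want is not None and have != want:
                return False
        if self.dports and not any(lo <= p.dpt <= hi for lo, hi in self.dports):
            return False
        return not self.states or state in self.states


ST_ANY = frozenset({"NEW", "RELATED", "ESTABLISHED"})
# Subset of the poster's FORWARD chain (policy DROP), in its original order.
FORWARD = [
    Rule("ACCEPT", frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", ST_ANY, "eth1", "eth0", "5.6.7.8", "1.2.3.4", ((2100, 2151),)),
    Rule("ACCEPT", ST_ANY, "eth0", "eth1", "1.2.3.4", "5.6.7.8", ((4891, 4891),)),
    Rule("LOG"),                      # non-terminating; falls to policy DROP
]


def forward(ct: Conntrack, p: Packet):
    """Returns (conntrack state, verdict, hit_log_rule) for one packet."""
    state, logged = ct.classify(p), False
    for rule in FORWARD:
        if not rule.matches(p, state):
            continue
        if rule.target == "LOG":
            logged = True
        else:                         # ACCEPT
            if state == "NEW":
                ct.confirm(p)         # the accepted SYN becomes a tracked flow
            return state, rule.target, logged
    return state, "DROP", logged


def handshake_through_firewall():
    """SYN 5.6.7.8:56654 -> 1.2.3.4:2100 followed by the logged SYN-ACK."""
    ct = Conntrack()
    syn = Packet("eth1", "eth0", "5.6.7.8", "1.2.3.4", 56654, 2100, frozenset({"SYN"}))
    return [forward(ct, syn), forward(ct, parse_log_line(SAMPLE_LOG))]


def synack_without_tracked_syn():
    """The same SYN-ACK when conntrack never saw the SYN that provoked it."""
    return forward(Conntrack(), parse_log_line(SAMPLE_LOG))


def unsolicited_syn_from_outside():
    """A fresh SYN 1.2.3.4 -> 5.6.7.8:56654 (constructed): no NEW rule allows it."""
    syn = Packet("eth0", "eth1", "1.2.3.4", "5.6.7.8", 40000, 56654, frozenset({"SYN"}))
    return forward(Conntrack(), syn)
```

When the SYN has been tracked, the SYN-ACK is ESTABLISHED and is accepted by the first rule; when it has not, the same SYN-ACK is INVALID and ends up at the LOG rule, which is the pattern in the logged line. On a real box the equivalent check is whether an entry for 5.6.7.8:56654 -> 1.2.3.4:2100 exists in the conntrack table (conntrack -L from conntrack-tools, or /proc/net/nf_conntrack) at the moment the SYN-ACK arrives.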