Hi List!

I have been experiencing problems with my stateful filter on linux-2.4.*. The problem is a little bit odd and is most likely a wrong config issue. The problem is that SPT=80 packets get dropped.

I want to set up Linux workstations in such a way that they are invisible to scanners, but they can access the Internet, only when the request is local. To cut it short:

  OUTPUT -> NEW, RELATED and ESTABLISHED
  INPUT  -> just RELATED and ESTABLISHED

Direct HTTP connections using wget, telnet IP 80, and the browsers work just fine. But sometimes packets start getting dropped, just when using the browser.

I was trying to isolate the problem, and see if it is connected to any redirect, which would get deferred by the filter, but wasn't able to find anything. As far as I know, all redirects are done in DNS, and when they are HTTP redirects, the httpd server informs the client of the new IP+virtualhost, and the client starts a new query/connection to the new HTTP server; so the new connection would start from the client, and the filter wouldn't affect anything.

I have also tried to see if there was some timeout in the ip_conntrack table, but haven't found anything either.

*******************************************************************
NONSENSE thoughts... I find this nonsense, but would the following situation be possible?

192.168.0.1 -> accepts only related/established in INPUT rule
192.168.0.2 and 192.168.0.3 -> UNIX HTTP servers with no filters

- 192.168.0.1:XXX makes a request to 192.168.0.2:80 (NEW)
- in the 192.168.0.1 ip_conntrack table a connection 192.168.0.1:XXX-192.168.0.2:80 is added.
- the 192.168.0.1:XXX-192.168.0.2:80 connection becomes ESTABLISHED
- traffic flows as expected.
- for some strange reason during the session, 192.168.0.2:80 involves 192.168.0.3:80 in the connection and 192.168.0.3:80 tries to send packets to 192.168.0.1:anyport
- incoming 192.168.0.3:80 packets aren't in the conntrack table @ 192.168.0.1 and get dropped.

OR

- 192.168.0.1:XXX makes a request to 192.168.0.2:80 (NEW)
- in the 192.168.0.1 ip_conntrack table a connection 192.168.0.1:XXX-192.168.0.2:80 is added.
- the 192.168.0.1:XXX-192.168.0.2:80 connection becomes ESTABLISHED
- traffic flows as expected.
- for some strange reason during the session, 192.168.0.2:80 changes the TCP connection and starts replying to 192.168.0.1:YYY, changing ports (nonsense)
*******************************************************************

I have set up a simple simple filter like this: (any silly misconfs??)

######################################################################
#Flush all tables
iptables -F

#Create and Flush state tables
# (-X on a chain that does not exist yet only prints an error; harmless)
iptables -X STATEIN
iptables -N STATEIN
iptables -F STATEIN
iptables -X STATEOUT
iptables -N STATEOUT
iptables -F STATEOUT

#Turn all policies to Drop.
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -P INPUT DROP

#Accept all packets coming from Localhost
# (-j needs a space before the target name)
iptables -A INPUT -i lo -j ACCEPT

#
#Here some lines which accept some specific services from some specific hosts.
#
# --dport is only available after a protocol is selected, so -p tcp is required;
# the LOG rule must come before the DROP rule, otherwise it is never reached.
iptables -A INPUT -p tcp -s <source-IP> -d <my-eth0-IP> --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d <my-eth0-IP> --dport 22 -j LOG
iptables -A INPUT -p tcp -s 0/0 -d <my-eth0-IP> --dport 22 -j DROP

#Redirect all input to STATEIN
# and all output to STATEOUT
iptables -A INPUT -j STATEIN
iptables -A OUTPUT -j STATEOUT

#Then Here the Stateful commands.
# (a trailing space in the prefix keeps it from running into the "IN=" field in the log)
iptables -A STATEIN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A STATEIN -j LOG --log-prefix "ST_IN "
iptables -A STATEIN -j DROP
iptables -A STATEOUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -A STATEOUT -j LOG --log-prefix "ST_OUT "
iptables -A STATEOUT -j DROP

iptables -L --line-numbers
######################################################################

Thanks,
Eduardo.

--
Eduardo Damato
Analista de Redes - GRC
Assessoria de Informática - UNESP
email: [EMAIL PROTECTED]
fone: (11) 252-0577
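One way to narrow down why source-port-80 packets reach the STATEIN DROP rule is to look at what the LOG rule actually records. The script below is an added example, not part of the post above and not written by its author; it parses lines in the kernel's iptables LOG format (`SRC=`, `DST=`, `PROTO=`, `SPT=`, `DPT=`, with TCP flags as bare tokens such as `ACK FIN`) and sorts the drops by TCP flag combination. The sample lines are constructed for the example and assume the `ST_IN` log prefix was given with a trailing space. A drop carrying only ACK, or FIN/ACK, from a server the workstation has already talked to points at a conntrack entry that was removed or timed out before the server's last segments arrived (an idle browser keep-alive connection is a typical case); a bare SYN from port 80 is an unsolicited connection attempt that the INPUT policy is meant to drop.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel's iptables LOG format (not from the post).
# They stand in for ST_IN-prefixed drops copied out of /var/log/messages or dmesg.
SAMPLE_LOG = """\
Mar  3 10:01:02 ws1 kernel: ST_IN IN=eth0 OUT= SRC=192.168.0.2 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=12 DF PROTO=TCP SPT=80 DPT=1041 WINDOW=0 RES=0x00 ACK FIN URGP=0
Mar  3 10:01:05 ws1 kernel: ST_IN IN=eth0 OUT= SRC=192.168.0.2 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=13 DF PROTO=TCP SPT=80 DPT=1041 WINDOW=0 RES=0x00 ACK URGP=0
Mar  3 10:02:30 ws1 kernel: ST_IN IN=eth0 OUT= SRC=192.168.0.3 DST=192.168.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=55 ID=99 DF PROTO=TCP SPT=80 DPT=1055 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Mar  3 10:03:00 ws1 kernel: ST_IN IN=eth0 OUT= SRC=10.9.8.7 DST=192.168.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=80 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:03:01 ws1 kernel: ST_IN IN=eth0 OUT= SRC=192.168.0.2 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=UDP SPT=53 DPT=1066 LEN=40
"""

# KEY=value pairs as the LOG target writes them; TCP flags have no "=" and are
# matched separately as whole tokens.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")


def parse_log_line(line, prefix="ST_IN"):
    """Return a dict for one LOG line carrying `prefix`, or None for unrelated lines."""
    if prefix not in line or "PROTO=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    tokens = set(line.split())

    def port(name):
        value = fields.get(name, "")
        return int(value) if value.isdigit() else None

    return {
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": port("SPT"),
        "dpt": port("DPT"),
        "flags": tuple(f for f in TCP_FLAGS if f in tokens),
    }


def classify(rec):
    """Label why a packet could miss the ESTABLISHED,RELATED match and fall through to DROP."""
    if rec["proto"] != "TCP":
        return "non-tcp"
    flags = set(rec["flags"])
    if "SYN" in flags and "ACK" not in flags:
        return "unsolicited-syn"            # nobody on this host opened a connection
    if "SYN" in flags:
        return "syn-ack-without-tracked-syn"  # reply to a SYN conntrack never saw
    if flags & {"FIN", "RST"}:
        return "late-close"                 # server closing after the entry was gone
    return "stray-ack"                      # data/ack on a connection no longer tracked


def summarize(log_text, port=80):
    """Count dropped packets from source port `port`, keyed by (source IP, reason)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["spt"] != port:
            continue
        counts[(rec["src"], classify(rec))] += 1
    return counts


if __name__ == "__main__":
    for (src, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:16} {kind:30} {n}")
```

Run it over the real `ST_IN` lines from the workstation: if the drops cluster under `late-close` and `stray-ack` and come from the web servers the browser was just talking to, the filter rules are behaving as written and the thing to look at is how long conntrack keeps an idle TCP connection compared with how long the browser keeps it open.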
