Re: Iptables....

From: Paul Bryan (pa_bryan@yahoo.co.uk)
Date: 01/31/03

    From: Paul Bryan <pa_bryan@yahoo.co.uk>
    To: security-discuss@linuxsecurity.com, "Victor Batista" <vbatista@present-technologies.com>
    Date: Fri, 31 Jan 2003 12:08:45 +1100
    
    

    On Tuesday 28 January 2003 07:29, Victor Batista wrote:
    > Hello!
    > My firewall has a rule that protects against new connections
    > without the syn flag. I am logging these rejected packets.
    >
    > I am observing lots of these packets being dropped, with
    > origin in one of my servers. The origin port is 80. I am also listening on
    > port 80 on this machine (Apache). Are these connection attempts being
    > made by apache, or can they be originated by a different program? If it
    > is Apache, what is the reason?
    >
    > Jan 27 20:07:00 firewall kernel: Firewall LOG-IN=eth1
    > OUT=eth0 SRC=192.168.1.253 DST=XXX.XXX.XXX.XXX LEN=468 TOS=0x00
    > PREC=0x00 TTL=63 ID=15690 DF PROTO=TCP SPT=80 DPT=11723 WINDOW=31740
    > RES=0x00 ACK PSH URGP=0

    This packet is being sent by apache as a response to some client connection,
    from the looks of it. What are your rules for matching against new connections
    without the syn flag? I suspect you may have a problem with your rules.

    >
    >
    > I am using DNAT. The packets which are addressed to DNATed
    > machines pass through the INPUT->OUTPUT chains, right? Or do they pass
    > by the FORWARD chain?

    Anything not addressed to the local machine passes through the forward chain.
    When using DNAT, the destination address is re-written as it comes in. This
    is part of the pre-routing table.

    This means that if the address is rewritten to a different machine than the
    local host (which I'm assuming it is otherwise you wouldn't be needing
    DNAT!), it will traverse the filter table through the forward chain. It does
    not traverse either the input or output chains of the filter table. These are
    only for packets destined for the local host (input) or packets originating
    from the local host (output).

    There seems to be a lot of confusion about iptables and how things work. This
    is really surprising, because the howtos at www.iptables.org are really very
    clear and describe all of this in detail. I recommend anyone who runs
    iptables read the filter howto and the NAT howto.

    Cheers,
    Paul.
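The two points in Paul's reply (which filter chain a packet traverses, and whether a logged non-SYN packet is really a "new connection" or a reply on an existing one) can be checked mechanically against the LOG lines Victor is collecting. The script below is an added example written for this archive page; it is not code from either poster. It parses the netfilter LOG target format shown in the thread, derives the chain from the IN/OUT fields exactly as Paul describes, and flags ACK-bearing packets from a server port as candidates for a rule-ordering problem (an ESTABLISHED,RELATED accept rule that does not precede the `! --syn` / `--state NEW` drop, or connection tracking that never saw the handshake). The sample log lines are constructed; the masked DST in the original is replaced with a 203.0.113.0/24 documentation address, and the set of "server ports" is an assumption for illustration.

```python
import re

# Constructed sample lines in the netfilter LOG target's format, modelled on the
# line quoted in the thread. The log prefix is "Firewall LOG-", so IN= is glued to it.
# 203.0.113.0/24 is a documentation range standing in for the masked DST address.
SAMPLE_LOG = """\
Jan 27 20:07:00 firewall kernel: Firewall LOG-IN=eth1 OUT=eth0 SRC=192.168.1.253 DST=203.0.113.10 LEN=468 TOS=0x00 PREC=0x00 TTL=63 ID=15690 DF PROTO=TCP SPT=80 DPT=11723 WINDOW=31740 RES=0x00 ACK PSH URGP=0
Jan 27 20:07:05 firewall kernel: Firewall LOG-IN=eth0 OUT= SRC=203.0.113.99 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
Jan 27 20:07:09 firewall kernel: Firewall LOG-IN=eth0 OUT=eth1 SRC=203.0.113.77 DST=192.168.1.253 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=2 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Assumed set of ports on which the DNATed servers offer services (illustrative).
SERVER_PORTS = {"80", "443", "25", "22"}

# KEY=VALUE tokens; the lookbehind lets "LOG-IN=eth1" yield IN without swallowing "LOG".
KV_RE = re.compile(r"(?<!\w)([A-Z]+)=(\S*)")
# TCP flag words as the LOG target prints them after RES=... (URGP=0 is not a flag).
TCP_FLAG_RE = re.compile(r"\b(SYN|ACK|PSH|FIN|RST|URG)\b")


def parse_log_line(line):
    """Turn one LOG line into a dict of KEY=VALUE fields plus a 'flags' set."""
    fields = dict(KV_RE.findall(line))
    tail = line.split("RES=", 1)[1] if "RES=" in line else ""
    fields["flags"] = set(TCP_FLAG_RE.findall(tail))
    return fields


def filter_chain(pkt):
    """Filter-table chain the packet was traversing, by Paul's rule of thumb."""
    if pkt.get("IN") and pkt.get("OUT"):
        return "FORWARD"   # routed through the box, e.g. to or from a DNATed server
    if pkt.get("IN"):
        return "INPUT"     # destined for the firewall host itself
    return "OUTPUT"        # originated by the firewall host itself


def tcp_phase(pkt):
    """Classify the segment by its flags: handshake opener, mid-stream, or odd."""
    if pkt.get("PROTO") != "TCP":
        return "not-tcp"
    flags = pkt["flags"]
    if "SYN" in flags and "ACK" not in flags:
        return "handshake-syn"   # the only thing a "new connection" should look like
    if "ACK" in flags:
        return "mid-stream"      # belongs to a connection conntrack should already know
    return "unusual"


def triage(line):
    """Explain one logged drop from the '! --syn' NEW rule in defender's terms."""
    pkt = parse_log_line(line)
    chain = filter_chain(pkt)
    phase = tcp_phase(pkt)
    spt = pkt.get("SPT", "")
    if phase == "mid-stream" and spt in SERVER_PORTS:
        verdict = ("server reply on an existing connection: check that an "
                   "ESTABLISHED,RELATED ACCEPT rule precedes the '! --syn' NEW drop "
                   "in " + chain + ", or that conntrack actually saw the handshake")
    elif phase == "mid-stream":
        verdict = ("non-SYN segment with no tracked connection: stray segment from a "
                   "timed-out connection or an unsolicited ACK; dropping it is correct")
    elif phase == "handshake-syn":
        verdict = "genuine new connection; this rule should not be the one logging it"
    else:
        verdict = "unexpected flag combination; inspect by hand"
    return {"chain": chain, "phase": phase, "src": pkt.get("SRC", ""),
            "spt": spt, "dpt": pkt.get("DPT", ""), "verdict": verdict}


if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        r = triage(entry)
        print(f"{r['chain']:<8}{r['phase']:<15}{r['src']}:{r['spt']} -> :{r['dpt']}")
        print("    " + r["verdict"])
```

On the quoted line the script reports FORWARD and mid-stream for a packet leaving port 80 on 192.168.1.253, which is the combination Paul's reply points at: the DNATed web server answering a client, traversing FORWARD rather than INPUT or OUTPUT, and being caught by a rule that should only ever see packets conntrack has no state for.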