Re: iptables strangeness

From: Clyde Nishimura (c.nishimura@verizon.net)
Date: 08/05/02

• Next message: : "Bizarre firewall entries"
• Previous message: Barracuda: "Mandrake SNF"
• In reply to: Kasper Dupont: "iptables strangeness"
• Next in thread: : "Re: iptables strangeness"
• Reply: : "Re: iptables strangeness"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: Clyde Nishimura <c.nishimura@verizon.net>
Date: Mon, 05 Aug 2002 01:12:03 GMT

Kasper Dupont wrote:
> I just spotted these in my log
>
> Aug 4 10:33:14 eddie kernel: iptables ACCEPT: IN=eth0 OUT=
> MAC=00:a0:24:c7:7c:47:00:02:fd:13:c3:38:08:00 SRC=61.xx.xxx.181
> DST=62.xx.xxx.91 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=1332 DF
> PROTO=TCP SPT=23442 DPT=25 WINDOW=512 RES=0x00 SYN URGP=0
> Aug 4 10:33:35 eddie kernel: iptables REJECT: IN= OUT=eth0
> SRC=62.xx.xxx.91 DST=61.xx.xxx.181 LEN=44 TOS=0x00 PREC=0x00
> TTL=64 ID=0 DF PROTO=TCP SPT=25 DPT=23442 WINDOW=5840 RES=0x00
> ACK SYN URGP=0
>
> The first rule in my OUTPUT chain is:
> -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> This makes me wonder, why is there 21 seconds between the
> two messages. The system has not been under any high load.
> And why is the SYN ACK packet not ESTABLISHED?
>
> I'm using kernel 2.4.19-ac1, but I have seen similar strange
> rejects of outgoing packets with earlier kernels. They have
> usually been caused by a single of the connections when a
> Nimda infected host made a sequence of connections. But this
> one bothers me more.
>
> The connection never reached xinted.
>

My understanding is for TCP, ESTABLISHED is for after connections are
initiated, not during the three way handshake. Not sure why the 21
second delay. This is weird.

Why the reference to xinted (xinetd)?

---

• Next message: : "Bizarre firewall entries"
• Previous message: Barracuda: "Mandrake SNF"
• In reply to: Kasper Dupont: "iptables strangeness"
• Next in thread: : "Re: iptables strangeness"
• Reply: : "Re: iptables strangeness"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages iptables strangeness ... ACK SYN URGP=0 ... And why is the SYN ACK packet not ESTABLISHED? ... I'm using kernel 2.4.19-ac1, but I have seen similar strange ... Nimda infected host made a sequence of connections. ... (comp.os.linux.security) Re: ZONE_NORMAL memory exhausted by 4000 TCP sockets ... > By configuring ebtables and iptables, an application is running as TCP ... > The problem is the memory. ... > concurrent connections, I know the memory size of ZONE_NORMAL would be ... but other things may consume ram on your kernel. ... (Linux-Kernel) Re: [bug] stuck localhost TCP connections, v2.6.26-rc3+ ... Active Internet connections ... randconfig kernel configs that all produced such failures. ... TCP cubic registered ... (Linux-Kernel) Re: combining internet connections ... > I was wondering if I can use both connections... ... Julian Anastasov's routing patches found here: ... If you are patching your kernel, you may also want to add some functionality ... (Fedora) Re: Linux and DB2 ... Where can I get more informations about the mentioned IRC Server or the ... File Descriptor" hard limit in the kernel ?? ... >> connections are possible at the same time. ... Vous êtes donc prié de nous informer immédiatement de cette ... (Focus-Linux)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > comp.os.linux.security  > 2002-10