Home Forums Articles Downloads Hosting Freebies Jobs
Welcome to Linux Forums! With a comprehensive Linux Forum, information on various types of Linux software and many Linux Reviews articles, we have all the knowledge you need a click away, or accessible via our knowledgeable members.
Write an article for LinuxForums Today! Win Great Prizes!
Find the answer to your Linux question:
New to Linux Forums? Register here for free!
    Linux Forums > GNU Linux Zone > Linux Security > iptables and 'new not syn' packets

Forgot Password?
 Linux Security   Discussion about keeping your machines secure, and the crackers out.

Site Navigation
Linux Articles
Linux Forums
Linux Downloads
Linux Hosting
Free Magazines
Job Board
IRC Chat
RSS Feeds
Linux Forum Topics
Linux Forums
Your Distro
Linux Resources
GNU Linux Zone
The Community
Reply
 
Thread Tools Display Modes
Old 06-05-2009   #1 (permalink)
Just Joined!
 
Join Date: Jun 2009
Posts: 3
iptables and 'new not syn' packets
Hello,

Our machines are running behind a Debian firewall/router with iptables, under a 2.6.26 kernel, and with a fairly generic set of rules.
One such rule...
Code:
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
... drops 'new not syn' packets. The log usually contains a few, less than 20, of these each month. However, after recently starting some work with another known (and I think trusted) site, communications with them yield at least one of the above mentioned packets with each contact. Sometimes 60-80 per day. The remote site is adamant that the problem has to lie in our OS or netfilter configuration. The occurrence of these packets doesn't seem to have any adverse effects on the exchange of data, the work flow appears to hum along fine. My question is, is it logical to assume that, given the 'every single time' occurrence of the dropped packets, and no other increase in activity in this category from other sources, that the remote site is somehow munging things at their end? Or, is there some other nuance of dealing with 'new not syn' packets that we should be doing? The latter seems unlikely as I've already exceeded my quota for mistakes this year.
Any thoughts on this are appreciated!

Chuck Logan
BNSC is offline  



Reply With Quote
Old 06-05-2009   #2 (permalink)
Linux Engineer
 
Lazydog's Avatar
 
Join Date: Jun 2004
Location: The Key Stone State
Posts: 1,352
It could be the app is trying to start another stream but because it thinks they are already sync'ed they don't need to do this again. Maybe they do have some sort of malware that is trying to piggyback in. Without seeing the packets it all just a guessing game. You need to look at the packets to figure this one out.
__________________

Regards
Robert

Linux
The adventure of a life time.

Linux User #296285
Get Counted
Lazydog is offline   Reply With Quote
Old 06-05-2009   #3 (permalink)
Just Joined!
 
Join Date: Jun 2009
Posts: 3
Quote:
Originally Posted by Lazydog View Post
You need to look at the packets to figure this one out.
Well, I let the Wireshark out of it's tank and let it nibble on a few packets when one of our clients 'phoned home'. I won't pretend to understand all I see in it's output, but in comparing the firewall log with the sniffer, I *might* see something pertinent. The firewall log showed that the dropped packet was headed for port 42129. Here's an abbreviated output of the first few frames captured:
Code:
Outbound   42129 > 80 [FIN, ACK]
Outbound   42144 > 80 [SYN]
Inbound      80 > 42129 [ACK]
Inbound      80 > 42144 [SYN, ACK]
Frames 4-14 shows traffic to and from port 42144.

Frame 15 is:
Code:
Outbound    42129 > 80 [FIN, ACK]
This is followed by 3 more frames of chat on port 42144

Finally, frames 19-23 all show:
Code:
Outbound     42129 > 80 [FIN, ACK]
The final frame is as above but with port 42144 [FIN, ACK]

As I was typing this long-winded message we captured another session and it appears to be almost identical to what I've posted, only the high-end port numbers changed. I think I feel confident to say that if the problem is in fact originating at our end, it's a function of the client software they provided, and not our firewall being paranoid. If anything above seems pertinent, let me know.
I appreciate the help!

Chuck
BNSC is offline   Reply With Quote
Old 06-06-2009   #4 (permalink)
Linux Engineer
 
Lazydog's Avatar
 
Join Date: Jun 2004
Location: The Key Stone State
Posts: 1,352
In your captures you should see what frames the FIN, ACK and SYN, ACK are replying to.

Looking at what you posted it looks like 42129 is sending the FIN, ACK then deciding it doesn't want to finish so it sends a SYN packet.

Looks like 80 is ACK the FIN, ACK of 42129 and then SYN, ACK the SYN packet from 42129.

I have port 80 traffic dropped on my system from time to time and I do not make a big deal out of it as if the connection is needed it will start a new one. But it sounds like the software should be looked at closer to understand why it does this so much.
__________________

Regards
Robert

Linux
The adventure of a life time.

Linux User #296285
Get Counted
Lazydog is offline   Reply With Quote
Old 06-06-2009   #5 (permalink)
Just Joined!
 
Join Date: Jun 2009
Posts: 3
Quote:
Originally Posted by Lazydog View Post
In your captures you should see what frames the FIN, ACK and SYN, ACK are replying to.
Thanks, Robert. Looking at the captures and the chronological time stamps, the very first packet sent from the client to start the conversation is the FIN ACK. There is no SYN ever sent for that first port that I can see. Oddly this is the case as well in transactions that have no firewall related issues. However, there are 5 possible scenarios that can happen when the client calls in. I suspect that one or two of those situations is what is causing the bad packets while the others slide on by. At this point I hereby deem it a "Monday problem", maybe if I apply enough barley pop over the weekend it will have corrected itself by then.
At any rate, with help of your sanity checks, I'm now confident that there isn't much more that can be done from a sysadmin point. I truly appreciate your help!

Best regards,
Chuck Logan
BNSC is offline   Reply With Quote
Reply

« Previous Thread | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off

Free Magazines
A Newbie's Getting Started Guide to Linux
Learn the basics of the Linux operating systems. Get to know what it is all about, and familiarize yourself with the practical side. Basically, if you're a complete Linux newbie and looking for a quick and easy guide to get you started this is it.
subscribe
Run Your Own Web Server Using Linux & Apache - Free 191 Page Preview
Learn about everything you'll need to build and maintain your Linux servers, and to deploy Web applications to them.
subscribe
Open Source Security Myths Dispelled
Dispel the five major myths surrounding Open Source Security and gain the tools necessary to make a truly informed decision for your IT organization
subscribe
InformationWeek
InformationWeek is the only newsweekly you'll need to stay on top of the latest developments in information technology.
subscribe



All times are GMT. The time now is 05:39 AM.





Advertise About Us Contact Us Write For Us Archive Top
© 2000 - - All Rights Reserved - Property of  MAS Media

Content Relevant URLs by vBSEO 3.3.1