  1. #1
    Just Joined!
    Join Date
    Jan 2008
    Posts
    28

    packet rejected by firewall


    Hi

    My firewall is blocking the following requests. What should I do so that the firewall does not block them?

    I have the following iptables rules, which are blocking them:

    $IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
    --log-prefix "fp=bad_packets:1 a=DROP "

    $IPT -A bad_packets -p ALL -m state --state INVALID -j DROP


    Jun 27 11:14:38 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.44 DST=173.194.38.141 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=41102 DF PROTO=TCP SPT=55563 DPT=80 WINDOW=245 RES=0x00 ACK FIN URGP=0
    Jun 27 11:14:39 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.171 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=57967 DF PROTO=TCP SPT=49757 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
    Jun 27 11:14:43 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.171 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=28476 DF PROTO=TCP SPT=49757 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
    Jun 27 11:14:45 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=173.194.38.131 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=59458 DF PROTO=TCP SPT=49772 DPT=80 WINDOW=16384 RES=0x00 ACK FIN URGP=0
    Jun 27 11:14:49 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=216.52.242.80 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=48650 DF PROTO=TCP SPT=49740 DPT=80 WINDOW=16384 RES=0x00 ACK FIN URGP=0
    Jun 27 11:14:50 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=173.194.38.131 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=58428 DF PROTO=TCP SPT=49773 DPT=80 WINDOW=16384 RES=0x00 ACK FIN URGP=0
    Jun 27 11:14:50 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.171 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=17698 DF PROTO=TCP SPT=49757 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
    Jun 27 11:14:51 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=216.52.242.80 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=45670 DF PROTO=TCP SPT=49740 DPT=80 WINDOW=16384 RES=0x00 ACK FIN URGP=0
    Jun 27 11:14:52 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=216.52.242.80 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=32826 DF PROTO=TCP SPT=49740 DPT=80 WINDOW=16384 RES=0x00 ACK FIN URGP=0
    Jun 27 11:14:54 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=216.52.242.80 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=16206 DF PROTO=TCP SPT=49740 DPT=80 WINDOW=16384 RES=0x00 ACK FIN URGP=0
    Jun 27 11:14:55 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.44 DST=173.194.38.141 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=41103 DF P

  2. #2
    Linux User Krendoshazin
    Join Date
    Feb 2005
    Location
    London, England
    Posts
    471
    You probably have this figured out by now, but just in case:

    From what I can tell, you want to create a rule to allow the packets that are currently being dropped by your firewall. To do that, use the following:

    iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT

    Netfilter runs on a 'first match wins' basis, so if you put that rule after your DROP rule, then it will match it first and drop all your packets. To get around that, tell iptables to place the new rule right at the start:

    iptables -I INPUT 1 -i eth1 -p tcp --dport 80 -j ACCEPT

    This should then allow the packets to filter through.

  3. #3
    Just Joined!
    Join Date
    Jan 2008
    Posts
    28
    Hi

    I have already added the following rules for that IP 192.168.1.108

    iptables -I tcp_outbound -p TCP -s 192.168.1.108 --destination-port 80 -j ACCEPT

    plus the rules that I mentioned in my earlier post.

    As per the firewall it is rejected as an INVALID packet, but it is not an INVALID packet. It is trying to contact Google's server.

  5. #4
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Quote Originally Posted by Krendoshazin:
        From what I can tell, you want to create a rule to allow the packets that are currently being dropped by your firewall. To do that, use the following:

        iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT

    Looking at what the OP posted, this is a FORWARD rule issue, not an INPUT rule issue:

        a=DROP IN=eth0 OUT=eth1

    The question now becomes: which rule is jumping to the INVALID chain, and why? This is where you fix the problem.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  6. #5
    Linux User Krendoshazin
    Join Date
    Feb 2005
    Location
    London, England
    Posts
    471
    Quote Originally Posted by Lazydog:
        Looking at what the OP posted, this is a FORWARD rule issue, not an INPUT rule issue.

    You're right, I read the output incorrectly. I think it would help if we could see the entire firewall configuration by using 'iptables-save > filename'.

  7. #6
    Just Joined!
    Join Date
    Jan 2008
    Posts
    28
    Hi

    Please find the firewall rules attached.
    Attached Files

  8. #7
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Can you kindly re-post with the correct line breaks? Thanks.

    Regards
    Robert

  9. #8
    Just Joined!
    Join Date
    Jan 2008
    Posts
    28
    Hi

    My firewall rules are attached here.
    Attached Files

  10. #9
    Linux User Krendoshazin
    Join Date
    Feb 2005
    Location
    London, England
    Posts
    471
    I think the problem is that you're sending all incoming traffic through the bad_packets table, which then gets matched against your first TCP rule and subsequently dropped. Because you're sending everything through bad_packets, then the packets never reach the RELATED,ESTABLISHED rule for the firewall to know that these are packets from an established connection.

    Try moving your '-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT' rule so that it comes before the rule '-A INPUT -j bad_packets' and see what happens. Established connections shouldn't be subjected to those filtering rules.

  11. #10
    Just Joined!
    Join Date
    Jan 2008
    Posts
    28
    Hi

    As you suggested, I have added the rule '-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT' before '-A INPUT -j bad_packets', but I am still getting dropped packets, as below:

    Jul 3 11:36:23 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=44466 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
    Jul 3 11:36:24 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=46285 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
    Jul 3 11:36:28 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=27522 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
    Jul 3 11:36:32 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=61388 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
    Jul 3 11:36:53 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=51905 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
    Jul 3 11:37:16 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=31902 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
    Jul 3 11:37:39 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=44726 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
    Jul 3 11:38:02 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=40431 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
    Jul 3 11:38:25 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=41096 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0

    So I have added the following rules:
    $IPT -A bad_packets -p tcp -m tcp --tcp-flags ACK,FIN FIN,ACK -j ACCEPT
    $IPT -A bad_packets -p tcp -m tcp --tcp-flags ACK,RST RST,ACK -j ACCEPT
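As an added example (not code from the thread or from any poster), the following Python triage script parses netfilter LOG lines in the format quoted above, classifies each drop as INPUT, FORWARD or OUTPUT from the IN=/OUT= fields the way Lazydog read them in post #4, and emulates the '--tcp-flags' test of the two rules in the last post to show which of the logged packets those rules would now accept. The first sample line is quoted from the thread; the second (a SYN to port 22 from 203.0.113.9, documentation addresses) is constructed to show an INPUT-chain packet the rules would not exempt.

```python
from collections import Counter

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# Sample input: the first line is quoted from the thread; the second is constructed
# (documentation addresses) to show a packet that hit INPUT rather than FORWARD.
SAMPLE_LOG = """\
Jul 3 11:36:23 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=44466 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jul 3 11:40:01 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

def parse_log_line(line):
    """Split a netfilter LOG line into key=value fields plus the set of bare TCP flag tokens."""
    body = line.partition("kernel: ")[2]
    rec = {"flags": set()}
    for tok in body.split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec[key] = val
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    # IN= and OUT= both filled means the packet was routed through this host (FORWARD);
    # only IN= means it was addressed to the host (INPUT); only OUT= means locally generated.
    if rec.get("IN") and rec.get("OUT"):
        rec["chain"] = "FORWARD"
    elif rec.get("IN"):
        rec["chain"] = "INPUT"
    else:
        rec["chain"] = "OUTPUT"
    return rec

def tcp_flags_match(flags, mask, comp):
    """Emulate '-m tcp --tcp-flags MASK COMP': of the flags in MASK, exactly those in COMP must be set."""
    expand = lambda s: TCP_FLAGS if s == "ALL" else set() if s == "NONE" else set(s.split(","))
    return (flags & expand(mask)) == expand(comp)

def triage(log_text):
    """Count bad_packets drops by chain and flow, noting which the FIN,ACK / RST,ACK rules would now accept."""
    summary = Counter()
    for line in log_text.splitlines():
        if "fp=bad_packets" not in line:
            continue
        rec = parse_log_line(line)
        exempt = rec.get("PROTO") == "TCP" and (
            tcp_flags_match(rec["flags"], "ACK,FIN", "FIN,ACK")
            or tcp_flags_match(rec["flags"], "ACK,RST", "RST,ACK"))
        key = (rec["chain"], rec["SRC"], rec["DST"], rec.get("DPT"), "accept" if exempt else "still-dropped")
        summary[key] += 1
    return summary
```

The emulation only shows which logged packets the new flag rules exempt from the INVALID drop; it does not explain why conntrack marked them INVALID in the first place, which is the question Lazydog's post leaves open.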
