packet rejected by firewall

[niraj.vara]

---

Hi

In my firewall blocking the following request. what sud I required to do so that firewall not block the same.

I have following Iptalbles rule which blocking the same

$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
--log-prefix "fp=bad_packets:1 a=DROP "

$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP


Jun 27 11:14:38 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.44 DST=173.194.38.141 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=41102 DF PROTO=TCP SPT=55563 DPT=80 WINDOW=245 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:39 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.171 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=57967 DF PROTO=TCP SPT=49757 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:43 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.171 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=28476 DF PROTO=TCP SPT=49757 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:45 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=173.194.38.131 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=59458 DF PROTO=TCP SPT=49772 DPT=80 WINDOW=16384 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:49 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=216.52.242.80 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=48650 DF PROTO=TCP SPT=49740 DPT=80 WINDOW=16384 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:50 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=173.194.38.131 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=58428 DF PROTO=TCP SPT=49773 DPT=80 WINDOW=16384 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:50 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.171 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=17698 DF PROTO=TCP SPT=49757 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:51 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=216.52.242.80 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=45670 DF PROTO=TCP SPT=49740 DPT=80 WINDOW=16384 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:52 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=216.52.242.80 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=32826 DF PROTO=TCP SPT=49740 DPT=80 WINDOW=16384 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:54 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=216.52.242.80 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=16206 DF PROTO=TCP SPT=49740 DPT=80 WINDOW=16384 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:55 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.44 DST=173.194.38.141 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=41103 DF P

[Krendoshazin]

You probably have this figured out by now, but just in case:

From what I can tell, you want to create a rule to allow the packets that are currently being dropped by your firewall. To do that, use the following

iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT

Netfilter runs on a 'first match wins' basis, so if you put that rule after your DROP rule, then it will match it first and drop all your packets. To get around that, tell iptables to place the new rule right at the start:

iptables -I INPUT 1 -i eth1 -p tcp --dport 80 -j ACCEPT

This should then allow the packets to filter through.

[niraj.vara]

Hi

I have already added the following rules for that IP 192.168.1.108

iptables -I tcp_outbound -p TCP -s 192.168.1.108 --destination-port 80 -j ACCEPT and above rules that I mentioned in earlier post.

As per the firewall its rejected due to INVALID packet but ........
its not a INVALID packet. Its trying to contact with the google's server .....

[Lazydog]

From what I can tell, you want to create a rule to allow the packets that are currently being dropped by your firewall. To do that, use the following

iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT

Looking at what the OP posted this is a FORWARD rule issue not an INPUT rule issue.

a=DROP IN=eth0 OUT=eth1

The question now becomes which rule is jumping to the INVALID chain and why? This is where you fix the problem.

[Krendoshazin]

Looking at what the OP posted this is a FORWARD rule issue not an INPUT rule issue.

You're right, I read the output incorrectly. I think it would help if we could see the entire firewall configuration by using 'iptables-save > filename'.

[niraj.vara]

Hi

Pleas find the firewall rules....

[Lazydog]

Can you kindly re-post with the correct line breaks. Thnx

[niraj.vara]

Hi

my firewall rules is attached here.

[Krendoshazin]

I think the problem is that you're sending all incoming traffic through the bad_packets table, which then gets matched against your first TCP rule and subsequently dropped. Because you're sending everything through bad_packets, then the packets never reach the RELATED,ESTABLISHED rule for the firewall to know that these are packets from an established connection.

Try moving your '-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT' rule so that it comes before the rule '-A INPUT -j bad_packets' and see what happens. Established connections shouldn't be subjected to those filtering rules.

[niraj.vara]

Hi

As you suggested I have added the rule '-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT' before the '-A INPUT -j bad_packets' but after that also I am getting the drop packet as below

Jul 3 11:36:23 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=44466 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jul 3 11:36:24 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=46285 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jul 3 11:36:28 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=27522 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jul 3 11:36:32 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=61388 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jul 3 11:36:53 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=51905 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jul 3 11:37:16 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=31902 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jul 3 11:37:39 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=44726 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jul 3 11:38:02 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=40431 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jul 3 11:38:25 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=41096 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0

So I have added the following rule
$IPT -A bad_packets -p tcp -m tcp --tcp-flags ACK,FIN FIN,ACK -j ACCEPT
$IPT -A bad_packets -p tcp -m tcp --tcp-flags ACK,RST RST,ACK -j ACCEPT