Thread: packet rejected by firewall
06-27-2013 #1
My firewall is blocking the following requests. What should I do so that the firewall does not block them?
I have the following iptables rules which are blocking them:
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
--log-prefix "fp=bad_packets:1 a=DROP "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
Jun 27 11:14:38 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.44 DST=173.194.38.141 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=41102 DF PROTO=TCP SPT=55563 DPT=80 WINDOW=245 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:39 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.171 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=57967 DF PROTO=TCP SPT=49757 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:43 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.171 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=28476 DF PROTO=TCP SPT=49757 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:45 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=173.194.38.131 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=59458 DF PROTO=TCP SPT=49772 DPT=80 WINDOW=16384 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:49 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=216.52.242.80 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=48650 DF PROTO=TCP SPT=49740 DPT=80 WINDOW=16384 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:50 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=173.194.38.131 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=58428 DF PROTO=TCP SPT=49773 DPT=80 WINDOW=16384 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:50 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.171 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=17698 DF PROTO=TCP SPT=49757 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:51 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=216.52.242.80 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=45670 DF PROTO=TCP SPT=49740 DPT=80 WINDOW=16384 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:52 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=216.52.242.80 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=32826 DF PROTO=TCP SPT=49740 DPT=80 WINDOW=16384 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:54 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=216.52.242.80 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=16206 DF PROTO=TCP SPT=49740 DPT=80 WINDOW=16384 RES=0x00 ACK FIN URGP=0
Jun 27 11:14:55 xyz kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.44 DST=173.194.38.141 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=41103 DF P
07-01-2013 #2
You probably have this figured out by now, but just in case:
From what I can tell, you want to create a rule to allow the packets that are currently being dropped by your firewall. To do that, use the following:
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
Netfilter runs on a 'first match wins' basis, so if you put that rule after your DROP rule, then it will match it first and drop all your packets. To get around that, tell iptables to place the new rule right at the start:
iptables -I INPUT 1 -i eth1 -p tcp --dport 80 -j ACCEPT
This should then allow the packets to filter through.

Great GNU/Linux references and resources:
The Linux Documentation Project
Rute User's Tutorial and Exposition
GNU/Linux Man Pages
07-01-2013 #3
Hi
I have already added the following rule for that IP, 192.168.1.108:

iptables -I tcp_outbound -p TCP -s 192.168.1.108 --destination-port 80 -j ACCEPT

as well as the rules that I mentioned in my earlier post.
As per the firewall it is rejected because it is an INVALID packet, but ........
it is not an INVALID packet. It is trying to contact Google's server .....
07-01-2013 #4
07-01-2013 #5
07-02-2013 #6
Hi
Please find the firewall rules....
07-02-2013 #7
Can you kindly re-post with the correct line breaks? Thanks
07-02-2013 #8
Hi
My firewall rules are attached here.
07-02-2013 #9
I think the problem is that you're sending all incoming traffic through the bad_packets table, where it gets matched against your first TCP rule and subsequently dropped. Because you're sending everything through bad_packets, the packets never reach the RELATED,ESTABLISHED rule, so the firewall never gets to see that these are packets from an established connection.
Try moving your '-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT' rule so that it comes before the rule '-A INPUT -j bad_packets' and see what happens. Established connections shouldn't be subjected to those filtering rules.
07-03-2013 #10
Hi
As you suggested, I have added the rule '-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT' before '-A INPUT -j bad_packets', but I am still getting the dropped packets, as below:
Jul 3 11:36:23 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=44466 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jul 3 11:36:24 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=46285 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jul 3 11:36:28 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=27522 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jul 3 11:36:32 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=61388 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jul 3 11:36:53 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=51905 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jul 3 11:37:16 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=31902 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jul 3 11:37:39 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=44726 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jul 3 11:38:02 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=40431 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jul 3 11:38:25 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=41096 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
So I have added the following rules:
$IPT -A bad_packets -p tcp -m tcp --tcp-flags ACK,FIN FIN,ACK -j ACCEPT
$IPT -A bad_packets -p tcp -m tcp --tcp-flags ACK,RST RST,ACK -j ACCEPT
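Added example, not code from any post in this thread: a small Python parser that reads netfilter LOG lines in the format quoted above and groups them per flow, so the pattern behind the drops is visible before any rule is changed. It recovers three things worth knowing here: which path the packet took (a LOG entry with both IN= and OUT= set is a packet being routed through the box, i.e. the FORWARD path, not INPUT), which TCP flags it carried, and how often the same four-tuple repeats and at what intervals. The sample log text is five lines copied from post #10 plus one constructed line (the last one, destination 203.0.113.10 and port 22, a documentation address) so that a genuine blocked connection attempt shows up differently; the function names, the classification strings and the `verdict()` heuristic are this example's own and not anything netfilter provides.

```python
"""Group netfilter LOG lines per flow to see why a firewall keeps dropping them.

Added example for this thread, not code from any poster. The input format is
the kernel's nf_log output as quoted in the posts above; the classification
and the names below are this example's own.
"""
import re
from collections import defaultdict
from datetime import datetime

# Five lines copied from post #10, plus one CONSTRUCTED line (the last one,
# destination 203.0.113.10 / port 22) so that a real connection attempt is visible.
SAMPLE_LOG = """\
Jul 3 11:36:23 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=44466 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jul 3 11:36:24 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=46285 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jul 3 11:36:28 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=27522 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jul 3 11:36:32 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=61388 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jul 3 11:36:53 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=54.249.82.173 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=51905 DF PROTO=TCP SPT=49361 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jul 3 11:40:00 ebizchem kernel: fp=bad_packets:1 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.108 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Return a dict of the KEY=value fields plus 'ts' and 'flags', or None if not a LOG line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:                      # KEY=value tokens (IN=, SRC=, SPT=, ...); IN= may be empty
            key, val = tok.split("=", 1)
            rec[key] = val
        elif tok in TCP_FLAGS:              # bare flag tokens such as "ACK FIN" or "SYN"
            flags.add(tok)
    rec["ts"] = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog carries no year
    rec["flags"] = frozenset(flags)
    return rec


def path_of(rec):
    """IN= and OUT= both set: the packet is being routed through, i.e. the FORWARD path."""
    has_in, has_out = bool(rec.get("IN")), bool(rec.get("OUT"))
    if has_in and has_out:
        return "FORWARD"
    return "INPUT" if has_in else "OUTPUT" if has_out else "UNKNOWN"


def classify(rec):
    """Name the kind of TCP segment from its flags (non-TCP records are passed through)."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    f = rec["flags"]
    if "SYN" in f and "ACK" not in f:
        return "new-connection (SYN)"
    if "RST" in f:
        return "reset (RST)"
    if "FIN" in f:
        return "teardown (FIN)"
    return "mid-stream"


def summarize(log_text):
    """Group records by (SRC, SPT, DST, DPT) and describe each flow."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            flows[(rec["SRC"], rec["SPT"], rec["DST"], rec["DPT"])].append(rec)
    report = {}
    for key, recs in flows.items():
        recs.sort(key=lambda r: r["ts"])
        report[key] = {
            "count": len(recs),
            "path": {path_of(r) for r in recs},
            "kinds": {classify(r) for r in recs},
            "rule": {r.get("fp") for r in recs},                 # the --log-prefix tag
            "gaps_s": [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(recs, recs[1:])],
        }
    return report


def verdict(flow):
    """Heuristic reading of one flow summary (this example's own, not a netfilter concept)."""
    if flow["kinds"] == {"new-connection (SYN)"}:
        return "blocked connection attempt"
    if flow["kinds"] <= {"teardown (FIN)", "reset (RST)"} and flow["count"] >= 2:
        return "stale FIN/RST repeats for a connection conntrack is not tracking"
    return "review manually"


if __name__ == "__main__":
    for key, flow in summarize(SAMPLE_LOG).items():
        print("%s:%s -> %s:%s" % key, flow, "=>", verdict(flow))
```

On the thread's own lines the report shows one FORWARD flow, FIN+ACK on every packet, repeating at gaps of 1, 4, 4 and 21 seconds: the shape of a host retransmitting a FIN that the peer never acknowledged, for a connection conntrack has already closed or expired, or whose segment falls outside the window it tracks. In all of those cases the state match returns INVALID, so a RELATED,ESTABLISHED rule cannot match it however early it is placed. Two caveats on the rules at the end of post #10: ACCEPT is a terminating target even inside a user-defined chain, so `--tcp-flags ACK,FIN FIN,ACK -j ACCEPT` in bad_packets admits any FIN/ACK segment from any source with no state check, before the remaining INPUT or FORWARD rules are consulted. If the goal is only to stop the log noise, a DROP for those flag combinations placed before the LOG rule does that without opening a stateless path; and if conntrack still holds the entry but rejects the segment as out of window, `net.netfilter.nf_conntrack_tcp_be_liberal=1` is the documented sysctl that marks only out-of-window RST segments as INVALID.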