iptables issues
Shadow Hawkins on Saturday, 03 November 2012 17:14:34
Hi,
for some months now I have been getting strange log messages from my ip6tables:
fw6-fwd IN=sixxs-ipv6 OUT=eth0 MAC= SRC=2606:XXXX:XXXX:XXXX:17ca:0871:0eb2:2067 DST=2a01:XXXX:XXXX:XXXX:d462:119c:23cd:49a5 LEN=60 TC=0 HOPLIMIT=58 FLOWLBL=0 PROTO=TCP SPT=80 DPT=48040 WINDOW=0 RES=0x00 RST URGP=0
They occur only on a computer "behind" my router (to which the tunnel is connected).
The above message came when I was surfing on Google. Shouldn't the connection tracking (ESTABLISHED,RELATED) keep an eye on that data?
My ip6tables look currently like this:
-A INPUT -m rt --rt-type 0 --rt-segsleft 0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -i sixxs-ipv6 -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -i sixxs-ipv6 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i sixxs-ipv6 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i sixxs-ipv6 -m state --state INVALID,NEW -j DROP
-A INPUT ! -i sixxs-ipv6 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "fw6-in "
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -m rt --rt-type 0 --rt-segsleft 0 -j DROP
-A FORWARD -i eth0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o sixxs-ipv6 -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -s 2a01:XXXX/48 -i eth0 -o sixxs-ipv6 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "fw6-fwd "
-A FORWARD -j REJECT --reject-with icmp6-port-unreachable
-A OUTPUT -m rt --rt-type 0 --rt-segsleft 0 -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o sixxs-ipv6 -j ACCEPT
-A OUTPUT -d fe80::/10 -j ACCEPT
-A OUTPUT -d ff00::/8 -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
-A OUTPUT -j LOG --log-prefix "fw6-out "
-A OUTPUT -j REJECT --reject-with icmp6-port-unreachable
Is there something wrong with my rules? Thank you.
iptables issues
Shadow Hawkins on Saturday, 03 November 2012 22:07:48
To me it looks like just out-of-state traffic that was delayed long enough, for whatever reason, on the way to your system, and your firewall/router expired the state before the packet arrived. Also, the source port in the packet is http and the destination port is a high-numbered port that is usually used as a source port in TCP connections, which makes it even more likely that it's just out-of-state traffic.
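The reasoning in the reply above (reply flags such as RST or FIN, a service source port, an ephemeral destination port, arriving on the tunnel after the conntrack entry has gone) can be turned into a small triage script for the LOG lines. The following is an added example and not code from the thread or from SixXS: it parses the netfilter LOG format shown in the original post and tags each line. The tunnel interface name is taken from the posted rules; the sample lines are constructed (the first copies the posted message), and the ephemeral-port lower bound of 32768 (the Linux default local port range) is an assumption about the client's stack.

```python
"""Tag ip6tables LOG lines: genuine new connection attempts versus late
packets of a flow whose conntrack entry has already expired."""
from collections import Counter

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
TUNNEL_IFACE = "sixxs-ipv6"   # tunnel interface name from the posted rule set
EPHEMERAL_LOW = 32768         # assumption: Linux default ip_local_port_range lower bound
INT_FIELDS = ("SPT", "DPT", "LEN", "HOPLIMIT")

# Constructed sample input. Line 1 is the message from the original post
# (addresses anonymised as there); lines 2 and 3 are made up for contrast.
SAMPLE_LOG = """\
fw6-fwd IN=sixxs-ipv6 OUT=eth0 MAC= SRC=2606:XXXX:XXXX:XXXX:17ca:0871:0eb2:2067 DST=2a01:XXXX:XXXX:XXXX:d462:119c:23cd:49a5 LEN=60 TC=0 HOPLIMIT=58 FLOWLBL=0 PROTO=TCP SPT=80 DPT=48040 WINDOW=0 RES=0x00 RST URGP=0
fw6-fwd IN=sixxs-ipv6 OUT=eth0 MAC= SRC=2001:db8::1 DST=2a01:XXXX:XXXX:XXXX:d462:119c:23cd:49a5 LEN=80 TC=0 HOPLIMIT=60 FLOWLBL=0 PROTO=TCP SPT=44123 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
fw6-in IN=sixxs-ipv6 OUT= MAC= SRC=2001:db8::2 DST=2a01:XXXX::1 LEN=60 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK FIN URGP=0
"""


def parse_log_line(line):
    """Parse one netfilter LOG line into a dict.

    The layout is 'PREFIX KEY=VALUE ... FLAG ...'. Keys may carry an empty
    value (MAC= on a tunnel interface, OUT= for locally delivered packets),
    and TCP flags appear as bare words, so they are collected into a set.
    """
    tokens = line.split()
    if not tokens:
        return None
    rec = {"prefix": tokens[0], "flags": set()}
    for tok in tokens[1:]:
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = int(val) if key in INT_FIELDS and val.isdigit() else val
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    return rec


def classify(rec):
    """Return a triage tag for a parsed LOG record."""
    if rec is None or rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["flags"]
    spt, dpt = rec.get("SPT"), rec.get("DPT")
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection-attempt"
    # Without SYN, conntrack can only pass this packet via an existing entry.
    # A reply from a service port to our ephemeral port carrying RST/FIN/ACK,
    # arriving on the tunnel, is the signature of a tail-end packet that
    # turned up after the entry had timed out.
    if (flags & {"RST", "FIN", "ACK"}) and spt is not None and dpt is not None \
            and spt < 1024 and dpt >= EPHEMERAL_LOW \
            and rec.get("IN") == TUNNEL_IFACE:
        return "late-out-of-state-reply"
    return "unclassified"


def summarize(text):
    """Count triage tags over a block of LOG lines."""
    return Counter(classify(parse_log_line(l)) for l in text.splitlines() if l.strip())


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_log_line(line)
        print(classify(rec), rec["SRC"], rec.get("SPT"), "->", rec.get("DPT"), sorted(rec["flags"]))
    print(summarize(SAMPLE_LOG))
```

The tag is a triage aid, not proof: a crafted RST from port 80 to a high port would match the same pattern, so it only tells you which log lines are worth correlating with the client's own connection history before worrying about them.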
iptables issues
Shadow Hawkins on Sunday, 04 November 2012 20:44:31
Hmm,
so is it perhaps a PoP problem? I also get many "ICMPv6 checksum failed" messages every now and then.
iptables issues
Jeroen Massar on Monday, 05 November 2012 09:06:30
This is not a PoP problem; you are filtering out packets that maybe should be there. Resolve your filter settings to resolve that problem, or, as the previous poster stated, realize that maybe some packets arrive when the session is thought to have timed out.
The latter actually shows why stateful firewalls are not always 100% correct, as they cannot 100% emulate and track the state of the TCP stack on both sides of the connection, since not all implementations are equal, let alone known.