iptables blocking some ack fin packets

iptables blocking some ack fin packets

am 17.01.2008 21:49:52 von zebio

Hi all, hoping someone here can help me out as I can't seem to
understand what the issue is.

I have a server that runs a mail server on port 25, lets call it XXX.
Mail to this server is only allowed on port 25 from the mail scanning
server called ZZZ.

When the local server XXX sends the ACK FIN to acknowledge the client
sides request to terminate it works fine since I allow anything
outbound. The problem is when the remote side sends the ACK FIN it
passes all my iptables rules and gets rejected.

Jan 16 12:23:03 pop kernel: GOING OUT: in= OUT=eth0 SRC=XXX DST=ZZZ
LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=51011 DF PROTO=TCP SPT=25
DPT=35322 WINDOW=5792 RES=0x00 ACK FIN URGP=0

Jan 16 12:23:07 pop kernel: COMING IN AND REJECTED: IN=eth0 OUT=
MAC=00:13:72:f7:d2:13:00:03:a0:0b:04:70:08:00 SRC=ZZZ DST=XXX LEN=52
TOS=0x00 PREC=0x00 TTL=60 ID=13994 DF PROTO=TCP SPT=60919 DPT=25
WINDOW=63 RES=0x00 ACK FIN URGP=0

Here are my firewall rules I'm hoping if anyone call tell me how I can
fix this or what I'm doing wrong.

/etc/sysconfig/iptables:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT


-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -p tcp --dport 3410 -j DROP
-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -p tcp --sport 10000 -j DROP

# accept anything established

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# accept anything new on 25

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -
j ACCEPT

-A RH-Firewall-1-INPUT -m limit --limit 15/minute -j LOG --log-level
warning --log-prefix " COMING IN AND REJECTED: "

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT


Iptables -vL output

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
3154K 1566M RH-Firewall-1-INPUT all -- any any
anywhere anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
0 0 RH-Firewall-1-INPUT all -- any any
anywhere anywhere

Chain OUTPUT (policy ACCEPT 3357K packets, 2113M bytes)
pkts bytes target prot opt in out source
destination

Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source
destination
307K 266M ACCEPT all -- lo any anywhere
anywhere
152 9069 ACCEPT icmp -- any any anywhere
anywhere icmp any
0 0 ACCEPT ipv6-crypt-- any any
anywhere anywhere
0 0 ACCEPT ipv6-auth-- any any
anywhere anywhere
0 0 DROP tcp -- any any anywhere
anywhere tcp dpt:3410
30 1536 DROP tcp -- any any anywhere
anywhere tcp spt:10000
2617K 1289M ACCEPT all -- any any anywhere
anywhere state RELATED,ESTABLISHED
28525 1709K ACCEPT tcp -- any any anywhere
anywhere state NEW tcp dpt:smtp
0 0 REJECT udp -- any any anywhere
anywhere udp dpt:netbios-ns reject-with icmp-port-
unreachable
0 0 REJECT udp -- any any anywhere
anywhere udp dpt:netbios-dgm reject-with icmp-port-
unreachable
0 0 ACCEPT udp -- any any anywhere
anywhere udp dpt:ntp
0 0 REJECT udp -- any any anywhere
anywhere udp dpt:bootps reject-with icmp-port-unreachable
2800 171K LOG all -- any any anywhere
anywhere limit: avg 15/min burst 5 LOG level warning prefix
` COMING IN AND REJECTED: '
5201 317K REJECT all -- any any anywhere
anywhere reject-with icmp-port-unreachable


Thanks in advance, P

Re: iptables blocking some ack fin packets

am 18.01.2008 15:21:24 von Ansgar -59cobalt- Wiechers

zebio@meganet.net wrote:
> I have a server that runs a mail server on port 25, lets call it XXX.
> Mail to this server is only allowed on port 25 from the mail scanning
> server called ZZZ.
>
> When the local server XXX sends the ACK FIN to acknowledge the client
> sides request to terminate it works fine since I allow anything
> outbound. The problem is when the remote side sends the ACK FIN it
> passes all my iptables rules and gets rejected.
>
> Jan 16 12:23:03 pop kernel: GOING OUT: in= OUT=eth0 SRC=XXX DST=ZZZ
> LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=51011 DF PROTO=TCP SPT=25
> DPT=35322 WINDOW=5792 RES=0x00 ACK FIN URGP=0
[...]
> Chain OUTPUT (policy ACCEPT 3357K packets, 2113M bytes)
> pkts bytes target prot opt in out source
> destination
>

Apparently you are lying about your ruleset. Unless you post the ruleset
you actually use any attempt to help you will be a total waste of time,
because we cannot know whether or not you have left out some important
detail.

However, some general remarks on the ruleset you posted:

- Never use ACCEPT as the policy for your INPUT or FORWARD chain. Ever.
- Do not indiscriminately accept ICMP packets.
- It's stupid to send port-unreachable ICMP messages for each rejected
connection. Most protocols aside from TCP and UDP don't even have the
concept of ports, and for TCP connections it's better to use tcp-reset
anyway.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich